URL Filtering functionality (DPI)

    This functionality is available with the EcoDPIxxxx-LIC license (to view the license, see "Getting help").

    The URL Filtering (DPI) functionality allows service providers to filter unwanted and prohibited resources on the Internet, and also to provide services such as "Child Online" with filtering against large lists. This functionality meets all requirements and has been tested by Roskomnadzor (the official conclusion is available at http://www.rkn.gov.ru/docs/Izobrazhenie_29.09.2017.tiff).

    Subscriber redirection to the blocking page ("resource is prohibited") is set individually for each list. Subnet filtering is supported.

    For HTTPS, filtering by SNI (Server Name Indication) is supported in order to break the connection to a forbidden resource. If there is no SNI field in the request, the request is passed transparently. The incoming certificate of the server to which the request was sent is checked. If the certificate contains a URL denied by the filters, the connection to the server is dropped.

    The main list of banned sites is the register of the Russian Roskomnadzor (it has the predefined name dpilist0 in the system dpi configuration space).

    It also supports up to 16 user-defined lists of sites (dpilist1 ... dpilist16), each of which can be either black (list of banned sites) or white (the list of allowed sites).

    The format of the uploaded lists: a text file with a list of URLs beginning with "http://" or "https://", in which a port number may be set. The '*' character can also be used in a URL entry to stand for any sequence of characters, for example to filter multiple mirror sites. If you want to filter both HTTP and HTTPS, place '*' at the beginning of the URL; if only one of the protocols, put "http://" or "https://" before the '*'. IP addresses, subnets or ranges of addresses (written with a hyphen) can also be specified in the lists. The delimiter is CR or CR LF (end of line and newline). The file name and extension are not regulated.

    Comments are allowed in dpilists, for example to logically split IP addresses into groups by Internet service provider area. Each comment line must begin with the pound sign '#'. The same character can also be used, if necessary, to "comment out" individual lines in the list, so that they are not processed when the database is built or updated.

    File example:

    http://citybus.nnov.ru:8080/login.php
    https://maps.yandex.ru/213/moscow/?source=tableau_maps
    http://flibusta.net
    https://hh.ru
    http://hh.ru
    http://*.example.ru
    *.badsite.ru
    http://vk.com
    en.wikipedia.org/wiki/Ethernet
    8.8.8.0/24
    3.3.3.1
    # District
    5.5.5.5-5.5.5.150

    If a URL in the uploaded list is given without the "http://" or "https://" prefix, it is treated by default as if it were listed with both the "http://" and the "https://" prefix. In that case, the filter for HTTPS connections responds only to the specified domain name. That is, in the example above, the entry referring to the Wikipedia article will close all connections that attempt to access English Wikipedia. So, if you want to close access to only one article, the list should contain "http://en.wikipedia.org/wiki/Ethernet".
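
The list format and the default-prefix rule described above, as an added example (not EcoNAT code): a small checker, written here in Python, that classifies each line of a list file and reports URL entries that also close every HTTPS connection to the host. The function names and the sample list are constructed for this illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample, modelled on the file example in this section.
SAMPLE = """http://citybus.nnov.ru:8080/login.php
http://*.example.ru
*.badsite.ru
en.wikipedia.org/wiki/Ethernet
8.8.8.0/24
# District
5.5.5.5-5.5.5.150
"""

def parse_entry(line):
    """Classify one list line; None for blank lines and '#' comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    lo, sep, hi = line.partition("-")
    try:
        if sep:  # address range written with a hyphen
            return {"kind": "range",
                    "value": (ipaddress.ip_address(lo), ipaddress.ip_address(hi))}
        kind = "subnet" if "/" in line else "ip"
        return {"kind": kind, "value": ipaddress.ip_network(line, strict=False)}
    except ValueError:
        pass  # not an address, so treat the line as a URL entry
    if line.startswith(("http://", "https://")):
        schemes = [line.split(":", 1)[0]]
    else:  # no prefix: the entry counts for both http:// and https://
        schemes, line = ["http", "https"], "//" + line
    url = urlsplit(line)
    has_path = url.path not in ("", "/") or bool(url.query)
    # The HTTPS filter reacts to the domain name only, so a path-specific
    # entry that applies to HTTPS covers every connection to that host.
    return {"kind": "url", "schemes": schemes, "host": url.hostname,
            "port": url.port, "https_whole_host": "https" in schemes and has_path}

def lint(text):
    """Return (line_no, entry) for entries broader over HTTPS than written."""
    rows = enumerate(text.splitlines(), 1)  # CR, LF and CR LF all split
    return [(no, raw.strip()) for no, raw in rows
            if (parse_entry(raw) or {}).get("https_whole_host")]

if __name__ == "__main__":
    for no, raw in lint(SAMPLE):
        print(f"line {no}: {raw} also closes all HTTPS connections to the host")
```

Running the checker over a list before uploading it shows which path-specific entries need an explicit "http://" prefix to stay limited to a single page.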

    A subscriber may be filtered according to several lists. If several lists are triggered at the same time, the action is taken according to the one with the highest priority (the one with the lowest number).

    A blacklist is a list of banned sites. A match against it means that access to the page is prohibited. In this case, an HTTP connection is redirected to the page specified in the configuration, and an HTTPS connection is closed with an RST.

    A white list, on the contrary, contains permitted sites. A match against it means that access to the page is permitted. The absence of a match in the white list means that access is denied by default (and there will be a redirect or closure). A user can, however, be subscribed to multiple white lists simultaneously; in this case, it is enough for at least one of them to be triggered to access the page.