Preparing white list [VAS Experts Documentation]

Differences

This shows you the differences between two versions of the page.

en:dpi:dpi_options:opt_capture:capt_make [2020/02/05 17:32] – ↷ Page moved from en:dpi:dpi_options:base_functionality:opt_capture:capt_make to en:dpi:dpi_options:opt_capture:capt_make lexx26
en:dpi:dpi_options:opt_capture:capt_make [2024/09/26 15:29] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Preparing white list ====== ====== Preparing white list ======
 +{{indexmenu_n>2}}
 +The allowed resources list is created in two steps: first, **a text file** with the list of resources is created. Second, this **file is converted** into internal dictionary's format by the special utility.
  
 +<note tip>The following utilities are used for conversion:
 +  * url2dic - for URL, SNI, CN
 +  * ip2bin - for IP
 +
 +Reverse conversion utilities:
 +
 +  * dic2host - to convert dic files with URL, SNI, CN to a list of domains
 +  * dic2star - to convert dic files from SNI, CN to a list of domains with *
 +  * bin2ip - to convert dic files from IP
 +
 +To create a white list for payment systems, we recommend using a ready-made list. [[https://github.com/cloudipsp/all_banks_ips|List of payment systems]]
 +</note>
 +
 +After the text file is converted you need to move the lists to the DPI configuration directory:
 +
 +<code bash>mv my_url_list.bin /var/lib/dpi/whlist.bin
 +mv my_cn_list.bin /var/lib/dpi/whlistcn.bin
 +mv my_ip_list.bin  /var/lib/dpi/whlistip.bin
 +mv my_sni_list.bin  /var/lib/dpi/whlistsni.bin</code>
 +
 +<note important>This list names are used for the default profile.\\
 +Any of the lists may be missing, but for restricting https resources, the SNI list is mandatory</note>
 +
 +===== The file format of the whitelisted resources' URLs: =====
 +
 +Each line contains one URL (no <nowiki>http://</nowiki> prefix), it is allowed to use *. **For example:**
 +<code bash>1magehut.com/users.php?act=gallery&gal=81&page=4
 +3dmx.net
 +*.3dmx.net
 +</code>
 +
 +To convert into the internal format:
 +<code bash>cat my_url_list.txt|url2dic my_url_list.dic</code>
 +
 +===== The file format of the whitelisted names in SSL certificates (Common name): =====
 +
 +Each line contains one [[en:dpi:dpi_options:opt_filtration:making_dictionary:cn_info|name]]. For example:
 +<code bash>*.facebook.com
 +www.vasexpertsdpi.com</code>
 +
 +To convert into the internal format:
 +<code bash>cat my_cn_list.txt|url2dic my_cn_list.dic</code>
 +
 +===== The file format of the whitelisted SNI (HTTPS) =====
 +
 +Each line contains one SNI (without <nowiki>http://</nowiki> prefix). It is allowed to use *. **For expample:**
 +
 +<code bash>qiwi.ru
 +*.qiwi.ru</code>
 +
 +To convert into the internal format:
 +<code bash>cat my_sni_list.txt|url2dic my_sni_list.bin</code>
 +
 +<note>To prevent the https sites blocking, you have to prepare white list for CN, SNI with *** symbol**, signaling that CN and SN can be any.</note>
 +
 +====== File Format for White List of IP Addresses, CIDR: ======
 +Starting from version 12.4, the creation of a list is supported based on:
 +  * IPv4 <space> port_number
 +  * IPv4
 +  * IPv6 <space> port_number
 +  * IPv6
 +  * CIDR IPv4/IPv6
 +
 +Each line of the file contains only one entry, example for IPv4:
 +<code bash>
 +78.47.115.34 443
 +95.211.6.93
 +95.211.4.0/24
 +</code>
 +
 +Convert to internal format:
 +<code bash>cat my_ip_list.txt | ip2bin my_ip_list.bin</code>
 +
 +<note>If an IP address or CIDR is specified, **ONLY ALL TCP ports except for the allowed IP/CIDR are blocked**. To block UDP ports, you need to enable the ''[[en:dpi:dpi_components:platform:subscriber_management:subsman_cmd#configuring_tcp_and_udp_protocol_blocking|udp_block=3]]'' setting in /etc/dpi/fastdpi.conf</note>
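
Review bot: The conversion commands and the mv step disagree on output file names. The URL and CN sections write "my_url_list.dic" and "my_cn_list.dic", but the move step expects "my_url_list.bin" and "my_cn_list.bin", so an operator who follows the page verbatim gets a failed mv for those two lists and nothing is installed as whlist.bin or whlistcn.bin. Pick one extension and use it in every url2dic example (the SNI and IP sections already write .bin), and consider placing the mv block after the conversion sections, since the text says it happens "after the text file is converted". The closing note, "ONLY ALL TCP ports except for the allowed IP/CIDR are blocked", is ambiguous in a rule that decides which traffic passes; state separately what is allowed and what is blocked for TCP, and what changes with udp_block=3. Smaller points: the SNI note says "CN and SN" where the rest of the page says SNI, the bold markup around the * symbol in that note makes it unclear which character is meant, "For expample" is misspelled, and the IP/CIDR heading uses a top-level "======" while the sibling format sections use "=====".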