
CDNs and iptables


I have a CentOS 6 box running as a router and Squid proxy. Through Squid I am directing users to a device handling a captive portal, so iptables functions as my SSL walled garden service. Users making an HTTPS request are allowed to access a number of whitelisted FQDN hosts, and if the request doesn't match I drop the traffic (requests on HTTP are directed to Squid immediately, and it handles the whitelist on that side).

The solution itself works very well; my problem comes when I have to whitelist an FQDN that is on a CDN and rotates addresses on a regular basis. I've had some success by scripting out an iptables reload on a regular basis, but I still run into a number of times when walled garden entries are unreachable because the IP that the firewall has in its entry is no longer what the URL resolves to.

For example, one of our whitelist sites is facebook.com, which uses a CDN. Depending on when Facebook's CDN updates its IP address, users may or may not be able to actually load that website.

I'm wondering if anyone has come across a similar use case and issue, and if so if you were able to find a work-around. Google-fu is failing me here.

submitted by S73rM4n
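As an added example (not the poster's code), this is the approach a reload-on-a-timer script is approximating: keep the iptables ACCEPT rule static and pointed at an ipset (e.g. `-m set --match-set walled_garden dst -p tcp --dport 443`), and reconcile the set's members against fresh DNS answers more often than the CDN's TTL, keeping addresses that rotated out for a grace period so existing sessions are not cut off. The set name `walled_garden`, the grace period and a Python 3 runtime are assumptions.

```python
"""Reconcile an ipset with the current DNS answers for whitelisted FQDNs."""
import socket
import subprocess

SET_NAME = "walled_garden"   # assumed ipset name (created with: ipset create walled_garden hash:ip)
GRACE_SECONDS = 900          # keep an address that vanished from DNS for this long


def resolve(fqdn):
    """Return every IPv4 address currently answered for fqdn."""
    infos = socket.getaddrinfo(fqdn, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def reconcile(fqdns, state, now, resolver=resolve):
    """Update state ({ip: last_seen}) from fresh lookups and return (adds, dels).

    `state` persists between runs (e.g. a JSON file). An address is added when
    first seen and deleted only after it has been absent for GRACE_SECONDS, so a
    CDN rotation never leaves a window where the site has no allowed address.
    """
    seen = set()
    for fqdn in fqdns:
        try:
            seen |= resolver(fqdn)
        except socket.gaierror:
            continue  # one failed lookup must not flush the whole set
    adds = sorted(ip for ip in seen if ip not in state)
    for ip in seen:
        state[ip] = now
    dels = sorted(ip for ip, last in state.items() if now - last > GRACE_SECONDS)
    for ip in dels:
        del state[ip]
    return adds, dels


def apply(adds, dels, set_name=SET_NAME):
    """Push only the diff into the kernel set; no iptables reload is needed."""
    for ip in adds:
        subprocess.check_call(["ipset", "add", set_name, ip, "-exist"])
    for ip in dels:
        subprocess.check_call(["ipset", "del", set_name, ip, "-exist"])
```

Run `reconcile` from cron with the persisted `state`, then hand its result to `apply`; the grace period hides the gap between a CDN rotation and the next run.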
