On Tue 09 May 2017 03:34:06 NZST +1200, José Gregorio Díaz Unda wrote:

> Has somebody set up SSL filtering well in PFSense?

Yes, or at least I tried to.

Because there are substantial problems with MITM methods I tried simpler
URL filtering. It looks like that'd be sufficient for you.

Configure browsers with an appropriate proxy script to use pfsense:3128
for both http and https as proxy. Squidguard can only filter on the host
part of the URL for https, because the rest is hidden by ssl.

Transparent mode is a disappointment, because it does not ensure traffic
goes through squid/squidguard, as you observed. Pfsense is also
fail-unsafe(!) - any issue with squid or squidguard bypasses the proxy,
disabling all filtering, which I find rather unsatisfactory. Or whatever
the exact reason is that some traffic bypasses squid/squidguard, I haven't
found it yet. Turning transparency off and inserting a block rule for
direct http/https seems to be safest.

Also, squid bypasses squidguard when it detects a malfunction with it -
OK for a cache, pretty much no good for a filtering proxy implementing
policies.

There are bugs in the handling of filter expressions in squidguard,
allowing some URLs to pass that should be blocked! Plus the SG config
file generation in pfsense is broken (creates illegal/non-functional
configs), but no-one was interested in fixing it although I submitted a
patch years ago.

It'd also be handy if pfsense was able to serve the browser proxy script
and squidguard error pages, but in the desirable configuration it's not,
though serving the error pages does seem to work partially anyway.

HTH,

Volker

-- 
Volker Kuhlmann                 is list0570 with the domain in header.
http://volker.top.geek.nz/      Please do not CC list postings to me.
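A proxy auto-config (PAC) script of the kind the message describes, pointing browsers at squid on pfsense:3128 for http and https and deliberately offering no DIRECT fallback so a proxy outage fails closed instead of bypassing the filter. This is an added example, not from the original post; the host name pfsense, the LAN range 192.168.1.0/24 and the domain .example.internal are assumptions, and the PAC helpers (isPlainHostName, dnsDomainIs, isInNet) that a browser normally supplies are given minimal stand-in definitions so the file also runs stand-alone under Node.

```javascript
// Stand-ins for the helper functions a browser's PAC runtime provides, so the
// script can be exercised outside a browser. Note: a real isInNet() resolves
// host names via DNS; this stand-in only matches literal IPv4 addresses.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function isInNet(ip, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  var toInt = function (s) {
    var p = s.split(".");
    return ((+p[0]) << 24 | (+p[1]) << 16 | (+p[2]) << 8 | (+p[3])) >>> 0;
  };
  var m = toInt(mask);
  return (toInt(ip) & m) === (toInt(pattern) & m);
}

// Assumed values: the pfSense host, the LAN range and the internal domain.
var FILTER_PROXY = "PROXY pfsense:3128";
var LAN_NET = "192.168.1.0";
var LAN_MASK = "255.255.255.0";
var INTERNAL_DOMAIN = ".example.internal";

function FindProxyForURL(url, host) {
  // Plain host names, the internal domain and LAN addresses are not filtered.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN) ||
      isInNet(host, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // All other http and https goes to squid/squidguard on pfSense. There is
  // intentionally no "; DIRECT" fallback: if the proxy is down, browsing
  // fails instead of silently bypassing the filter.
  if (url.substring(0, 5) === "http:" || url.substring(0, 6) === "https:") {
    return FILTER_PROXY;
  }
  // Other schemes (e.g. ftp) are not handled by the filtering proxy.
  return "DIRECT";
}
```

Pair this with the firewall rule the message recommends, blocking direct outbound http/https from the LAN, so that clients without the script cannot reach the web except through the proxy.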
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list