Hi,

On 11-10-2017 at 23:15, Chris Bagnall wrote:
On 11 Oct 2017, at 21:05, Adam Cage <adamcag...@gmail.com> wrote:
Dear Chris, I need the Squid proxy to filter traffic working with
Squidguard. The guest cell phones will be authenticated to my WiFi, and
after that they can go to HTTP/HTTPS web sites with zero configuration
because I can't tell my guests to setup a CA certificate, a proxy IP and
port in their phone's browsers or whatever at all. So I need a transparent
proxy.
What you’re asking isn’t possible without installing a certificate on the 
client device(s) - and with good reason: you’re effectively performing a 
man-in-the-middle attack; something SSL/TLS was designed to prevent.

In order to proxy SSL traffic, you need to effectively decrypt it at the proxy, 
then re-encrypt it using a new private key. Obviously you can’t re-encrypt it 
using the original key, because you don’t have access to the private key, hence 
the need for your own certificate installed on the client device.

So you have two choices: either install the certificate on the client, or 
accept that you aren’t going to be able to do more than the most basic 
filtering on HTTPS traffic - that is to say, by IP address or FQDN.

Kind regards,

Chris

If only domain name filtering (or reporting?) is needed, then the "Splice all" option should work, I guess.

The help (i) for "SSL/MITM Mode" on the Squid config page in pfSense contains the following:

"*Splice All:*
This configuration is suitable if you want to use the SquidGuard package <https://doc.pfsense.org/index.php/SquidGuard_package> for web filtering. All destinations will be spliced. SquidGuard can do its job of denying or allowing destinations according to its rules, as it does with HTTP.
You do /not/ need to install the CA certificate configured below on clients.
Content filtering (such as Antivirus) /will not/ be available for SSL sites.
"

Regards,

PiBa-NL

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
