Thanks to all, you help me a lot...

Chris, when you said "accept that you aren’t going to be able to do more
than the most basic filtering on HTTPS traffic - that is to say, by IP
address or FQDN"... What do you mean exactly? Will the IP or FQDN HTTPS
filtering be done by Squid or Squidguard in this case?

Thanks again,

ADAM

2017-10-11 18:15 GMT-03:00 Chris Bagnall <pfse...@lists.minotaur.cc>:

> On 11 Oct 2017, at 21:05, Adam Cage <adamcag...@gmail.com> wrote:
> > Dear Chris, I need the Squid proxy to filter traffic working with
> > Squidguard. The guest cell phones will be authenticated to my WiFi, and
> > after that they can go to HTTP/HTTPS web sites with zero configuration
> > because I can't tell my guests to set up a CA certificate, a proxy IP and
> > port in their phone's browsers or whatever at all. So I need a transparent
> > proxy.
>
> What you’re asking isn’t possible without installing a certificate on the
> client device(s) - and with good reason: you’re effectively performing a
> man-in-the-middle attack; something SSL/TLS was designed to prevent.
>
> In order to proxy SSL traffic, you need to effectively decrypt it at the
> proxy, then re-encrypt it using a new private key. Obviously you can’t
> re-encrypt it using the original key, because you don’t have access to the
> private key, hence the need for your own certificate installed on the
> client device.
>
> So you have two choices: either install the certificate on the client, or
> accept that you aren’t going to be able to do more than the most basic
> filtering on HTTPS traffic - that is to say, by IP address or FQDN.
>
> Kind regards,
>
> Chris
> --
> This email is made from 100% recycled electrons
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>