Enable https with splice all on squid in transparent mode ....

On Thu, 12 Oct 2017 at 23:38 Adam Cage <adamcag...@gmail.com> wrote:
> Thanks to all, you help me a lot...
>
> Chris, when you said "accept that you aren’t going to be able to do more
> than the most basic filtering on HTTPS traffic - that is to say, by IP
> address or FQDN"...What do you mean exactly? The IP or FQDN https
> filtering will be made by Squid or Squidguard in this case?
>
> Thanks again,
>
> ADAM
>
> 2017-10-11 18:15 GMT-03:00 Chris Bagnall <pfse...@lists.minotaur.cc>:
>
> > On 11 Oct 2017, at 21:05, Adam Cage <adamcag...@gmail.com> wrote:
> > > Dear Chris, I need the Squid proxy to filter traffic working with
> > > Squidguard. The guest cell phones will be authenticated to my WiFi, and
> > > after that they can go to HTTP/HTTPS web sites with zero configuration
> > > because I can't tell my guests to setup a CA certificate, a proxy IP and
> > > port in their phone's browsers or whatever at all. So I need a transparent
> > > proxy.
> >
> > What you’re asking isn’t possible without installing a certificate on the
> > client device(s) - and with good reason: you’re effectively performing a
> > man-in-the-middle attack; something SSL/TLS was designed to prevent.
> >
> > In order to proxy SSL traffic, you need to effectively decrypt it at the
> > proxy, then re-encrypt it using a new private key. Obviously you can’t
> > re-encrypt it using the original key, because you don’t have access to the
> > private key, hence the need for your own certificate installed on the
> > client device.
> >
> > So you have two choices: either install the certificate on the client, or
> > accept that you aren’t going to be able to do more than the most basic
> > filtering on HTTPS traffic - that is to say, by IP address or FQDN.
> >
> > Kind regards,
> >
> > Chris
> > --
> > This email is made from 100% recycled electrons
> >
> > _______________________________________________
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold