On Fri 13 Oct 2017 08:15:20 NZDT +1300, Adam Cage wrote:

> This is useful to filter facebook, twitter, gmail and other HTTPS sites,
> just taking into account the URL ??? What can't I block for example ???

Look at squidguard rules - they're in 3 sections: hosts only, URLs, and
general regexp. With http all 3 of them work (within the bugginess of
squidguard and pfsense anyway).

With https the URL is encrypted, except for the host name part. I.e. the
SSL connection to the server is established on the host part only, and
the client sends the full URL only over the SSL connection once
established.

So you have 2 options for https:

1) Full MITM attack, requiring client cert installs on all clients so
that the clients establish encrypted connections with the key of your
attack server (aka firewall) instead, and you have a chance of
inspecting the content.

2) Inspect on host name only, that part is not encrypted.

As everything is moving to http it's becoming seriously difficult to use
squidguard as outgoing filter to get rid of all the shitvertising and
privacy invading user tracking rubbish (which wastes my time, bandwidth
and money for absolutely zero gain to me).

Volker

-- 
Volker Kuhlmann                 is list0570 with the domain in header.
http://volker.top.geek.nz/      Please do not CC list postings to me.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold