Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-08 Thread Volker Kuhlmann
On Tue 09 May 2017 03:34:06 NZST +1200, José Gregorio Díaz Unda wrote:

> Has somebody set up SSL filtering well in pfSense?

Yes, or at least I tried to.

Because there are substantial problems with MITM methods I tried simpler
URL filtering. It looks like that'd be sufficient for you.

Configure browsers with an appropriate proxy script to use pfsense:3128
for both http and https as proxy. Squidguard can only filter on the host
part of the URL for https, because the rest is hidden by ssl.

Transparent mode is a disappointment, because it does not ensure traffic
goes through squid/squidguard, as you observed. Pfsense is also
fail-unsafe(!) - any issue with squid or squidguard bypasses the proxy,
disabling all filtering, which I find rather unsatisfactory. Or whatever
the exact reason is some traffic bypasses squid/squidguard, I haven't
found it yet. Turning transparency off and inserting a block rule for
direct http/https seems to be safest.

Also, squid bypasses squidguard when it detects a malfunction with it -
OK for a cache, pretty much no good for a filtering proxy implementing
policies.

There are bugs in the handling of filter expressions in squidguard,
allowing some URLs to pass that should be blocked! Plus the SG config
file generation in pfsense is broken (creates illegal/non-functional
configs), but no-one was interested in fixing it although I submitted a
patch years ago.

It'd also be handy if pfsense was able to serve the browser proxy script
and squidguard error pages, but in the desirable configuration it's not,
though serving the error pages does seem to work partially anyway.

HTH,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
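Volker's suggestion above (point browsers at pfsense:3128 for both http and https through a proxy script, and block direct http/https at the firewall) written out as a proxy auto-config (PAC) file. This is an added example, not code from the original posts; the firewall hostname pfsense, the internal DNS suffix .lan and the LAN range 192.168.1.0/24 are assumptions for the example, and the script is kept to plain ES3-style JavaScript so it loads in a browser's PAC engine and also runs under Node for the checks below.

```javascript
// Added example, not from the thread: a proxy auto-config (PAC) script for the
// explicit-proxy setup Volker describes, i.e. browsers sending both http and
// https through Squid on pfsense:3128 instead of relying on transparent mode.
// Assumptions for this example: the firewall resolves as "pfsense", the
// internal DNS suffix is ".lan", and the LAN is 192.168.1.0/24.

var SQUID = "PROXY pfsense:3128";
var LOCAL_SUFFIX = ".lan";        // assumed internal DNS suffix
var LOCAL_PREFIX = "192.168.1.";  // assumed LAN, as a dotted-quad prefix

// Single-label names ("printer", "pfsense") never leave the LAN.
function isPlainHost(host) {
  return host.indexOf(".") === -1;
}

// Suffix test without String.prototype.endsWith, which older PAC engines lack.
function hasSuffix(s, suffix) {
  return s.length >= suffix.length &&
         s.slice(s.length - suffix.length) === suffix;
}

// Literal IPv4 address inside the assumed LAN range.
function isLanAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
         host.indexOf(LOCAL_PREFIX) === 0;
}

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();

  // Internal destinations, including the proxy box itself, are reached
  // directly; otherwise the browser would try to fetch pfSense's own pages
  // (web UI, error pages) through Squid.
  if (isPlainHost(h) || hasSuffix(h, LOCAL_SUFFIX) || isLanAddress(h) ||
      h === "localhost" || h === "127.0.0.1") {
    return "DIRECT";
  }

  // Everything else goes to Squid. Deliberately no "; DIRECT" fallback: if
  // Squid is down the browser fails instead of silently bypassing SquidGuard,
  // which is the fail-unsafe behaviour of transparent mode that the message
  // above complains about. Pair this with a firewall rule that blocks direct
  // http/https from the LAN, as Volker suggests.
  return SQUID;
}
```

Browsers pick this up through their "automatic proxy configuration URL" setting; since Volker notes pfSense cannot conveniently serve the script in the desired configuration, host it on any internal web server. The missing DIRECT fallback is the point of the design: with the block rule in place, a broken proxy means no web access rather than unfiltered web access.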


Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-08 Thread José Gregorio Díaz Unda
Update:

Before I left the office, I decided to test from another laptop.
Unfortunately, I was able to access YouTube.

Why do some machines access YouTube while others apparently are blocked?

What could I be missing?

Thanks in advance.

José G.





Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-08 Thread José Gregorio Díaz Unda
Hi Web and thanks for your help,

Recently I've updated to:

*2.3.4-RELEASE (i386) *
*built on Wed May 03 15:22:11 CDT 2017 *
*FreeBSD 10.3-RELEASE-p19*


And my packages for content cache/filtering:

*squid 0.4.36_3*
*squidGuard 1.16.2*


I have selected *"Splice All"* for SSL/MITM Mode which says: *"This
configuration is suitable if you want to use the SquidGuard package for web
filtering. All destinations will be spliced. SquidGuard can do its job of
denying or allowing destinations according its rules, as it does with HTTP.
You do not need to install the CA certificate configured below on clients."*

Currently I have Transparent HTTP Proxy mode enabled. However, I
uninstalled the local SSL certificate pinned in Firefox.

After enabling HTTPS/SSL Interception, I created a couple of rules:

   1. In the Domain List box I wrote: mega.cl;
   2. A Target Group named "stream_de_video", and inside the "Regular
   Expression" box I wrote "youtube".


Then, I did some tests with Firefox and had these results:

   1. http://youtube.com -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   2. http://www.youtube.com -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   3. https://youtube.com/ -> *"Secure Connection Failed: An error occurred
   during a connection to youtube.com. SSL received a record that exceeded
   the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG"*
   4. https://www.youtube.com/ -> *"Secure Connection Failed: An error
   occurred during a connection to youtube.com. SSL received a record that
   exceeded the maximum permissible length. Error code:
   SSL_ERROR_RX_RECORD_TOO_LONG"*
   5. http://mega.cl/ -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   6. http://www.mega.cl/ -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   7. https://www.mega.cl/ -> *"Secure Connection Failed: An error occurred
   during a connection to youtube.com. SSL received a record that exceeded
   the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG"*

I don't understand why 3 and 4 are not matching with the target group, but
apparently YouTube is being blocked when the browser is Firefox. On the
other hand, mega.cl as a domain is being blocked for both SSL and non-SSL
traffic.

However, when I do the same tests using Google Chrome there is a different
story:

*Using an Incognito Window:* Apparently everything is blocked


   1. http://youtube.com -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   2. http://www.youtube.com -> *Chrome redirects to the
   https://www.youtube.com site and the error says "www.youtube.com sent an
   invalid response. ERR_SSL_PROTOCOL_ERROR"*
   3. https://youtube.com/ -> *The error says "youtube.com sent an invalid
   response. ERR_SSL_PROTOCOL_ERROR"*
   4. https://www.youtube.com/ -> *"Secure Connection Failed: An error
   occurred during a connection to www.youtube.com. SSL received a record
   that exceeded the maximum permissible length. Error code:
   SSL_ERROR_RX_RECORD_TOO_LONG"*
   5. http://mega.cl/ -> *"Request denied by pfSense proxy: 403 Forbidden"
   (Matched with stream_de_video target group)*
   6. http://www.mega.cl/ -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   7. https://www.mega.cl/ -> *"www.mega.cl sent an invalid response.
   ERR_SSL_PROTOCOL_ERROR" (Because mega.cl does not use an SSL
   certificate)*


*Using my "Normal Window"* (Non-Incognito): I access YouTube via SSL


   1. http://youtube.com -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   2. http://www.youtube.com -> *Chrome redirects to the
   https://www.youtube.com site and the YouTube content is shown.*
   3. https://youtube.com/ -> *The error says "youtube.com sent an invalid
   response. ERR_SSL_PROTOCOL_ERROR"*
   4. https://www.youtube.com/ -> *Chrome redirects to the
   https://www.youtube.com site and the YouTube content is shown.*
   5. http://mega.cl/ -> *"Request denied by pfSense proxy: 403 Forbidden"
   (Matched with stream_de_video target group)*
   6. http://www.mega.cl/ -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   7. https://www.mega.cl/ -> *"www.mega.cl sent an invalid response.
   ERR_SSL_PROTOCOL_ERROR" (Because mega.cl does not use an SSL
   certificate)*


After you mention QUIC, I did some research and found this: How to 
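
The two rules in the message above (a domain list entry for mega.cl and a regular expression "youtube" in the stream_de_video target group) are evaluated against very different inputs for plain HTTP and for spliced HTTPS. The following is an added example, not code from the thread or from pfSense/SquidGuard: it models what a URL filter is handed in each case so the reader can see which kinds of rule can still apply once only the host is visible. It assumes that a spliced HTTPS request reaches the filter as "host:port" only, with path and query hidden (Volker's point in this thread), and that an HTTP request reaches it as the full URL. The rule set, the extra "video_pages" group with a path-based expression, and the test URLs are constructed for the example; the script does not model the TLS errors reported above.

```javascript
// Added example, not from the thread: what a URL filter such as SquidGuard can
// see for plain HTTP versus spliced HTTPS, and how the rules from the message
// above behave on each. Assumption: an HTTPS CONNECT is presented to the
// filter as "host:port" only; an HTTP request is presented as the full URL.

// Target groups constructed for the example. The first mirrors the thread's
// rules (domain list mega.cl plus expression "youtube"); the second is an
// extra, path-based expression added to show what HTTPS hides. Expressions are
// made case-insensitive here as a design choice of this example.
const TARGET_GROUPS = [
  { name: "stream_de_video", domains: ["mega.cl"], expressions: [/youtube/i] },
  { name: "video_pages",     domains: [],          expressions: [/\/watch\?v=/i] },
];

// Returns { scheme, host, port, path } or null for something that is not a URL.
function parseUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#]+)(?::(\d+))?([^#]*)/i.exec(url);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const port = m[3] ? Number(m[3]) : (scheme === "https" ? 443 : 80);
  return { scheme, host: m[2].toLowerCase(), port, path: m[4] || "/" };
}

// The string the filter is handed: host:port for HTTPS (CONNECT), the whole
// URL for HTTP. Returns null for unparseable input.
function visibleToFilter(url) {
  const u = parseUrl(url);
  if (!u) return null;
  if (u.scheme === "https") return u.host + ":" + u.port;  // path/query hidden
  return url;                                              // everything visible
}

// Domain-list semantics: the host itself or any subdomain of it.
function hostInDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Name of the first target group that matches, or null if the request passes.
// Domain rules only need the host, which survives splicing; expression rules
// see only what visibleToFilter() returns.
function matchTargetGroup(url) {
  const u = parseUrl(url);
  const seen = visibleToFilter(url);
  if (!u || seen === null) return null;
  for (const g of TARGET_GROUPS) {
    if (g.domains.some(d => hostInDomain(u.host, d))) return g.name;
    if (g.expressions.some(re => re.test(seen))) return g.name;
  }
  return null;
}

// Evaluate a list of URLs; used for the stand-alone run below.
function report(urls) {
  return urls.map(url => ({ url, seen: visibleToFilter(url), group: matchTargetGroup(url) }));
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed sample input, modelled on the tests in the message above.
  console.table(report([
    "http://www.youtube.com/",
    "https://www.youtube.com/",
    "http://www.mega.cl/",
    "https://www.mega.cl/",
    "http://video.example.test/watch?v=abc",
    "https://video.example.test/watch?v=abc",
  ]));
}
```

The last two constructed URLs are the instructive pair: a rule that keys on the path ("/watch?v=") fires for HTTP and is blind for HTTPS, while the host-based rules (domain list, or an expression that happens to match the hostname) behave the same for both, which is why Volker describes filtering on the host part of the URL as the workable option without MITM.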

Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-08 Thread WebDawg
There are interception modes.

Peek
Peek and splice
And bump.

So squid:

I do not have it in front of me right now but it sounds like you do not
have the SSL proxy setup right.  Only one of those methods does not require
an SSL cert to be installed on a client system.

Also you have to deal with pinned certs in web browsers; also you have to
deal with chrome udp protocols like QUIC that bypass the proxy entirely...

It is either you have the proxy setup wrong or did not setup the squid rules
right.

Web.



[pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-08 Thread José Gregorio Díaz Unda
Dear PFSense crew,

I'm not sure if this is the right place to post my issue. If not, please
let me know.

Has somebody set up SSL filtering well in pfSense?

I have installed:

PFSense 2.3.3_1
squid 0.4.36_3
squidGuard 1.16.1

Transparent Mode


I just want to block YouTube (SSL) for a certain group of users via alias,
but when SquidGuard is enabled, any SSL traffic is blocked.

This is a basic task but unfortunately it has been impossible to make it
work.

Thanks in advance.

José G.