[pfSense] squid3
dear all, today i fresh installed squid 3 then i rebooted my pfsense firewall then i try to access pfsense firewall its not access i have gettting msg pls help ... ERRORThe requested URL could not be retrieved -- The following error was encountered while trying to retrieve the URL: https://172.16.100.4/ *Unable to forward this request at this time.* This request could not be forwarded to the origin server or to any parent caches. Some possible problems are: - An Internet connection needed to access this domains origin servers may be down. - All configured parent caches may be currently unreachable. - The administrator may not allow this cache to make direct connections to origin servers. Your cache administrator is admin@localhost . -- Generated Wed, 21 May 2014 07:11:03 GMT by localhost (squid/3.1.20) ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
[pfSense] Squid3 with https filtering
Hello, Had anybody successfully configured squid3-dev with squidguard-squid3 with properly works https filtering...? Thanks MOHAN RAO +91 98260 61122 ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Squid3 with https filtering
Waiting... For new posts... On Jun 16, 2014 11:36 PM, "A Mohan Rao" wrote: > Hello, > Had anybody successfully configured squid3-dev with squidguard-squid3 with > properly works https filtering...? > > Thanks > MOHAN RAO > +91 98260 61122 > ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Squid3 with https filtering
And? This list is only as active as the people that read it. Posting additional emails without additional information is, at the least, annoying. On Jun 16, 2014, at 21:31, A Mohan Rao wrote: > Waiting... For new posts... > > On Jun 16, 2014 11:36 PM, "A Mohan Rao" wrote: > Hello, > Had anybody successfully configured squid3-dev with squidguard-squid3 with > properly works https filtering...? > > Thanks > MOHAN RAO > +91 98260 61122 > ___ > List mailing list > List@lists.pfsense.org > https://lists.pfsense.org/mailman/listinfo/list ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Squid3 with https filtering
On 16/6/14 7:06 pm, A Mohan Rao wrote: Had anybody successfully configured squid3-dev with squidguard-squid3 with properly works https filtering...? (not specific to pfSense, but might be useful info for HTTPS interception in general) You are only going to be able to do that if you have control over the client machines and can add the Squid server's certificate to the client browser's trust list, otherwise your users are going to get incorrect certificate warnings whenever they browse an HTTPS site. It does rather beg the question: why are you trying to do this? Given HTTPS is *designed* to be a secure protocol end-to-end, breaking it open in the middle, decrypting it, then re-encrypting it with your certificate is just opening up an easy attack vector. At the very least your users need to be made very clearly aware that this is what you're doing and why you're breaking SSL to do it. Kind regards, Chris -- This email is made from 100% recycled electrons ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Squid3 with https filtering
actually i need to block https sites like https facebook or https youtube etc with transparent proxy. now pls give any idea...! On Tue, Jun 17, 2014 at 2:59 PM, Chris Bagnall wrote: > On 16/6/14 7:06 pm, A Mohan Rao wrote: > >> Had anybody successfully configured squid3-dev with squidguard-squid3 with >> properly works https filtering...? >> > > (not specific to pfSense, but might be useful info for HTTPS interception > in general) > > You are only going to be able to do that if you have control over the > client machines and can add the Squid server's certificate to the client > browser's trust list, otherwise your users are going to get incorrect > certificate warnings whenever they browse an HTTPS site. > > It does rather beg the question: why are you trying to do this? > Given HTTPS is *designed* to be a secure protocol end-to-end, breaking it > open in the middle, decrypting it, then re-encrypting it with your > certificate is just opening up an easy attack vector. At the very least > your users need to be made very clearly aware that this is what you're > doing and why you're breaking SSL to do it. > > Kind regards, > > Chris > -- > This email is made from 100% recycled electrons > > ___ > List mailing list > List@lists.pfsense.org > https://lists.pfsense.org/mailman/listinfo/list > ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Squid3 with https filtering
On 17/6/14 10:32 am, A Mohan Rao wrote: actually i need to block https sites like https facebook or https youtube etc with transparent proxy. So in order to block Facebook and Youtube, you're going to put all your users at risk of SSL MITM attacks on every secure website they visit? You would be better off - I'd have thought - simply blocking the relevant DNS entries and/or IP ranges used by those websites you wish to block. DNS is probably better - and there are lists out there of Facebook DNS names, since blocking by IP range might knock out the whole CDN, which may be used by other sites as well. Kind regards, Chris -- This email is made from 100% recycled electrons ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Squid3 with https filtering
On Tue, 17 Jun 2014, A Mohan Rao wrote: actually i need to block https sites like https facebook or https youtube etc with transparent proxy. now pls give any idea...! Simple things like adding bogus DNS records pointing to your own server would stop the majority of non-tech savvy users. Blocking the majority of facebook ips would help too: http://stackoverflow.com/questions/11164672/list-of-ip-space-used-by-facebook -- Joe Laffey The Stable Visual Effects http://TheStable.tv/?e34619M/ ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Squid3 with https filtering
On 06/17/2014 05:32 PM A Mohan Rao wrote: > actually i need to block https sites like https facebook or https youtube > etc with transparent proxy. > > now pls give any idea...! You may want to try using the CONNECT method in order to filter HTTPS requests. Those happen before a secure connection is being established. This way you can filter I usually run dansguardian which has a quite complex but very effective way of filtering SSL related traffic. From its documentation: "Blanket SSL blocking so you can block SSL anonymous proxies and allow access to legitimate SSL sites such as banking by whitelisting" => http://dansguardian.org/ But be aware using CONNECT method based filtering requires the proxy to be explicitly configured on respective devices and therefore won't work with a transparent proxy. Additional information on the CONNECT method: http://wiki.squid-cache.org/Features/HTTPS Cheers signature.asc Description: OpenPGP digital signature ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Squid3 with https filtering
I m using squid3-dev and squardguard-squid3 with transparent proxy with https proxy. All works fine but gmail or goole not open. Other sites working good. When i try to access google or gmail its given certificate error. i checked my level best also many times create or delete certificates then also import that certificate on browser but still m having same problem... Really very appritiate and lots of thanks in advance if give any positive IDEA. Thanks Mohan +91 98260 61122 On Jun 18, 2014 1:02 PM, "Jan" wrote: > On 06/17/2014 05:32 PM A Mohan Rao wrote: > > actually i need to block https sites like https facebook or https youtube > > etc with transparent proxy. > > > > now pls give any idea...! > > You may want to try using the CONNECT method in order to filter HTTPS > requests. Those happen before a secure connection is being established. > This way you can filter > > I usually run dansguardian which has a quite complex but very effective way > of filtering SSL related traffic. > > From its documentation: > > "Blanket SSL blocking so you can block SSL anonymous proxies and allow > access to legitimate SSL sites such as banking by whitelisting" > > => http://dansguardian.org/ > > But be aware using CONNECT method based filtering requires the proxy to be > explicitly configured on respective devices and therefore won't work with a > transparent proxy. > > Additional information on the CONNECT method: > > http://wiki.squid-cache.org/Features/HTTPS > > Cheers > > > ___ > List mailing list > List@lists.pfsense.org > https://lists.pfsense.org/mailman/listinfo/list > ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Squid3 with https filtering
There is a way to auto configure the proxy settings on modern browsers, so that you don't have to manually configure them individually WPAD and Proxy auto-config http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol http://en.wikipedia.org/wiki/Proxy_auto-config Walter On Wed, Jun 18, 2014 at 8:14 AM, A Mohan Rao wrote: > I m using squid3-dev and squardguard-squid3 with transparent proxy with > https proxy. > All works fine but gmail or goole not open. Other sites working good. > When i try to access google or gmail its given certificate error. i > checked my level best also many times create or delete certificates then > also import that certificate on browser but still m having same problem... > Really very appritiate and lots of thanks in advance if give any positive > IDEA. > > Thanks > Mohan > +91 98260 61122 > On Jun 18, 2014 1:02 PM, "Jan" wrote: > >> On 06/17/2014 05:32 PM A Mohan Rao wrote: >> > actually i need to block https sites like https facebook or https >> youtube >> > etc with transparent proxy. >> > >> > now pls give any idea...! >> >> You may want to try using the CONNECT method in order to filter HTTPS >> requests. Those happen before a secure connection is being established. >> This way you can filter >> >> I usually run dansguardian which has a quite complex but very effective >> way >> of filtering SSL related traffic. >> >> From its documentation: >> >> "Blanket SSL blocking so you can block SSL anonymous proxies and allow >> access to legitimate SSL sites such as banking by whitelisting" >> >> => http://dansguardian.org/ >> >> But be aware using CONNECT method based filtering requires the proxy to be >> explicitly configured on respective devices and therefore won't work with >> a >> transparent proxy. >> >> Additional information on the CONNECT method: >> >> http://wiki.squid-cache.org/Features/HTTPS >> >> Cheers >> >> >> ___ >> List mailing list >> List@lists.pfsense.org >> https://lists.pfsense.org/mailman/listinfo/list >> > > ___ > List mailing list > List@lists.pfsense.org > https://lists.pfsense.org/mailman/listinfo/list > -- The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Squid3 with https filtering
Hello all, Still m waiting good news for squid3 with https filtering properly works. Thanks Mohan On Wed, Jun 18, 2014 at 11:01 PM, Walter Parker wrote: > There is a way to auto configure the proxy settings on modern browsers, so > that you don't have to manually configure them individually > > WPAD and Proxy auto-config > http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol > http://en.wikipedia.org/wiki/Proxy_auto-config > > > Walter > > > On Wed, Jun 18, 2014 at 8:14 AM, A Mohan Rao wrote: > >> I m using squid3-dev and squardguard-squid3 with transparent proxy with >> https proxy. >> All works fine but gmail or goole not open. Other sites working good. >> When i try to access google or gmail its given certificate error. i >> checked my level best also many times create or delete certificates then >> also import that certificate on browser but still m having same problem... >> Really very appritiate and lots of thanks in advance if give any positive >> IDEA. >> >> Thanks >> Mohan >> +91 98260 61122 >> On Jun 18, 2014 1:02 PM, "Jan" wrote: >> >>> On 06/17/2014 05:32 PM A Mohan Rao wrote: >>> > actually i need to block https sites like https facebook or https >>> youtube >>> > etc with transparent proxy. >>> > >>> > now pls give any idea...! >>> >>> You may want to try using the CONNECT method in order to filter HTTPS >>> requests. Those happen before a secure connection is being established. >>> This way you can filter >>> >>> I usually run dansguardian which has a quite complex but very effective >>> way >>> of filtering SSL related traffic. >>> >>> From its documentation: >>> >>> "Blanket SSL blocking so you can block SSL anonymous proxies and allow >>> access to legitimate SSL sites such as banking by whitelisting" >>> >>> => http://dansguardian.org/ >>> >>> But be aware using CONNECT method based filtering requires the proxy to >>> be >>> explicitly configured on respective devices and therefore won't work >>> with a >>> transparent proxy. >>> >>> Additional information on the CONNECT method: >>> >>> http://wiki.squid-cache.org/Features/HTTPS >>> >>> Cheers >>> >>> >>> ___ >>> List mailing list >>> List@lists.pfsense.org >>> https://lists.pfsense.org/mailman/listinfo/list >>> >> >> ___ >> List mailing list >> List@lists.pfsense.org >> https://lists.pfsense.org/mailman/listinfo/list >> > > > > -- > The greatest dangers to liberty lurk in insidious encroachment by men of > zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis > > ___ > List mailing list > List@lists.pfsense.org > https://lists.pfsense.org/mailman/listinfo/list > ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
[pfSense] Squid3-dev and Squidguard-squid3 with transparent proxy
Dear experts, Squid3-dev and Squidguard-squid3 with ssl transparent proxy really works yes or no. If no then can i again move to my previous setup squid and squid guard with only http transparent proxy. Thanks Mohan Rao IPS ACADEMY NETWORK ADMINISTRATOR INDORE (M.P.) INDIA ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
