Re: [pfSense Support] can't block https://facebook.com via firefox

Wed, 23 Mar 2011 12:46:06 -0700 

Yehuda Katz <yeh...@ymkatz.net> ha escrito:


On Wed, Mar 23, 2011 at 2:56 PM, David Barbero <s...@loquefaltaba.com>wrote:


Alberto Mijares <amijar...@gmail.com> ha escrito:


Squid can not store in cache the content from https traffic; however,
you are still able to create ACL's to control the access to this
URI's.

Check out your ACL.



Squid cannot stored and cannot filtering https connetions, when the client
open a https conection the squid only make a tunnel from client to server,
don't see anything of content or URL (Only see destination IP), the only way
to block https connetions is filter by destination ip in pf or acl (I'm not
sure if this work properly with squid acl), but squid o squidguard can't
filter a SSL connection directly.



That is absolutely wrong, Squid (with SquidGuard)  in a TRANSPARENT
PROXY configuration can not filter https traffic.
If you are using explicit proxy settings in your browser, https (and just
about any other protocol) can be filtered.
As I said earlier in this thread, I have the exact configuration that the
original poster was looking for:
- SquidGuard filters according to a third-party blacklist of websites.
- All ports that are handled by Squid/SquidGuard, including 80 (http) and
443 (https) are redirected by the pfSense (using a NAT rule) to an error
page explaining how to set up a proxy in different browsers.
- We are not using Squid for the purpose of caching, only filtering (limited
hard drive space, otherwise we might)

If anyone wants specific details about how to set up this configuration, I
might be able to help you as my time allows.

- Yehuda
The thread talk of transparent proxy and I just talked about transparent proxy, so it is not wrong, that's right, if we put the direct proxy it would be wrong :P 

Cheers.

--
"Linux is for people who hate Windows, BSD is for people who love UNIX"
"Social Engineer -> Because there is no patch for human stupidity"

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Reply via email to