On 11 Oct 2017, at 21:05, Adam Cage <[email protected]> wrote:

> Dear Chris, I need the Squid proxy to filter traffic working with
> Squidguard. The guest cell phones will be authenticated to my WiFi, and
> after that they can go to HTTP/HTTPS web sites with zero configuration
> because I can't tell my guests to set up a CA certificate, a proxy IP and
> port in their phone's browsers or whatever at all. So I need a transparent
> proxy.

What you’re asking isn’t possible without installing a certificate on the client device(s) - and with good reason: you’re effectively performing a man-in-the-middle attack; something SSL/TLS was designed to prevent.

In order to proxy SSL traffic, you need to effectively decrypt it at the proxy, then re-encrypt it using a new private key. Obviously you can’t re-encrypt it using the original key, because you don’t have access to the private key, hence the need for your own certificate installed on the client device.

So you have two choices: either install the certificate on the client, or accept that you aren’t going to be able to do more than the most basic filtering on HTTPS traffic - that is to say, by IP address or FQDN.

Kind regards,

Chris

-- 
This email is made from 100% recycled electrons
