Sorry, but in the case of using SSL Peek/Splice, you say I cannot get a standard
“site blocked” page, just a broken SSL negotiation for blocked sites. I think I
can block URLs and not content inside the SSL connections.

This is useful to filter Facebook, Twitter, Gmail and other HTTPS sites,
just taking into account the URL? What can't I block, for example?

Thanks a lot !

2017-10-12 15:08 GMT-03:00 Adam Cage <[email protected]>:

> Thanks to all, you helped me a lot...
>
> Chris, when you said "accept that you aren’t going to be able to do more
> than the most basic filtering on HTTPS traffic - that is to say, by IP
> address or FQDN"... what do you mean exactly? Will the IP or FQDN HTTPS
> filtering be done by Squid or SquidGuard in this case?
>
> Thanks again,
>
> ADAM
>
> 2017-10-11 18:15 GMT-03:00 Chris Bagnall <[email protected]>:
>
>> On 11 Oct 2017, at 21:05, Adam Cage <[email protected]> wrote:
>> > Dear Chris, I need the Squid proxy to filter traffic working with
>> > SquidGuard. The guest cell phones will be authenticated to my WiFi, and
>> > after that they can go to HTTP/HTTPS web sites with zero configuration,
>> > because I can't tell my guests to set up a CA certificate, a proxy IP and
>> > port in their phone's browsers or anything at all. So I need a
>> > transparent proxy.
>>
>> What you’re asking isn’t possible without installing a certificate on the
>> client device(s) - and with good reason: you’re effectively performing a
>> man-in-the-middle attack; something SSL/TLS was designed to prevent.
>>
>> In order to proxy SSL traffic, you need to effectively decrypt it at the
>> proxy, then re-encrypt it using a new private key. Obviously you can’t
>> re-encrypt it using the original key, because you don’t have access to the
>> private key, hence the need for your own certificate installed on the
>> client device.
>>
>> So you have two choices: either install the certificate on the client, or
>> accept that you aren’t going to be able to do more than the most basic
>> filtering on HTTPS traffic - that is to say, by IP address or FQDN.
>>
>> Kind regards,
>>
>> Chris
>> --
>> This email is made from 100% recycled electrons
>>
>> _______________________________________________
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
>>
>
>
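What Chris's replies above amount to, as an added example that is not code from this thread, pfSense, Squid or SquidGuard: a proxy that only peeks at an HTTPS connection sees the TLS ClientHello, and the one filterable field in it is the Server Name Indication (SNI) hostname. The script below builds a constructed ClientHello, extracts the SNI the way a peeking proxy would, and applies a hostname-only block decision. The blocklist, the helper names and the `terminate`/`splice` outcomes are illustrative assumptions; `terminate` stands for the broken SSL negotiation the client ends up with instead of a block page.

```python
"""Why SSL peek/splice can only filter HTTPS by hostname (added example).

Builds a constructed TLS ClientHello, extracts the SNI host_name as a peeking
proxy does, and applies a hostname-only policy. The HTTP request line and
path are inside the encrypted stream and never appear here.
"""
import os
import struct
from typing import Iterable, Optional

HANDSHAKE = 0x16        # TLS record content type
CLIENT_HELLO = 0x01     # handshake message type
SNI_EXT_TYPE = 0x0000   # server_name extension


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (sample input only)."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
    # An unrelated, empty extension so the parser has to skip correctly.
    extensions += struct.pack("!HH", 0x0017, 0)                 # extended_master_secret
    body = (
        b"\x03\x03" + os.urandom(32)                              # client_version, random
        + b"\x00"                                                 # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"              # two cipher suites
        + b"\x01\x00"                                             # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip client_version + random
    pos += 1 + p[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", p[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + p[pos]                                 # compression_methods
    if pos >= len(p):
        return None                                   # no extensions block at all
    end = pos + 2 + struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4])
        data = p[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != SNI_EXT_TYPE:
            continue
        q = 2                                         # skip ServerNameList length
        while q + 3 <= len(data):
            ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            if ntype == 0:
                return data[q + 3:q + 3 + nlen].decode("ascii")
            q += 3 + nlen
    return None


def peek_decision(record: bytes, blocked_domains: Iterable[str]) -> str:
    """Hostname-only policy, the most a peek/splice proxy can apply.

    'terminate' drops the handshake (the client sees a TLS error, never an
    HTML block page); 'splice' passes the encrypted stream through untouched.
    A domain is blocked or allowed as a whole; there is no path to inspect.
    """
    host = extract_sni(record)
    if host is None:
        return "splice"                               # nothing to match; only IP rules remain
    host = host.lower().rstrip(".")
    for d in (x.lower() for x in blocked_domains):
        if host == d or host.endswith("." + d):
            return "terminate"
    return "splice"


if __name__ == "__main__":
    blocked = ["facebook.com", "twitter.com"]         # assumed blocklist for illustration
    for h in ["www.facebook.com", "mail.google.com", None]:
        print(h, "->", peek_decision(build_client_hello(h), blocked))
```

The decision never sees a path such as `/messages`, so a host like mail.google.com can only be blocked or allowed as a whole, and a blocked client gets a handshake failure rather than the proxy's error page. When the client sends no SNI at all, the policy has nothing to match and falls back to splicing, leaving an IP or FQDN rule at the firewall as the only remaining control.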
