Dear Volker, thanks for your great explanation.

So I will use the host name only at least for this moment, in order to
start some tests. Because we don't want to install any certificate in the
WiFi clients, we want a 100% transparent connection.

Regards,

ADAM

2017-10-12 17:24 GMT-03:00 Volker Kuhlmann <[email protected]>:

> On Fri 13 Oct 2017 08:15:20 NZDT +1300, Adam Cage wrote:
>
> > This is useful to filter facebook, twitter, gmail and other HTTPS sites,
> > just taking into account the URL ??? What can't I block for example ???
>
> Look at squidguard rules - they're in 3 sections: hosts only, URLs, and
> general regexp. With http all 3 of them work (within the bugginess of
> squidguard and pfsense anyway).
>
> With https the URL is encrypted, except for the host name part. I.e. the
> SSL connection to the server is established on the host part only, and
> the client sends the full URL only over the SSL connection once
> established.
>
> So you have 2 options for https:
>
> 1) Full MITM attack, requiring client cert installs on all clients so
> that the clients establish encrypted connections with the key of your
> attack server (aka firewall) instead, and you have a chance of
> inspecting the content.
>
> 2) Inspect on host name only, that part is not encrypted.
>
> As everything is moving to http it's becoming seriously difficult to use
> squidguard as outgoing filter to get rid of all the shitvertising and
> privacy invading user tracking rubbish (which wastes my time, bandwidth
> and money for absolutely zero gain to me).
>
> Volker
>
> --
> Volker Kuhlmann                 is list0570 with the domain in header.
> http://volker.top.geek.nz/      Please do not CC list postings to me.
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
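
Added example, not part of the original thread: option 2 above works because the client sends the host name in clear text in the server_name (SNI) extension of its TLS ClientHello, which this sketch parses and checks against a host-only blocklist. The function names are hypothetical, the sample ClientHello is constructed locally with Python's ssl module (no network traffic), and matching parent domains is this example's choice of rule.

```python
import ssl

def sample_client_hello(host):
    """Constructed sample: a real ClientHello produced in memory, no network I/O."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()

def u16(buf, pos):
    """Read a big-endian 16-bit length or type field."""
    return int.from_bytes(buf[pos:pos + 2], "big")

def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                      # not a handshake record / not a ClientHello
    body = record[5:5 + u16(record, 3)]
    try:
        pos = 4 + 2 + 32                 # handshake header, client_version, random
        pos += 1 + body[pos]             # session_id
        pos += 2 + u16(body, pos)        # cipher_suites
        pos += 1 + body[pos]             # compression_methods
        end = min(pos + 2 + u16(body, pos), len(body))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = u16(body, pos), u16(body, pos + 2)
            pos += 4
            if ext_type == 0 and body[pos + 2] == 0:   # server_name, type host_name
                name = body[pos + 5:pos + 5 + u16(body, pos + 3)]
                return name.decode("ascii").lower()
            pos += ext_len
    except (IndexError, UnicodeDecodeError):
        return None                      # truncated or malformed hello
    return None

def host_blocked(host, blocked_domains):
    """Host-only rule: match the name itself or any parent domain."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked_domains for i in range(len(labels)))

if __name__ == "__main__":
    sni = extract_sni(sample_client_hello("www.facebook.com"))
    print(sni, host_blocked(sni, {"facebook.com", "twitter.com"}))
```

Only the host name is available to the filter here; the path and query string travel inside the encrypted session and never appear in the ClientHello.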