OK Chris, thanks a lot.....I'm using Squid + Squidguard now in transparent mode.
HTTPS filter with Squidguard now works OK, but HTTP doesn't. I followed a basic tutorial using port 3128 for HTTP and 3129 for HTTPS, but I can't solve the problem. Can you suggest something for me to review? Thanks a lot,

ADAM

2017-10-19 15:35 GMT-03:00 Chris L <[email protected]>:

> > On Oct 19, 2017, at 8:36 AM, Adam Cage <[email protected]> wrote:
> >
> > Dear Volker and others,
> >
> > If I just inspect on host name only, do I have to create a CA and
> > Certificate to install in the proxy server of pfSense anyway ???
> >
> > Thanks a lot,
> >
> > ADAM
>
> You do have to create a CA and tell squid to use it but it is not used to
> spin up certificates and it does not have to be installed to the clients’
> trusted stores if you are only using peek/splice.
>
> I am not sure if the requirement is due to the GUI form or squid itself.
> End result is the same regardless.
>
> > 2017-10-12 17:24 GMT-03:00 Volker Kuhlmann <[email protected]>:
> >
> >> On Fri 13 Oct 2017 08:15:20 NZDT +1300, Adam Cage wrote:
> >>
> >>> This is useful to filter facebook, twitter, gmail and other HTTPS sites,
> >>> just taking into account the URL ??? What can't I block for example ???
> >>
> >> Look at squidguard rules - they're in 3 sections: hosts only, URLs, and
> >> general regexp. With http all 3 of them work (within the bugginess of
> >> squidguard and pfsense anyway).
> >>
> >> With https the URL is encrypted, except for the host name part. I.e. the
> >> SSL connection to the server is established on the host part only, and
> >> the client sends the full URL only over the SSL connection once
> >> established.
> >>
> >> So you have 2 options for https:
> >>
> >> 1) Full MITM attack, requiring client cert installs on all clients so
> >> that the clients establish encrypted connections with the key of your
> >> attack server (aka firewall) instead, and you have a chance of
> >> inspecting the content.
> >>
> >> 2) Inspect on host name only, that part is not encrypted.
> >>
> >> As everything is moving to http it's becoming seriously difficult to use
> >> squidguard as outgoing filter to get rid of all the shitvertising and
> >> privacy invading user tracking rubbish (which wastes my time, bandwidth
> >> and money for absolutely zero gain to me).
> >>
> >> Volker
> >>
> >> --
> >> Volker Kuhlmann is list0570 with the domain in header.
> >> http://volker.top.geek.nz/ Please do not CC list postings to me.
> >> _______________________________________________
> >> pfSense mailing list
> >> https://lists.pfsense.org/mailman/listinfo/list
> >> Support the project with Gold! https://pfsense.org/gold
