Past, comers

Signed,
Benjamin E. Nichols
http://www.squidblacklist.org
On Oct 19, 2017, at 2:21 PM, Adam Cage <[email protected]> wrote:

> OK Chris, thanks a lot..... I'm using Squid + Squidguard now in transparent mode.
>
> HTTPS filter with Squidguard now works OK, but HTTP doesn't. I followed a basic tutorial using port 3128 for HTTP and 3129 for HTTPS, but I can't find how to solve the problem.
>
> Can you suggest something to review?
>
> Thanks a lot,
>
> ADAM
>
> 2017-10-19 15:35 GMT-03:00 Chris L <[email protected]>:
>
>>> On Oct 19, 2017, at 8:36 AM, Adam Cage <[email protected]> wrote:
>>>
>>> Dear Volker and others,
>>>
>>> If I just inspect on host name only, do I have to create a CA and Certificate to install in the proxy server of pfSense anyway???
>>>
>>> Thanks a lot,
>>>
>>> ADAM
>>
>> You do have to create a CA and tell squid to use it, but it is not used to spin up certificates and it does not have to be installed to the clients' trusted stores if you are only using peek/splice.
>>
>> I am not sure if the requirement is due to the GUI form or squid itself. End result is the same regardless.
>>
>>> 2017-10-12 17:24 GMT-03:00 Volker Kuhlmann <[email protected]>:
>>>
>>>> On Fri 13 Oct 2017 08:15:20 NZDT +1300, Adam Cage wrote:
>>>>
>>>>> This is useful to filter facebook, twitter, gmail and other HTTPS sites, just taking into account the URL??? What can't I block for example???
>>>>
>>>> Look at squidguard rules - they're in 3 sections: hosts only, URLs, and general regexp. With http all 3 of them work (within the bugginess of squidguard and pfsense anyway).
>>>>
>>>> With https the URL is encrypted, except for the host name part. I.e. the SSL connection to the server is established on the host part only, and the client sends the full URL only over the SSL connection once established.
>>>>
>>>> So you have 2 options for https:
>>>>
>>>> 1) Full MITM attack, requiring client cert installs on all clients so that the clients establish encrypted connections with the key of your attack server (aka firewall) instead, and you have a chance of inspecting the content.
>>>>
>>>> 2) Inspect on host name only, that part is not encrypted.
>>>>
>>>> As everything is moving to http it's becoming seriously difficult to use squidguard as outgoing filter to get rid of all the shitvertising and privacy invading user tracking rubbish (which wastes my time, bandwidth and money for absolutely zero gain to me).
>>>>
>>>> Volker
>>>>
>>>> --
>>>> Volker Kuhlmann is list0570 with the domain in header.
>>>> http://volker.top.geek.nz/ Please do not CC list postings to me.
>>>> _______________________________________________
>>>> pfSense mailing list
>>>> https://lists.pfsense.org/mailman/listinfo/list
>>>> Support the project with Gold! https://pfsense.org/gold
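Added example (editor's code, not from any poster in this thread and not part of Squid or squidguard): a small Python demonstration of Volker's point about what a transparent proxy can see without a MITM. It parses the first client packet of a connection, a plaintext HTTP request or a TLS ClientHello, and reports the fields available for filtering: for HTTP the full URL (so squidguard's host, URL and regexp sections can all match), for HTTPS only the host name carried in the Server Name Indication (SNI) extension, which is what Squid's peek/splice mode matches with its ssl::server_name ACL. It then applies a squidguard-style domain list (host itself or any subdomain) to decide block/allow. The packets, the domain list and the helper names are constructed here and are assumptions, not anything the list discussed. Two caveats a practitioner should keep in mind: a client that sends no SNI gives a name-only filter nothing to match, and TLS 1.3 Encrypted Client Hello, where deployed, hides the SNI as well, which pushes you back to option 1 (full MITM) or to IP/DNS-level controls.

```python
"""What a transparent proxy can read before any MITM (editor's example,
not from the thread). Assumptions: one first-client packet containing a
plaintext HTTP request or a TLS 1.0-1.2 style ClientHello with plaintext
SNI; squidguard-style "domains" semantics (exact host or any subdomain)."""
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample: transparent-mode HTTP request, relative target + Host header.
SAMPLE_HTTP = (b"GET /photos/123 HTTP/1.1\r\n"
               b"Host: www.facebook.com\r\n"
               b"User-Agent: constructed-sample\r\n\r\n")


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Minimal TLS 1.2 ClientHello record (constructed test data).
    None omits the SNI extension entirely, like an old or privacy-minded client."""
    if server_name is None:
        extensions = b""
    else:
        name = server_name.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni_body = struct.pack("!H", len(name_list)) + name_list
        ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body       # ext type 0 = server_name
        extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)     # client_version, random (zeroed for the sample)
            + b"\x00"                   # session_id length 0
            + b"\x00\x02\x00\x2f"       # one cipher suite
            + b"\x01\x00"               # compression_methods: null
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """SNI host_name from a ClientHello record, or None if absent or malformed.
    This is the only part of an HTTPS request a peek/splice proxy can read."""
    try:
        if record[0] != 0x16:                                    # ContentType handshake
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                        # HandshakeType client_hello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        p = 2 + 32                                               # version + random
        p += 1 + body[p]                                         # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]           # cipher_suites
        p += 1 + body[p]                                         # compression_methods
        if p + 2 > len(body):
            return None                                          # no extensions block
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            edata = body[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype != 0x0000:
                continue
            list_end = 2 + struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= list_end:
                name_type = edata[q]
                name_len = struct.unpack("!H", edata[q + 1:q + 3])[0]
                if name_type == 0:
                    return edata[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def parse_http_request(raw: bytes) -> Tuple[Optional[str], Optional[str]]:
    """(host, absolute URL) from a plaintext HTTP request head; path included."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None, None
    target = parts[1]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    host = headers.get("host")
    if target.lower().startswith("http://"):
        return host, target                                      # absolute-form target
    return host, ("http://%s%s" % (host, target) if host else None)


def visible_to_proxy(first_packet: bytes) -> Dict[str, Optional[str]]:
    """Fields a transparent proxy can match on without impersonating the server."""
    if first_packet[:1] == b"\x16":
        return {"scheme": "https", "host": extract_sni(first_packet), "url": None}
    host, url = parse_http_request(first_packet)
    return {"scheme": "http", "host": host, "url": url}


def host_matches(host: str, domains: List[str]) -> bool:
    """squidguard 'domains' list: the host itself or any subdomain of it."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in (x.lower().strip(".") for x in domains))


def decide(first_packet: bytes, blocked_domains: List[str]) -> str:
    """Host-name decision, valid for both http and https; 'no-hostname' when
    the client sent no SNI and a name-only filter is blind."""
    host = visible_to_proxy(first_packet)["host"]
    if not host:
        return "no-hostname"
    return "block" if host_matches(host, blocked_domains) else "allow"


if __name__ == "__main__":
    for pkt in (SAMPLE_HTTP, build_client_hello("www.facebook.com"), build_client_hello(None)):
        print(visible_to_proxy(pkt), "->", decide(pkt, ["facebook.com"]))
```

Run it as a script to see the three cases side by side: the HTTP request exposes host and full URL, the HTTPS ClientHello exposes the host only (url is None, so a URL or regexp rule has nothing to match), and the SNI-less ClientHello exposes nothing a name filter can use.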
