Re: [pfSense] Transparent proxy for WiFi users

2018-01-11 Thread WebDawg
It could be web sockets, this could show you what I mean:

https://asana.com/guide/help/faq/connectivity#gl-websockets

You have to white-list some stuff sometimes to get it to work
correctly, but I think that is what I was intercepting vs inspecting.
This was an example white list I had for skype and asana:

asana.com sling.is apps.skypeassets.com login.skype.com pipe.skype.com
secure.skype.com config.skype.com api.skype.com ui.skype.com
s.gateway.messenger.live.com get.skype.com dsn13.d.skype.net
mobile.pipe.aria.microsoft.com a.config.skype.com www.skypeassets.com
dr.skype.net apps.skype.com api.asm.skype.com sync.app.asana.com

Try white-listing problem sites.

On Thu, Jan 11, 2018 at 10:30 AM, Roberto Carna
<robertocarn...@gmail.com> wrote:
> Dear, I've created a self-signed CA certificate in pfSense, in order
> to use it in the SSL Filtering / Splice All from Squid.
>
> This CA certificate is NOT installed on any of the client devices
> (notebooks, cell phones, etc.), because it is impossible to ask each WiFi
> user to install it.
>
> Everything works OK, except in certain cases, for example:
>
> - The Facebook app sometimes doesn't load the user profiles, I have to
> close Facebook and open it again
> - Mercadolibre is the same, it doesn't load the content and after that
> I have to close and open the app
>
> Why do certain apps not work OK until I close and restart them?
>
> Thanks a lot again!!!
>
>
>
> 2018-01-10 3:51 GMT-03:00 WebDawg <webd...@gmail.com>:
>> Can you just do inspection on this and have it stop acting as a true proxy?
>>
>> Splice All:
>> This configuration is suitable if you want to use the SquidGuard
>> package for web filtering.
>> All destinations will be spliced. SquidGuard can do its job of denying
>> or allowing destinations according its rules, as it does with HTTP.
>> You do not need to install the CA certificate configured below on clients.
>> Content filtering (such as Antivirus) will not be available for SSL sites.
>>
>> On Tue, Jan 2, 2018 at 11:01 AM, Elijah Savage <esav...@digitalrage.org> 
>> wrote:
>>> Interested in what sort of problems you are seeing.
>>>
>>> I use the same setup in a small environment let's call it home :) with many
>>> different devices and have not seen any issues.
>>>
>>> -Original Message-
>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Rainer
>>> Duffner
>>> Sent: Tuesday, January 02, 2018 10:01 AM
>>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>>> Subject: Re: [pfSense] Transparent proxy for WiFi users
>>>
>>>
>>>
>>>> On 02.01.2018 at 14:46, Roberto Carna <robertocarn...@gmail.com> wrote:
>>>>
>>>> Dear, I've set up a Squid transparent proxy + SquidGuard on pfSense 2.4
>>>> in order to filter HTTP and HTTPS web content for different types of
>>>> WiFi clients at my company:
>>>>
>>>> - Android (different versions)
>>>> - Notebooks Windows 7/10
>>>> - iPhone
>>>> - Etc.
>>>>
>>>> In some cases, depending on the device operating system, some apps
>>>> experience problems, for example Facebook and some others.
>>>>
>>>
>>>
>>>
>>>
>>> Apps that do hardwired Key-Pinning (everything from Apple, Google and
>>> probably TFB, too) will not work.
>>> You have to make exemptions, AFAIK.
>>>
>>> Same for ebanking and related.
>>>
>>>
>>>
>>>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Transparent proxy for WiFi users

2018-01-11 Thread Roberto Carna
Dear, I've created a self-signed CA certificate in pfSense, in order
to use it in the SSL Filtering / Splice All from Squid.

This CA certificate is NOT installed on any of the client devices
(notebooks, cell phones, etc.), because it is impossible to ask each WiFi
user to install it.

Everything works OK, except in certain cases, for example:

- The Facebook app sometimes doesn't load the user profiles, I have to
close Facebook and open it again
- Mercadolibre is the same, it doesn't load the content and after that
I have to close and open the app

Why do certain apps not work OK until I close and restart them?

Thanks a lot again!!!



2018-01-10 3:51 GMT-03:00 WebDawg <webd...@gmail.com>:
> Can you just do inspection on this and have it stop acting as a true proxy?
>
> Splice All:
> This configuration is suitable if you want to use the SquidGuard
> package for web filtering.
> All destinations will be spliced. SquidGuard can do its job of denying
> or allowing destinations according its rules, as it does with HTTP.
> You do not need to install the CA certificate configured below on clients.
> Content filtering (such as Antivirus) will not be available for SSL sites.
>
> On Tue, Jan 2, 2018 at 11:01 AM, Elijah Savage <esav...@digitalrage.org> 
> wrote:
>> Interested in what sort of problems you are seeing.
>>
>> I use the same setup in a small environment let's call it home :) with many
>> different devices and have not seen any issues.
>>
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Rainer
>> Duffner
>> Sent: Tuesday, January 02, 2018 10:01 AM
>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>> Subject: Re: [pfSense] Transparent proxy for WiFi users
>>
>>
>>
>>> On 02.01.2018 at 14:46, Roberto Carna <robertocarn...@gmail.com> wrote:
>>>
>>> Dear, I've set up a Squid transparent proxy + SquidGuard on pfSense 2.4
>>> in order to filter HTTP and HTTPS web content for different types of
>>> WiFi clients at my company:
>>>
>>> - Android (different versions)
>>> - Notebooks Windows 7/10
>>> - iPhone
>>> - Etc.
>>>
>>> In some cases, depending on the device operating system, some apps
>>> experience problems, for example Facebook and some others.
>>>
>>
>>
>>
>>
>> Apps that do hardwired Key-Pinning (everything from Apple, Google and
>> probably TFB, too) will not work.
>> You have to make exemptions, AFAIK.
>>
>> Same for ebanking and related.
>>
>>
>>
>>


Re: [pfSense] Transparent proxy for WiFi users

2018-01-09 Thread WebDawg
Can you just do inspection on this and have it stop acting as a true proxy?

Splice All:
This configuration is suitable if you want to use the SquidGuard
package for web filtering.
All destinations will be spliced. SquidGuard can do its job of denying
or allowing destinations according its rules, as it does with HTTP.
You do not need to install the CA certificate configured below on clients.
Content filtering (such as Antivirus) will not be available for SSL sites.

On Tue, Jan 2, 2018 at 11:01 AM, Elijah Savage <esav...@digitalrage.org> wrote:
> Interested in what sort of problems you are seeing.
>
> I use the same setup in a small environment let's call it home :) with many
> different devices and have not seen any issues.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Rainer
> Duffner
> Sent: Tuesday, January 02, 2018 10:01 AM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] Transparent proxy for WiFi users
>
>
>
>> On 02.01.2018 at 14:46, Roberto Carna <robertocarn...@gmail.com> wrote:
>>
>> Dear, I've set up a Squid transparent proxy + SquidGuard on pfSense 2.4
>> in order to filter HTTP and HTTPS web content for different types of
>> WiFi clients at my company:
>>
>> - Android (different versions)
>> - Notebooks Windows 7/10
>> - iPhone
>> - Etc.
>>
>> In some cases, depending on the device operating system, some apps
>> experience problems, for example Facebook and some others.
>>
>
>
>
>
> Apps that do hardwired Key-Pinning (everything from Apple, Google and
> probably TFB, too) will not work.
> You have to make exemptions, AFAIK.
>
> Same for ebanking and related.
>
>
>
>


Re: [pfSense] Transparent proxy for WiFi users

2018-01-02 Thread Elijah Savage
Interested in what sort of problems you are seeing.

I use the same setup in a small environment let's call it home :) with many
different devices and have not seen any issues.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Rainer
Duffner
Sent: Tuesday, January 02, 2018 10:01 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Transparent proxy for WiFi users



> On 02.01.2018 at 14:46, Roberto Carna <robertocarn...@gmail.com> wrote:
>
> Dear, I've set up a Squid transparent proxy + SquidGuard on pfSense 2.4
> in order to filter HTTP and HTTPS web content for different types of
> WiFi clients at my company:
>
> - Android (different versions)
> - Notebooks Windows 7/10
> - iPhone
> - Etc.
>
> In some cases, depending on the device operating system, some apps
> experience problems, for example Facebook and some others.
> 




Apps that do hardwired Key-Pinning (everything from Apple, Google and
probably TFB, too) will not work.
You have to make exemptions, AFAIK.

Same for ebanking and related.






Re: [pfSense] Transparent proxy for WiFi users

2018-01-02 Thread Rainer Duffner


> On 02.01.2018 at 14:46, Roberto Carna wrote:
>
> Dear, I've set up a Squid transparent proxy + SquidGuard on pfSense 2.4
> in order to filter HTTP and HTTPS web content for different types of
> WiFi clients at my company:
>
> - Android (different versions)
> - Notebooks Windows 7/10
> - iPhone
> - Etc.
>
> In some cases, depending on the device operating system, some apps
> experience problems, for example Facebook and some others.
> 




Apps that do hardwired Key-Pinning (everything from Apple, Google and probably 
TFB, too) will not work.
You have to make exemptions, AFAIK.

Same for ebanking and related.






[pfSense] Transparent proxy for WiFi users

2018-01-02 Thread Roberto Carna
Dear, I've set up a Squid transparent proxy + SquidGuard on pfSense 2.4
in order to filter HTTP and HTTPS web content for different types of
WiFi clients at my company:

- Android (different versions)
- Notebooks Windows 7/10
- iPhone
- Etc.

In some cases, depending on the device operating system, some apps
experience problems, for example Facebook and some others.

Which is the best solution in order to set up a TRANSPARENT proxy
service in a heterogeneous scenario with different types of devices,
and running in the best mode with the minimum number of problems?

Or do I have to move to a scenario with a defined proxy on another
server, and automatically established in clients with DHCP?

Thanks a lot,

Roberto