Re: [pfSense] Transparent proxy for WiFi users
It could be web sockets, this could show you what I mean: https://asana.com/guide/help/faq/connectivity#gl-websockets You have to white-list some stuff sometimes to get it to work correctly, but I think that is what I was intercepting vs inspecting. This was an example white list I had for skype and asana: asana.com sling.is apps.skypeassets.com login.skype.com pipe.skype.com secure.skype.com config.skype.com api.skype.com ui.skype.com s.gateway.messenger.live.com get.skype.com dsn13.d.skype.net mobile.pipe.aria.microsoft.com a.config.skype.com www.skypeassets.com dr.skype.net apps.skype.com api.asm.skype.com sync.app.asana.com Try white-listing problem sites. On Thu, Jan 11, 2018 at 10:30 AM, Roberto Carna <robertocarn...@gmail.com> wrote: > Dear, I've created a self signed CA Certificate in pfSEnse, in order > to use it in the SSL Filtering / Spice All from Squid. > > This CA certificate is NOT installed in none of the device clients > (notebooks, cell phones, etc), because is imposible to ask each WiFi > user to install it. > > Everything works OK, except certains cases, for example: > > - Facebook app sometimes doesn't load the user profiles, I have to > close Facebook and open it again > - Mercadolibre is the same, it doesn't load the content and after that > I have to close and open the app > > Why certain apps don't work OK until I close and restart them ??? > > Thanks a lot again!!! > > > > 2018-01-10 3:51 GMT-03:00 WebDawg <webd...@gmail.com>: >> Can you just do inspection on this and have it stop acting as a true proxy? >> >> Splice All: >> This configuration is suitable if you want to use the SquidGuard >> package for web filtering. >> All destinations will be spliced. SquidGuard can do its job of denying >> or allowing destinations according its rules, as it does with HTTP. >> You do not need to install the CA certificate configured below on clients. >> Content filtering (such as Antivirus) will not be available for SSL sites. >> >> On Tue, Jan 2, 2018 at 11:01 AM, Elijah Savage <esav...@digitalrage.org> >> wrote: >>> Interested in what sort of problems you are seeing. >>> >>> I use the same setup in a small environment let's call it home :) with many >>> different devices and have not seen any issues. >>> >>> -Original Message- >>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Rainer >>> Duffner >>> Sent: Tuesday, January 02, 2018 10:01 AM >>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org> >>> Subject: Re: [pfSense] Transparent proxy for WiFi users >>> >>> >>> >>>> Am 02.01.2018 um 14:46 schrieb Roberto Carna <robertocarn...@gmail.com>: >>>> >>>> Dear, I've setup a Squid transparent proxy + Squidgard on pfSEnse 2.4 >>>> in order to filter HTTP and HTTPS web content for different types of >>>> WiFi clients on my company: >>>> >>>> - Android (different versions) >>>> - Notebooks Windows 7/10 >>>> - Iphone >>>> - Etc. >>>> >>>> In some cases, depending on the device Operating System, some apps >>>> experiment problems, for example Facebook and some others. >>>> >>> >>> >>> >>> >>> Apps that do hardwired Key-Pinning (everything from Apple, Google and >>> probably TFB, too) will not work. >>> You have to make exemptions, AFAIK. >>> >>> Same for ebanking and related. >>> >>> >>> >>> >>> ___ >>> pfSense mailing list >>> https://lists.pfsense.org/mailman/listinfo/list >>> Support the project with Gold! https://pfsense.org/gold >>> >>> ___ >>> pfSense mailing list >>> https://lists.pfsense.org/mailman/listinfo/list >>> Support the project with Gold! https://pfsense.org/gold >> ___ >> pfSense mailing list >> https://lists.pfsense.org/mailman/listinfo/list >> Support the project with Gold! https://pfsense.org/gold > ___ > pfSense mailing list > https://lists.pfsense.org/mailman/listinfo/list > Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Transparent proxy for WiFi users
Dear, I've created a self signed CA Certificate in pfSEnse, in order to use it in the SSL Filtering / Spice All from Squid. This CA certificate is NOT installed in none of the device clients (notebooks, cell phones, etc), because is imposible to ask each WiFi user to install it. Everything works OK, except certains cases, for example: - Facebook app sometimes doesn't load the user profiles, I have to close Facebook and open it again - Mercadolibre is the same, it doesn't load the content and after that I have to close and open the app Why certain apps don't work OK until I close and restart them ??? Thanks a lot again!!! 2018-01-10 3:51 GMT-03:00 WebDawg <webd...@gmail.com>: > Can you just do inspection on this and have it stop acting as a true proxy? > > Splice All: > This configuration is suitable if you want to use the SquidGuard > package for web filtering. > All destinations will be spliced. SquidGuard can do its job of denying > or allowing destinations according its rules, as it does with HTTP. > You do not need to install the CA certificate configured below on clients. > Content filtering (such as Antivirus) will not be available for SSL sites. > > On Tue, Jan 2, 2018 at 11:01 AM, Elijah Savage <esav...@digitalrage.org> > wrote: >> Interested in what sort of problems you are seeing. >> >> I use the same setup in a small environment let's call it home :) with many >> different devices and have not seen any issues. >> >> -Original Message- >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Rainer >> Duffner >> Sent: Tuesday, January 02, 2018 10:01 AM >> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org> >> Subject: Re: [pfSense] Transparent proxy for WiFi users >> >> >> >>> Am 02.01.2018 um 14:46 schrieb Roberto Carna <robertocarn...@gmail.com>: >>> >>> Dear, I've setup a Squid transparent proxy + Squidgard on pfSEnse 2.4 >>> in order to filter HTTP and HTTPS web content for different types of >>> WiFi clients on my company: >>> >>> - Android (different versions) >>> - Notebooks Windows 7/10 >>> - Iphone >>> - Etc. >>> >>> In some cases, depending on the device Operating System, some apps >>> experiment problems, for example Facebook and some others. >>> >> >> >> >> >> Apps that do hardwired Key-Pinning (everything from Apple, Google and >> probably TFB, too) will not work. >> You have to make exemptions, AFAIK. >> >> Same for ebanking and related. >> >> >> >> >> ___ >> pfSense mailing list >> https://lists.pfsense.org/mailman/listinfo/list >> Support the project with Gold! https://pfsense.org/gold >> >> ___ >> pfSense mailing list >> https://lists.pfsense.org/mailman/listinfo/list >> Support the project with Gold! https://pfsense.org/gold > ___ > pfSense mailing list > https://lists.pfsense.org/mailman/listinfo/list > Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Transparent proxy for WiFi users
Can you just do inspection on this and have it stop acting as a true proxy? Splice All: This configuration is suitable if you want to use the SquidGuard package for web filtering. All destinations will be spliced. SquidGuard can do its job of denying or allowing destinations according its rules, as it does with HTTP. You do not need to install the CA certificate configured below on clients. Content filtering (such as Antivirus) will not be available for SSL sites. On Tue, Jan 2, 2018 at 11:01 AM, Elijah Savage <esav...@digitalrage.org> wrote: > Interested in what sort of problems you are seeing. > > I use the same setup in a small environment let's call it home :) with many > different devices and have not seen any issues. > > -Original Message- > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Rainer > Duffner > Sent: Tuesday, January 02, 2018 10:01 AM > To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org> > Subject: Re: [pfSense] Transparent proxy for WiFi users > > > >> Am 02.01.2018 um 14:46 schrieb Roberto Carna <robertocarn...@gmail.com>: >> >> Dear, I've setup a Squid transparent proxy + Squidgard on pfSEnse 2.4 >> in order to filter HTTP and HTTPS web content for different types of >> WiFi clients on my company: >> >> - Android (different versions) >> - Notebooks Windows 7/10 >> - Iphone >> - Etc. >> >> In some cases, depending on the device Operating System, some apps >> experiment problems, for example Facebook and some others. >> > > > > > Apps that do hardwired Key-Pinning (everything from Apple, Google and > probably TFB, too) will not work. > You have to make exemptions, AFAIK. > > Same for ebanking and related. > > > > > ___ > pfSense mailing list > https://lists.pfsense.org/mailman/listinfo/list > Support the project with Gold! https://pfsense.org/gold > > ___ > pfSense mailing list > https://lists.pfsense.org/mailman/listinfo/list > Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Transparent proxy for WiFi users
Interested in what sort of problems you are seeing. I use the same setup in a small environment let's call it home :) with many different devices and have not seen any issues. -Original Message- From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Rainer Duffner Sent: Tuesday, January 02, 2018 10:01 AM To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org> Subject: Re: [pfSense] Transparent proxy for WiFi users > Am 02.01.2018 um 14:46 schrieb Roberto Carna <robertocarn...@gmail.com>: > > Dear, I've setup a Squid transparent proxy + Squidgard on pfSEnse 2.4 > in order to filter HTTP and HTTPS web content for different types of > WiFi clients on my company: > > - Android (different versions) > - Notebooks Windows 7/10 > - Iphone > - Etc. > > In some cases, depending on the device Operating System, some apps > experiment problems, for example Facebook and some others. > Apps that do hardwired Key-Pinning (everything from Apple, Google and probably TFB, too) will not work. You have to make exemptions, AFAIK. Same for ebanking and related. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Transparent proxy for WiFi users
> Am 02.01.2018 um 14:46 schrieb Roberto Carna: > > Dear, I've setup a Squid transparent proxy + Squidgard on pfSEnse 2.4 > in order to filter HTTP and HTTPS web content for different types of > WiFi clients on my company: > > - Android (different versions) > - Notebooks Windows 7/10 > - Iphone > - Etc. > > In some cases, depending on the device Operating System, some apps > experiment problems, for example Facebook and some others. > Apps that do hardwired Key-Pinning (everything from Apple, Google and probably TFB, too) will not work. You have to make exemptions, AFAIK. Same for ebanking and related. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
[pfSense] Transparent proxy for WiFi users
Dear, I've setup a Squid transparent proxy + Squidgard on pfSEnse 2.4 in order to filter HTTP and HTTPS web content for different types of WiFi clients on my company: - Android (different versions) - Notebooks Windows 7/10 - Iphone - Etc. In some cases, depending on the device Operating System, some apps experiment problems, for example Facebook and some others. Which is the best solution in order to setup a TRANSPARENT proxy service in a heterogeneous scenario with diferenbt types of devices, and running in the best mode with the minimum number of problems??? Or do I have to move to a scenario with a defined proxy in another server, and automatically established in clients with DHCP ??? Thanks a lot, Roberto ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold