Netgate Discussion Forum
SSL Intercept

Cache/Proxy
  • Reeko
    last edited by Dec 6, 2021, 6:58 PM

    Hi pFolks =)

    I want to intercept SSL traffic for filtering content using a squid proxy server. I want to use the transparent mode, and filter the content in every device connected to my network, including mobile devices.

    Any pieces of advice?

    Thank you for any help you guys could give me.

    • Gertjan @Reeko
      last edited by Gertjan Dec 7, 2021, 1:37 PM (posted Dec 7, 2021, 1:35 PM)

      @reeko

      Allow me just to turn the question around:
      Do you think there is someone or something** that can do exactly that right now when you connect yourself to Facebook, your bank, or another service that is considered 'private' and/or personal?

      Do you think TLS - for example 'https' - is broken at that point?
      And if it is, is this trick common knowledge?

      What will work:
      On every device on your network you have to install certificates and proxy settings.
      So these devices will re-route all their process (program) communication to the known proxy. All requests will get collected on the proxy (squid on pfSense), and squid will repeat the requests on their behalf. The answers will get decrypted, re-encrypted and sent back to the requesting devices/processes.
      Not really transparent (at all).

      Squid using transparent mode, intercepting TLS?
      I tend to affirm: impossible, as users and service providers will not cooperate with you.
      Last but not least: if you manage to pull this one off, there will be agencies that will hire you "at any cost". That is, when you've done your lifetime in prison.

      Squid using transparent mode was easier to implement in the good old days when http went over port '80' and mail over ports 143, 110, etc.

      ** governmental agencies, or your ISP ?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit: and where are the logs??

      • Reeko @Gertjan
        last edited by Dec 7, 2021, 4:02 PM

        @gertjan

        Filter content = Block unwanted traffic such as porn sites, social networks, and so on. I don't know why you are talking about "broken SSL" or suggesting some sort of hacking. I want to block some content in my network using transparent mode because filtering mobile devices is a nightmare.

        I know that it is necessary to push the SSL certificate to every single device in my network in order to decrypt the traffic and block what I need. My question is: if I get an SSL certificate from GoDaddy, for example, could it work with pfSense in order to use the transparent mode and avoid the browser warning when a user tries to navigate?

        Thanks in advance!

        • johnpoz LAYER 8 Global Moderator @Reeko
          last edited by Dec 7, 2021, 4:13 PM

          @reeko said in SSL Intercept:

          Block unwanted traffic such as porn sites, social networks, and so on

          This is prob better done via just DNS filtering vs. proxying the traffic. You could still run into issues with clients trying to use DoH or DoT or just their own DNS, but those are easier to deal with.

          While you cannot get as granular with stuff like www.domain.tld/allowthis or www.domain.tld/blockthis:

          Without full MITM interception of SSL you cannot do such filtering anyway. While you can filter on domain when the client sends CONNECT to the proxy, filtering what you don't want clients to go to is easier via just DNS-based filtering.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • Reeko @johnpoz
            last edited by Dec 7, 2021, 5:07 PM

            @johnpoz Thank you for your answer.

            My question remains unanswered: if I get an SSL certificate from a trusted CA such as Verison or any other, could it work with pfSense? Blocking things with DNS is not efficient at all. I can block unwanted traffic using squid and squidGuard pretty easily and it works very well. The problem is to use a trusted certificate to let the users navigate and avoid browser warnings and secure connection problems. Obviously, that certificate needs to be on every single host. That is clear. How to push it? I will work around that. My main concern is whether pfSense can use a trusted certificate when the user tries to navigate. That's it.

            • johnpoz LAYER 8 Global Moderator @Reeko
              last edited by johnpoz Dec 7, 2021, 6:20 PM (posted Dec 7, 2021, 6:17 PM)

              @reeko said in SSL Intercept:

              Blocking things with DNS is not efficient at all

              I have no idea why you would think that. It's pretty simple to grab lists or create lists of blocked stuff.

              But here you go if you're wanting to try it:
              https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
              Intercept HTTPS CONNECT messages with SSL-Bump

              Clients do not send CONNECT messages when in "transparent" mode of interception of the traffic.

              You could try this:
              https://turbofuture.com/internet/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense

              Good luck. Maybe someone else who does this will chime in. It's not a common practice for sure. I haven't actually used a proxy to try and do such filtering in many years. Not a fan of any sort of messing with any SSL traffic. If I was going to do it, I would use explicit pointing to the proxy and use SSL-Bump.

              You will have to trust the CA you create; there is no way to use a cert from a 3rd party for such a thing, because there is no way to create certs on the fly for www.somedomain.tld from an already trusted CA. So devices that cannot be set to trust your CA will not work.

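johnpoz's closing point, shown in code: a private root CA of the kind pfSense creates for squid can mint a per-host certificate, and a client accepts that certificate only once the root is installed; a leaf certificate of the kind a public CA sells cannot sign anything. This is an added example written in Go (standard library only), not code from the thread, pfSense or squid; the CA name, the hostname www.example.com, and the function names are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// makeCert builds a self-signed root when isCA is true (the CA you would create in pfSense
// for squid), otherwise a per-host leaf signed by parent, as squid mints on the fly per site.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign host certs
		parent, parentKey = tmpl, key          // self-signed
	} else {
		tmpl.DNSNames = []string{cn} // the site name the browser will check
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("cannot build certificate")
	}
	return cert, key
}
// canMintHostCerts is false for a leaf bought from a public CA: it cannot drive SslBump.
func canMintHostCerts(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0
}
// Demo reports: root can mint, leaf can mint, leaf trusted with the root installed, and without.
func Demo() (rootCanMint, leafCanMint, withRoot, withoutRoot bool) {
	root, rootKey := makeCert("Squid Filtering CA", true, nil, nil) // assumed CA name
	host, _ := makeCert("www.example.com", false, root, rootKey)     // assumed site
	pool := x509.NewCertPool()
	pool.AddCert(root) // a device where the pfSense CA was installed
	_, errWith := host.Verify(x509.VerifyOptions{Roots: pool, DNSName: "www.example.com"})
	_, errWithout := host.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "www.example.com"}) // never enrolled
	return canMintHostCerts(root), canMintHostCerts(host), errWith == nil, errWithout == nil
}
func main() {
	fmt.Println(Demo()) // true false true false
}
```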

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.