Netgate Discussion Forum

    Custom Block page w/ certificate

    pfBlockerNG
    • michmoor (LAYER 8 Rebel Alliance)

      Is there a way to do HTTP redirects somehow in pfBlockerNG, so that when I use a custom VIP for rejected pages it gets sent to a web server in my domain, web.example.com, which will redirect to a page with a proper SSL certificate and a custom blocked message?

      Otherwise I have to continue using the SSL cert from pfBlockerNG for HTTPS sites, which breaks the user experience, and they have no idea they have been blocked due to policy.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      • viragomann @michmoor

        @michmoor
        If a browser calls https://web.example.com it expects an SSL certificate which matches the requested host name, and will probably not accept any redirection from a server before it has got it.
        Since you don't have the proper certificate, that will not work.

        However, instead of blocking access you can set pfBlockerNG to generate reject-rules.
        If a destination is rejected the browser notices this immediately and reports an error, and will not run into a timeout.

        • michmoor (LAYER 8 Rebel Alliance) @viragomann

          @viragomann Right, but the thing is HTTP sites work, so in theory SSL sites should work, assuming it gets redirected to a domain you own.
          So typically ads.google.com would be intercepted by pfBlockerNG and we get the bad SSL cert message. What should happen is the site gets caught by pfBlockerNG and pfBlockerNG sends it to the VIP you configured in the settings. That web server, I believe, should then redirect all web traffic to a domain blocked.iownthisdomain.com which has a proper SSL cert because ...well... you own the domain :)

          Otherwise the end user gets a bad SSL message or the site doesn't load, but still the user doesn't know the reason. Having a custom blocked message for the SSL page would be helpful.


          • viragomann @michmoor

            @michmoor said in Custom Block page w/ certificate:

            Right, but the thing is HTTP sites work, so in theory SSL sites should work, assuming it gets redirected to a domain you own

            I tried to explain above in a few words why it doesn't work when the browser requests an HTTPS site. Yes, redirecting works well for non-SSL requests, though. So if the user requests http://ads.google.com you can redirect him to whatever you want, as well to an encrypted page.
            But nowadays, as many big websites are configured to use HSTS, most requests are HTTPS and the browser won't try HTTP if it has visited the site already before.

            If you intend to block local computers you may consider setting up the squid package. This can do what you're looking for, but it's possibly much effort to configure each client to use the proxy server.

            • NollipfSense @michmoor

              @michmoor See here:

              https://forum.netgate.com/topic/175949/how-to-customize-the-block-page-message-of-pfblockerng

              pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
              pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

              • michmoor (LAYER 8 Rebel Alliance) @NollipfSense

                @nollipfsense
                So I got this somewhat working actually. There is an nginx proxy that I have pfBlockerNG sending the failed domains to. The proxy then has a default site configured where any domains get redirected to a custom web page with a valid cert.
                This is possible but would require a reverse proxy built in to pfblocker much like the light weight httpd server.


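To show what the nginx "default site" arrangement michmoor describes looks like, here is an added example config; it is not from the thread or from pfBlockerNG, and it assumes the pfBlockerNG VIP is 10.10.10.10, that you own blocked.iownthisdomain.com with a valid certificate, and the certificate paths shown.

```nginx
# Catch-all vhost on the pfBlockerNG VIP (assumed 10.10.10.10) for plain HTTP.
# Every blocked hostname lands here because no other server block matches it.
server {
    listen 10.10.10.10:80 default_server;
    server_name _;

    # Redirect to the block page on a domain you own; the blocked host is
    # passed as a query parameter so the page can tell the user what was blocked.
    return 302 https://blocked.iownthisdomain.com/blocked?host=$host;
}

# The block page itself, served with the valid certificate for that name.
server {
    listen 443 ssl;
    server_name blocked.iownthisdomain.com;
    ssl_certificate     /etc/ssl/certs/blocked.iownthisdomain.com.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/blocked.iownthisdomain.com.key; # assumed path
    root /var/www/blocked;                                               # assumed path
    location / { try_files /index.html =404; }
}

# HTTPS requests to a blocked name (e.g. https://ads.google.com) also reach the VIP,
# but the TLS handshake completes before any redirect can be sent, and the
# certificate presented here cannot match the requested name. Browsers will
# therefore show their certificate error unless the issuing CA is trusted on
# the client; this block only makes the failure fast instead of a timeout.
server {
    listen 10.10.10.10:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/certs/pfblockerng-selfsigned.pem;  # assumed path
    ssl_certificate_key /etc/ssl/private/pfblockerng-selfsigned.key; # assumed path
    return 302 https://blocked.iownthisdomain.com/blocked?host=$host;
}
```

With HSTS in play, as viragomann notes, most browsers will never send the plain HTTP request that the first block relies on, so only the HTTPS path is what users of those sites will see.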
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.