Netgate Discussion Forum

Https web filtering WITHOUT certificate warnings?

Cache/Proxy
    DutchSamurai
    last edited by Mar 23, 2017, 4:49 AM

    Hi there,

    I've been searching and trying to get HTTPS web filtering working for a while now. I'm currently managing a whole bunch of Fortigate UTMs that do HTTPS URL/web filtering WITHOUT the need for an AD, installing certificates, or setting up proxies on user devices. Users also don't get security warnings.

    Is it possible to get the same thing working on pfSense? I would like to move to pfSense, but web filtering is a must, and as I'll be managing hundreds of installations with thousands of users in a BYOD setting, asking users to import certificates or set up proxies is simply not going to work.

    I've tried this guide but it doesn't work.
    https://forum.pfsense.org/index.php?topic=112335.0

      Derelict LAYER 8 Netgate
      last edited by Mar 23, 2017, 5:33 AM

      And what feedback do these users get from these fortigates when they try to visit a blocked HTTPS site?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

        DutchSamurai
        last edited by Mar 23, 2017, 6:41 AM

        @Derelict:

        And what feedback do these users get from these fortigates when they try to visit a blocked HTTPS site?

        A certificate error. It's set to proxy-based filtering. As far as I know, for web filtering it uses SSL certificate inspection, and the Fortigate will only look at the header to pass or block a URL, thus not triggering an error when the URL is allowed.

          Derelict LAYER 8 Netgate
          last edited by Mar 23, 2017, 7:53 AM

          You want squid peek and splice. Moving to Cache/Proxy.

            sichent Banned
            last edited by Mar 23, 2017, 5:16 PM

            The https://docs.diladele.com/tutorials/filtering_https_traffic_squid_pfsense/index.html works exactly like this - do not enable HTTPS filtering, but do block categories or by domain names. When a user tries to connect to a remote site that is blocked using HTTP, they see the 'access denied' page; if the connection is made using HTTPS, the connection is silently reset or 'access denied' with a certificate warning is shown to the user.

            You will not be able to look into the contents though - blocking bad searches on Google and YouTube will not work.

              DutchSamurai
              last edited by Mar 24, 2017, 8:14 AM

              @Derelict:

              You want squid peek and splice. Moving to Cache/Proxy.

              That easy huh :D

              Looks like I got it working. Just need to see if I can get safe search working as well.

              Is there a paid service that provides a good blacklist for Squid? I tried the Shalla free one, but that doesn't really hold a candle to the Fortinet blacklist. I didn't expect the same results, but when I block cars and half of the Toyota domains are still working because they don't use .com or whatever, that won't be good enough.

              @sichent:

              The https://docs.diladele.com/tutorials/filtering_https_traffic_squid_pfsense/index.html works exactly like this - do not enable HTTPS filtering, but do block categories or by domain names. When a user tries to connect to a remote site that is blocked using HTTP, they see the 'access denied' page; if the connection is made using HTTPS, the connection is silently reset or 'access denied' with a certificate warning is shown to the user.

              You will not be able to look into the contents though - blocking bad searches on Google and YouTube will not work.

              I found out about Diladele before and I am considering looking into them, but that tutorial requires pushing certificates. Maybe it works if you simply enable the HTTPS proxy in Squid though.

                sichent Banned
                last edited by Mar 24, 2017, 6:05 PM

                Exactly - if you do not enable HTTPS filtering, no certificates need to be pushed; the blocked HTTPS sites then show the "SSL warning", but that is not a problem if you prohibit access to them. Moreover, you can just drop the connection for a blocked HTTPS site, as described at https://docs.diladele.com/faq/squid/cannot_connect_to_site_using_https.html

                  DutchSamurai
                  last edited by Mar 25, 2017, 1:22 AM

                  I think you are misunderstanding me.

                  I don't want to block https websites but I don't want/can't push certs either.

                    Derelict LAYER 8 Netgate
                    last edited by Mar 25, 2017, 2:43 AM

                    So don't filter HTTPS and it won't be forwarded through squid at all.

                      pfsensation
                      last edited by Mar 25, 2017, 7:59 PM

                      @DutchSamurai:

                      I think you are misunderstanding me.

                      I don't want to block https websites but I don't want/can't push certs either.

                      Just out of curiosity… Are you using this in a business or home environment? Without filtering HTTPS, web filtering these days is a shambles. More and more websites are moving to HTTPS, and even free certificates from Let's Encrypt are available. If I were you, I'd use the Splice All feature in Squid, as it can block HTTPS sites without any certificates.

                        DutchSamurai
                        last edited by Mar 27, 2017, 1:08 AM

                        It's a project for work, so I do need the HTTPS filtering, but as it's BYOD I can't push certs. Splice All works; it's just that there is no URL database that comes close to what Fortigate offers. I didn't expect it would work as well, the databases being provided for free after all.

                        So I do want HTTPS filtering, I just don't want to push certs, but all of sichent's posts assume I'm OK with certs ;)

                        In short: splicing blocks HTTPS, but the lack of a solid (paid) database means pfSense won't be an alternative to our Fortigates.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.