Captive Portal + squid + wpad + filter - Https
-
I have a network with about 200 full time clients plus an additional 250 part time clients (they leave and return… or visit once and never again). This network absolutely has to be filtered due to the nature of the clientele. I have squid in transparent mode running to filter http traffic, but it does not filter https traffic, which leaves a gaping hole in the content control on the network. I was hoping to be able to use captive portal to force the settings onto the client machines while they are connected using wpad, and then run the squid based filter non-transparently, thereby managing all traffic. Is this possible? Am I over thinking this? Are there better solutions? HALP!
--R
-
On the LAN, block traffic going to any destination on port tcp/443 (except from your proxy server and/or unrestricted client IPs).
If someone has the proxy settings in their browser, it will never hit that rule since it's going to the proxy.
You can't force someone's browser settings to reset to "automatic" if they have been set to manual only or no proxy. If you have WPAD set up then it will work for those already set to automatic. Some browsers default to not trying automatic configuration these days.
-
You could put a hint on the CaptivePortal start page that only http traffic is allowed, and if someone wants to use https they have to enter the proxy settings manually, if WPAD does not work.
I tried it without captive portal but with WPAD in the past, and I am not sure if every current browser accepts these settings.
For me it would be nice to see your wpad files and some hints on how you configured it and which browsers (versions) are working with wpad.
Sorry for hijacking this thread a little bit.
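Since the post above asks what a working wpad file looks like, and the earlier reply describes sending everything through the proxy while blocking tcp/443 on the LAN, here is an added example of a wpad.dat (proxy auto-config script). It is not a file from the thread, the pfSense docs or any poster; the proxy address 192.0.2.10:3128, the LAN range 192.168.1.0/24 and the internal suffix corp.example are assumed values to replace with your own.

```javascript
// Added example (not from the thread): a wpad.dat / proxy.pac that sends
// every browser request, HTTPS included, through a non-transparent Squid.
// Assumed values: Squid listens on 192.0.2.10:3128, the LAN is
// 192.168.1.0/24, and "corp.example" is the internal DNS suffix.

// Browsers provide isPlainHostName, dnsDomainIs and shExpMatch themselves.
// The string-only re-implementations below let the file run under Node
// for testing and give the same answers as the built-ins for these calls.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function shExpMatch(str, shexp) {
  // Translate the shell-style pattern (* and ?) into an anchored regex.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

var PROXY = "PROXY 192.0.2.10:3128"; // assumed Squid address and port

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label intranet names and the internal domain bypass the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Literal LAN addresses (captive portal page, printers, ...) stay direct.
  if (shExpMatch(host, "192.168.1.*") || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Everything else, http:// and https:// alike, goes through Squid.
  // No "; DIRECT" fallback on purpose: if Squid is down the browser fails
  // instead of silently bypassing the filter. The tcp/443 block rule from
  // the earlier reply is what stops clients that never load this file.
  return PROXY;
}
```

Serve the file as wpad.dat with the application/x-ns-proxy-autoconfig MIME type from the host your DHCP (option 252) and DNS (wpad.yourdomain) point at, as the pfSense WPAD document describes. The design choice worth keeping is the missing DIRECT fallback: a PAC that ends in "PROXY ...; DIRECT" turns any proxy outage into an unfiltered network for every client that honours the file.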
-
> You could put a hint on the CaptivePortal start page that only http traffic is allowed, and if someone wants to use https they have to enter the proxy settings manually, if WPAD does not work.
> I tried it without captive portal but with WPAD in the past, and I am not sure if every current browser accepts these settings.
> For me it would be nice to see your wpad files and some hints on how you configured it and which browsers (versions) are working with wpad.
> Sorry for hijacking this thread a little bit.
Much of that is covered here:
http://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
-
> On the LAN, block traffic going to any destination on port tcp/443 (except from your proxy server and/or unrestricted client IPs).
> If someone has the proxy settings in their browser, it will never hit that rule since it's going to the proxy.
> You can't force someone's browser settings to reset to "automatic" if they have been set to manual only or no proxy. If you have WPAD set up then it will work for those already set to automatic. Some browsers default to not trying automatic configuration these days.
It's a little inelegant because we still need to retain access to the ssl services provided by google, but this actually works like a charm. Thanks!