Squidguard blocking problem
-
I'm trying to block a couple of sites, but it seems that if I use https it bypasses the filter and allows access. Say I'm trying to block the domain abc.com. If I use http://abc.com it is intercepted and I get the "site is blocked" message. If I change to https://abc.com I can reach the site just fine. Does anyone know what configuration setting I'm missing that would fix this?
-
hi,
I guess you are using the squidguard package to block URLs.
SquidGuard uses Squid to get the targeted URL.
The thing is, Squid can easily read an HTTP connection but not an HTTPS connection.
HTTPS builds a secured tunnel over HTTP using SSL with the web server. Once it's done, all traffic is encrypted, so Squid (and so SquidGuard) can't read it. You have two options:
- Check the IPs related to those websites and block them: example here http://forum.pfsense.org/index.php?topic=46265.0
- Do an HTTPS proxy with certificates. As such you will have a tunnel between the user and pfSense and another between pfSense and the web site.
http://www.juniper.net/techpubs/en_US/idp5.0/topics/concept/intrusion-detection-prevention-ssl-decryption-overview.html
http://www.rahulpahade.com/content/squid-transparent-proxy-over-ssl-https
Cheers.
Damien
-
> hi,
> I guess you are using the squidguard package to block URLs.
> SquidGuard uses Squid to get the targeted URL.
> The thing is, Squid can easily read an HTTP connection but not an HTTPS connection.
> HTTPS builds a secured tunnel over HTTP using SSL with the web server. Once it's done, all traffic is encrypted, so Squid (and so SquidGuard) can't read it.

SSL encrypts the data, not the address, so I had thought that Squid/SquidGuard should be able to block one as well as the other. Apparently, the problem is that redirecting port 443 traffic through the proxy would interfere with the SSL connection and so it's not done. You can work around this by setting up your own certificate as explained in the last links that you gave:

> - Do an HTTPS proxy with certificates. As such you will have a tunnel between the user and pfSense and another between pfSense and the web site.
> http://www.juniper.net/techpubs/en_US/idp5.0/topics/concept/intrusion-detection-prevention-ssl-decryption-overview.html
> http://www.rahulpahade.com/content/squid-transparent-proxy-over-ssl-https

> - Check the IPs related to those websites and block them: example here http://forum.pfsense.org/index.php?topic=46265.0

This is with firewall rules, not with Squid/SquidGuard. I'll have to look into this more.
Thanks for your reply. I think I understand it better now.
Dan
-
> SSL encrypts the data, not the address

??? What you call the "address" is facebook, right, which is a DNS resolution. DNS is layer 7. SSL encrypts everything after layer 3. That's why you can't block it by name.

> Apparently, the problem is that redirecting port 443 traffic through the proxy would interfere with the SSL connection and so it's not done. You can work around this by setting up your own certificate

Yes, it's what I've said! But it's not the fastest and easiest way to do it.
That's why I recommended doing it with firewall rules ;)
I hope I was helpful ;D ;D
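The disagreement above about whether the "address" of an HTTPS site is visible can be checked at the byte level. In TLS 1.2, and in TLS 1.3 unless Encrypted ClientHello is in use, the client sends the requested host name in the clear in the Server Name Indication (SNI) extension of its ClientHello, before any encryption starts. That is what lets a proxy or firewall match a blocklist by name without terminating the tunnel or installing its own certificate. The following is an added Python example, not code from this thread, from Squid, SquidGuard or pfSense: it builds a constructed ClientHello record, parses the SNI host name back out of it, and applies a hypothetical `is_blocked` check against a domain blocklist such as the `abc.com` case in the question.

```python
"""
Added example: extract the SNI host name from a TLS ClientHello and match it
against a domain blocklist. The ClientHello bytes are constructed here for the
demonstration; nothing is sent on the network.
"""
import struct
from typing import Iterable, Optional

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
HS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record.

    With a hostname, an SNI extension is included; with None, no extensions
    block is emitted at all (as some very old clients do). The random value and
    cipher suite are placeholders; only the framing matters for parsing."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                             # client_version: TLS 1.2
        + b"\x11" * 32                          # random (constructed placeholder)
        + b"\x00"                               # session_id length: 0
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
        + b"\x01\x00"                           # compression methods: null only
        + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != HS_CLIENT_HELLO:
            return None
        pos = 4 + 2 + 32                       # handshake header, client_version, random
        sid_len = hs[pos]
        pos += 1 + sid_len                      # session_id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + cs_len                       # cipher_suites
        cm_len = hs[pos]
        pos += 1 + cm_len                       # compression_methods
        if pos >= len(hs):
            return None                         # no extensions block present
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + ext_len]
            pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            # server_name_list: 2-byte list length, then entries of type(1) length(2) name
            lpos = 2
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if ntype == 0:
                    return data[lpos + 3:lpos + 3 + nlen].decode("ascii")
                lpos += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def is_blocked(hostname: Optional[str], blocklist: Iterable[str]) -> bool:
    """Hypothetical policy check: block a domain and all of its subdomains.

    A connection with no SNI cannot be matched by name; this example lets it
    through, which is the gap an IP-based firewall rule would have to cover."""
    if hostname is None:
        return False
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


if __name__ == "__main__":
    record = build_client_hello("www.abc.com")
    sni = extract_sni(record)
    print("SNI:", sni, "blocked:", is_blocked(sni, ["abc.com"]))
```

The parser deliberately returns None rather than raising on truncated or non-handshake input, since a filter sitting in front of real traffic will see plenty of both. Note that `is_blocked` only looks at the host name; the IP-based firewall approach Damien links to is what covers clients that send no SNI or that reach the site by address.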