    Ssl filtering transparent and non-transparent

      xbipin

      Are squid3 and squidguard currently stable compared to squid2 on 2.1, as I only use squid2 with squidguard on it currently?

        marcelloc

        First squid3.3 devel release for pfsense is out.

        What I'm sure is not working is antivirus integration via i-cap.
        All other features should be working.

        On packages I'll describe the main changes.

        Regards,
        Marcello Coutinho

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

          tester_02

          marcelloc

          I am just a home user but I love pfsense and the development community.  I have not done any pfsense donations for a while.  Can I send you a small token for your efforts?

          Please PM me with details (paypal?).

            marcelloc

            @tester_02:

            Please PM me with details (paypal?).

            Thanks for your interest in donating! ;D

            I've sent you a PM.

              marcelloc

              Since version 2.1.2 of squid3-dev ssl filtering is working fine on 2.1 without patches and on 2.0.x using squid 3.3.4_1 from my repo.  :)

              1368761856.278    210 192.168.0.3 TCP_MISS/200 978 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
              1368761856.699    442 192.168.0.3 TCP_MISS/200 19903 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
              1368761856.714    521 192.168.0.3 TCP_MISS/200 905 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
              1368761857.121    203 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
              1368761857.136    219 192.168.0.3 TCP_MISS/200 680 GET https://www.google.com.br/xjs/_/js/k=-im9hrMhEvY.en_US./m=wta/am=wA/rt=j/d=0/sv=1/rs=AItRSTMxcUTKX7_k7F3jagv1ABf8swPrOg - PINNED/189.86.41.119 text/javascript
              1368761858.327    632 192.168.0.3 TCP_MISS/200 915 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
              1368761859.649   1548 192.168.0.3 TCP_MISS/200 14473 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
              1368761859.661    228 192.168.0.3 TCP_MISS/200 850 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
              1368761860.026    220 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
              1368761860.970    397 192.168.0.3 TCP_MISS/200 851 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
              1368761861.121    388 192.168.0.3 TCP_MISS/200 856 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
              1368761861.223    311 192.168.0.3 TCP_MISS/200 855 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
              1368761861.410    397 192.168.0.3 TCP_MISS/200 860 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
              1368761862.720   1537 192.168.0.3 TCP_MISS/200 18542 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
              1368761863.104    222 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
              1368761865.464    232 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
              1368761866.209    507 192.168.0.3 TCP_MISS/200 982 POST http://ui.ff.avast.com/urlinfo - HIER_DIRECT/77.234.43.81 application/octet-stream
              1368761866.684    479 192.168.0.3 TCP_MISS/200 982 POST http://ui.ff.avast.com/urlinfo - HIER_DIRECT/77.234.43.81 applicatio
              

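The log in the post above shows full https:// URLs with ordinary GET methods, which is how a decrypted (bumped) session appears in Squid's native access.log, whereas an undecrypted one appears only as a CONNECT. The following is an added example, not part of the original post, that summarises such a log per host and flags whitelisted hosts that were decrypted anyway. The function names, the one-host-per-line whitelist file and the CONNECT sample line are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Constructed sample: three lines modelled on the log above plus one
# constructed CONNECT line (192.0.2.10 is a documentation address).
sample_log() {
cat <<'EOF'
1368761856.278    210 192.168.0.3 TCP_MISS/200 978 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761857.121    203 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
1368761866.209    507 192.168.0.3 TCP_MISS/200 982 POST http://ui.ff.avast.com/urlinfo - HIER_DIRECT/77.234.43.81 application/octet-stream
1368761870.100    950 192.168.0.3 TCP_MISS/200 4312 CONNECT 192.0.2.10:443 - HIER_DIRECT/192.0.2.10 -
EOF
}

# Print "<class> <host> <count>" for every host seen on stdin.
#   bumped: https:// URL with a normal method, so Squid decrypted the session
#   tunnel: CONNECT host:port, an opaque tunnel Squid relayed undecrypted
#   plain : ordinary http:// request
summarise_squid_log() {
    awk '
        function host(u) {
            sub("^[a-z]+://", "", u)    # drop the scheme
            sub("[/:?].*$", "", u)      # drop port, path and query
            return u
        }
        NF < 10          { next }       # skip truncated lines
        $6 == "CONNECT"  { n["tunnel " host($7)]++; next }
        $7 ~ "^https://" { n["bumped " host($7)]++; next }
        $7 ~ "^http://"  { n["plain " host($7)]++ }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# bumped_whitelisted <file>: print hosts from <file> (one per line) that
# were bumped anyway. Exit status is 0 only when none were.
bumped_whitelisted() {
    summarise_squid_log | awk -v wl="$1" '
        BEGIN { while ((getline d < wl) > 0) allow[d] = 1 }
        $1 == "bumped" && ($2 in allow) { print $2; bad = 1 }
        END { exit bad + 0 }
    '
}

sample_log | summarise_squid_log
```

On a live box, feed it the proxy's access.log instead of `sample_log`; a non-zero exit from `bumped_whitelisted` means an exempted domain is still being intercepted.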
                xbipin

                So we first uninstall squid 2.7.9 and squidguard 1.4.4 and then install squid3-dev and squidguard again?

                  xbipin

                  I tried on a remote nanobsd test box and after configuring squid3-dev, it doesn't start the service and I get this error in the system log:

                  May 23 13:25:11 	php: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '/libexec/ld-elf.so.1: Shared object "libgssapi.so.10" not found, required by "squid"'
                  
                    marcelloc

                    SASL needs some extra libs from FreeBSD that are not included on pfsense.

                    You can fetch them from any 8.1 FreeBSD or from my personal repo:

                    http://e-sac.siteseguro.ws/pfsense/8/All/ldd

                      marcelloc

                      Additional info can be found here

                      http://forum.pfsense.org/index.php/topic,62256.0.html

                        xbipin

                        Can you add it to the package itself so my client can simply install it and get going rather than doing it manually?

                          marcelloc

                          @xbipin:

                          Can you add it to the package itself so my client can simply install it and get going rather than doing it manually?

                          Unfortunately no  :(

                          I can only point package files to binaries on the official repo.

                          I'll ping jimp again to put it on files.pfsense.org.

                          I can send you a patch/script that downloads all the required missing libs.
                          Then you paste it at the command prompt.

                            xbipin

                            Try if jimp can do that; if not then I'll do it manually, so send me that script.

                              marcelloc

                              @xbipin:

                              Try if jimp can do that; if not then I'll do it manually, so send me that script.

                              i386

                              fetch -o /usr/local/lib/libasn1.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10
                              fetch -o /usr/local/lib/libgssapi.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10
                              fetch -o /usr/local/lib/libheimntlm.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10
                              fetch -o /usr/local/lib/libhx509.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10
                              fetch -o /usr/local/lib/libkrb5.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10
                              fetch -o /usr/local/lib/libroken.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10
                              

                              amd64

                              fetch -o /usr/local/lib/libasn1.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10
                              fetch -o /usr/local/lib/libgssapi.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10
                              fetch -o /usr/local/lib/libheimntlm.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10
                              fetch -o /usr/local/lib/libhx509.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10
                              fetch -o /usr/local/lib/libkrb5.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10
                              fetch -o /usr/local/lib/libroken.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10
                              

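The fetch commands in the post above write shared libraries straight into /usr/local/lib over plain HTTP, with nothing checking that the bytes received are the ones the author published. The following is an added example, not the package author's script, of staging the downloads and installing them only if every file matches a pinned SHA-256. The thread publishes no digests, so the manifest file, its "<sha256> <filename>" format and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the package author's script. Digests must come from a
# channel you trust (for example a signed message), never from the same
# HTTP server as the files.

# SHA-256 of a file: sha256sum where it exists, sha256(1) on FreeBSD/pfSense.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# install_verified <manifest> <stage-dir> <dest-dir>
# <manifest> holds "<sha256> <filename>" lines (assumed format). Every staged
# file is checked first; nothing is installed unless all of them match.
install_verified() {
    manifest=$1 stage=$2 dest=$3
    while read -r want name; do
        [ -n "$name" ] || continue
        if [ ! -f "$stage/$name" ] || [ "$(file_sha256 "$stage/$name")" != "$want" ]; then
            echo "REJECT $name: missing or digest mismatch" >&2
            return 1
        fi
    done < "$manifest"
    while read -r want name; do
        [ -n "$name" ] || continue
        # Copy beside the target, then rename, so a running process never
        # loads a half-written library.
        cp "$stage/$name" "$dest/$name.new" && mv "$dest/$name.new" "$dest/$name" || return 1
    done < "$manifest"
}
```

To use it, point the `fetch -o` commands at a staging directory instead of /usr/local/lib, then run `install_verified manifest.txt <stage-dir> /usr/local/lib`.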
                                xbipin

                                For SSL filtering, does it need to be a genuine certificate or will a self-signed certificate do?

                                  marcelloc

                                  @xbipin:

                                  For SSL filtering, does it need to be a genuine certificate or will a self-signed certificate do?

                                  You need a CA for that.

                                  To avoid an alert on each SSL site filtered, you need to install the CA crt on each client.

                                    xbipin

                                    I didn't understand that, but what I need it to do is I want to block access to all sites, http and https, and only allow the listed ones using squid and squidguard. The ones allowed are a few http and few https and I don't want to go about installing anything extra on client machines, is this possible?

                                      marcelloc

                                      @xbipin:

                                      The ones allowed are a few http and few https and I don't want to go about installing anything extra on client machines, is this possible?

                                      On the current stable package (squid2 + squidguard), if you block domains and not URLs and have client browsers with proxy settings, then you can show the squidguard error.

                                      ssl_filtering from the current squid-dev includes the squidguard error message on

                                      • transparent SSL connections using domain or URL ACLs

                                      • non-transparent mode using URL ACLs

                                      With the CA CRT installed on clients, you do not get browser cert alerts.

                                        xbipin

                                        Basically I'm just blocking all domains by default and allowing the ones listed in transparent mode. I don't want it to do any content filtering, it's just you block all and allow the listed, and for the allowed ones you don't filter or restrict, full access.

                                        Currently on squid2 I allow domains and URLs and it's in transparent mode with no client-side config, and squidguard gives errors as required, but the problem is it does this to port 80 only, which is http. All I need is the same but for port 443 (https) as well, because other than that all other ports are blocked for clients using firewall rules.

                                          xbipin

                                          So is this possible in squid2 or squid3-dev?

                                          • transparent mode
                                          • when a user goes to any https site, check its domain; if allowed then allow it a direct connection or through squid, if denied then block the connection and/or give an error message
                                          • no client-side config

                                          Currently on squid2 clients are blocked from http connections to all domains except allowed ones, but if they try e.g. google or facebook etc. using https they get access, and the reason I can't block port 443 is because a few of the allowed domains only work on port 443, so I need to keep that open. I just need a way to filter https domains as well.

                                            marcelloc

                                            @xbipin:

                                            Currently on squid2 clients are blocked from http connections to all domains except allowed ones, but if they try e.g. google or facebook etc. using https they get access, and the reason I can't block port 443 is because a few of the allowed domains only work on port 443, so I need to keep that open. I just need a way to filter https domains as well.

                                            You can use squid3-dev to transparently filter SSL and whitelist the domains you allow.
                                            Sites/domains in the whitelist do not get intercepted by SSL.
                                            All other non-allowed domains will trigger a certificate alert and then show the squidguard block page.
