Ssl filtering transparent and non-transparent
-
i tried on a remote nanobsd test box and after configuring squid3-devl, it doesnt start the service and ig et this error in system log
May 23 13:25:11 php: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '/libexec/ld-elf.so.1: Shared object "libgssapi.so.10" not found, required by "squid"'
-
Sasl needs some extra limbs from FreeBSD that is not included on pfsense.
You can fetch it from any 8.1 FreeBSD or from my personal repo
http://e-sac.siteseguro.ws/pfsense/8/All/ldd
-
Additional info can be found here
http://forum.pfsense.org/index.php/topic,62256.0.html
-
can u add it to the package itself so my client can simply install it and get going rather than doing it manually?
-
can u add it to the package itself so my client can simply install it and get going rather than doing it manually?
Unfortunately no :(
I can only point package files to binaries on official repo.
I'll ping jimp again to put it on files.pfsense.org.
I can send you a patch/script that download all required missing libs.
Then you paste it on command prompt. -
try if jimp can do that if not then ill do it manually so send me that script
-
try if jimp can do that if not then ill do it manually so send me that script
i386
fetch -o /usr/local/lib/libasn1.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10 fetch -o /usr/local/lib/libgssapi.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10 fetch -o /usr/local/lib/libheimntlm.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10 fetch -o /usr/local/lib/libhx509.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10 fetch -o /usr/local/lib/libkrb5.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10 fetch -o /usr/local/lib/libroken.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10
amd64
fetch -o /usr/local/lib/libasn1.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10 fetch -o /usr/local/lib/libgssapi.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10 fetch -o /usr/local/lib/libheimntlm.so.10 http://e-sac.siteseguro.ws/pfsense/amd64/8/All/ldd/libheimntlm.so.10 fetch -o /usr/local/lib/libhx509.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10 fetch -o /usr/local/lib/libkrb5.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10 fetch -o /usr/local/lib/libroken.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10
-
for SSL filtering does it need to be a genuine certificate or a self signed certificate will do?
-
for SSL filtering does it need to be a genuine certificate or a self signed certificate will do?
You need a CA for that.
To do not alert each ssl site filtered, you need to install CA crt on each client.
-
i didnt understand that but what i need it to do is i want to block access to all sites, http and https and only allow the listed ones using squid and squidguard. the ones allowed are a few http and few https and i dont want to go about installing anything extra on client machines, is this possible?
-
The ones allowed are a few http and few https and i dont want to go about installing anything extra on client machines, is this possible?
On current stable package(squid2 + squidguard), if you block domains and not urls and has clients browsers with proxy settings, then you can show squidguard error.
ssl_filtering from current squid-dev includes squidguard error message on
-
transparente ssl connections using domains or urls acls
-
non-transparent mode using url acls
With CA CRT installed on clients, you do not have Browsers cert alerts.
-
-
basically im just blocking all domains by default and allowing the ones listed in transparent mode, i dont want it to do any content filtering, its just u block all and allow the listed and for the allowed ones u dont filter or restrict, full access.
currently on squid2 i allow domains and urls and its in transparent mode with no client side config and i squidguard gives errors as required but the problem is it does to port 80 only which is http, all i need is same but for port 443 (https) as well coz other than that all other ports r blocked for client using firewall rules
-
so is this possible in squi2 or squid3-dev
- transparent mode
- when user goes to any https site, check its domain, if allowed then allow it direct connection or through squid, if denied then block connection and/or give error message
- no client side config
currently on squid2 clients r blocked http connections to all domains except allowed ones but if they try like google or facebook etc using https they get access and the reason i cant block port 443 because few of the allowed domains only work on port 443 so i need to keep that open, jsut need a way to filter https domains as well
-
currently on squid2 clients r blocked http connections to all domains except allowed ones but if they try like google or facebook etc using https they get access and the reason i cant block port 443 because few of the allowed domains only work on port 443 so i need to keep that open, jsut need a way to filter https domains as well
You can use squid3-dev to transparent filter ssl and whitelist domains you allow.
sites/domains in whitelist does not get intercepted by ssl.
all other non allowed domains will alert certificate and then show squidguard block page. -
but then i got 2 groups on lan clients, one with limited access and the second with full access to the internet and squidguard checks which group client belongs to and then does the appropriate thing, the unrestricted clients just are allowed everything in which case their traffic need not be intercepted, only the ones that are restricted should be
-
currently on squid2 clients r blocked http connections to all domains except allowed ones but if they try like google or facebook etc using https they get access and the reason i cant block port 443 because few of the allowed domains only work on port 443 so i need to keep that open, jsut need a way to filter https domains as well
You can use squid3-dev to transparent filter ssl and whitelist domains you allow.
sites/domains in whitelist does not get intercepted by ssl.
all other non allowed domains will alert certificate and then show squidguard block page.can u elaborate on how the CA etc stuff needs to be configured and what is to be exported to client PC?
correct me if im wrong
- goto CAs section and generate a new CA as create an internal CA (will any settings do or some specific settings only)
- once done export that CA and use in client
-
correct me if im wrong
- goto CAs section and generate a new CA as create an internal CA (will any settings do or some specific settings only)
Yes, internal CA or import existing CA used on you AD or something else
- once done export that CA and use in client
yes, Download CA CRT file and then import on internet explorer and firefox as a trusted ca.
-
i installed squid3-dev and imported those library files manually and squid started fine, then i tried installing squidguard and it would always end up in errors and crashes and crash dumps generated so ir ebooted the box and then it totally broke and i kept getting the below errors, had to factory reset and restore my old config, can u check whats the issue
Fatal error: Cannot use string offset as an array in /usr/local/pkg/squid.inc on line 1977 Fatal error: Cannot use string offset as an array in /usr/local/pkg/squidguard.i nc on line 1009
-
If you are on 2.0.3, try this squid 3.3.5 from my repo.
amd64
http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.5.tbzi386
http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbzalways after squidguard install, you need to reinstall squid3/squid3-dev
-
im on 2.1 RC0