Netgate Discussion Forum

    SSL filtering transparent and non-transparent

      marcelloc

      @xbipin:

      Correct me if I'm wrong

      • go to the CAs section and generate a new CA as create an internal CA (will any settings do or some specific settings only)

      Yes, internal CA or import existing CA used on your AD or something else

      @xbipin:

      • once done export that CA and use in client

      Yes, download the CA CRT file and then import it into Internet Explorer and Firefox as a trusted CA.

      Elite Trainings: http://sys-squad.com

      Help a community developer! ;D

        xbipin

        I installed squid3-dev and imported those library files manually and squid started fine. Then I tried installing squidguard and it would always end up in errors and crashes and crash dumps generated, so I rebooted the box and then it totally broke and I kept getting the below errors. I had to factory reset and restore my old config. Can you check what's the issue?

        Fatal error: Cannot use string offset as an array in /usr/local/pkg/squid.inc on line 1977

        Fatal error: Cannot use string offset as an array in /usr/local/pkg/squidguard.inc on line 1009
        
          marcelloc

          If you are on 2.0.3, try this squid 3.3.5 from my repo.

          amd64
          http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.5.tbz

          i386
          http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbz

          Always after a squidguard install, you need to reinstall squid3/squid3-dev.

            xbipin

            I'm on 2.1 RC0

              marcelloc

              @xbipin:

              I'm on 2.1 RC0

              I'm waiting for this FreeBSD port update to ask for another PBI compilation.

              The current squid 3.3.4 version without a specific patch crashes SSL negotiation on the OpenSSL version used on 2.1 RC0.

              3.3.4 patched and 3.3.5 do not have this bug.

                ncolunga

                I add 0,25 BTC to the bounty.

                  marcelloc

                  @ncolunga:

                  I add 0,25 BTC to the bounty.

                  Thanks! ;D

                  You can send it to my paypal account marcellocoutinho@gmail.com

                    xbipin

                    any news on when the port will be compiled with the necessary lib files and created into a pfsense downloadable package?

                      marcelloc

                      @xbipin:

                      any news on when the port will be compiled with the necessary lib files and created into a pfsense downloadable package?

                      ~~Squid 3.3.5 is still pending on FreeBSD ports. I've sent the update but it was forwarded to the FreeBSD package maintainer.

                      After it is on FreeBSD ports, I'll ask for another compile and maybe remove sasl auth so as not to require libs that are not on the pfSense install.~~

                      EDIT

                      It was updated yesterday.  :)

                      I'll ask another compile run.

                        davidjtsteele

                        Apparently, it may have been pulled off of the site, you must have transparental rights in order to get the ssl filter.

                          marcelloc

                          squid 3.3.5 is on official repo.

                          Missing libs are still missing, and on 2.0.3 you need to enable IPv6 for squid to be able to listen on its ports.

                            shawniverson

                            $100 from here.  Looking for a new content filtering solution and ssl filtering is a must.

                              vreid473

                              I want to make sure I'm understanding how the ssl filtering works with squid + squidguard.  Here's what I've understood so far.  Please correct me if I have some of the points incorrect.  In particular, I am unclear about my numbers 2, 3, and the level of intrusiveness of https decryption in 4.

                              1.  You need squid3 + squidguard + some additional manual packages to install the software framework to get ssl filtering working
                              2.  You need a real ssl certificate (versus self-signed) to install on the pfsense host to be able to get ssl filtering functionality to work correctly without throwing error messages on the client browsers??
                              3.  Do you also need to install the ssl certificate in #2 onto each host that will be filtered onto each client browser as a trusted certificate??
                              4.  Once the items above have been configured, then squid + squidguard will decrypt the https traffic, scan the contents for url + any content that may need a rewrite, and then block or allow the traffic and/or make the required rewrites.  In either case I am understanding that all of the https content gets decrypted, not just the destination data/header.

                              Thanks

                                marcelloc

                                @vreid473:

                                2.  You need a real ssl certificate (versus self-signed) to install on the pfsense host to be able to get ssl filtering functionality to work correctly without throwing error messages on the client browsers??

                                You need an internal CA certificate, not just a site certificate.

                                @vreid473:

                                3.  Do you also need to install the ssl certificate in #2 onto each host that will be filtered onto each client browser as a trusted certificate??

                                As a trusted certificate authority (CA), so any certificate that squid creates using the configured CA will be trusted by the client's browser.

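The trust relationship described in the answer above, as an added example that is not part of the original thread and is not squid's own code: the `openssl` CLI stands in for the proxy minting a per-host certificate, and a client accepts it only when the issuer is a real CA certificate that the client has imported. All names (`Demo Internal CA`, `proxy.example.test`, `www.example.test`) and the helper functions are constructed for the demo.

```shell
#!/bin/sh
# Added example; all names (Demo Internal CA, *.example.test) are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# write_cnf NAME CN CA_FLAG: minimal config, independent of the system openssl.cnf
write_cnf() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n' > "$WORK/$1.cnf"
  printf '[dn]\nCN=%s\n[ext]\nbasicConstraints=critical,CA:%s\n' "$2" "$3" >> "$WORK/$1.cnf"
}

# make_selfsigned NAME CN CA_FLAG: self-signed certificate and key in $WORK
make_selfsigned() {
  write_cnf "$1" "$2" "$3"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# mint_leaf ISSUER HOST: stand-in for the proxy minting a certificate for HOST,
# signed with ISSUER's key; the result is $WORK/HOST-by-ISSUER.crt
mint_leaf() {
  write_cnf "$2" "$2" FALSE
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$2.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 7 -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2-by-$1.crt" 2>/dev/null
}

# trusts ANCHOR CERT: succeeds if a client whose imported trust anchor is ANCHOR accepts CERT
trusts() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_selfsigned ca    "Demo Internal CA"   TRUE   # internal CA configured on the proxy
make_selfsigned site  "proxy.example.test" FALSE  # ordinary self-signed site certificate
make_selfsigned other "Unrelated CA"       TRUE   # client that never imported ca.crt
mint_leaf ca   www.example.test
mint_leaf site www.example.test

for pair in "ca www.example.test-by-ca" "other www.example.test-by-ca" \
            "site www.example.test-by-site"; do
  set -- $pair
  if trusts "$1" "$2"; then echo "anchor=$1 cert=$2: accepted"
  else echo "anchor=$1 cert=$2: rejected"; fi
done
```

Only the first case is accepted: the second models a browser that has not imported the internal CA, and the third a site certificate used as the signer, which fails verification even when the client trusts it.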
                                  bilbo

                                  Is there a pfsense version of DG that supports this yet?

                                    marcelloc

                                    @bilbo:

                                    Is there a pfsense version of DG that supports this yet?

                                    Not yet. Dansguardian code has not been updated for a while on SourceForge.

                                      ncolunga

                                      Does this work properly on the squid 3.1.20 pkg 2.0.6 version available to pfsense 2.1 at this moment?

                                      Thank you.

                                        marcelloc

                                        No, just on squid3-dev

                                          ncolunga

                                          Thank you.

                                          I will try to configure it on the dev version then.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.