Squid vs. pfBlocker For Content Blocking
-
Hello, all!
After spending many, many hours with Squid to come up with a workable solution without needing to go to each individual user's computer and configure them all separately, I am now considering other options…
I am working at a low-budget mission school, and my current task is to set up web blocking.
My one hurdle is HTTPS blocking. I finally managed to get it blocking HTTPS, but there's that little thing about certificate errors... That can't be happening here. I am needing to figure out some other solution for it.
I tried pfBlocker a few days ago, and it seemed to do what I need to do... I asked on another forum whether there was any problem with using pfBlocker for content blocking, but nobody addressed my question (they all just went off on tangents, recommending other solutions that would not work in our situation (such as OpenDNS)).
It looks like the main limitation of pfBlocker is that there aren't as many block categories (due to the variety of block lists). Are there any other problems with it? I may just try using it for HTTPS blocking, and Squidguard for HTTP blocking.
Thanks!
ElectroPulse
-
Hi,
you said you got it working with squid to block http and https without any configuration on the client, right?
So you are running squid3 in transparent mode, right? If this is the case, you just have to place the CA in the browser's certificate store so that the users will not get any certificate warning when browsing an https website.
SquidGuard is ideal for blocking URLs and there are many blacklists on the web with many different categories. This is the way you should go.
pfBlocker is more for blocking IP ranges or countries but not for special sites.
What you can do, if you just want to block some sites, is create a Host-Alias. There you can put in some domains which should be blocked. But be careful, you need to add subdomains, too.
-
Thank you for the reply!
Yes, I believe it's set up as transparent… Still not ENTIRELY sure of the definition of the term (the intercept HTTPS/SSL checkbox is how I am doing it).
The problem with having to put the cert in the browser's certificate store, is that for every new HTTPS website they visit, they get that. And if they're using IE, it doesn't even give them an option to add it.
Also, another problem with it: We are wanting Facebook unblocked at certain times of the day. The problem is, when it's unblocked, the CSS is stripped from the website if it's being viewed in Firefox or Google Chrome. Only IE still keeps the correct formatting for the website (and it's the only one that makes you click through the warning every time, and makes the URL bar red). Any idea what's up with this?
Another thing I don't like about it... For bank websites and other things that the users really should have secure, there's no way for the end user to tell the difference between the Squid and a man-in-the-middle attack without reading the certificate, is there? I can guarantee most of the people here won't read the certificate to determine whether it's legit or not... And since Squid looks at all HTTPS traffic, it isn't just the sites that need blocked that get the certificate error, unfortunately...
-
Hi,
"transparent" and "intercept" are the same. But on the squid3 GUI you set a CA cert. This CA cert must be in the trusted browser store and then there shouldn't be any warning for https websites anymore. For IE this should be easy as far as I know. That's something I read here in the forum - I never used this until now because of lack of time.
If you do not want to filter banking websites, you can try to put these sites into a Host alias and put this alias into the "bypass for these destination IPs".
For blocking websites you can use SquidGuard and select time rules. So block websites in general and allow/whitelist Facebook for certain times.
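
The time-rule approach suggested above, written out as an added example that is not part of the original post: a squidGuard configuration sketch that blocks a social category by default and lets it through during one window. The category names, paths, subnet, times and redirect URL are all assumptions for illustration; the pfSense package writes its own squidGuard configuration from the GUI, so this only shows the shape of the underlying rules.

```conf
# Constructed sketch of a squidGuard.conf. Every name, path, address and
# time below is an assumption chosen for illustration.
dbhome /var/db/squidGuard
logdir /var/log/squidGuard

# Window in which the social category is allowed: weekdays over lunch.
time facebook_hours {
    weekly mtwhf 12:00 - 13:00
}

# Client machines this policy applies to.
src students {
    ip 192.168.10.0/24
}

# A domainlist entry matches the domain and its subdomains, so a line
# "facebook.com" in social/domains also covers www.facebook.com.
dest social {
    domainlist social/domains
    redirect   http://filter.example.lan/blocked.html
}

# Category that stays blocked at all times.
dest adult {
    domainlist adult/domains
    redirect   http://filter.example.lan/blocked.html
}

acl {
    # Inside the window only the always-blocked category is denied;
    # outside it the social category is denied as well.
    students within facebook_hours {
        pass !adult any
    } else {
        pass !social !adult any
    }

    # Clients that match no src block get nothing.
    default {
        pass     none
        redirect http://filter.example.lan/blocked.html
    }
}
```

squidGuard only sees requests that Squid handles, so destinations exempted through the bypass list are not subject to these rules.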
-
Hi.
We have 300 PCs and 15 access points for Wi-Fi in our college, all connected to the internet, so I installed pfSense 2.4.2 in Hyper-V. I need your help in configuring SquidGuard and pfBlocker to control Internet access. Please share the procedure you followed in your configuration. My mail ID is sysadmin@gcrjy.ac.in