Netgate Discussion Forum

DansGuardian + SSL

  • C Offline
    clauded1
    last edited by Aug 6, 2013, 7:26 PM

    I'm testing DansGuardian 2.12 with Squid 3.1 on pfSense 2.1 RC1. The setup is working fine for HTTP. Now I'm trying to enable HTTPS filtering with DansGuardian without success.

    In DG, I installed a certificate for the option "SSL man in the middle Filtering" and selected "Filter ssl sites forging ssl certificates" in DG group option.

    I also added a NAT rule like this:

    LAN TCP LAN net * ! 192.168.1.1 443 (HTTPS) 192.168.1.1 8080

    When opening a https site I get this error in the browser: ssl_error_rx_record_too_long

    Any ideas how to make it work?

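An added example, not part of the original post or of any pfSense or DansGuardian code: it shows why a browser reports `ssl_error_rx_record_too_long` when its TLS connection lands on a listener that answers in plain HTTP. It assumes the listener on port 8080 replied in cleartext, which the thread does not confirm; the sample bytes are constructed.

```python
import struct

# TLS record layer limit (RFC 5246, section 6.2.3): ciphertext <= 2^14 + 2048 bytes
MAX_TLS_RECORD = 2**14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HTTP_PREFIXES = (b"HTTP/", b"GET ", b"POST ", b"HEAD ", b"CONNECT ", b"PUT ")


def parse_record_header(data: bytes) -> dict:
    """Read the first 5 bytes the way a TLS peer does: type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": TLS_CONTENT_TYPES.get(ctype, f"unknown(0x{ctype:02x})"),
        "version": (major, minor),
        "length": length,
        "too_long": length > MAX_TLS_RECORD,
    }


def classify_first_bytes(data: bytes) -> str:
    """Tell whether the first bytes seen on a port look like TLS or plain HTTP."""
    if data.startswith(HTTP_PREFIXES):
        return "plaintext-http"
    hdr = parse_record_header(data)
    if (hdr["content_type"].startswith("unknown")
            or hdr["version"][0] != 3 or hdr["too_long"]):
        return "unknown"
    return "tls"


# Constructed samples (not captured from the poster's firewall).
PROXY_REPLY = b"HTTP/1.0 400 Bad Request\r\n\r\n"         # cleartext listener answering
CLIENT_HELLO = bytes.fromhex("16030100c8") + b"\x01" * 8  # start of a browser's handshake

if __name__ == "__main__":
    for name, sample in (("proxy reply", PROXY_REPLY), ("client hello", CLIENT_HELLO)):
        # "HTTP/" read as a record header gives length 0x502F = 20527 > 18432
        print(name, classify_first_bytes(sample), parse_record_header(sample))
```

Read as a record header, the ASCII bytes `HTTP/` give a length of 20527, above the 18432-byte limit, so the browser rejects the "record" before it ever looks at a certificate.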
    • M Offline
      marcelloc
      last edited by Aug 8, 2013, 4:02 AM

      The ssl filtering feature is not complete on dansguardian 2.12 alpha code.

      You will find a working ssl filtering feature on squid3-dev package but please read the forum topic first to get required missing libs from so.

      Elite training courses: http://sys-squad.com

      Help a community developer! ;D

      • B Offline
        bilbo
        last edited by Oct 30, 2013, 6:41 PM

        @marcelloc:

        The ssl filtering feature is not complete on dansguardian 2.12 alpha code.

        You will find a working ssl filtering feature on squid3-dev package but please read the forum topic first to get required missing libs from so.

        Does this mean that at present it is not possible to content filter ssl traffic? Only URL filter ssl addresses with squid3 and squid guard?

        Or can squid 3 dev man in the middle ssl be used in conjunction with Dansguardian to content filter the actual page content of ssl traffic? If so, how?

        • S Offline
          serialdie
          last edited by Oct 30, 2013, 7:48 PM

          I am interested in this setup as well.

          • N Offline
            Nachtfalke
            last edited by Oct 30, 2013, 7:56 PM

            squid3-dev can do SSL filtering. The thread is here:
            http://forum.pfsense.org/index.php/topic,62256.0.html

            So if squid can intercept the SSL traffic it should be no problem to filter it with squidguard or dansguardian. I am not using dansguardian.

            • B Offline
              bilbo
              last edited by Oct 30, 2013, 8:41 PM

              Thanks for the reply, I have actually got the squid proxy ssl bit working and the certificate installed on the kids' iPod etc and that works. I just don't know how to then feed the unencrypted traffic into dansguardian.

              The way that dansguardian package setup specifies setup is to forward all http port 80 traffic to the DG port 8080 which then gets passed to the squid proxy. Wouldn't the traffic need to be directed to squid first?

              • S Offline
                serialdie
                last edited by Oct 31, 2013, 2:54 AM

                @bilbo:

                Thanks for the reply, I have actually got the squid proxy ssl bit working and the certificate installed on the kids' iPod etc and that works. I just don't know how to then feed the unencrypted traffic into dansguardian.

                The way that dansguardian package setup specifies setup is to forward all http port 80 traffic to the DG port 8080 which then gets passed to the squid proxy. Wouldn't the traffic need to be directed to squid first?

                I think the same logic applies. You will have to send the unencrypted tunnel back to Dansguardian via 8080.
                I am going to try this over the weekend.

                • B Offline
                  bilbo
                  last edited by Oct 31, 2013, 11:08 AM

                  So traffic would have to go Lan > DG > Squid Unencrypted > DG > Squid Re encrypted > Internet

                  or Squid > DG > Squid > Internet?

                  How do you plan to attempt it? Let me know how you get on.

                  • S Offline
                    serialdie
                    last edited by Oct 31, 2013, 1:09 PM Oct 31, 2013, 1:08 PM

                    @bilbo:

                    So traffic would have to go Lan > DG > Squid Unencrypted > DG > Squid Re encrypted > Internet

                    or Squid > DG > Squid > Internet?

                    How do you plan to attempt it? Let me know how you get on.

                    That's simple. It must go from WAN -> LAN -> Squid -> Dansguardian -> User. And back out uses the same logic.

                    User -> LAN -> Squid -> Dansguardian -> WAN

                    • B Offline
                      bilbo
                      last edited by Oct 31, 2013, 9:22 PM

                      With that setup the proxy doesn't intercept the ssl for me.

                      Browser <=> DG (8080) <=> (3128) Squid <=> Internet

                      In my mind it should be

                                   DansGuardian
                                    ^    ¦¦
                                    ¦¦    v
                      Browser <=>  Squid Proxy  <=> Internet

                      No idea how to do that as a total newb to this.

                      • P Offline
                        Pr0xiMUS
                        last edited by Nov 16, 2013, 7:55 PM

                        Any news or success with this? My current configuration is:

                        • HTTP traffic: browser -> DG (8080) -> squid (3128) -> net

                        • HTTPS traffic: browser -> squid transparent 443 -> net

                        How to feed DansGuardian after squid SSL man in the middle proxy?
