Netgate Discussion Forum

    DansGuardian + SSL

    pfSense Packages
    11 Posts 6 Posters 14.5k Views
      clauded1

      I'm testing DansGuardian 2.12 with Squid 3.1 on pfSense 2.1 RC1. The setup is working fine for HTTP. Now I'm trying to enable HTTPS filtering with DansGuardian without success.

      In DG, I installed a certificate for the option "SSL man in the middle Filtering" and selected "Filter ssl sites forging ssl certificates" in DG group option.

      I also added a NAT rule like this:

      LAN TCP LAN net * ! 192.168.1.1 443 (HTTPS) 192.168.1.1 8080

      When opening a https site I get this error in the browser: ssl_error_rx_record_too_long

      Any ideas how to make it work?

        marcelloc

        The ssl filtering feature is not complete on dansguardian 2.12 alpha code.

        You will find a working ssl filtering feature on squid3-dev package but please read the forum topic first to get required missing libs from so.

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

          bilbo

          @marcelloc:

          The ssl filtering feature is not complete on dansguardian 2.12 alpha code.

          You will find a working ssl filtering feature on squid3-dev package but please read the forum topic first to get required missing libs from so.

          Does this mean that at present it is not possible to content filter ssl traffic? Only URL filter ssl addresses with squid3 and squid guard?

          Or can squid 3 dev man in the middle ssl be used in conjunction with Dansguardian to content filter the actual page content of ssl traffic? If so, how?

            serialdie

            I am interested in this setup as well.

              Nachtfalke

              squid3-dev can do SSL filtering. The thread is here:
              http://forum.pfsense.org/index.php/topic,62256.0.html

              So if squid can intercept the SSL traffic it should be no problem to filter it with squidguard or dansguardian. I am not using dansguardian.

                bilbo

                Thanks for the reply, I have actually got the squid proxy ssl bit working and the certificate installed on the kids' iPod etc and that works. I just don't know how to then feed the unencrypted traffic into dansguardian.

                The way that dansguardian package setup specifies setup is to forward all http port 80 traffic to the DG port 8080 which then gets passed to the squid proxy. Wouldn't the traffic need to be directed to squid first?

                  serialdie

                  @bilbo:

                  Thanks for the reply, I have actually got the squid proxy ssl bit working and the certificate installed on the kids' iPod etc and that works. I just don't know how to then feed the unencrypted traffic into dansguardian.

                  The way that dansguardian package setup specifies setup is to forward all http port 80 traffic to the DG port 8080 which then gets passed to the squid proxy. Wouldn't the traffic need to be directed to squid first?

                  I think the same logic applies. You will have to send the unencrypted tunnel back to Dansguardian via 8080.
                  I am going to try this over the weekend.

                    bilbo

                    So traffic would have to go LAN > DG > Squid Unencrypted > DG > Squid Re-encrypted > Internet

                    or Squid > DG > Squid > Internet?

                    How do you plan to attempt it? Let me know how you get on.

                      serialdie

                      @bilbo:

                      So traffic would have to go LAN > DG > Squid Unencrypted > DG > Squid Re-encrypted > Internet

                      or Squid > DG > Squid > Internet?

                      How do you plan to attempt it? Let me know how you get on.

                      That's simple. It must go from WAN -> LAN -> Squid -> Dansguardian -> User. And back out uses the same logic.

                      User -> LAN -> Squid -> Dansguardian -> WAN

                        bilbo

                        With that setup the proxy doesn't intercept the ssl for me.

                        Browser <=> DG (8080) <=> (3128) Squid <=> Internet

                        In my mind it should be

                                     DansGuardian
                                        ^    ¦¦
                                        ¦¦    v
                        Browser <=>  Squid Proxy  <=> Internet

                        No idea how to do that as a total newb to this.

                          Pr0xiMUS

                          Any news or success with this? My current configuration is:

                          • HTTP traffic: browser -> DG (8080) -> squid (3128) -> net

                          • HTTPS traffic: browser -> squid transparent 443 -> net

                          How to feed DansGuardian after squid SSL man in the middle proxy?
