Ssl filtering transparent and non-transparent

davidjtsteele

Apparently, it may of been pulled off of the site, you must have transparental rights in order to get the ssl filter.

marcelloc

squid 3.3.5 is on official repo.

Missing libs are still missing and on 2.0.3 you need to enable ipv6 to squid be able to listen on it's ports.

shawniverson

$100 from here.  Looking for a new content filtering solution and ssl filtering is a must.

vreid473

I want to make sure I'm understanding how the ssl filtering works with squid + squidguard.  Here's what I've understood so far.  Please correct me if I have some of the points incorrect.  In particular, I am unclear about my numbers 2, 3, and the level of intrusiveness of https decryption in 4.

1.  You need squid3 + squidguard + some additional manual packages to install the software framework to get ssl filtering working
2.  You need a real ssl certificate (versus self-signed) to install on the pfsense host to be able to get ssl filtering functionality to work correctly without throwing error messages on the client browsers??
3.  Do you also need to install the ssl certificate in #2 onto each host that will be filtered onto each client browser as a trusted certificate??
4.  Once the items above have been configured, then squid + squidquard will decrypt the https traffic, scan the contents for url + any content that may need a rewrite, and then block or allow the traffic and/or make the required rewrites.  In either case I am understanding that all of the https content gets decrypted, not just the destination data/header.

Thanks

marcelloc

@vreid473:

2.  You need a real ssl certificate (versus self-signed) to install on the pfsense host to be able to get ssl filtering functionality to work correctly without throwing error messages on the client browsers??

You need an interal CA certificate, not just a site certificate.

@vreid473:

3.  Do you also need to install the ssl certificate in #2 onto each host that will be filtered onto each client browser as a trusted certificate??

As a trusted certificate authority(CA) so any certificate that squid creates using configure CA will be trusted by client's browser

bilbo

Is there a pfsense version of DG that supports this yet?

marcelloc

@bilbo:

Is there a pfsense version of DG that supports this yet?

not yet. Dansguardian code is not being updated for a while on sourceforge.

ncolunga

¿Does this work properly on the squid 3.1.20 pkg 2.0.6 version available to pfsense 2.1 at this moment?

Thank you.

marcelloc

No, just on squid3-dev

ncolunga

Thank you.

I will try to configure it on the dev version then.