Netgate Discussion Forum
Blocking HTTPS and Streaming

pfSense Packages
11 Posts 7 Posters 2.3k Views

agixdota:

Try non-transparent mode ;D

finalcut:

squid3-dev with certificate

AMD_infinium05:

@agixdota:

Try non-transparent mode ;D

How is that supposed to work? Transparent mode is necessary so all HTTP traffic goes through the proxy.

@finalcut:

squid3-dev with certificate

What additional configuration do I have to work on with that?

KOM:

You can manually configure each of your clients to use the proxy if you don't want transparent mode, but that can be a real hassle if you have more than a few clients.

You need to generate a pfSense CA certificate and install it on each of your clients. This is the part I'm working on and struggling with.

rjcrowder:

@KOM:

You can manually configure each of your clients to use the proxy if you don't want transparent mode, but that can be a real hassle if you have more than a few clients.

You can use a WPAD file if your clients correctly support auto-detection of the proxy.

@KOM:

You need to generate a pfSense CA certificate and install it on each of your clients. This is the part I'm working on and struggling with.

This depends… if you want to filter based on the content of the HTTPS traffic then you will be a "man in the middle" and have to create the certs. If you just want to redirect HTTPS traffic to Squid or DansGuardian and filter by the URL, then you don't need the cert...

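
Added example, not code from the thread, pfSense or Squid: a minimal PAC file of the kind a WPAD setup serves, to show what the proxy auto-detection mentioned above actually hands the browser. Every name and address in it is an assumption: the proxy is pfSense at 192.168.1.1 with Squid listening on 3128, the internal domain is corp.example, and the LAN is 192.168.1.0/24. A browser provides isPlainHostName, dnsDomainIs and isInNet itself; the shims at the bottom exist only so the file can be run and checked under Node (the browser's isInNet would also resolve a hostname first, the shim accepts IPv4 literals only).

```javascript
// Added example: WPAD/PAC file for the explicit-proxy setup discussed above.
// Assumed (not from the thread): pfSense at 192.168.1.1 running Squid on
// port 3128, internal domain corp.example, LAN 192.168.1.0/24.
var PROXY = "PROXY 192.168.1.1:3128";

// Browsers call this for every request (url is the full URL, host the
// hostname part) and use the returned string to pick the route.
function FindProxyForURL(url, host) {
  // Unqualified names and the internal domain never leave the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Literal LAN addresses go direct as well.
  if (isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Everything else, HTTPS included, goes to Squid.  For https:// the browser
  // sends "CONNECT host:443" to the proxy, so the proxy sees the hostname
  // without intercepting TLS.  No "; DIRECT" fallback is appended on purpose:
  // with one, clients would silently bypass the filter whenever the proxy
  // is down.
  return PROXY;
}

// --- shims: browsers provide these natively; defined here only so the file
// can be exercised under Node.  isInNet() handles IPv4 literals only (the
// browser's version would also resolve a hostname first).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(host.length - domain.length) === domain;
}
function ipv4ToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var parts = m.slice(1).map(Number);
  if (parts.some(function (p) { return p > 255; })) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}
function isInNet(host, net, mask) {
  var h = ipv4ToInt(host), n = ipv4ToInt(net), m = ipv4ToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}
```

Serve the file as wpad.dat with Content-Type application/x-ns-proxy-autoconfig and point clients at it with DHCP option 252 or a wpad.<domain> DNS name. Whoever answers for that name decides every client's proxy, so make sure no ordinary user on the network can register a host called wpad.
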
KOM:

I thought that you had to use certs for anything to do with SSL. The way it was explained to me, the SSL layer in the browser opens an encrypted tunnel directly to the server IP, and by the time it gets to Squid the original URL and domain are unknown, only the IP address. People used to keep updated IP address lists for Facebook, Gmail, etc to get around this.

dgcom:

@KOM:

I thought that you had to use certs for anything to do with SSL. The way it was explained to me, the SSL layer in the browser opens an encrypted tunnel directly to the server IP, and by the time it gets to Squid the original URL and domain are unknown, only the IP address.

If you use a non-transparent proxy, the browser will ask the proxy to resolve the hostname, and that's where you can filter it out.
Sometimes, internal clients can't resolve any external names at all; everything has to go through the proxy. This, of course, breaks all protocols which the proxy does not support.

DG

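
Added example, not code from the thread, pfSense or Squid, covering both rjcrowder's point that HTTPS can be filtered by name without a certificate on the clients and dgcom's point that with an explicit proxy the browser hands the proxy the hostname. It goes one step beyond the thread: in transparent mode the interceptor sees only a TCP stream to an IP, but the first bytes of that stream are a TLS ClientHello whose Server Name Indication extension (RFC 6066) carries the hostname in the clear, so the same name-based decision is possible there too. The blocklist, the CONNECT line and the ClientHello are constructed for the example; hostFromConnect, sniFromClientHello, decide and buildClientHello are names chosen here. Caveats: either way you get the hostname only, never the URL path (that needs the man-in-the-middle setup); a client may omit SNI or connect to a literal IP; and SNI is in the clear only as long as the client does not use Encrypted Client Hello.

```javascript
// Added example (not from the thread, pfSense or Squid): how a proxy gets the
// hostname of an HTTPS connection in the two modes discussed above.
//   explicit proxy   -> the browser's first line is "CONNECT host:443 HTTP/1.1"
//   transparent mode -> the proxy only sees a TCP stream to an IP, but the
//                       first bytes are a TLS ClientHello whose Server Name
//                       Indication (SNI) extension carries the hostname in
//                       the clear (RFC 6066)
// The blocklist and the ClientHello below are constructed for the example.

const BLOCKLIST = ["youtube.com", "netflix.com"];   // assumed policy

// Explicit proxy: "CONNECT www.example.com:443 HTTP/1.1" -> "www.example.com"
function hostFromConnect(requestLine) {
  const m = /^CONNECT\s+([^\s:]+)(?::\d+)?\s+HTTP\/1\.[01]\s*$/i.exec(requestLine);
  return m ? m[1].toLowerCase() : null;
}

// Transparent mode: pull host_name out of a raw TLS ClientHello record.
// Returns null for anything that is not a complete ClientHello with SNI
// (old client, connection to a literal IP, non-TLS traffic).
function sniFromClientHello(buf) {
  if (buf.length < 5 || buf[0] !== 0x16) return null;       // record type: handshake
  const recLen = buf.readUInt16BE(3);
  if (buf.length < 5 + recLen) return null;                  // need the whole record
  let p = 5;
  if (buf[p] !== 0x01) return null;                          // handshake type: ClientHello
  const end = p + 4 + buf.readUIntBE(p + 1, 3);
  if (end > 5 + recLen) return null;
  p += 4 + 2 + 32;                                           // header, version, random
  if (p >= end) return null;
  p += 1 + buf[p];                                           // session_id
  if (p + 2 > end) return null;
  p += 2 + buf.readUInt16BE(p);                              // cipher_suites
  if (p + 1 > end) return null;
  p += 1 + buf[p];                                           // compression_methods
  if (p + 2 > end) return null;                              // no extensions at all
  const extEnd = p + 2 + buf.readUInt16BE(p);
  if (extEnd > end) return null;
  p += 2;
  while (p + 4 <= extEnd) {
    const type = buf.readUInt16BE(p), len = buf.readUInt16BE(p + 2);
    p += 4;
    if (p + len > extEnd) return null;
    if (type === 0x0000) {                                   // server_name
      let q = p + 2;                                         // skip list length
      const listEnd = p + len;
      while (q + 3 <= listEnd) {
        const nameType = buf[q], nameLen = buf.readUInt16BE(q + 1);
        q += 3;
        if (q + nameLen > listEnd) return null;
        if (nameType === 0) return buf.toString("ascii", q, q + nameLen).toLowerCase();
        q += nameLen;
      }
      return null;
    }
    p += len;
  }
  return null;
}

// Policy: block the domain and its subdomains.  A connection with no name to
// filter on is blocked too (fail closed); otherwise omitting SNI would be an
// easy way around the filter.
function decide(host) {
  if (host === null) return "block";
  return BLOCKLIST.some(d => host === d || host.endsWith("." + d)) ? "block" : "allow";
}

// Build a minimal TLS 1.2 ClientHello carrying the given SNI, so the parser
// can be exercised offline.  Constructed, not captured.
function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; }
function u24(n) { const b = Buffer.alloc(3); b.writeUIntBE(n, 0, 3); return b; }
function buildClientHello(host) {
  const name = Buffer.from(host, "ascii");
  const entry = Buffer.concat([Buffer.from([0x00]), u16(name.length), name]);
  const list = Buffer.concat([u16(entry.length), entry]);
  const sniExt = Buffer.concat([u16(0x0000), u16(list.length), list]);
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),                 // client_version TLS 1.2
    Buffer.alloc(32, 0x42),                    // random (fixed, only a demo)
    Buffer.from([0x00]),                       // empty session_id
    u16(2), Buffer.from([0xc0, 0x2f]),         // one cipher suite
    Buffer.from([0x01, 0x00]),                 // compression: null only
    u16(sniExt.length), sniExt,                // extensions
  ]);
  const hs = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(hs.length), hs]);
}

// Demo on constructed inputs
const line = "CONNECT www.youtube.com:443 HTTP/1.1";
console.log(hostFromConnect(line), "->", decide(hostFromConnect(line)));
const sni = sniFromClientHello(buildClientHello("video.netflix.com"));
console.log(sni, "->", decide(sni));
```

Squid 3.5 and later expose exactly this SNI step as ssl_bump peek followed by splice or terminate, which is how a transparent Squid on pfSense can block by hostname while leaving the TLS session untouched and needing no CA on the clients.
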
KOM:

Ah, non-transparent. Now I get it.

Legion:

If you just want to block a short, fixed list of things, can't you use aliases and firewall rules?

rjcrowder:

@Legion:

If you just want to block a short, fixed list of things, can't you use aliases and firewall rules?

Absolutely. The hard part of doing it that way though is that some of the bigger sites can have multiple IP addresses and those addresses can change on a fairly regular basis. You really need something that keeps the list of addresses up to date if you are trying to block one of the large sites…

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.