Filtering HTTPS / SSL Traffic on pfSense 2.1 using Squid Proxy
-
SSL bump did not function on the first attempt. After enabling authentication under squid 3.3.10 and adding users to squid and to the user manager in pfSense, the SSL bump function started working.
-
Hi,
I have tested it in transparent mode without authentication.
Squid does not filter HTTPS connections.
Any help?
Rgds
PS: using authentication, it works.
-
Hi,
Got it: for the latest version (2.1.2), add these lines first in the custom ACL (before auth):
always_direct allow all
ssl_bump server-first all
-
I had it working for version 2.1.2, but I would rather have the transparent proxy. I tried to use a NAT rule to forward to the proxy as the instructions for Dansguardian had done, but Diladele does not have the same structure. I will have to build an alternate experimental router to see if a rule for a different port will work. I like the additional filtering and the secure search features too much to give up on this package. But I was pressed for time and had to get something else working.
Meanwhile, I have successfully installed Dansguardian with a transparent proxy. It seems to work well and I have successfully tested it with some of the sites missed by OpenDNS and SquidGuard (Diladele was also successful). However, I think that the blacklist that I loaded completely shut down YouTube. My wife was very understanding :). I have also upgraded to 2.1.3 as of tonight. I only had to reinstall the Dansguardian package to get it working again.
If I can get time this weekend, I'll try to set up my second experimental router with Diladele. I sure would like some help with this!
-
I have the transparent proxy working for pfSense 2.1.3, but I'm not 100% sure of why it is working. I have some steps that I used to get this working.
1. Install pfSense 2.1.3
2. Install Diladele Software per Sichent's very helpful, detailed instructions
3. Grab the first DNS entry (after 127.0.0.1 if present) in the DNS servers portion of the Status->Dashboard page
4. Paste this DNS ip into the first DNS Server box in the DNS servers portion of the System->General Setup page
5. Save
6. Navigate to Services->Proxy server page
7. Check the Transparent HTTP proxy checkbox and apply to the LAN interface. All other settings in this section are defaults.
8. Save
9. Restart Squid
10. Disable the proxy server implementations in your browser.
11. Test that the Diladele software is working by accessing a porn site and also through Google. If this does not work, please also try rebooting the router. I hope this can work for others.
-
Has there been any push to package and maintain this by anyone?
-
Great topic. I am trying to follow the steps but am having this error when installing: "Include file squid.inc could not be found for inclusion". I am using pfSense 2.1.3-RELEASE (amd64) running on FreeBSD 8.3-RELEASE-p16... help please.
-
I have the transparent proxy working for pfSense 2.1.3, but I'm not 100% sure of why it is working.
…
If this does not work, please also try rebooting the router. I hope this can work for others.
I don't believe you need to set up a static DNS, but what you put down should get HTTP proxying/filtering working via squid.
This should not, however, transparently filter your HTTPS sites, so I would be surprised if it worked on Google. (Though I am only caching, so if Diladele or its dependencies enabled transparent SSL forwarding, I would not know.)
Notes for the 'squid-dev 3.3.10 pkg 2.2.2' package (on pfSense 2.1.3-RELEASE (amd64)):
1. The aforementioned library files have been added to the squid package and do not need to be manually installed.
2. You need to add 'always_direct allow all; ssl_bump server-first all' to the 'Custom Settings/Custom ACLS (Before_Auth)' section in 'Services -> Proxy Server'.
3. The 'Custom Settings / Custom Options' field is now 'Custom Settings/Custom ACLS (Before_Auth)' (and (After_Auth)). So keep this in mind when reading sichent's 'Integrate Squid Proxy and Diladele Web Safety' instructions.
To set up transparent HTTPS caching: (posting here because it seems relevant & I was unable to find it documented anywhere)
1. Follow the guide's instructions for creating and installing an internal certificate authority
2. Goto 'Services ->Proxy Server' and Check 'HTTPS/SSL interception'
3. Set 'SSL Intercept interface(s):' to 'loopback' & 'SSL Proxy port:' to '3129'. Then Select the CA you created (For most it should already be selected).
4. (squid-dev 3.3.10 pkg 2.2.2 specific) Scroll to the 'Custom Settings/Custom ACLS (Before_Auth)' section and add 'always_direct allow all; ssl_bump server-first all' or your preferred ssl_bump setting there. (This was added automatically in previous packages. Its removal is likely a bug.) (This is needed for manually proxied connections as well.)
5. Goto 'Firewall -> NAT' and Under 'Port Forward' Click the Plus Button to add a new entry.
6. Set
Interface: LAN | Protocol: TCP
Source: any any (you may wish to set this to a specific ip or alias. At least until you confirm it's working properly)
Destination: NOT (Check this)
Choose 'LAN address' OR 'Single Host/alias' and add pfSense's LAN IP (else squid will lock you out of pfSense because it doesn't like pfSense's self-signed certificate; you may also wish to add pfSense's IP into squid's bypass list)
Destination Port: from HTTPS to HTTPS
Redirect target IP: 127.0.0.1 | Redirect target port: (other) 3129
Note:
0. I did not cover filtering or transparent HTTP proxying (just check 'Transparent HTTP proxy', select the LAN interface, and follow sichent's instructions for Diladele).
1. Squid currently has issues verifying some sites, for which an error page will be displayed. (e.g. https://moto360.motorola.com/)
2. There should be little reason for you to need transparent HTTPS proxying (add the proxy setting when installing the certificate).
3. Although Safari recognizes user-added CAs on iOS devices, other applications may not (notable e.g. Google Chrome). Also, it appears that you cannot add CAs to Android devices.
4. As I am not using Diladele, I cannot confirm that it will work with this. (I believe it should.)
If I forgot/misconfigured a step or you have a better/more logical idea, please tell me (I am assuming that there is a better way to not redirect traffic to pfSense than using Port Forward NOT 192.168.1.1).
PS. I am new to pfSense and FreeBSD (almost a week after first install), so if you think you know a better way to do anything, you probably do.
-
Dear sir,
thank you very much. I have 2 questions:
1- Does this tutorial make squid cache HTTPS site content, such as Facebook pages or YouTube, in HTTPS mode?
2- Can I make a browser version including the certificate generated by pfSense?
-
I'm trying to block Facebook at the office; I had no idea it would be such a task.
My confusion lies in the proxy settings on the browser. It isn't feasible for me to manually set up each client on the network to point to a proxy.
We use Windows machines; many use Firefox, others use IE. What options do I have?
Maybe OpenDNS is the better route?
-
Don't forget that by doing this, you're man-in-the-middling your own connections and breaking server authentication. Some major security issues have happened in the past over doing this. It is highly recommended against if you care about security, but if you don't care about security, it's a great way to limit what HTTPS sites LAN devices can connect to.
Once IPv6+IPSec starts becoming popular, I'm not sure you will be able to transparently proxy anymore, because port numbers will also be encrypted. Enjoy while you can.
-
Do you mind explaining this further? Am I compromising security using squid3? If so, please explain. Or using OpenDNS?
Thank you,
-
Worked great for me! A few notes.
1. Diladele is a paid-for subscription, but you do get a trial by default.
2. To import the CA on Android I used an app from the Play Store called Certificate Installer: https://play.google.com/store/apps/details?id=it.nicola_amatucci.android.certificate_installer
3. Works nicely since I also use this CA to self-sign certs for websites and now they are all trusted.
4. Android will now show a warning about the network being monitored; you can remove it with an Xposed module if you like.
5. It filtered explicit YouTube when using a browser on Android, but it does not filter when using the YouTube app. I haven't checked the logs yet to see how the app is connecting or if there is a way to modify the rules/policies to filter when using the app.
@nambi if you want to block Facebook as a whole, just use dnsmasq, add facebook.com and point it to some other IP.
-
Do you mind explaining this further? Am I compromising security using squid3? If so, please explain. Or using OpenDNS?
Thank you,
All HTTPS proxies compromise security in order to gain surveillance abilities. Sometimes this is a requirement, like schools needing to filter what content students may access. But in doing so, the client loses the ability to validate what server it is connecting to, because the proxy is connecting for it.
If you're in a business where you don't need the ability to validate remote HTTPS servers, then it's not an issue, but with more businesses moving services into the cloud, you need to be careful how you set up your networks.
Windows semi-recently had a security issue because Windows Update was being forced through transparent HTTPS proxies, and malware took advantage of this and could infect other local machines and relatively easily convince other machines to install malicious software via Windows Update. Microsoft said (paraphrased) "They did this to themselves by using HTTPS proxies for Windows Update, which is a bad idea".
-
Hi,
if I use SSL interception, SquidGuard will be bypassed because of ssl_bump server-first all.
Has anyone found a solution to that problem?
SSL inspection alone is a little bit useless in my opinion.
-
Thanks. You helped me figure out why 2.1.5 was not capturing SSL properly w/Squid3-dev and Diladele. Now all the parts work properly!
-
Could you please give us more information how you solved the problem so that other users may benefit from it.
-
Sorry, I'm new here in pfSense. I can't access Diladele.
-
Could you please give us more information how you solved the problem so that other users may benefit from it.
I just followed sichent's guide and the other related posts in this thread.
One note, however… after using Diladele + Squid3-dev for around 2 months now, I had to disable SARG to get it to keep working consistently. For some reason, while also using the SARG package, I would get frequent disconnects of Squid. After a forced restart (of Squid), everything was fine for a couple of days, and then the proxy would spontaneously stop and I'd lose all filtering. Disabling SARG seems to have fixed the problem (running over 3 weeks now with no hiccups).
-
Could you please give us more information how you solved the problem so that other users may benefit from it.
I don't believe that I answered your question very well a few weeks ago. To be more specific, this is what helped me to get it working completely (in particular the HTTPS filtering):
To set up transparent HTTPS caching: (posting here because it seems relevant & I was unable to find it documented anywhere)
1. Follow the guide's instructions for creating and installing an internal certificate authority
2. Goto 'Services ->Proxy Server' and Check 'HTTPS/SSL interception'
3. Set 'SSL Intercept interface(s):' to 'loopback' & 'SSL Proxy port:' to '3129'. Then Select the CA you created (For most it should already be selected).
4. (squid-dev 3.3.10 pkg 2.2.2 specific) Scroll to the 'Custom Settings/Custom ACLS (Before_Auth)' section and add 'always_direct allow all; ssl_bump server-first all' or your preferred ssl_bump setting there. (This was added automatically in previous packages. Its removal is likely a bug.) (This is needed for manually proxied connections as well.)
5. Goto 'Firewall -> NAT' and Under 'Port Forward' Click the Plus Button to add a new entry.
6. Set
Interface: LAN | Protocol: TCP
Source: any any (you may wish to set this to a specific ip or alias. At least until you confirm it's working properly)
Destination: NOT (Check this)
Choose 'LAN address' OR 'Single Host/alias' and add pfSense's LAN IP (else squid will lock you out of pfSense because it doesn't like pfSense's self-signed certificate; you may also wish to add pfSense's IP into squid's bypass list)
Destination Port: from HTTPS to HTTPS
Redirect target IP: 127.0.0.1 | Redirect target port: (other) 3129
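For readers who want to see what the GUI steps above (here and in the earlier post they are quoted from) produce, the following squid.conf fragment is an added example written for this thread; it is not from the pfSense package or from any poster. The LAN address 192.168.1.1 and the exempt domain come from the thread; the certificate path and ACL names are assumptions, and the pf rule in the comment is what the NAT entry is assumed to generate.

```squid
# Added example (not from the thread): the 'HTTPS/SSL interception' settings and the
# 'Custom ACLS (Before_Auth)' lines expressed as squid.conf for squid-dev 3.3.10.
# Assumptions: LAN IP 192.168.1.1, CA key/cert at /usr/local/etc/squid/serverkey.pem.

# Manually configured clients use 3128; intercepted HTTPS lands on 3129 via the NAT rule
# from steps 5-6, which in pf terms is assumed to be:
#   rdr on em1 proto tcp from any to ! 192.168.1.1 port 443 -> 127.0.0.1 port 3129
http_port 3128
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/serverkey.pem

# Never bump the firewall's own GUI: its self-signed certificate would otherwise fail
# verification and lock you out. This duplicates the NOT in the NAT rule on purpose,
# so a mistake in the port forward cannot silently re-enable interception for it.
acl pfsense_gui dst 192.168.1.1

# Sites squid cannot verify get an error page (note 1 above); exempt them explicitly
# instead of weakening verification for everyone.
acl bump_exempt dstdomain .moto360.motorola.com

# These are the 'Custom ACLS (Before_Auth)' lines from the thread, with the exemptions
# placed before the catch-all because ssl_bump is first-match.
always_direct allow all
ssl_bump none pfsense_gui
ssl_bump none bump_exempt
ssl_bump server-first all

# server-first fetches and validates the origin certificate before signing a forged one;
# keep certificate errors fatal so a bad upstream cert is never hidden from the client.
sslproxy_cert_error deny all
```

Clients still need the internal CA installed (step 1), and anything listed under bump_exempt is tunnelled rather than filtered, so keep that list short and reviewed.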