Filtering SSL and Caching CDN in a School with pfSense+Squid+Dansguardian
-
Hi everyone.
I am using pfSense 2.1.5 + Squid 2.7 + Dansguardian in a school deployment, where every student has his/her own tablet. The reason I am still using Squid 2.7 is that students often have to download iBooks from iTunesU and Apple has organized iBook downloading the way a CDN does (i.e. each download gets a unique tag, identical content is accessed using different URLs, therefore books can't be cached straightforwardly). In order to cache them and avoid the nightmare of 500Mb books being re-downloaded 100-120 times a day, I am using a storeurl_rewrite_program in squid custom options which works perfectly with the appropriate custom rewriter.
I am also successfully filtering Youtube on http with Dansguardian, by allowing only specific playlist ids: school desktops can't reach videos that a teacher hasn't specifically allowed in his own playlist (this is implemented with Dansguardian url filtering with a regex looking for the playlists).
Till here, everything works perfectly!
The problems started with the tablets: mobile Youtube always redirects to SSL encrypted and I can't filter it because I neither want to ban it altogether by a Site ACL in Dansguardian (since it has useful educational videos), nor can I filter SSL (since Squid 2.7 doesn't have a MiTM feature).
Therefore, with my current configuration, all Youtube videos (even inappropriate ones) can be reached by the students' tablets. The solution of youtube edufilter is a joke, because it doesn't function with https and can be easily bypassed.
So my problem is: if I install Squid 3 or Squid 3-dev, I will lose iBook caching (AFAIK, the storeurl_rewrite_program configuration directive has been discontinued in 3.1-3.3 and a new StoreID program reappears in 3.4). If I stay with Squid 2.7, I lose ssl (and therefore youtube) filtering.
My questions:
- Does anyone have a suggestion? Is there any way to rewrite store URLs in Squid 3.3 that I am not aware of? Or maybe a way to filter ssl with Dansguardian without squid 3 or squid 3-dev?
- Is there any project to adopt Squid 3.4 to pfSense in the near future?
Thanks in advance for your help
Panos
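The store-URL rewriting described in the post above, sketched as an added example (not the poster's rewriter and not part of the original thread): a helper in the style of a Squid 2.7 storeurl_rewrite_program, which reads one request per line with the URL as the first field and answers with the store URL, or an empty line to leave the cache key unchanged. The mirror host pattern, parameter names, file extensions and the `books.squid.invalid` key host are constructed assumptions, not Apple's real URL layout; only parameters verified not to select content may be stripped, otherwise different files collapse into one cache entry.

```python
#!/usr/bin/env python3
"""Store-URL normaliser in the style of a Squid 2.7 storeurl_rewrite_program."""
import re
import sys
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed assumptions: numbered mirror hosts and per-download query
# parameters. Replace with patterns observed in your own access.log.
MIRROR_HOST = re.compile(r"^cdn-\d+\.books\.example$")
VOLATILE_PARAMS = {"token", "expires", "downloadid"}
CACHEABLE_EXT = (".ibooks", ".epub")


def store_url(url):
    """Return the canonical cache key for url, or "" to keep Squid's default."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:          # malformed URL: never let the helper crash
        return ""
    # Only plain-HTTP objects on the allow-listed mirrors are normalised.
    if parts.scheme != "http" or not MIRROR_HOST.match(host):
        return ""
    if not parts.path.lower().endswith(CACHEABLE_EXT):
        return ""
    # Keep parameters that select content, drop per-download ones, and sort
    # so that parameter order does not create distinct keys.
    kept = sorted((k, v)
                  for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k.lower() not in VOLATILE_PARAMS)
    query = "?" + urlencode(kept) if kept else ""
    # A .invalid key host cannot collide with entries of a real origin.
    return "http://books.squid.invalid" + parts.path + query


def handle_line(line):
    """One helper request line in, one reply (without newline) out."""
    fields = line.split()
    return store_url(fields[0]) if fields else ""


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()      # Squid waits for one reply per request line


if __name__ == "__main__":
    main()
```
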
-
Putting squid 3-dev in full production you may have issues with:
- Windows updates not connecting
- Adobe updates not connecting
- Other unknown update services that the students are running not being able to connect
- Some websites not working
- Tor browser (not being blocked)
However without squid 3-dev you will not be able to filter HTTPS sites (not much point in filtering if you can't do both).
I would set up a test computer before you put it in full production and try and resolve the caching with squid. In the long run try and get squid 3-dev working.
Helpful links
https://forum.pfsense.org/index.php?topic=73640.0
https://forum.pfsense.org/index.php?topic=79389.0
-
Thank you for your answer. I didn't realise that Squid 3-dev has so many issues. I guess that filtering ssl and caching at the same time is not so trivial after all :)
-
The major issue that I have been trying to work out is update services like windows update being blocked.
Once that is worked out there should only be minor issues to resolve.
-
Excuse me sir, how do you solve this problem (Windows update with ssl bump in squid3-dev)? :)