Pfsense 2.6 Squid3 & Squidguard
-
Guys
I run pfsense 2.6 and installed Squid 3 & Squidguard. I configured both services correctly, I believe, and the services are started. My issue is squidguard is blocking porn sites etc… but when I allow a category, it continues to be blocked. I get a page displaying 'The site can't be reached. Refused to connect.' I want the int. error page to display instead of the 'site can't be reached' message.
I am configured as a transparent proxy on the DMZ interface.
What am I doing wrong?
Thanks
Randy
-
> Guys
> I run pfsense 2.6 and installed Squid 3 & Squidguard.
I suppose this is a typo. You're running 2.2.6, aren't you?
> I am configured as a transparent proxy on the DMZ interface.
> What am I doing wrong?
To me, transparent proxy doesn't fit with filtering unless you have enabled SSL Bump (AKA MITM), which I don't like if you are not strongly obliged to deploy it.
With transparent proxy w/o MITM, there is no way HTTPS is handled by the proxy, therefore there is NO way you could even allow or prevent an HTTPS-based domain to be accessible or denied.
I also don't understand what "DMZ interfaces" means in your setting :-[
-
Thanks for your response.
Correct 2.6 was a typo. I am on 2.2.6.
Are you saying MITM needs to be enabled to accomplish what I am trying to do? I am not averse to enabling it. I just want web filtering and decent logging.
I mean all clients are on my DMZ interface. They are the ones that can access the internet. My LAN clients do not access the internet.
Thanks
Randy
-
> Are you saying MITM needs to be enabled to accomplish what I am trying to do? I am not averse to enabling it. I just want web filtering and decent logging.
What I mean to say is that either you go for explicit proxy or you go for transparent proxy WITH SSL Bump (MITM), because transparent proxy without MITM will never handle HTTPS flow, and a significant amount of the URLs you may want to filter are now based on HTTPS.
I'm not promoting SSL Bump either, but explicit proxy instead. With the help of WPAD, explicit proxy is not as painful as it looks to be ;)
Regarding logging: without authentication, and therefore explicit proxy (because there is no authentication with transparent proxy), you will only get log information related to IP, not user, and, furthermore, it prevents any kind of profiling, meaning different filtering depending on users or group membership.
> I mean all clients are on my DMZ interface. They are the ones that can access the internet. My LAN clients do not access the internet.
Clearer. Your DMZ concept was unclear to me :)
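An added example, not part of any post in this thread: a minimal proxy auto-config file of the kind WPAD hands to clients (served as wpad.dat), which sends both HTTP and HTTPS through an explicit Squid proxy so that HTTPS hostnames reach the filter via CONNECT. The proxy address 192.168.2.1, the DMZ prefix 192.168.2. and the helper isIPv4Literal are assumptions made for illustration; 3128 is Squid's default port.

```javascript
// wpad.dat / proxy.pac for DMZ clients (added example, constructed values).
// ASSUMPTION: pfSense DMZ address and subnet below are placeholders.
var PROXY = "PROXY 192.168.2.1:3128"; // hypothetical DMZ address, Squid default port
var DMZ_PREFIX = "192.168.2.";        // hypothetical DMZ /24

// Hypothetical helper: true only for a dotted-quad IPv4 literal.
function isIPv4Literal(host) {
  var parts = host.split(".");
  if (parts.length !== 4) return false;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return false;
  }
  return true;
}

// Entry point every PAC-aware browser calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified names and localhost never leave the local segment.
  if (host.indexOf(".") === -1 || host === "localhost") return "DIRECT";

  // Loopback and hosts on the DMZ itself are reached directly.
  if (isIPv4Literal(host) &&
      (host.indexOf("127.") === 0 || host.indexOf(DMZ_PREFIX) === 0)) {
    return "DIRECT";
  }

  // Web traffic goes to the explicit proxy. No "; DIRECT" fallback is
  // listed, so clients fail closed instead of bypassing the filter
  // when the proxy is unreachable.
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (scheme === "http" || scheme === "https") return PROXY;

  // Anything else (e.g. ftp) is left to the firewall rules.
  return "DIRECT";
}
```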
-
Ok.
I have Squid 3 & Squidguard both running. For example, I have the 'porn' category denied, but when it blocks the site I get a page displaying 'The site can't be reached. Refused to connect.' I want the block page instead of 'Refused to connect'.
How do I do that?
Thanks
Randy