Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Block HTTPS site without WPAD or installing a CA certificate.

    Cache/Proxy
    3
    3
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dilu1
      last edited by

      Hi,

      I am currently trying to move away from Sophos to Pfsense, so far so good
      almost every feature i use in Sophos is present in Pfsense except i can’t get one thing to work.

      i’ve set up Pfsense 2.3.2 with the following packages:

      • Squid (3.5).
      • squidGuard (1.4).
      • Snort (not really relevant for this issue).

      In Sophos i use an option to block websites (facebook, twitter), this works for http and https.
      https is configured as "URL filtering only", this has some disadvantages like no content or virus scanning on https sites but that doesn’t matter to much for this case,
      I am only interested in blocking websites which works.

      I am trying to achieve the same thing with Pfsense but i am having trouble setting this up,
      i’ve tried:

      • Enabling SSL filtering, the result: certificate error on every HTTPS page (but squidguard rules work).
      • Disabling SSL filtering, works but HTTPS sites aren’t being blocked (HTTP sites are).
      • Tried multiple “Custom ACLS (Before Auth)” lines but the results are always the same, either
        HTTPS filtering works with certificate error on every HTTPS site or HTTPS filtering doesn’t work.

      I have no control over the “end-users” devices or routers so WPAD or installing a (CA) certificate
      isn’t an option for me (nor is needed in the current Sophos deployment).
      I am using squid in transparent mode.

      Does anybody know if what i am currently doing with Sophos is possible with Pfsense?
      If so what am i doing wrong?

      1 Reply Last reply Reply Quote 0
      • KOMK
        KOM
        last edited by

        I have no control over the “end-users” devices or routers so WPAD or installing a (CA) certificate isn’t an option for me

        WPAD typically doesn't require any interaction with the user's device.  Most current operating systems have an auto-detect proxy feature enabled, and this is what WPAD is used for.  The exception is android which does not support WPAD for some reason, so for these devices you must manually configure the proxy.

        1 Reply Last reply Reply Quote 0
        • C
          chris4916
          last edited by

          @dilu1:

          In Sophos i use an option to block websites (facebook, twitter), this works for http and https.
          https is configured as "URL filtering only", this has some disadvantages like no content or virus scanning on https sites but that doesn’t matter to much for this case,
          I am only interested in blocking websites which works.

          I'm very prone to learn how this would work  8)

          Jah Olela Wembo: Les mots se muent en maux quand ils indisposent, agressent ou blessent.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.