SSL filtering seems impossible
-
@KOM:
Transparent mode is a pain in the ass. Explicit mode is best, and you don't need to screw around with certificates at all. I suspect your config is a borked mishmash of transparent and explicit settings. For example, in explicit mode, you do not need to worry about SSL MitM Filtering, so uncheck all of that stuff. From there, either set your proxy in your OS manually or configure WPAD for auto-discover of the proxy.
Hi KOM,
Thx for your answer.
The checkbox at "Transparent HTTP Proxy" is unchecked, "Enable SSL filtering" is checked, and I set the proxy explicitly in Firefox.
Is that what you mean with "explicit"? What could possibly be wrong otherwise? Thx
-
Uncheck Enable SSL filtering as well. Explicit means your PC is either told where the proxy is, or it can find it itself. With transparent mode, your PC is never ever aware that it's being proxied.
-
Well, for some reason it still doesn't work.
I expect to be able to block e.g. https://www.google.com. As this URL is in the target rules of [blk_BL_searchengines], which is set to DENY, that should work, right?
I unchecked "Enable SSL filtering" and rebooted pfSense. I configured Firefox to use the same proxy on port 3128 for all protocols. I verified that some pages with ads have their ads now blocked, so the proxy IS working for http. Now Firefox states "Unable to connect"…. when searching on https://www.google.com >:(
-
@KOM:
Uncheck Enable SSL filtering as well. Explicit means your PC is either told where the proxy is, or it can find it itself. With transparent mode, your PC is never ever aware that it's being proxied.
Right… now my PC knows where the proxy is (I told it). But because SSL filtering is turned off, it doesn't accept SSL connections...
-
It's working. That's what you get with a blocked HTTPS connection. Can I assume other HTTPS sites work just fine?
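
Added example, not part of the original posts and not Squid or squidGuard code: a simplified Python model of why an explicit proxy can deny https://www.google.com with SSL filtering unchecked. The browser names the destination host in a cleartext CONNECT request before TLS starts; the deny list, the 403 reply and the sample requests are assumptions constructed for illustration.

```python
"""Simplified model of an explicit forward proxy's allow/deny decision.
Not Squid or squidGuard code; the deny list and requests are constructed samples."""
from urllib.parse import urlsplit

DENIED_DOMAINS = {"google.com"}  # constructed stand-in for a DENY target category


def requested_host(request_head: bytes) -> tuple[str, str]:
    """Return (method, host) from the first line a browser sends to the proxy."""
    request_line = request_head.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        # HTTPS through an explicit proxy: target is "host:port", sent in clear
        # before any TLS handshake. The URL path is never seen by the proxy.
        host = target.rsplit(":", 1)[0]
    else:
        # Plain HTTP through a proxy: target is an absolute URL.
        host = urlsplit(target).hostname or ""
    return method, host.lower().rstrip(".")


def is_denied(host: str, denied=DENIED_DOMAINS) -> bool:
    """Match the host itself or any parent domain on the deny list."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in denied for i in range(len(labels)))


def decide(request_head: bytes) -> str:
    """Status line the proxy would answer with (403 on deny is an assumption)."""
    method, host = requested_host(request_head)
    if is_denied(host):
        # For CONNECT, browsers do not render a non-2xx response body, so the
        # user sees a connection error instead of a block page.
        return "HTTP/1.1 403 Forbidden"
    if method == "CONNECT":
        return "HTTP/1.1 200 Connection established"  # then tunnel TLS untouched
    return "FORWARD"  # fetch the URL on the client's behalf


if __name__ == "__main__":
    samples = [  # constructed request heads
        b"CONNECT www.google.com:443 HTTP/1.1\r\nHost: www.google.com:443\r\n\r\n",
        b"CONNECT docs.diladele.com:443 HTTP/1.1\r\nHost: docs.diladele.com:443\r\n\r\n",
        b"GET http://www.google.com/search?q=x HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    ]
    for head in samples:
        print(requested_host(head), "->", decide(head))
```

Because the decision uses only the host from the CONNECT line, no certificate has to be installed on the client; filtering on the URL path inside HTTPS is what would require interception.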
-
You're kidding me… ;)
-
No it doesn't, and I have no clue
-
Not sure, need more testing. Give me 5 minutes
-
OMG, it IS working …
Sorry I was rude.
Still need to let this sink in. Thanks again
-
No problem. Services - Squidguard also has a Log tab where you can see it blocking stuff.
-
You seem to be using Firefox to test HTTPS filtering; please note FF does not use the system certificate storage as you indicated in your screenshot - you need to add the trusted root certificate to FF's own storage. See https://docs.diladele.com/administrator_guide_4_8/https_filtering/install_certificates/win_ff.html