Netgate Discussion Forum

    Https filtering

    Category: Cache/Proxy
    9 Posts 5 Posters 1.6k Views
    genesislubrigas

      So, in order to do HTTPS filtering with Squid, we need to create a CA from our certificate manager.
      Then you configure everything and WPAD.

      So my question is: do we need to manually install the CA certificate, or does the user need to install it in their own browser? If yes, is there any other way to let users install the CA certificate by themselves without us installing it for them? This is especially true for non-techy people who are third-party users, like public Wi-Fi users.

    KOM

        You've got it completely wrong.  If you're using WPAD then you don't need to install client certs.  Client certs are only required for transparent proxy.

        https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

    jimp (Rebel Alliance Developer, Netgate)

          @KOM:

          You've got it completely wrong.  If you're using WPAD then you don't need to install client certs.  Client certs are only required for transparent proxy.

          It depends on what you want to do. Using the proxy directly or with WPAD the proxy only sees the target host and a CONNECT, it cannot see the contents of the pages or the full URL. For filtering by full URL or content scanning like AV, you still need to MITM the SSL connection with ssl bumping.

          If you only need to filter by domain name then using WPAD or the proxy settings directly is sufficient.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!
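A client-side check of the distinction jimp draws above, added here as an example (not code from the thread or from pfSense): it opens a CONNECT tunnel through an explicit proxy, completes the TLS handshake, and reports whether the certificate the client received was issued by the interception CA (ssl bump in effect) or by the site's public CA (plain CONNECT, proxy sees only the host). Proxy address, site name and CA name are assumed values.

```python
"""Added example: what an explicit (WPAD) Squid proxy lets the client see.

With plain CONNECT the leaf certificate is issued by the site's public CA;
with ssl bumping it is issued by the pfSense CA, which the client only
accepts when that CA is in its trust store (or passed via `ca_file`).
"""
import http.client
import ssl


def issuer_cn(peercert):
    """Return the issuer CN from an ssl.getpeercert() dict, or None."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(peercert, bump_ca_cn):
    """'bumped' if the leaf was issued by the interception CA, else 'direct'."""
    return "bumped" if issuer_cn(peercert) == bump_ca_cn else "direct"


def probe(site, proxy_host, proxy_port, bump_ca_cn, ca_file=None):
    """CONNECT to `site` through the proxy and report the resulting TLS view.

    Returns (verdict, error). A verification error means a browser on this
    machine would show a certificate warning: the bump CA is not installed.
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # system store + optional CA
    conn = http.client.HTTPSConnection(proxy_host, proxy_port,
                                       context=ctx, timeout=10)
    conn.set_tunnel(site, 443)  # the proxy only ever sees "CONNECT site:443"
    try:
        conn.connect()
        return classify(conn.sock.getpeercert(), bump_ca_cn), None
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", exc.verify_message
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed values: pfSense Squid on 192.0.2.1:3128, CA CN "pfsense-squid-ca"
    print(probe("example.com", "192.0.2.1", 3128, "pfsense-squid-ca"))
```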

    KOM

            I didn't think anybody really cared about that anymore when there is no longer a content filtering package like DansGuardian.  Valid point on the antivirus angle, but I still can't believe people run ClamAV on the firewall.

    sichent (Banned)

              If you are in charge of the machines connecting to your SSL bumping Squid and these are joined to Active Directory for example, you can issue the Intermediate Root CA for your Squid from domain controller and nothing will need to be installed on the machines (as these already trust AD Root CA). Or you can push the Root CA to such machines using Group Policy.

              On the other hand if you do not own the machines connecting to your proxy (like public Wi-Fi guests) you never can bump HTTPS traffic. Period.

    genesislubrigas

                Yes, I mean HTTPS filtering, as my thread topic indicated.

                I think my question is not answered.  If I do HTTPS filtering, do I need to manually install the certificate for the users, especially public users like on public Wi-Fi? If yes, is there a way to install the certificate without us doing the manual installation?

    jimp (Rebel Alliance Developer, Netgate)

                  Yes, you need to install a CA certificate on machines you wish to filter. No, there isn't a way to do that automatically on guest systems you do not control.


    Mr.Si

                    @jimp:

                    yes you need to install a CA certificate on machines you wish to filter. No, there isn't a way to do that automatically on guest systems you do not control.

                    Out of interest, because I am thinking of doing this on my home network (I want to really properly block porn-type sites, including Google Images, which is HTTPS): if a kosher cert was bought, would this still need to be done, or will it automatically trust the FW because it's got a cert from an already trusted location?

                    thanks
                    si

    jimp (Rebel Alliance Developer, Netgate)

                      There is no such thing as a "kosher" certificate for SSL interception (unless you're the Chinese government, if rumors are to be believed).

                      You must use a self-signed CA for SSL interception, and that CA must be installed on clients.


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.