Netgate Discussion Forum

    https transparent proxy

    • mrjoli021

      I am running pfSense at a location where we don't have access to the users' computers all the time. The users just put a common password for the wifi and connect. There is no AD or anything for the users to connect, just a simple password (not the best security method, but that is what I have to work with). DHCP is on the firewall. I am looking for a way to prevent viruses within the network through an http/https proxy. The only issue is that I need to push the firewall cert to the clients. Not sure how to do this without manually installing it. Is there a way to push the firewall cert to the clients via DHCP or some other method on the firewall that will trust the CA on the firewall?

      • KOM @mrjoli021

        @mrjoli021 If you're just using the proxy for URL filtering, you don't need transparent mode or to install a cert on every client.

        Run squid in explicit mode. Push the proxy via DHCP or configure WPAD so your clients can autodiscover the proxy. Now you can filter URLs without having to install a cert on every client.

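A PAC file (served as wpad.dat) for the explicit-mode setup described in KOM's reply, as an added example that is not part of the thread. The proxy address 192.168.1.1 is a constructed value; 3128 is Squid's default port.

```javascript
// wpad.dat / proxy.pac: added example, not from the thread.
// Assumption: Squid runs in explicit mode on the firewall's LAN address
// 192.168.1.1 (constructed value) and listens on its default port 3128.
var PROXY = "PROXY 192.168.1.1:3128";

// Fail closed: there is no "; DIRECT" fallback, so a client that honours
// this file cannot silently bypass the filter when the proxy is unreachable.
var FILTERED = PROXY;

// True for IPv4 literals in loopback, RFC 1918 and link-local ranges.
// Pure string/number logic, so no DNS lookups happen inside the PAC script.
function isPrivateLiteral(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) ||
         (a === 169 && b === 254);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (printer, nas) stay on the LAN. IPv6 literals contain
  // ":" and are not treated as local names, so they still go to the proxy.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  if (isPrivateLiteral(host)) return "DIRECT";
  // HTTPS reaches Squid as "CONNECT host:443": the proxy sees only the
  // hostname, which is enough for URL filtering without a client-side cert.
  if (url.substring(0, 5) === "http:" || url.substring(0, 6) === "https:") {
    return FILTERED;
  }
  return "DIRECT";
}
```

Clients that ignore WPAD or have a proxy set manually are not affected by this file, so filtering is only enforced if the firewall also blocks direct outbound web traffic from the LAN.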
        • papdee @mrjoli021

          @mrjoli021 If you plan on inspecting https traffic using squid, that's not possible without doing a MITM unencryption of the traffic, and even then your users are going to see warnings in their browsers even if you install your own certificates. This will just alarm your users and flood you with complaints.

          If you want to reduce the chances of your users connecting to malicious sites, configure DNS to use the Quad9 servers.
