How to Block HTTPS web sites



  • Hello,

    thanks in advance.

    I have Configured Squid guard (transparent Proxy) after reading this forum"https://turbofuture.com/internet/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense"

    My aim is to block some web sites like Facebook, Torrent, Youtube and some downloading.  i Have configured Squid Guard  and i am able to  block some web sites but it could not stop downloading.
    and when i configure SSL man in middle then its blocked all https websites by default even google for some user i really dont know why its happening.

    Kindly tell and suggest me if am missing something while configuration….



  • Are you doing this in a windows environment. Are you users connected to a Active directory system. if so just block the sites from your AD and it will push down as a group policy to your users.



  • @himanshu:

    Hello,

    thanks in advance.

    I have Configured Squid guard (transparent Proxy) after reading this forum"https://turbofuture.com/internet/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense"

    My aim is to block some web sites like Facebook, Torrent, Youtube and some downloading.  i Have configured Squid Guard  and i am able to  block some web sites but it could not stop downloading.
    and when i configure SSL man in middle then its blocked all https websites by default even google for some user i really dont know why its happening.

    Kindly tell and suggest me if am missing something while configuration….

    Post screenshot of squidguard with EXPANDED "TARGET CATEGORIES":

    • COMMON ACL
    • GROUP ACL

    Please post a screenshot of squid "GENERAL"



  • Currently the e2guardian package is not available in the pfsense ports but you can install from the freebsd ports.

    The SSL MITM support is off but they fixed the SSL Bump feature in the current version.  You can install it with a manual procedure that can be found in the e2guardian bounty thread near its final pages.
    https://forum.pfsense.org/index.php?topic=87526.msg638124#msg638124

    Keep reading the thread as there are some fixes to the procedure.

    Also should see this on how to filter HTTPS without MITM:
    https://github.com/e2guardian/e2guardian/issues/76



  • @jetberrocal:

    Currently the e2guardian package is not available in the pfsense ports but you can install from the freebsd ports.

    The SSL MITM support is off but they fixed the SSL Bump feature in the current version.  You can install it with a manual procedure that can be found in the e2guardian bounty thread near its final pages.
    https://forum.pfsense.org/index.php?topic=87526.msg638124#msg638124

    Keep reading the thread as there are some fixes to the procedure.

    Also should see this on how to filter HTTPS without MITM:
    https://github.com/e2guardian/e2guardian/issues/76

    Are you currently using E2 Guardian? What's your thoughts? Is it good enough to use for home or is it too buggy? It seems it's left kinda half baked, and it never really got finished. Which really is a shame, although I haven't tried it yet, from the description on its site…It seems like it would've been perfect for me (in a home environment).



  • The e2g in  the freebsd ports is not the last version but is good enough.  They fixed the https filtering in two ways.  You can filter using ssl bump or with mitm.
    Personally I prefer mitm because is easier to use but ssl bump works nicely.



  • I have to tell you that for transparent proxy you have to set e2g with no mitm.  I dont remember if squidguard can do transparent with mitm, but you do not need mitm with squidguard because it only uses blacklist/whitelist mode it does not have to read the page content.

    By the way transparent mode does not authenticate users so every user have to play on the same rules.  On e2guardian you can "authenticate" by IP so you can have the users to play with different rules by computer and using ssl dump can filter/block https pages the same as squidguard.



  • @jetberrocal:

    The e2g in  the freebsd ports is not the last version but is good enough.  They fixed the https filtering in two ways.  You can filter using ssl bump or with mitm.
    Personally I prefer mitm because is easier to use but ssl bump works nicely.

    Thanks a lot for your reply. I'd also want to do MITM if possible, I do have a captive portal on my network and all users are told to install the CA certificate so most errors should be avoided. Since E2 Guardian is now getting a few updates looking at their website…I will give it a shot for sure.


Log in to reply