First post - but many evenings in - stuck on https filtering



  • I have been asked to set up a (simple) firewall to prevent downloads of binary files (exe, bin, zip, tar etc) for general users.
    To test this, I installed the latest pfSense, Squid3 and SquidGuard.

    All went reasonably well with the Target blocking in transparent mode - but it only works in HTTP sites. My test files are all in HTTPS sites.

    I have tried to get Transparent mode to work with an internal certificate, but whilst the instructions I've seen online suggest that my internal certificate will be translated to *.facebook.com (for example) - in practice I get errors from https sites that say the certificate doesn't match the website name.

    If I turn off transparent and try to specify proxy settings to 3128 this works for http but https still gives problems (with SSH and a certificate in place) and does not work at all without the SSH.

    Is it really this tricky? I know this is a pfSense forum but have I chosen the wrong tool?

    All or any help much appreciated as have spent too many evenings on a steep learning curve.

    Simon



  • Transparent mode is the Devil.  Explicit mode with WPAD is the way to go IMO.  Some clients like Android may need to be manually configured, but that's life.  No problem filtering HTTPS sites.  No need to manually install or push a server cert to all your LAN clients.  You may have a borked configuration if explicit mode is still giving you troubles.  Perhaps the SSL config you modified for transparent mode?

    https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
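As an added illustration of the explicit-mode approach recommended above (this is not code from the thread, from pfSense, or from the linked article), here is a minimal WPAD PAC file of the kind the linked WPAD page has you serve as `wpad.dat`. A browser calls `FindProxyForURL` for every request and sends HTTP and HTTPS alike to whatever proxy the function returns, so SquidGuard sees the HTTPS hostnames without any certificate being installed on the clients. The proxy address `192.168.1.1:3128`, the LAN range `192.168.1.0/24` and the internal domain `corp.example` are placeholders I chose, not values from the thread. The three PAC built-ins (`isPlainHostName`, `dnsDomainIs`, `shExpMatch`) are normally supplied by the browser; the compatible re-implementations included here let the file be exercised in Node, and they simply shadow the browser's own versions when served as a PAC.

```javascript
// wpad.dat / proxy.pac for an explicit Squid proxy on a pfSense box.
// Placeholder values (not from the thread): proxy 192.168.1.1:3128,
// LAN 192.168.1.0/24, internal DNS suffix .corp.example.
var SQUID = "PROXY 192.168.1.1:3128";

// --- Compatible re-implementations of the PAC built-ins -------------------
// Browsers provide these; they are included so the file runs under Node for
// testing and they follow the documented PAC semantics.
function isPlainHostName(host) {
  // True for single-label names such as "intranet" (no dots at all).
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // True when host ends with domain, e.g. ("files.corp.example", ".corp.example").
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function shExpMatch(str, shexp) {
  // Shell-style glob: "*" matches any run, "?" matches one character.
  var re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// --- The actual policy ------------------------------------------------------
function FindProxyForURL(url, host) {
  // Loopback and single-label (intranet) names never need the proxy.
  if (host === "localhost" || host === "127.0.0.1" || isPlainHostName(host)) {
    return "DIRECT";
  }
  // Internal domain goes direct.
  if (dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Literal LAN addresses go direct. Matching on the host string rather than
  // isInNet() avoids a DNS lookup per request and works for IP literals.
  if (shExpMatch(host, "192.168.1.*")) {
    return "DIRECT";
  }
  // Everything else, http:// and https:// alike, goes through Squid so the
  // SquidGuard target rules apply. No "; DIRECT" fallback is appended: if the
  // proxy is down, browsing fails closed instead of silently bypassing the
  // download filter.
  return SQUID;
}

// Stand-alone demonstration when run under Node (ignored by browsers).
if (typeof module !== "undefined" && require.main === module) {
  console.log(FindProxyForURL("https://www.example.com/setup.exe", "www.example.com"));
  console.log(FindProxyForURL("http://intranet/", "intranet"));
}
```

Serve this file as `http://wpad.<your-domain>/wpad.dat` with the `application/x-ns-proxy-autoconfig` MIME type, as the linked article describes, and point clients at it via the `wpad` DNS record or DHCP option 252; clients that do not honour WPAD (the Android case mentioned above) get the same proxy address entered by hand.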



  • Thanks.

    I guess I can just factory reset the installation and start again?



  • That's what I would do.

