Block HTTPS site without WPAD or installing a CA certificate.



  • Hi,

    I am currently trying to move away from Sophos to Pfsense, so far so good
    almost every feature i use in Sophos is present in Pfsense except i can’t get one thing to work.

    i’ve set up Pfsense 2.3.2 with the following packages:

    • Squid (3.5).
    • squidGuard (1.4).
    • Snort (not really relevant for this issue).

    In Sophos i use an option to block websites (facebook, twitter), this works for http and https.
    https is configured as "URL filtering only", this has some disadvantages like no content or virus scanning on https sites but that doesn’t matter to much for this case,
    I am only interested in blocking websites which works.

    I am trying to achieve the same thing with Pfsense but i am having trouble setting this up,
    i’ve tried:

    • Enabling SSL filtering, the result: certificate error on every HTTPS page (but squidguard rules work).
    • Disabling SSL filtering, works but HTTPS sites aren’t being blocked (HTTP sites are).
    • Tried multiple “Custom ACLS (Before Auth)” lines but the results are always the same, either
      HTTPS filtering works with certificate error on every HTTPS site or HTTPS filtering doesn’t work.

    I have no control over the “end-users” devices or routers so WPAD or installing a (CA) certificate
    isn’t an option for me (nor is needed in the current Sophos deployment).
    I am using squid in transparent mode.

    Does anybody know if what i am currently doing with Sophos is possible with Pfsense?
    If so what am i doing wrong?



  • I have no control over the “end-users” devices or routers so WPAD or installing a (CA) certificate isn’t an option for me

    WPAD typically doesn't require any interaction with the user's device.  Most current operating systems have an auto-detect proxy feature enabled, and this is what WPAD is used for.  The exception is android which does not support WPAD for some reason, so for these devices you must manually configure the proxy.



  • @dilu1:

    In Sophos i use an option to block websites (facebook, twitter), this works for http and https.
    https is configured as "URL filtering only", this has some disadvantages like no content or virus scanning on https sites but that doesn’t matter to much for this case,
    I am only interested in blocking websites which works.

    I'm very prone to learn how this would work  8)