Ssl filtering seems impossible



  • Hi,

    Struggling with filtering ssl. Been searching and trying solutions from all over the web, nothing helped.
    I have squid and squidguard installed. Transparent mode doesn't work at all, so I do not use that. I have http and https filtering turned on in the squid settings, intercepting both http and https on port 3128. Squid works fine with regular http traffic, blocking various stuff like porn and ads (from in squidguard blacklists).
    I created a CA and exported the certificate to file, then imported it in the windows trusted root certificate authorities. I still can't do a regular google search (whcih defaults over ssl) or anything else involving ssl, like online banking.
    Attached a screenshot.

    Can this be done at all???



  • Some screenshots






  • Btw, I have also tested with Avast scanner turned off. That doesn't seem to be the culprit.



  • Transparent mode is a pain in the ass.  Explicit mode is best, and you don't need to screw around with certificates at all.  I suspect your config is a borked mishmash of transparent and explicit settings. For example, in explicit mode, you do not need to worry about SSL MitM Filtering, so uncheck all of that stuff.  From there, either set your proxy in your OS manually or configure WPAD for auto-discover of the proxy.



  • @KOM:

    Transparent mode is a pain in the ass.  Explicit mode is best, and you don't need to screw around with certificates at all.  I suspect your config is a borked mishmash of transparent and explicit settings. For example, in explicit mode, you do not need to worry about SSL MitM Filtering, so uncheck all of that stuff.  From there, either set your proxy in your OS manually or configure WPAD for auto-discover of the proxy.

    Hi KOM,

    Thx for your answer.
    The checkbox at "Transparent HTTP Proxy" is unchecked, "Enable SSL filtering" is checked, and I set the proxy explicitly in Firefox.
    Is that what you mean with "explicit"? What could possibly be wrong otherwise?

    Thx



  • Uncheck Enable SSL filtering as well.  Explicit means your PC is either told where the proxy is, or it can find it itself.  With transparent mode, your PC is never ever aware that it's being proxied.



  • Well, for some reason it still doesn´t work.
    I expect to be able to block e.g. https://www.google.com. As this URL is in the target rules of [blk_BL_searchengines], which is set to DENY, that should work, right?
    I unchecked "Enable SSL filtering" and rebooted pfsense. I configured Firefox to use the same proxy on port 3128 for all protocols. I verified that some pages with ads have their ads now blocked, so the proxy IS working for http. Now firefox states "Unable to connect"…. when searching on https://www.google.com  >:(



  • @KOM:

    Uncheck Enable SSL filtering as well.  Explicit means your PC is either told where the proxy is, or it can find it itself.  With transparent mode, your PC is never ever aware that it's being proxied.

    Right… now my PC knows where the proxy is(I told it). But because SSL filtering is turned off, it doesn't accept ssl connections...



  • It's working.  That's what you get with a blocked HTTPS connection.  Can I assume other HTTPS sites work just fine?



  • You're kidding me…  ;)



  • No it doesn't, and I have no clue



  • Not sure, need more testing. Give me 5 minutes



  • OMG, it IS working …
    Sorry I was rude.
    Still need to let this sink in.

    Thanks again



  • No problem.  Services - Squidguard also has a Log tab where you can see it blocking stuff.


  • Banned

    You seem to be using Firefox to test HTTPS filtering; please not FF does not use the system certificate storage as you indicated in your screenshot - you need to add trusted root certificate to FF own storage. See https://docs.diladele.com/administrator_guide_4_8/https_filtering/install_certificates/win_ff.html


Log in to reply