Https filtering
-
So, in order to do HTTPS filtering with Squid, we need to create a CA from our certificate manager.
Then you configure everything and WPAD. So my question is, do we need to manually install the CA certificate, or does the user need to install it in their own browser? If yes, is there any other way to let the user install the CA certificate by themselves without us installing the CA for them? This is especially true for non-techy persons who are part of the 3rd-party users, like the public Wi-Fi users.
-
You've got it completely wrong. If you're using WPAD then you don't need to install client certs. Client certs are only required for transparent proxy.
https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
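As an added example (not part of any post in this thread, and not taken from the pfSense doc linked above): a minimal WPAD proxy auto-config (PAC) script of the kind served to clients as wpad.dat. The proxy address 192.168.1.1:3128, the internal domain .example.lan and the 192.168.1.0/24 subnet are assumptions chosen for illustration. In this mode the browser talks to Squid explicitly, so HTTPS goes through as a CONNECT to host:port with no certificate involvement, which is why no client CA is needed.

```javascript
// Added example: a minimal WPAD proxy auto-config (PAC) script.
// The proxy address, internal domain and subnet below are assumptions.
// Browsers supply the PAC helper functions (isPlainHostName, dnsDomainIs,
// isInNet, shExpMatch) themselves; the polyfills here only exist so the
// script runs and can be checked offline outside a browser.

function isPlainHostName(host) { return host.indexOf(".") === -1; }

function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// Shell-style wildcard match: '*' matches any run, '?' a single character.
function shExpMatch(str, pattern) {
  var escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) {
    return (acc << 8) + parseInt(octet, 10);
  }, 0) >>> 0;
}

// Only literal IPv4 hosts are accepted here; a browser's isInNet would
// resolve a hostname first, which we deliberately do not do offline.
function isInNet(host, net, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

var PROXY = "PROXY 192.168.1.1:3128"; // assumed Squid listener

function FindProxyForURL(url, host) {
  // Bare hostnames and the internal domain bypass the proxy.
  if (isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, ".example.lan")) return "DIRECT";
  // Local subnet bypasses the proxy as well.
  if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
  // Everything else over http/https/ftp is sent to Squid; for https the
  // browser issues CONNECT host:443, so Squid sees only the host name.
  if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*") || shExpMatch(url, "ftp:*")) {
    return PROXY;
  }
  return "DIRECT";
}
```

When deploying a real wpad.dat, strip the polyfill helpers and keep only FindProxyForURL; the browser provides the rest. The script uses `var` and plain function declarations because older PAC engines do not accept newer syntax.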
-
@KOM:
You've got it completely wrong. If you're using WPAD then you don't need to install client certs. Client certs are only required for transparent proxy.
It depends on what you want to do. Using the proxy directly or with WPAD the proxy only sees the target host and a CONNECT, it cannot see the contents of the pages or the full URL. For filtering by full URL or content scanning like AV, you still need to MITM the SSL connection with ssl bumping.
If you only need to filter by domain name then using WPAD or the proxy settings directly is sufficient.
-
I didn't think anybody really cared about that anymore, now that there is no longer a content filtering package like DansGuardian. Valid point on the antivirus angle, but I still can't believe people run ClamAV on the firewall.
-
If you are in charge of the machines connecting to your SSL bumping Squid and these are joined to Active Directory for example, you can issue the Intermediate Root CA for your Squid from domain controller and nothing will need to be installed on the machines (as these already trust AD Root CA). Or you can push the Root CA to such machines using Group Policy.
On the other hand if you do not own the machines connecting to your proxy (like public Wi-Fi guests) you never can bump HTTPS traffic. Period.
-
Yes, I mean HTTPS filtering, as my thread topic indicated.
I think my question is not answered. If I do HTTPS filtering, do I need to manually install the certificate for the users, especially the public users like on public Wi-Fi? If yes, is there a way to install the certificate without us doing the manual installation?
-
Yes, you need to install a CA certificate on machines you wish to filter. No, there isn't a way to do that automatically on guest systems you do not control.
-
yes you need to install a CA certificate on machines you wish to filter. No, there isn't a way to do that automatically on guest systems you do not control.
Out of interest, because I am thinking of doing this on my home network (I want to really properly block porn-type sites, including Google Images, which is HTTPS): if a kosher cert was bought, would this still need to be done, or will it automatically trust the FW because it's got a cert from an already trusted location?
Thanks,
Si
-
There is no such thing as a "kosher" certificate for SSL interception (unless you're the Chinese government, if rumors are to be believed).
You must use a self-signed CA for SSL interception, and that CA must be installed on clients.