Squid Certificate https

  • pfsense 2.3.1
    squid transparent
    Captive Portal with Windows AD authentication

    For my domain computers I have deployed a certificate from my Sonicwall firewall via GPO to enable DPI-SSL. This enables me to filter https traffic and log it. All logging and filtering for domain computers is done with Sonicwall/Analyzer.

    For my BYOD users, can I use this certificate on pfsense and somehow get users to accept the cert during their CP authentication window?

    At the minute I have Squid set to log websites via the Captive Portal logon name. This is great for http. All logging for BYOD is done on pfsense. I am thinking that if I get users to accept this cert from pfsense, I can then log https traffic.


  • What you can do is host the certificate somewhere within your network, either on the pfsense web server or any other internal web server you have. Then you can edit the captive portal page to have a download button for the certificate, and ask users to install it.

    However, I don't know how much I recommend using Squid for HTTPS filtering. I'm not having very good luck with it myself; it seems to give all sorts of random problems such as slow browsing, HTTPS websites not working, certificate errors and so on. It seems to really be bodged together. On top of that, it doesn't really have SSL inspection; you're kind of limited to categorical blocking via domains.
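As an added example (not code from the original thread, from pfSense or from Squid), here is a small script that prepares what the "download button" approach above needs: the CA exported as DER (.crt, what Windows and Android importers want), as PEM (what iOS/macOS and most browsers want), the SHA-256 fingerprint to print on the portal page so users can compare it with the import dialog before trusting a new root, and the HTML fragment for the portal page. Two assumptions are made: the CA is available in PEM form (the PEM embedded here is a constructed placeholder whose body is a bare DER SEQUENCE, not a real certificate, so the script runs offline), and files uploaded through the captive portal file manager are served as `captiveportal-<filename>`, which you should verify against your pfSense version. One caveat on the original question: Squid on pfSense can only generate per-site certificates if it holds the CA's private key as well as the certificate, so the Sonicwall DPI-SSL CA is only reusable if that key can be exported; otherwise create a separate CA in pfSense's Cert Manager and distribute that one.

```python
"""Prepare a CA certificate for hand-out from a captive portal page.

Added example, not code from the original thread or from pfSense. It assumes
the CA certificate has already been exported in PEM form; the PEM embedded
below is a constructed placeholder whose body is a bare DER SEQUENCE, not a
real X.509 certificate, so the whole script runs offline.
"""
import hashlib
import html
import ssl

# Constructed placeholder standing in for the exported CA PEM.
# Its body decodes to the DER bytes 30 03 02 01 01 (SEQUENCE { INTEGER 1 }).
PLACEHOLDER_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQE=\n"
    "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Convert PEM to DER, the .crt/.cer form Windows and Android importers expect.

    Every X.509 certificate is a DER SEQUENCE, so anything that does not start
    with tag 0x30 is rejected before it is offered to users.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def der_to_pem(der: bytes) -> str:
    """Re-encode DER as PEM (the form iOS/macOS profiles and most browsers accept)."""
    return ssl.DER_cert_to_PEM_cert(der)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint over the DER bytes, in the colon form OS cert viewers show.

    Published on the portal page so a user can compare it with what the import
    dialog displays before trusting a new root CA.
    """
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def portal_download_section(ca_name: str, crt_file: str, pem_file: str, fingerprint: str) -> str:
    """Render the HTML fragment to paste into the captive portal login page.

    Assumption: files uploaded through pfSense's captive portal file manager are
    served from the portal root as 'captiveportal-<filename>', so the links use
    that prefix. Verify this against your pfSense version.
    """
    name = html.escape(ca_name)
    fp = html.escape(fingerprint)
    return (
        f"<h2>Install the {name} certificate</h2>\n"
        "<p>Before trusting it, check that the SHA-256 fingerprint shown during import is:</p>\n"
        f"<pre>{fp}</pre>\n"
        "<ul>\n"
        f'<li><a href="captiveportal-{html.escape(crt_file)}" download>Windows / Android (.crt)</a></li>\n'
        f'<li><a href="captiveportal-{html.escape(pem_file)}" download>iOS / macOS / Linux (.pem)</a></li>\n'
        "</ul>\n"
    )


def build_bundle(pem: str, ca_name: str = "BYOD Web Filter CA") -> dict:
    """Produce the files and page fragment to upload through the portal file manager."""
    der = pem_to_der(pem)
    fingerprint = sha256_fingerprint(der)
    return {
        "ca.crt": der,                      # upload as-is (DER) for Windows/Android
        "ca.pem": der_to_pem(der),          # upload for iOS/macOS/Linux
        "fingerprint": fingerprint,
        "portal.html": portal_download_section(ca_name, "ca.crt", "ca.pem", fingerprint),
    }


if __name__ == "__main__":
    bundle = build_bundle(PLACEHOLDER_CA_PEM)
    print(bundle["fingerprint"])
    print(bundle["portal.html"])
```

Write `bundle["ca.crt"]` and `bundle["ca.pem"]` out as files and upload them with the file manager, then paste `bundle["portal.html"]` into the portal page above the login form. The fingerprint check is the part worth keeping even if you change everything else: a user who installs a root CA from a captive portal has no other way to tell your CA from one an attacker on the same Wi-Fi is handing out.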

