Logging URLs
-
Hi,
I am new to PfSense and need to get something done for the boss. I am looking to log websites that users visit in the office. I heard about something called Squid to do this but I am not to familiar with this method. Any ideas anyone? Thanks!
-
Install squid from packages and point all your devices to the proxy or use squid in transparent mode but transparent mode works on http not https, for transparent mode on https you will need ssl certs on every device, and with squid you can only view what IP (of device) has gone where. Another way could be use opendns and log sites visited but again you will not know who visited what just the sites visited (NAT REASONS )
-
Thank you so much for responding….When you say point all my devices (users) to the proxy, I would have to go to their machines and set that up? Also, I would have to install a valid ssl cert on each of their machines as well?
-
Hi sorry I did not clear it for you in the first post.
Yes you will have to go to the browser in every machine and point it to the proxy server (squid). As for the cert you will have to create a cert in pfsense then export it and install it in every machines browser. -
Hmmm, I would probably have to find a different method, as this method would take a lot in my place of business. Do you have any other suggestion as far as pfsense is involved?
-
Using pfsense there isn't any better way
-
While you could push the proxy to your clients via group policy if your an AD shop.. Or with simple autodiscovery WPAD for example.
If your wanting to do mitm for https sites all your clients would have to trust the CA creating the https certs. Snooping on https is opening up a whole can of worms that for sure your business management would really need to sign off on.
-
Thanks for your response. Really not trying to attempt a MITM attack. All we want to do is log what websites users are going to.
-
So been a while since I played with squid, but normally if all your doing is passing the https through squid via a connect you should be able to get the log of the base url, but you would not get the full url..
So you might see forum.pfsense.org 443 in the log but not say https://forum.pfsense.org/index.php?topic=127335.0
I would have to fire up squid and test if you need help in doing this. If you wanted the full url showing index.php?topic=127335.0 you would need to do the mitm thing. This is when your client would have to trust the ca proxy is using to generate the the fake cert to use..
look here for your options of https through squid
http://wiki.squid-cache.org/Features/HTTPS -
Doesn't have to be the full url. I can take what I can get from this point.
-
Thanks for your response. Really not trying to attempt a MITM attack. All we want to do is log what websites users are going to.
You won't be able to see what https websites users are going to without something like a MITM. The requests are encrypted.
-
Squid peek/splice can log the HTTPS domain visited, but not the complete URL.
This can be done in transparent mode without installing and trusting CAs on every client or dealing with WPAD, etc.
-
Thanks this help a lot