Https web filtering WITHOUT certificate warnings?



  • Hi there,

    I've been searching and trying to get https web filtering working for a while now. I'm currently managing a whole bunch of Fortigate UTMs that do https url/web filtering WITHOUT the need for an AD or installing certificates or setting up proxies on user devices. Users also don't get security warnings.

    Is it possible to get the same thing working on pfSense? I would like to move to pfSense but web filtering is a must and as I'll be managing hundreds of installations with thousands of users in a BYOD setting asking users to import certificates or set up proxies is simply not going to work.

    I've tried this guide but it doesn't work.
    https://forum.pfsense.org/index.php?topic=112335.0


  • Netgate

    And what feedback do these users get from these fortigates when they try to visit a blocked HTTPS site?



  • @Derelict:

    And what feedback do these users get from these fortigates when they try to visit a blocked HTTPS site?

    A certificate error. It's set to proxy based filtering. As far as I know for web filtering it uses SSL certificate inspection and the Fortigate will only look at the header to pass or block a url, thus not triggering an error when the url is allowed.


  • Netgate

    You want squid peek and splice. Moving to Cache/Proxy.


  • Banned

    The https://docs.diladele.com/tutorials/filtering_https_traffic_squid_pfsense/index.html works exactly like this - do not enable HTTPS filtering but do block categories or by domain names. When user tries to connect to remote site that is blocked using HTTP - it sees the 'access denied' page; if connection is made using HTTPS the connection is silently reset or 'access denied' with certification warning is shown to the user.

    You will not be able to look into the contents though - blocking bad searches on Google and YouTube will not work.



  • @Derelict:

    You want squid peek and splice. Moving to Cache/Proxy.

    That easy huh :D

    Looks like I got it working. Just need to see if I can get safe search working as well.

    Is there a paid service that provides a good blacklist for squid?  I tried the shalla free one but that doesn't really hold a candle to the Fortinet blacklist. I didn't expect the same results but when I block cars and half of the Toyota domains are still working because they don't use .com or whatever, that won't be good enough.

    @sichent:

    The https://docs.diladele.com/tutorials/filtering_https_traffic_squid_pfsense/index.html works exactly like this - do not enable HTTPS filtering but do block categories or by domain names. When user tries to connect to remote site that is blocked using HTTP - it sees the 'access denied' page; if connection is made using HTTPS the connection is silently reset or 'access denied' with certification warning is shown to the user.

    You will not be able to look into the contents though - blocking bad searches on Google and YouTube will not work.

    I found out about Diladele before and I am considering looking into them but that tutorial requires pushing certificates. Maybe it works if you simply enable the https proxy in squid though.


  • Banned

    Exactly - if you do not enable HTTPS filtering - no certificates need to be pushed; the blocked HTTPS sites are then shown the "SSL warning" - but that is not a problem if you prohibit access to them. Moreover - you can just drop the connection for blocked HTTPS sites - as described at https://docs.diladele.com/faq/squid/cannot_connect_to_site_using_https.html



  • I think you are misunderstanding me.

    I don't want to block https websites but I don't want/can't push certs either.


  • Netgate

    So don't filter HTTPS and it won't be forwarded through squid at all.



  • @DutchSamurai:

    I think you are misunderstanding me.

    I don't want to block https websites but I don't want/can't push certs either.

    Just out of curiosity… Are you using this in a business or home environment? Without filtering HTTPS, web filtering these days is a shambles. As more and more websites are moving to HTTPS, even free certificates from Let's Encrypt are available. If I were you, I'd use the Splice all feature in Squid, as it can block HTTPS sites without any certificates.
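What Derelict's "peek and splice" and the "Splice all" advice above come down to in a hand-written squid.conf, added here as an illustration; it is not something posted in the thread, nor the config the pfSense squid package generates. Ports, file paths, the localnet range and the contents of the domain list are assumptions.

```conf
# Added example (not from the thread, not pfSense's generated squid.conf):
# Squid 3.5+/4 peek-and-splice, blocking HTTPS sites by TLS SNI only.
# No certificate is ever presented to a client, so BYOD devices need no CA.
# Ports, file paths, localnet range and the domain list are assumptions.

# Intercept ports (pfSense NAT redirects 80/443 here in transparent mode).
# Squid insists on cert= for an ssl-bump port even though in peek/splice
# mode that certificate is never shown to a client.
http_port  3128 intercept
https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/squid-ca.pem

# SslBump1: only the destination IP / CONNECT host is known.
# SslBump2: after peeking, the client's ClientHello (SNI) is available.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Blocked domains, one per line, dstdomain style (".example.net" also
# matches every subdomain). Fed from whatever category list you license.
acl blocked_sni ssl::server_name "/usr/local/etc/squid/blocked_domains.txt"

# Order matters: peek first to learn the SNI, then decide on it.
ssl_bump peek step1
ssl_bump terminate blocked_sni   # TCP close: the "silent reset" a blocked user sees
ssl_bump splice all              # everything else passes through untouched

# Plain HTTP can still get a proper "access denied" page.
acl localnet src 192.168.0.0/16  # assumed client range
acl blocked_http dstdomain "/usr/local/etc/squid/blocked_domains.txt"
http_access deny blocked_http
http_access allow localnet
http_access deny all
```

Because the decision rests on the SNI alone, a connection that carries no SNI (or an encrypted one) leaves Squid with only the destination IP to match on, so a category list that also ships IP entries closes that gap.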



  • It's a project for work so I do need the https filtering but as it's BYOD I can't push certs. Splice all works, it's just that there is no url database that comes close to what Fortigate offers. I didn't expect it would work as well, the databases being provided for free after all.

    So I do want https filtering I just don't want to push certs but all sichent's posts assume I'm ok with certs ;)

    In short: Splicing blocks https but the lack of a solid (paid) database means pfSense won't be an alternative to our Fortigates.