SquidGuard HTTPS filtering without ssl?

kontras20 · May 2, 2017, 7:17 PM

Hi Everyone,
I'm new in the forum and with pfsense also :)
My goal is to setup web filtering at a Wifi hotspot.
I have a set up with transparent proxy and SquidGuard configured.
HTTP filtering is working well but I would like to filter HTTPS sites also. I searched on forum and found that if I want to do that, I have to enable SSL filtering, create a cert and import it to all client PCs. Am I right?
My problem is that I don't want to use SSL filtering because this is about a HotSpot installation, so I cannot just send certificates to everyone. As far as Ι know they did that in the past with another Pfsense Installation so I assume that I am just searching for it wrong :P.
Any ideas how can I do that?

Thanks in advance
Regards,
Michael

pfsensation · May 2, 2017, 9:41 PM

Use the splice all feature in Squid, then you can block HTTPS sites without any certificates being handed over to clients.

kontras20 · May 3, 2017, 8:22 PM

Hi.
Thank you for your response.
Unfortunatelly spice all feature is enabled but still https sites are not blocking.

pfsensation · May 3, 2017, 8:53 PM

@kontras20:

Hi.
Thank you for your response.
Unfortunatelly spice all feature is enabled but still https sites are not blocking.

Have you tried manually setting the proxy up on a client and trying? My guess is that your clients are bypassing the proxy. Setup WPAD, and block port 443/80 to disallow access without going through your proxy.

JSONSec · May 6, 2017, 7:22 PM

I have a similar issue. Splice All enabled, yet when I enable it all HTTPS fail. It's driving me nuts.

gersonofstone · May 10, 2017, 9:57 PM

@JSONSec:

I have a similar issue. Splice All enabled, yet when I enable it all HTTPS fail. It's driving me nuts.

all memory used?

kontras20 · May 12, 2017, 8:58 PM

Hi. Sorry for the delay. I have configure it with wpad and working. But I have some questions again. It seems that android phones could not connect to the access point. After checking I realize that android phones does not get automatically the proxy settings through the router. Is it possible to force all traffic go through my proxy without setting the proxy server in the android phone ?
Thanks in advance

KOM · May 15, 2017, 5:25 PM

Android is the only one that does not support WPAD. Better to have manual instructions for those users instead of reworking your entire solution.

technicalcsti · May 16, 2017, 1:29 PM

@JSONSec:

I have a similar issue. Splice All enabled, yet when I enable it all HTTPS fail. It's driving me nuts.

Same problem here.

If I Use explicit proxy in the config all is ok, but in transparent mode with Splice All enabled, HTTPS fails.