Certificate Authority // Proxy http/https

BDMcGrew · Mar 27, 2019, 10:32 PM

Hi Guys!

I’m brand to new pfSense and trying to search out what I’m doing but it’s not going so well.

I’ve already got a working infrastructure and would like to use pfSense to begin with solely as a proxy server for http/https. More specifically I want to be able to log and analyze web traffic by IP and see what kinds of times each user is spending on work related tasks vs; games, etc. Yes, sadly, it has become that much of a problem that I have to spend this kind of time proving its a problem.

So far I have pfSense up and running in a VM with a single interface. I can turn on http proxy and it works but of course when I turn on https proxy I have to give a CA to use and I get security errors on the local browser since it’s a self-signed CA.

Is there a way I can install a root ca or some other authoritative non self signed ca that won’t cause a browser security warning?

I apologize if this question has already been asked or if I’m asking it wrong - I’m a storage guy, not a network guy; and doing this out of necessity, not desire.

My end goal is to set my firewall to reroute all http/https traffic to the proxy server without users knowing and then be able to generate usage reports for each ip.

Thanks in advance,

-brian

Grimson · Mar 27, 2019, 10:37 PM

RTFM: https://docs.netgate.com/pfsense/en/latest/book/certificates/index.html and yes you will have to add your own CA cert to all devices/browser used in your environment.

BDMcGrew · Mar 27, 2019, 10:47 PM

I've read the manual and I get what it's saying.

But I'm looking for a way to go to Symantec or GoDaddy and but a SSL certificate/ca and not have to push out a self-signed certificate to all the browsers.

Grimson · Mar 27, 2019, 10:50 PM

@BDMcGrew said in Certificate Authority // Proxy http/https:

But I'm looking for a way to go to Symantec or GoDaddy and but a SSL certificate/ca and not have to push out a self-signed certificate to all the browsers.

Dream on, becoming a globally trusted CA is very hard, takes a long time and costs lot of money. It also has nothing to do with pfSense.

stephenw10 · Mar 31, 2019, 5:40 PM

Yeah, you can't buy a CA from a global authority like that.

If you need to do full MITM SSL interception you need to push your own CA cert to the clients.
https://youtu.be/xm_wEezrWf4?t=636

Steve

BDMcGrew · Apr 2, 2019, 9:03 PM

Ok... I totally understand that now and it's clear.

But, I don't really need to be MITM or even inspect the traffic at all. My ultimate goal it simply to see what websites users are visiting, log access times and time spend surfing and report it. I do not need to inspect or view the content. I need to justify upgrading our gateway appliance with hard data and justify some content filters and access controls. Too many users wasting half their days on the web.

Can I do this with the proxy and not require any certificates?

stephenw10 · Apr 2, 2019, 10:06 PM

Yes you can see URLs in https (and http) traffic using Splice mode which is also explained in that hangout.

https://youtu.be/xm_wEezrWf4?t=935

Steve