Newbie HTTPS question
-
Enabling https inspection with self-signed SSL cert means having to install certification on every device to avoid the pesky error messages from browsers.
Can you use a lets encrypt cert to do https if not what is recomended
-
@sysoverload said in Newbie HTTPS question:
Can you use a lets encrypt cert to do https
That's right.
But, be aware, it's not a free ride : you can only ask a trusted certificate from acme when you use a real domain name - a domain name that you bought / rent / own.
"pfsense.lan.net" or *lan.net" or *.lan.net" (wild card) won't do because you do not "own" that domain name.With a wild-card cert you can load the cert on any device you have on your LAN, like printers, etc.
-
It doesn't work like that...
Lets say your client wants to go to https://www.google.com, the proxy has has to hand back a cert that says its for www.google.com, Or your browser is going to bitch.
How do you think acme could do that?
-
Hummm. I guess I was reading " to do https" => accessing the GUI using https ....
-
Maybe - but the use of "https inspection"
Seems more like he is asking how to inspect https via proxy.. If all he wants is his browser to not balk at his web gui access then yeah that is simple enough to do with acme.
-
@johnpoz said in Newbie HTTPS question:
s say your client wants to g
looking for a way to block https sites without having to install a cert on every device behind it
-
You can block without trusting.. You have to use explicit (I believe), ie the client has to point to the proxy.. It will send the connect command for https, so proxy know where trying to go, and can either allow or deny based on that host name...
What you can not do is allow say www.domain.com but block www.domain.com/something without doing mitm... Since onlly the host is sent in the connect.
There is a hangout that I believe goes over this stuff - let me see if can find it.
edit: here you go
https://www.netgate.com/resources/videos/squid-squidguard-and-lightsquid-on-pfsense-24.html
edit: Also if all your looking to do is block access to sites, be it http or https wouldn't pfblocker be another option?
