Netgate Discussion Forum
Can SquidGuard work without wpad or manual proxy setup on a client?

pfSense Packages
nick.loenders, Nov 10, 2020, 7:56 PM

    Can SquidGuard work without wpad or manual proxy setup on a client?
    I want to filter ALL traffic and block categories for all clients.

IamArobot @nick.loenders, Jan 20, 2021, 5:22 PM

      @nick-loenders

      Yes it can work without WPAD or proxy configuration. In order for this to work, your clients require an SSL certificate from the firewall.

Squid should be configured with Transparent HTTP Proxy enabled and HTTPS/SSL interception enabled. SSL/MITM mode is Splice Whitelist, Bump Otherwise. You will need to create a Certificate Authority on your firewall to use for SSL. This SSL CA will need to propagate to all clients on your network or be installed manually in their computer's root certificate store. You can export the cert and key after creating the CA and then deploy it to your PCs through Group Policy.

      I also have the Remote Cert Checks options enabled to accept certs with errors and not verify. Because I am only doing this for blocking sites and auditing, I have Local Cache completely disabled.

On SquidGuard you'll have to set up the blacklist, target categories, and Group ACLs if you want more control for specific groups of devices; otherwise just configure the Common ACL.

I have also made a custom error page. I installed IIS with PHP and bound it to HTTP and HTTPS. Then on my SquidGuard ACL I select Redirect Mode as "ext url err page". My URL is http://servername/index.php?
This allows SquidGuard to pass variables to the server for my custom block page. For example, my HTTP code in index.php has <?php echo $_GET['u'] ?> for showing the blocked URL. I found that the HTTPS sites that are blocked won't fully load the error page unless all my references in the HTML (to scripts/images, etc.) are explicitly set to https://servername/resource

There are some cool 403 Forbidden templates on CodePen.

nick.loenders @IamArobot, Jan 28, 2021, 8:49 AM
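An added example of such a block page, written for this page and not taken from IamArobot's index.php or from the pfSense squidGuard package. It assumes (from squidGuard's %a/%n/%i/%s/%t/%u macros) that pfSense's "ext url err page" mode appends a=client address, n=client name, i=ident, s=source ACL, t=target category and u=blocked URL to the redirect URL, and that the page is served from a host called servername that the clients reach over HTTPS with a certificate they trust. It does two things the one-line echo above does not: every squidGuard-supplied value is HTML-escaped before it is written into the page, because the blocked URL is chosen by whoever crafted the link the user clicked, so echoing $_GET['u'] raw makes the block page reflect attacker-controlled markup; and every reference to a script, stylesheet or image is an absolute https://servername URL, which is the fix the post describes for pages that do not fully load on bumped HTTPS connections.

```php
<?php
// Added example block page for squidGuard's "ext url err page" redirect mode.
// Assumption: pfSense appends a=%a&n=%n&i=%i&s=%s&t=%t&u=%u to the redirect URL.
// Host name and asset paths below are hypothetical.
declare(strict_types=1);

// One absolute origin for every asset, so the page renders inside a bumped
// HTTPS connection as well as over plain HTTP.
const ASSET_BASE = 'https://servername';

// Never let the client cache a block page; it would survive ACL changes.
header('Cache-Control: no-store');
header('Content-Type: text/html; charset=UTF-8');
header('X-Content-Type-Options: nosniff');
header("Content-Security-Policy: default-src 'none'; style-src " . ASSET_BASE
     . "; img-src " . ASSET_BASE);

// Read one squidGuard variable as a bounded string. A value may arrive as an
// array (u[]=...) or carry control characters; neither is allowed through.
function param(string $name, int $max = 2048): string
{
    $v = $_GET[$name] ?? '';
    if (!is_string($v)) {
        return '';
    }
    $v = preg_replace('/[\x00-\x1f\x7f]/', '?', $v) ?? '';
    return mb_substr($v, 0, $max, 'UTF-8');
}

// HTML-escape before output: the blocked URL is attacker-chosen input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$blockedUrl = param('u');
$category   = param('t', 64);
$client     = param('a', 64);

// One line per block event for the audit trail; control characters were
// stripped above, so a crafted URL cannot forge extra log lines.
error_log(sprintf('squidguard-block client=%s category=%s url=%s',
                  $client, $category, $blockedUrl));

http_response_code(403);
?>
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>403 Forbidden</title>
  <link rel="stylesheet" href="<?= h(ASSET_BASE) ?>/block.css">
</head>
<body>
  <img src="<?= h(ASSET_BASE) ?>/logo.png" alt="">
  <h1>Access blocked</h1>
  <p>The site <code><?= h($blockedUrl) ?></code> is in the blocked category
     <strong><?= h($category) ?></strong>.</p>
  <p>Requesting address: <?= h($client) ?></p>
</body>
</html>
```

Two operational points follow from the setup in the post: the error page host must itself be reachable through the proxy without being bumped into a loop (put servername on the Splice Whitelist or exempt it from the transparent proxy), and since the page is fetched over HTTPS the web server needs a certificate the clients trust, which the same firewall CA can issue.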

        @iamarobot But then you're still making changes on the user devices.

I don't have servers or anything in my setup.
Just a modem for internet, a firewall behind it, a switch and access point and some PCs and laptops for users. Nothing else.
So no server, no NAS, nothing.
And also no verified CA.

With a WatchGuard you can block it directly at the firewall; it would be great to have something like that directly on the pfSense as well.

viktor_g (Netgate) @nick.loenders, Jan 28, 2021, 10:00 AM

          @nick-loenders said in Can SquidGuard work without wpad or manual proxy setup on a client?:

With a WatchGuard you can block it directly at the firewall; it would be great to have something like that directly on the pfSense as well.

          Maybe you need pfBlockerNG?

Gertjan @nick.loenders, Jan 28, 2021, 11:38 AM

            @nick-loenders said in Can SquidGuard work without wpad or manual proxy setup on a client?:

            But then you're still making changes on the user devices.

When you enter the MITM road:
There is a huge learning curve.
Maintenance is an ongoing job.
You will find the Internet not cooperative, nor your 'LAN' clients.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

nick.loenders @Gertjan, Jan 28, 2021, 12:23 PM

              @gertjan Yes, apparently.

              Though with a Watchguard device you can:
              To make sure a site is always blocked, you can permanently add sites to the Blocked Sites list. You can block an IPv4 or IPv6 host IP address, network IP address or host IP address range, host name (one-time DNS lookup), or you can block a site by FQDN (includes wildcard domains).

So it IS possible to do it the easy way.
I would wish pfSense made something easy like that as well.

Just a blocked websites feature where you add something like youtube.com/ and everything is blocked, and not that you need to search all IPs of all possible YouTube pages and millions of IPs manually....

Gertjan @nick.loenders, Jan 28, 2021, 1:46 PM

                See what @viktor_g said.
IamArobot @nick.loenders, Jan 28, 2021, 4:03 PM

                  @nick-loenders

If you do not have servers, is it safe to assume there is a minimal number of clients? You can create the CA on the pfSense firewall and then export that certificate and install it in the root store of the devices in order to use SquidGuard with HTTPS/MITM functionality. Otherwise SquidGuard has to be configured as a proxy to use HTTPS filtering. The HTTP filtering alone doesn't require further client configuration, but most connections these days are through SSL.

Otherwise, you can configure the pfSense as the DNS resolver (Unbound) and utilize pfBlockerNG, which can block TLDs, and connections based on source country/region (DNSBL). pfBlocker will also let you utilize lists such as DShield and Spamhaus to filter out bad sites and domains by IP address.

                  Short of all that 'hassle', you might be more interested in a next-gen layer 7 firewall from a different vendor, but they are considerably more expensive and require maintenance contracts to continue functioning properly.

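As an added illustration of the resolver-side route IamArobot describes (configuration written for this page, not taken from the post or from pfBlockerNG itself): this is the shape of a domain block at the Unbound level, which is the mechanism pfBlockerNG's DNSBL automates from its feeds. The domain names and the 10.10.10.1 sinkhole address are constructed, and placing it under Services > DNS Resolver > Custom options on pfSense is an assumption about where hand-written Unbound options go.

```conf
server:
    # Constructed example: youtube.com and every name under it get NXDOMAIN.
    # always_nxdomain is a local-zone type in recent Unbound releases.
    local-zone: "youtube.com." always_nxdomain

    # Alternative style, the one DNSBL uses: redirect the whole zone to a
    # sinkhole address (10.10.10.1 is constructed) so a web server there can
    # show a block page and the query gets logged with the asking client.
    local-zone: "example-blocked.test." redirect
    local-data: "example-blocked.test. A 10.10.10.1"
```

This only bites when the clients actually ask the firewall: hand the firewall out as the DNS server via DHCP, block outbound UDP/TCP 53 and 853 from the LAN so devices cannot talk to 8.8.8.8 or a DoT resolver directly, and expect browsers with DNS over HTTPS enabled to bypass it unless the DoH endpoints are blocked too (pfBlockerNG-devel has an option for that). A DNS block also sees only the host name, never the path, so "youtube.com/" blocks the whole site; per-page or category filtering still needs the proxy and the CA deployment discussed above.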
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.