Show dnsbl_default.php for https sites
-
Hi,
pfBlockerNG-devel is not showing dnsbl_default.php for blocked websites using https protocol. It displays only when a website is using http protocol. How can I get it to display regardless of what protocol the site is using?
Installation info:
pfSense 2.4.5-RELEASE-p1
pfBlockerNG-devel 3.0.0_8
Thanks
-
@diegobph said in Show dnsbl_default.php for https sites:
https protocol
Fast answer : You don't want it to display.
Next best answer : your browser does not accept the page it received from the pfBlockerNG web server. You can, of course, remove related security settings, and inform your browser to disable everything that involves security, like accepting self signed certificates and conflicting domain name and what it found in the certificate.
Example : you blocked facebook.com.
You can't visit facebook.com using http. If a http server - port 80 - still exists, it will redirect to port 443, using certs.
ok, your browser accepts the redirect, and now it gets a page from https://www.facebook.com
It also receives a certificate that contains "I am *.facebook.com". Your browser has the capability to check that the certificate can be trusted.
Take note : you and I can not make a certificate that says "I am *.facebook.com". That's where all the security is based upon.
So, now, your question again :
You visit some https site that you've blocked.
Your browser wants a cert as it uses it to check if the embedded host names correspond with the host name part of the URL you used to visit the site.
If not ok, then you have a security violation, and it's game over.
Try for yourself
https://10.10.10.1
this will show the dnsbl_default.php page as it is the default web page.
Your browser will (and should) state a big warning page, that you might override. Do so (you trust web pages from your pfSense, right ?) and you see why.
Again, this is a https (TLS) transmission so : the host name in the cert (inspect it yourself) does not match the URL used (10.0.0.1) :=> browser not happy.
To make things even shorter : take a tour on Youtube and see what "https" is really all about ;)
And before you ask : over time, the pfBlockerNG built-in web server that shows a nice page that says : "you can't visit this site" will get removed. It's close to useless.
-
Yup that^. You can't make that page work for https as long as you have any sort of sane security in your browser.
Steve
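
The host name check described in the replies above, as an added example that is not part of the thread: a simplified RFC 6125-style name matcher in Python, run against constructed certificate name lists. The DNSBL certificate name `dnsbl.example.internal` and its empty IP list are assumptions (the real pfBlockerNG certificate contents are not shown here), and the code covers only the name comparison, not whether the certificate chains to a trusted CA.

```python
import ipaddress

# Constructed name lists standing in for the certificates in the thread.
SITE_CERT_DNS = ["*.facebook.com"]            # what the real site presents
DNSBL_CERT_DNS = ["dnsbl.example.internal"]   # assumed self-signed DNSBL cert name
DNSBL_CERT_IPS = []                           # assumed: no IP address entries


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against the host name from the URL."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*" stands for exactly one label
    if p[0] == "*":
        # Wildcard is honoured only as the whole left-most label, and
        # never directly under a top-level domain ("*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_matches_url_host(cert_dns, cert_ips, url_host):
    """True if the browser's name check would pass for this URL host."""
    if is_ip(url_host):
        # IP literals are compared only with IP entries, never DNS names.
        target = ipaddress.ip_address(url_host)
        return any(ipaddress.ip_address(ip) == target for ip in cert_ips)
    return any(dns_name_matches(name, url_host) for name in cert_dns)


def demo():
    return {
        "real site, www.facebook.com": cert_matches_url_host(SITE_CERT_DNS, [], "www.facebook.com"),
        "DNSBL cert, www.facebook.com": cert_matches_url_host(DNSBL_CERT_DNS, DNSBL_CERT_IPS, "www.facebook.com"),
        "DNSBL cert, 10.10.10.1": cert_matches_url_host(DNSBL_CERT_DNS, DNSBL_CERT_IPS, "10.10.10.1"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'certificate name mismatch'}")
```

Only the first case passes: the block page's certificate cannot carry the blocked site's name, so the browser stops before any page content is rendered.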