Netgate Discussion Forum

Show dnsbl_default.php for https sites

General pfSense Questions
Tags: pfblockerng, pfsense, dnsbl
  • D
    diegobph
    last edited by Feb 3, 2021, 6:51 AM

    Hi,

    pfBlockerng-devel is not showing dnsbl_default.php for blocked websites using the https protocol. It displays only when a website is using the http protocol. How can I get it to display regardless of what protocol the site is using?

    Installation info:
    pfSense 2.4.5-RELEASE-p1
    pfBlockerNG-devel 3.0.0_8

    Thanks

    • G
      Gertjan @diegobph
      last edited by Feb 3, 2021, 10:30 AM

      @diegobph said in Show dnsbl_default.php for https sites:

      https protocol

      Fast answer : You don't want it to display.
      Next best answer : your browser does not accept the page it received from the pfBlockerNG web server. You can, of course, remove related security settings, and inform your browser to disable everything that involves security, like accepting self-signed certificates and conflicting domain name and what it found in the certificate.

      Example : you blocked facebook.com.
      You can't visit facebook.com using http. If an http server - port 80 - still exists, it will redirect to port 443, using certs.
      OK, your browser accepts the redirect, and now it gets a page from https://www.facebook.com
      It also receives a certificate that contains "I am *.facebook.com". Your browser has the capability to check that the certificate can be trusted.
      Take note : you and I cannot make a certificate that says "I am *.facebook.com". That's what all the security is based upon.

      So, now, your question again :
      You visit some https site that you've blocked.
      Your browser wants a cert, as it uses it to check if the embedded host names correspond with the host name part of the URL you used to visit the site.
      If not ok, then you have a security violation, and it's game over.

      Try for yourself
      https://10.10.10.1
      this will show the dnsbl_default.php page as it is the default web page.
      Your browser will (and should) state a big warning page, that you might override. Do so (you trust web pages from your pfSense, right ?) and you see why.
      Again, this is an https (TLS) transmission, so : the host name in the cert (inspect it yourself) does not match the URL used (10.0.0.1) :=> browser not happy.

      To make things even shorter : take a tour on Youtube and see what "https" is really all about ;)

      And before you ask : over time, the pfBlockerNG built-in web server that shows a nice page that says "you can't visit this site" will get removed. It's close to useless.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

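Added example, not part of the thread and not pfBlockerNG code: a simplified Python model of the two checks described in the answer above (is the certificate's issuer trusted, and does a name in the certificate cover the host in the URL). Certificates are plain dicts rather than parsed X.509, and the issuer strings and the block page certificate name are constructed for illustration.

```python
# Simplified model of a browser's certificate checks. Certificates are plain
# dicts (constructed sample data), not parsed X.509.

def name_matches(pattern, host):
    """True if a certificate name covers host; '*' stands for exactly one
    left-most label, so *.facebook.com covers www.facebook.com only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check(url_host, cert, trusted_issuers):
    """Return the list of reasons a browser would refuse cert for url_host."""
    problems = []
    if cert["issuer"] not in trusted_issuers:
        problems.append("untrusted issuer")
    if not any(name_matches(n, url_host) for n in cert["names"]):
        problems.append("name mismatch")
    return problems

# Constructed certificates: the real site's, and the block page server's.
REAL = {"issuer": "Public CA (constructed)",
        "names": ["*.facebook.com", "facebook.com"]}
BLOCK_PAGE = {"issuer": "self-signed on firewall (constructed)",
              "names": ["blockpage.firewall.example"]}  # hypothetical name
BROWSER_TRUST = {"Public CA (constructed)"}

if __name__ == "__main__":
    # Normal visit: real server, real certificate.
    print(check("www.facebook.com", REAL, BROWSER_TRUST))
    # Blocked: DNS points the name at the block page server instead.
    print(check("www.facebook.com", BLOCK_PAGE, BROWSER_TRUST))
    # Even after the user trusts the firewall's issuer, the name is wrong.
    trust_fw = BROWSER_TRUST | {BLOCK_PAGE["issuer"]}
    print(check("www.facebook.com", BLOCK_PAGE, trust_fw))
    # Visiting the block page by IP, as in https://10.10.10.1, fails the same way.
    print(check("10.10.10.1", BLOCK_PAGE, trust_fw))
```

Importing the firewall's certificate into the browser only clears the issuer check; the name check still fails for every blocked domain, which is why the block page cannot appear cleanly over https.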
      • S
        stephenw10 Netgate Administrator
        last edited by Feb 3, 2021, 12:44 PM

        Yup that^. You can't make that page work for https as long as you have any sort of sane security in your browser.

        Steve
