How to customize the block page message of pfBlockerNG
-
Hello
Is there any way to customize the block message of a blocked website, add the company logo and customize the message? My company wants to show that the blocked websites are actually done by them.
Also, another question: when blocking a website with pfBlockerNG, why is it showing the below error when trying to visit the website:
Why is it not showing the below default blocking page for pfBlockerNG?
Thank you
-
Do a Google search for a tutorial about how HTTPS works over SSL.
That will show you that with HTTPS over SSL, the remote host is verified using a known (and usually public) crypto certificate presented by the remote host. That way your browser can be 100% certain that when it asks for https://google.com, it is really and truly google.com that answers, because the Google server will respond with its SSL cert, which your local browser can then verify by asking the public cert entity on the Internet (for instance, VeriSign).
In your case, pfBlockerNG is attempting to "intercept" the HTTPS request to the remote site and display a warning. pfBlockerNG does not have the correct SSL cert for the remote site, so it cannot authenticate as that site for the browser. The browser therefore displays the warning you see. Notice it also says the cert is invalid (NET::ERR_CERT_AUTHORITY_INVALID) because your local pfBlockerNG install is NOT twitter.com, because it does not have the correct SSL cert.
The warning screen works over HTTP because that transport protocol is clear-text (not encrypted) and thus there is no exchange of crypto certs required.
-
@bmeeks thank you for your satisfactory clarification about HTTPS over SSL, but this is not what I am looking for. What I want to achieve is to redirect the users to a custom block page and I am sure that can be done in pfSense, but I don't know how, as I am new at this.
The below documentation will demonstrate my point better:
https://docs.umbrella.com/umbrella-user-guide/docs/redirect-to-a-custom-block-page
Thank you
-
First I hope I'm not stepping on anyone's toes here, especially the developer of pfBlocker (pfB). My apologies in advance if I am.
Looking at the first picture there is a clue: 'NET::ERR_CERT_AUTHORITY_INVALID'. This seems to indicate the website's certificate is invalid for some reason. Search for that term for more info.
One of the reasons, I believe, for showing the data for the blocked site is so that it would help in the 'white listing' of the site if appropriate. A screen capture or printout would be most helpful to the person managing pfS/pfB.
Now on to editing the file.
From the top directory/folder of the pfSense box follow this path (at least for me on CE pfS v2.6.0) and find the file dnsbl_active.php
path >> /usr/local/www/pfblockerng/www/dnsbl_active.php
When you open the file for editing in a text editor and scroll down, you will find it is basically just HTML.
What I would do is make a backup of the original file, and maybe rename it to something like dnsbl_active.php.original
Then convert any images you want to use to base64; do a search for 'convert image to base64'.
Save the conversion file as plain text.
Then create the HTML file you want to display to users and insert the conversion file; it is different than just inserting an image. Search for 'insert base64 image into html' for how to.
Once the file is displaying how you want in a browser, rename it to dnsbl_active.php and place it in the directory where the original file resides. Note this may not display properly on cell phones, tablets and so forth.
I realize the filename starts with dnsbl and I am not sure that this file is the same one used for IPv4/IPv6 block lists.
Be sure to make a backup of the new dnsbl_active.php file, as it may get overwritten as pfS/pfB updates are applied.
I am just a home user of pfS/pfB and am learning as I go. Though the above worked in my house.
Good Luck, Take Care and Enjoy!
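The steps above, scripted as an added example (my code, not from the thread, pfSense or pfBlockerNG): it inlines a logo as a base64 data URI, builds the static HTML page, and backs up the shipped file before replacing it. It assumes the path quoted above with the filename the thread later corrects to dnsbl_default.php, uses a constructed 1x1 GIF in place of a real logo, and adds HTML escaping of the message text, which the post does not mention.

```python
import base64
import html
import shutil
from pathlib import Path

# Path quoted in the thread (pfSense CE 2.6.0); the thread later corrects the
# filename to dnsbl_default.php, which is what is assumed here.
BLOCK_PAGE = Path("/usr/local/www/pfblockerng/www/dnsbl_default.php")

# Constructed sample: a 1x1 transparent GIF standing in for the company logo.
SAMPLE_LOGO = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")


def data_uri(image_bytes, mime="image/gif"):
    """Inline an image as a base64 data URI so the block page needs no second
    request for a logo file (which the blocked client might not be able to get)."""
    return "data:%s;base64,%s" % (mime, base64.b64encode(image_bytes).decode("ascii"))


def build_block_page(logo_bytes, company, message, mime="image/gif"):
    """Static HTML for the block page. Company and message are HTML-escaped so
    text containing <, > or & cannot break out of the markup. Note the shipped
    PHP page also shows the blocked domain; this static page does not."""
    uri, title, body = data_uri(logo_bytes, mime), html.escape(company), html.escape(message)
    return f"""<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Blocked by {title}</title></head>
<body style="font-family:sans-serif;text-align:center;margin-top:10%">
<img src="{uri}" alt="{title} logo" width="160">
<h1>Access blocked</h1>
<p>{body}</p>
<p><small>Blocked by {title} web filtering (pfBlockerNG on pfSense).</small></p>
</body></html>
"""


def install_page(page_html, target=BLOCK_PAGE):
    """Keep a copy of the shipped file as <name>.original (first run only, so a
    re-run cannot clobber the real original), then write the new page. Re-run
    after pfSense/pfBlockerNG updates, which may overwrite the file."""
    backup = target.with_name(target.name + ".original")
    if target.exists() and not backup.exists():
        shutil.copy2(target, backup)
    target.write_text(page_html, encoding="utf-8")
    return backup


if __name__ == "__main__":
    page = build_block_page(SAMPLE_LOGO, "XYZ Corp", "This site is blocked by company policy.")
    # Writes into the current directory for a dry run; pass BLOCK_PAGE on the firewall itself.
    print("backup would be at", install_page(page, Path("dnsbl_default.php")))
```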
-
@s-hasan-0 said in How to customize the block page message of pfBlockerNG:
What I want to achieve is to redirect the users to a custom block page and I am sure that can be done in pfSense, but I don't know how, as I am new at this.
If you were not new at this, but an expert, you would not be able to do what you want.
And you wouldn't ask the question, as you are asking the impossible.
When you want to visit https://www.twitter.com, you do not want to wind up on some other site.
Because:
When you want to visit your bank, you do not want to wind up on some other site.
When you want to visit your tax declaration site, you do not want to wind up on some other site.
When you want to visit amazon you do not want to wind up on ebay.
Etc etc.
So, this part is very important:
@bmeeks said in How to customize the block page message of pfBlockerNG:
your local pfBlockerNG install is NOT twitter.com
and no one can override this.
If you could do so, TLS would be broken. And you wouldn't want that to happen.
You'll be thinking: But wait, is it then useful to see these "pfBlockerNG page blocked pages"?
Yes, of course.
But only for http:// (non TLS) web pages.
You'll be saying : but these do not exist anymore in 2022.
And you are correct ;)
I'll advise you to:
Disable / not use the "block page message" facilities of pfBlockerNG.
Just use
And before you ask, no, this is not a "pfSense can't do this" issue.
You, me and no one can / should break TLS.
-
@s-hasan-0 said in How to customize the block page message of pfBlockerNG:
@bmeeks thank you for your satisfactory clarification about HTTPS over SSL, but this is not what I am looking for. What I want to achieve is to redirect the users to a custom block page and I am sure that can be done in pfSense, but I don't know how, as I am new at this.
The below documentation will demonstrate my point better:
https://docs.umbrella.com/umbrella-user-guide/docs/redirect-to-a-custom-block-page
Thank you
Cisco's Umbrella cloud product uses a cloud-based proxy server to accomplish the redirect/blocking. That means your local machines (phones, desktops, and servers) must be provided with the proxy server's SSL cert and told to trust it. The local browser connects first to the proxy server for any outbound web requests because it is configured to always ask the proxy for remote URLs. The proxy server then establishes the actual SSL connection to the requested remote site (twitter.com in your example) for itself. As the data comes back from twitter.com over SSL, the proxy server decrypts it, can inspect the cleartext if configured to do so, then re-encrypts the traffic using the proxy server's own SSL cert and returns it to your local browser (remember the browser on your local machines has been told to trust the proxy server's SSL cert implicitly). This is called man-in-the-middle (MITM) SSL interception. The proxy server can also choose to block the attempted website access and return an error message to the user by redirecting them to a custom block page. But that only works because the local clients have been given an SSL cert for the proxy server and told to trust it.
Yes, you can configure this on pfSense, but it requires installing a proxy server package and configuring the MITM certs and distributing them to all of your local assets.
The error message screen you posted in your original post is coming direct from the Chrome web browser. It is not coming from pfSense nor from pfBlockerNG. Chrome is saying "I asked for https://twitter.com, but something else answered that I cannot authenticate as being twitter.com, and I therefore do not trust the site that responded". Chrome cannot authenticate the pfBlockerNG "block website" because it does not have an SSL cert identifying it as "twitter.com". And it never can because it would need twitter.com's private SSL key in order to do that.
The Cisco product whose documentation you linked is a totally different level of beast. It requires you to place additional trusted SSL certs on all of your local client devices, and then configure those devices to route all of their web requests through a proxy server. For the Cisco product, that seems to be their cloud-based server they provide as part of the package you can purchase from them. With that proxy server in place, your local web browsers ask the proxy server to get the website data for them and then relay it to them over a second trusted SSL connection using the proxy server's SSL cert.
Lastly, you can alter the content of the default "blocked website" page in pfBlockerNG. But that page will only display when your users are accessing an HTTP site in cleartext (without SSL encryption). Since almost no website today uses plain HTTP, that "blocked website" page is hardly ever going to be called upon.
-
Sorry I listed the wrong file to edit as dnsbl_active.php
The correct file to edit is dnsbl_default.php
Sorry for any confusion.
Take Care and Enjoy!
-
@s-hasan What your company should do is create a domain with an SSL certificate, for example https://block.xzy.com (xyz is the company name), and substitute that page for the pfBlockerNG one, so that when clients go to a page on the company's block list they get the company's beautiful design website apologizing that company policy doesn't allow clients to visit the domain they're attempting to reach.
-
for the suggestion.
But I have a question.
If you, and thus your browser, want to visit a blocked domain name, let's say https://www.microsoft.com, do you think a browser would accept a web page coming from a server that says "Hi, I'm https://block.xzy.com"?
That web server certificate, signed by a trusted certificate authority and with valid dates etc., will not contain a SAN that says "microsoft.com", so your browser will say:
NO!
If redirecting https was a thing, every bank, tax, government, whatever else site would have been spoofed by now, and the Internet as a communication tool would be forgotten before the end of the year.
IMHO: the pfBlockerNG-devel web server on (default) 10.10.10.1 showing a blocked domain name works very well for "http", that's the protocol nobody uses anymore these days, it's a thing of the past!
It would only work if the browser, or the entire device, was set up to use pfSense as a proxy, so pfSense would do the lookup of the https page on behalf of the device.
Now, the browser would accept whatever it receives from pfSense. It would show the content of the blocked https://www.microsoft.com: you would see the beautiful "https://block.xzy.com" telling you "microsoft.com" is not possible.
-
Thank you guys
Yes, it can only be done by using pfSense as a proxy server and installing an internal CA issued by pfSense on each and every device in the network; only then can you have your customised block page. I tried it, but pfSense blocked me from the internet. The good thing is that the default block page is different with the proxy, and pfSense gives you an option to add the administrator email as a contact on that page.
However, I gave up on this setup because my boss didn't like the idea of installing a CA on each device in the network, so we abandoned doing it, but it was a great experience.
Thank you very much again, guys
I have learned a lot from you
-
@gertjan I made an assumption that everyone with pfSense used it for DNS server...thanks for pointing that out.
-
@s-hasan said in How to customize the block page message of pfBlockerNG:
it can only be done by using pfSense as a proxy server and installing an internal CA issued by pfSense on each and every device in the network,
No, you need the certificate only on pfSense...not on any other device...don't give up...it's pretty cool company policy to implement. You just need a firewall rule to force all devices (company computers) to use pfSense for DNS.
-
@nollipfsense said in How to customize the block page message of pfBlockerNG:
No, you need the certificate only on pfSense...not on any other device...don't give up...it's pretty cool company policy to implement. You just need a firewall rule to force all devices (company computers) to use pfSense for DNS.
This is not correct. For a cert generated by the internal CA on the firewall, you will have to install that cert on each device and tell the device to trust it. Only then will it trust the pfSense cert without attempting to verify it with a remote certificate authority.
With HTTPS, the browser must trust the cert it receives, or else be able to validate the received cert via one of the public authentication sites (Verisign or other similar ones). For an internal CA cert, you will need to install that cert on each internal device and tell the device to "trust" that cert (in other words, tell the browser not to go out and try to validate the cert with a public certificate authority - just take it as is).
Think about it for a moment -- if it was simply a matter of generating an internal cert of your own and then having any browser on any device trust it without validating it, scammers would be king of the world and there would be no way to stop them from impersonating any bank or financial institution in the world. Fortunately that's not how HTTPS works.
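Added example (my code, not from the thread, pfSense or any browser) modelling the two checks that bmeeks' explanation of the MITM proxy and Gertjan's SAN argument above both rest on: is the certificate's issuer a CA the device trusts, and does its SAN list cover the host the user asked for. The certificates and trust stores are constructed labels; the error name NET::ERR_CERT_COMMON_NAME_INVALID is Chrome's name-mismatch error and is not on the page.

```python
# Model of the checks a browser makes on the certificate it gets back after
# asking for https://www.twitter.com: is the issuer a CA the device trusts, and
# does the Subject Alternative Name (SAN) list cover the host the user typed.
# Certificates are constructed dicts; no X.509 parsing or signature checking.

ERR_AUTHORITY = "NET::ERR_CERT_AUTHORITY_INVALID"  # the error quoted in the thread
ERR_NAME = "NET::ERR_CERT_COMMON_NAME_INVALID"     # Chrome's name-mismatch error

def san_matches(requested_host, san_names):
    """RFC 6125-style dNSName match: exact, or a wildcard covering exactly one
    leftmost label (*.twitter.com matches www.twitter.com, not a.b.twitter.com)."""
    host = requested_host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            prefix = host[: -len(name[1:])]
            if prefix and "." not in prefix:
                return True
    return False

def verify(requested_host, cert, trusted_cas):
    """Return "ok" or the Chrome error the user would see. Issuer trust is
    checked first, which is why the screenshot in the thread shows
    AUTHORITY_INVALID although the name did not match either."""
    if cert["issuer"] not in trusted_cas:
        return ERR_AUTHORITY
    if not san_matches(requested_host, cert["san"]):
        return ERR_NAME
    return "ok"

# Constructed certificates and trust stores; issuer strings are labels, not real CAs.
TWITTER_CERT = {"issuer": "Public CA", "san": ["twitter.com", "*.twitter.com"]}
# The best a pfBlockerNG block page, or a company https://block.xyz.com site, can present.
BLOCK_PAGE_CERT = {"issuer": "pfSense internal CA", "san": ["block.xyz.com"]}
# What a MITM proxy on pfSense mints on the fly for the site that was requested.
PROXY_CERT = {"issuer": "pfSense internal CA", "san": ["twitter.com", "*.twitter.com"]}
STOCK_DEVICE = {"Public CA"}                           # phone/laptop as shipped
DEVICE_WITH_CA = {"Public CA", "pfSense internal CA"}  # internal CA installed on it

if __name__ == "__main__":
    for label, cert, store in [("block page, stock device", BLOCK_PAGE_CERT, STOCK_DEVICE),
                               ("block page, CA installed", BLOCK_PAGE_CERT, DEVICE_WITH_CA),
                               ("proxy, stock device", PROXY_CERT, STOCK_DEVICE),
                               ("proxy, CA installed", PROXY_CERT, DEVICE_WITH_CA)]:
        print(label, "->", verify("www.twitter.com", cert, store))
```

Even with the internal CA installed, the block-page certificate still fails on the name check; only the proxy case, where the device trusts the CA and the proxy issues a certificate for the requested name, is accepted.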
-
@bmeeks said in How to customize the block page message of pfBlockerNG:
For a cert generated by the internal CA on the firewall
Since it's a business, I assume they would get a paid SSL for less than $50 per year. For my business I pay about $25 per year. Apologize for not making that clear.
-
@nollipfsense said in How to customize the block page message of pfBlockerNG:
they would get a paid SSL for less
Why would you use a certificate that you have to pay for?
It's ok of course, but not needed.
No need for a certificate that has been signed by a known or trusted authority.
The CA that pfSense has must be imported (installed) into (every!) device.
From that moment, it is trusted, whether signed by a known trusted certificate authority or not.
-
@s-hasan said in How to customize the block page message of pfBlockerNG:
However, I gave up on this setup because my boss didn't like the idea of installing a CA on each device in the network, so we abandoned doing it, but it was a great experience.
@gertjan He said above that was a show stopper and, since it's a business, the cost is less than $50 per year, which would be less than $5 per month, not $50,000. The paid SSL must be the way to go if the company truly wants to implement a policy allowing only certain domains on their equipment at the office. I am sure with this info his boss would approve.
-