Netgate Discussion Forum

Custom Block page w/ certificate

Category: pfBlockerNG
6 Posts 3 Posters 1.0k Views
michmoor (LAYER 8 Rebel Alliance), Dec 21, 2022, 8:25 PM

    Is there a way to do HTTP redirects, somehow, in pfBlockerNG so that when I use a custom VIP for rejected pages it gets sent to a web server in my domain, web.example.com, which will redirect to a page with a proper SSL certificate and a custom blocked message?

    Otherwise I have to continue using the SSL cert from pfBlocker for HTTPS sites, which breaks the user experience, and they have no idea they have been blocked due to policy.

    Firewall: NetGate,Palo Alto-VM,Juniper SRX
    Routing: Juniper, Arista, Cisco
    Switching: Juniper, Arista, Cisco
    Wireless: Unifi, Aruba IAP
    JNCIP,CCNP Enterprise

    viragomann, replying to michmoor, Dec 21, 2022, 9:46 PM

      @michmoor
      If a browser calls https://web.example.com it expects an SSL certificate which matches the requested host name, and will probably not accept any redirection from a server before it has got it.
      Since you don't have the proper certificate, that will not work.

      However, instead of blocking access you can set pfBlockerNG to generate reject rules.
      If a destination is rejected, the browser notices this immediately and reports an error, and will not run into a timeout.

      michmoor (LAYER 8 Rebel Alliance), replying to viragomann, Dec 21, 2022, 9:52 PM

        @viragomann Right, but the thing is HTTP sites work, so in theory SSL sites should work, assuming it gets redirected to a domain you own.
        So typically ads.google.com would be intercepted by pfBlocker and we get the bad SSL cert message. What should happen is the site gets caught by pfBlocker and pfBlocker sends it to the VIP you configured in the settings. That web server, I believe, should then redirect all web traffic to a domain blocked.iownthisdomain.com which has a proper SSL cert, owned because... well... you own the domain :)

        Otherwise the end user gets a bad SSL message or the site doesn't load, but still the user doesn't know the reason. Having a custom blocked message for the SSL page would be helpful.


        viragomann, replying to michmoor, Dec 21, 2022, 10:14 PM

          @michmoor said in Custom Block page w/ certificate:

          "Right but the thing is http sites works so in theory SSL sites should work assuming it gets redirected to a domain you own"

          I tried to explain above in a few words why it doesn't work when a browser requests an HTTPS site. Yes, redirecting works well for non-SSL requests, though. So if the user requests http://ads.google.com you can redirect him to whatever you want, as well as to an encrypted page.
          But nowadays, as many big websites are configured to use HSTS, most requests are HTTPS and the browser won't try HTTP if it has visited the site already before.

          If you intend to block local computers you may consider setting up the squid package. This can do what you're looking for, but it's possibly much effort to configure each client to use the proxy server.

          NollipfSense, replying to michmoor, Dec 22, 2022, 12:38 AM

            @michmoor See here:

            https://forum.netgate.com/topic/175949/how-to-customize-the-block-page-message-of-pfblockerng

            pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
            pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

            michmoor (LAYER 8 Rebel Alliance), replying to NollipfSense, Dec 22, 2022, 5:08 PM

              @nollipfsense
              So I got this somewhat working, actually. There is an nginx proxy that I have pfBlocker sending the failed domains to. The proxy then has a default site configured where any domains get redirected to a custom web page with a valid cert.
              This is possible, but would require a reverse proxy built in to pfBlocker, much like the lightweight httpd server.

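The catch-all "default site" arrangement michmoor describes, written out as an added example (this is not configuration from the thread or from pfBlockerNG; the hostnames, document root and certificate paths are assumptions). It also shows why the HTTPS half can only help users who already clicked through the certificate warning, which is the limitation viragomann points out above.

```nginx
# Constructed example: the reverse proxy that pfBlockerNG's reject VIP points at.
# blocked.iownthisdomain.com, /var/www/blocked and the cert paths are assumptions.

# Plain HTTP: every Host header lands on the default server and is sent to the
# block page. The original host is passed along so the page can say what was blocked.
server {
    listen 80 default_server;
    server_name _;
    return 302 https://blocked.iownthisdomain.com/?host=$host;
}

# HTTPS: the browser validates the certificate before it will read any redirect,
# so a client that asked for ads.google.com still gets a name-mismatch warning here.
# This block only improves the experience for users who click through that warning,
# and HSTS-pinned sites will not let them. There is no certificate fix for this.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/blocked/fullchain.pem;   # assumption: cert for the block page
    ssl_certificate_key /etc/ssl/blocked/privkey.pem;     # assumption
    return 302 https://blocked.iownthisdomain.com/?host=$host;
}

# The block page itself, served with a certificate that matches its own name,
# so this final hop shows no warning.
server {
    listen 443 ssl;
    server_name blocked.iownthisdomain.com;
    ssl_certificate     /etc/ssl/blocked/fullchain.pem;   # assumption
    ssl_certificate_key /etc/ssl/blocked/privkey.pem;     # assumption
    root  /var/www/blocked;      # static "blocked by policy" page, no scripting
    index index.html;
    add_header Cache-Control "no-store";   # don't let the block page stick in caches
}
```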
