Custom Block page w/ certificate
-
Is there a way to do HTTP redirects, somehow, in pfBlockerNG so that when I use a custom VIP for rejected pages it gets sent to a web server in my domain, web.example.com, which will redirect to a page with a proper SSL certificate and a custom blocked message?
Otherwise I have to continue using the SSL cert from pfBlocker for HTTPS sites, which breaks the user experience, and they have no idea they have been blocked due to policy.
-
@michmoor
If a browser calls https://web.example.com it expects an SSL certificate which matches the requested host name, and will probably not accept any redirection from a server before it got it.
Since you don't have the proper certificate, that will not work. However, instead of blocking access you can set pfBlockerNG to generate reject rules.
If a destination is rejected the browser notices this immediately and reports an error, and will not run into a timeout.
-
@viragomann Right, but the thing is HTTP sites work, so in theory SSL sites should work assuming it gets redirected to a domain you own.
So typically ads.google.com would be intercepted by pfBlocker and we get the bad SSL cert message. What should happen is the site gets caught by pfBlocker and pfBlocker sends it to the VIP you configured in the settings. That web server, I believe, should then redirect all web traffic to a domain blocked.iownthisdomain.com which has a proper SSL cert, owned because... well... you own the domain :) Otherwise the end user gets a bad SSL message or the site doesn't load, but still the user doesn't know the reason. Having a custom blocked message for the SSL page would be helpful.
-
@michmoor said in Custom Block page w/ certificate:
Right but the thing is HTTP sites work, so in theory SSL sites should work assuming it gets redirected to a domain you own
I tried to explain above in a few words why it doesn't work when a browser requests an https site. Yes, redirecting works well for non-SSL requests though. So if the user requests http://ads.google.com you can redirect him to whatever you want, as well as to an encrypted page.
But nowadays, as many big websites are configured to use HSTS, most requests are https and the browser won't try http if it visited the site already before. If you intend to block local computers you may consider setting up the squid package. This can do what you're looking for, but it's possibly a lot of effort to configure each client to use the proxy server.
-
@michmoor See here:
https://forum.netgate.com/topic/175949/how-to-customize-the-block-page-message-of-pfblockerng
-
@nollipfsense
So I got this somewhat working actually. There is an nginx proxy that I have pfBlocker sending the failed domains to. The proxy then has a default site configured where any domains get redirected to a custom web page with a valid cert.
This is possible but would require a reverse proxy built in to pfBlocker much like the lightweight httpd server.
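A minimal nginx default-site configuration for the proxy described in this last post, as an added example that is not the poster's own config; it assumes a placeholder VIP 10.10.10.10, placeholder certificate paths, and blocked.iownthisdomain.com (from earlier in the thread) as the block page:

```nginx
# Added example, not the poster's configuration.
# Assumptions: pfBlockerNG's VIP is 10.10.10.10 (placeholder) and the block page
# is served at https://blocked.iownthisdomain.com/ with a valid certificate.

# Plain-HTTP requests for any blocked hostname land here (default_server catches
# every Host header) and are sent to the block page; the original hostname is
# passed along so the page can tell the user what was blocked.
server {
    listen 10.10.10.10:80 default_server;
    server_name _;
    return 302 https://blocked.iownthisdomain.com/?blocked=$host;
}

# HTTPS requests land here too, but, as explained earlier in the thread, the
# browser validates this certificate against the blocked hostname before it
# reads any HTTP response, so users still see a certificate warning (and with
# HSTS the browser will not let them click through). The redirect only helps
# the non-HSTS cases where the warning is bypassed.
server {
    listen 10.10.10.10:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/certs/block-page.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/private/block-page.key; # placeholder path
    return 302 https://blocked.iownthisdomain.com/?blocked=$host;
}
```

The block page itself must be hosted on a name you control with its own valid certificate; this config only funnels the pfBlockerNG VIP traffic to it.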