HTTPS blocking how-to here
-
Hello All,
pfSense-1.2.3-RELEASE
squid
squidGuard
Just thought I would share how we set up pfSense to block https sites, as I have seen this discussed quite a bit.
If you do a search here using WPAD is probably a very good/best option.
I used a different approach, using the following to make https sites blocked transparently using squid/squidGuard.
Requisite:
You need to have Windows Server setup with Active Directory.
So for many this setup will not be a viable option.
1. Simply set up squid using the transparent options described in the How To on the pfSense site.
2. Add an OU for your domain at whatever level you want https sites blocked.
For us I used the Students OU, but you could use the root OU of your domain to make everyone strict to this rule.
3. Add the options for this OU for Internet Explorer logon options.
Add your pfSense ip address and whatever port number you are running squid at.
(We use port 8080)
So the entry for the OU/IE connections options would look like 192.168.1.1 / port 8080
4. On the DC do a gpupdate.exe for the changes to take effect immediately.
5. Try logging in under a student's name and https sites will be blocked now.
Sidenote: With this setup this works wonderfully at both remote buildings as well, FYI, via the pfSense boxes installed at each building. I am not sure why, but the "local" pfSense machines use the block list even though the proxy setting via Active Directory is for one particular pfSense box / ip address. AKA: the "main school building".
Note: With the transparent proxy still enabled on squid, even non-domain logged-in machines will be filtered, although the https sites (kids will find this out, believe me) will not be blocked.
Take Care,
Barry
-
will this work with blacklisturl?
I have so many problems running squid and squid guard on my pfsense box, that I'm looking for alternatives.
I don't know if it's my hardware or if it's just buggy, but I can get squid and squidGuard to work, then all of a sudden after a few days / weeks it will start asking for a user name and pass when accessing websites. Then the services stop, and from that point on the only way I can get it to work again is formatting the box and reinstalling from scratch! Waste of time and very unreliable.
I think the concept is really good but I need stability.
Thanks
-
Barry,
Thanks for posting that.
For the confused, what he's shown is how to configure the use of a Windows Group Policy to configure computers in the domain to configure proxy settings for HTTPS traffic. It is possible/recommended to do this for HTTP traffic as well, although the use of the transparent redirection of outbound HTTP traffic makes this unnecessary. The caveats of this configuration are that computers which do not connect to the domain do not get these proxy settings and so are able to egress the network without filtering as long as they use SSL. A good way to enforce the use of the proxy settings is to block outbound SSL to the internet which does not originate from the proxy box itself.
Again, great post Barry! Might need to sticky it.
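The caveat in the reply above (non-domain machines, or anything ignoring the GPO proxy setting, can still reach the internet directly on 443) is easy to audit from the firewall's own connection records. The script below is an added example, not code from the thread or from pfSense; it reads a constructed, simplified CSV flow format (src_ip,src_port,dst_ip,dst_port,proto,action), which is not pfSense's real filter log layout, and reports every internal host that opened TCP/443 straight to an external address without going through the proxy at 192.168.1.1:8080 (the addresses and the 10.20.0.0/16 second site are assumptions for the example). Hosts listed under "passed" are the filtering gap the reply describes; hosts under "blocked" show the suggested egress rule doing its job.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample flow records (NOT pfSense's own log format).
# Columns: src_ip,src_port,dst_ip,dst_port,proto,action
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,proto,action
192.168.1.1,51234,203.0.113.10,443,tcp,pass
192.168.1.50,49152,192.168.1.1,8080,tcp,pass
192.168.1.50,49153,203.0.113.20,443,tcp,pass
192.168.1.77,49160,198.51.100.5,443,tcp,pass
192.168.1.77,49161,198.51.100.6,443,tcp,pass
192.168.1.60,49170,192.168.1.1,8080,tcp,pass
192.168.1.60,49171,192.168.1.22,443,tcp,pass
10.20.0.15,40000,203.0.113.30,443,tcp,block
"""

# Assumed topology for the example: the main-building pfSense box runs
# squid on 8080 (as in the original post) and a remote site sits on 10.20.0.0/16.
PROXY_IP = ipaddress.ip_address("192.168.1.1")
PROXY_PORT = 8080
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.20.0.0/16"),
]


def is_internal(ip, internal_nets=INTERNAL_NETS):
    """True if ip belongs to one of our LAN ranges."""
    return any(ip in net for net in internal_nets)


def find_direct_https(flow_text, proxy_ip=PROXY_IP, internal_nets=INTERNAL_NETS):
    """Count, per internal host, TCP/443 connections made directly to the
    internet (LAN -> non-LAN) rather than via the proxy.

    Returns {"passed": Counter, "blocked": Counter}: "passed" entries bypassed
    filtering; "blocked" entries were stopped by an egress rule.
    """
    hits = {"passed": Counter(), "blocked": Counter()}
    for row in csv.DictReader(io.StringIO(flow_text)):
        if row["proto"].lower() != "tcp" or int(row["dst_port"]) != 443:
            continue
        src = ipaddress.ip_address(row["src_ip"])
        dst = ipaddress.ip_address(row["dst_ip"])
        if src == proxy_ip:
            continue  # the proxy's own outbound TLS is expected traffic
        if not is_internal(src, internal_nets) or is_internal(dst, internal_nets):
            continue  # only LAN -> internet flows matter here
        bucket = "blocked" if row["action"].lower() == "block" else "passed"
        hits[bucket][str(src)] += 1
    return hits


def proxy_users(flow_text, proxy_ip=PROXY_IP, proxy_port=PROXY_PORT):
    """Set of internal hosts that did talk to the proxy port (GPO took effect)."""
    users = set()
    for row in csv.DictReader(io.StringIO(flow_text)):
        if ipaddress.ip_address(row["dst_ip"]) == proxy_ip and int(row["dst_port"]) == proxy_port:
            users.add(row["src_ip"])
    return users


if __name__ == "__main__":
    result = find_direct_https(SAMPLE_FLOWS)
    print("Hosts that reached HTTPS sites directly (filter bypassed):")
    for host, n in sorted(result["passed"].items()):
        print(f"  {host}: {n} connection(s)")
    print("Hosts whose direct HTTPS was blocked by the egress rule:")
    for host, n in sorted(result["blocked"].items()):
        print(f"  {host}: {n} connection(s)")
    print("Hosts seen using the proxy:", sorted(proxy_users(SAMPLE_FLOWS)))
```

In the sample data, 192.168.1.50 used the proxy for one connection and then went direct for another (a client that only proxies some traffic), 192.168.1.77 never touched the proxy at all (the non-domain case), and 10.20.0.15 was stopped by a block rule. Feed it a real export after converting your firewall's log to the same five-plus-one columns, and the "passed" list is exactly the set of machines the GPO did not reach.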