Https blocking how to here
Just thought I would share on how we set up pfSense to block https sites as I have seen this discussed quite a bit .
If you do a search here using WPAD is probably a very good/best option.
I used a different approach, using the following to make https sites blocked transparently using squid /squidGuard
You need to have Windows Server setup with Active Directory.
So for many this setup will not be a viable option.
1. Simply setup squid using the transparent options described in the How To on the pfSense site.
2. Add an OU for your domain at whatever level you want https sites blocked.
For us I used the Students OU,but you could use the root OU of your domain to make everyone strict to this rule.
3. add the options for this OU for Internet Explorer logon options.
Add your pfSense ip address and whatever port number you are running squid at.
(We use port 8080)
So the entry for the OU/IE connections options would look like 192.168.1.1 / port 8080
4. on the DC do an gpupdate.exe for the changes to take effect immediately.
5. Try logging in under a students name and https sites will be blocked now.
Sidenote: With this setup this works wonderfully at both remote buildings as well, FYI , via the pfSense boxes installed at each building. I am not sure why, but the "local" pfSense,machines use the block list even though the proxy setting via Active Directory is for one particular pfSense box / ip address. AKA: the "main school building".
Note: With the transparent proxy still enabled on squid even non-domain logged in machines will be filtered ,although the https sites(kids will find this out,believe me) will not be blocked.
will this work with blacklisturl?
I have so many problems running squid and squid guard on my pfsense box, that I'm looking for alternatives.
I don't know if it's my hardware or if it's just buggy but I can get squid and squid guard to work then all of a sudden after a few days / weeks it will start asking for a user name and pass when accessing websites. then the services stop and from that point on the only way i can get it to work again is formatting the box and reinstalling from scratch! waste of time and very unreliable.
I think the concept is really good but I need stability.
Thanks for posting that.
For the confused, what he's shown is how to configure the use of a Windows Group Policy to configure computers in the domain to configure proxy settings for HTTPS traffic. It is possible/recommended to do this for HTTP traffic as well, although the use of the transparent redirection of outbound HTTP traffic makes this unnecessary. The caveats of this configuration are that computers which do not connect to the domain do not get these proxy settings and so are able egress the network without filtering as long as they use SSL. A good way to enforce the use of the proxy settings is to block outbound SSL to the internet which does not originate from the proxy box itself.
Again, great post Barry! Might need to sticky it.