Content Filtering Question

  • I work in the I.T. department for a school district and any help you would be willing to offer would be appreciated.  I think this question could involve multiple packages so I'm posting it under general.

    I am trying to figure out the best way to do our content filtering.  Currently we manually set the proxy settings on every computer to go through our squid/guardian server.  I am trying to make this process more transparent for our users. There are other reasons for changing this too, but I won't go into all of them.

    I know a transparent proxy can't filter https traffic.  I tried setting up a pac file to set the proxy settings but it seemed to only set the http settings, not https, on my test computer.

    So do we just need to purchase a solution or is there some way for us to filter all http/https traffic going through our pfsense firewall without having to manually set something on all the computers that go through it?
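    An example PAC file, added here and not part of the thread, that returns the same filtering proxy for both http and https URLs while letting internal hosts go direct; the proxy address (10.0.0.5:8080) and internal domain (example.lan) are assumptions:

```javascript
// Constructed example PAC file. The browser calls FindProxyForURL for every
// request, http and https alike; the string returned decides where it goes.
var FILTER_PROXY = "PROXY 10.0.0.5:8080"; // assumed squid/dansguardian address

function isPrivateAddress(host) {
  // Loopback and RFC 1918 ranges, matched on the literal host string
  return /^(127\.|10\.|192\.168\.)/.test(host) ||
         /^172\.(1[6-9]|2[0-9]|3[01])\./.test(host);
}

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  var scheme = url.toLowerCase().split(":")[0];

  // Plain hostnames (no dot), the internal domain and private addresses
  // bypass the filter so intranet traffic is not looped through the proxy.
  if (h.indexOf(".") === -1 || /\.example\.lan$/.test(h) || isPrivateAddress(h)) {
    return "DIRECT";
  }

  // Both http and https go through the filter. No "; DIRECT" fallback is
  // listed, so if the proxy is down browsing fails closed instead of
  // silently bypassing the filter.
  if (scheme === "http" || scheme === "https") {
    return FILTER_PROXY;
  }

  // Anything else (ftp, etc.) is not handled by the filter.
  return "DIRECT";
}
```

    A quick way to confirm the file is being honoured is to load an https page to a site the filter blocks and check that the request appears in the proxy log rather than going out directly.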

  • You won't be able to do content filtering on HTTPS even if it is proxied; it's encrypted. Commercial solutions can MITM the SSL but require installing a certificate on every machine. Maybe best off just using OpenDNS and setting things up accordingly so no other DNS servers can be used. That's your best free option and least invasive of any possible option.

  • Our current setup with Dansguardian, where our computers' browsers have our filter put in as the SSL proxy, does filter https sites.  I don't know exactly how it works but I know if you have your browsers set to go through our filter for both http and https you can't get to an https site that we have blocked.

  • @cmb:

    Maybe best off just using OpenDNS and setting things up accordingly so no other DNS servers can be used.

    I do this on all my installs.  It works well.

    …You could push the proxy settings out via Active Directory if you have such a network.  Would prevent having to set up each computer.

  • We are almost entirely a Mac environment with Windows running on about 25% of the computers so it has to be a cross platform solution.

  • It looks to me like WCCP is what we are looking for.  The problem is that we do not have Cisco infrastructure so the other option we may have to go with is an inline filter with bridged network interfaces.
