SSL filtering transparent and non-transparent
-
On squid, it works! ;D
with interception disabled
1359780382.176 0 172.16.3.65 NONE/000 0 CONNECT ssl.gstatic.com:443 - HIER_NONE/- -
1359780382.474 0 172.16.3.65 NONE/000 0 CONNECT www.gstatic.com:443 - HIER_NONE/- -
With interception enabled, squid logs the HTTPS URL request.
1359779615.201 19 172.16.3.65 TCP_MISS/304 316 GET https://www.google.com.br/images/nav_logo117.png - HIER_DIRECT/74.125.234.191 -
1359779615.263 71 172.16.3.65 TCP_MISS/304 224 GET https://www.google.com.br/xjs/_/js/s/c,sb,cr,cdos,vm,tbui,mb,wobnm,klc,kat,esp,bihu,kp,lu,m,amcl,erh,hv,lc,ob,rsn,sf,sfa,shb,tbpr,hsm,j,p,pcc,csi/rt=j/ver=rXkZsHYxGmc.en_US./am=BA/d=1/sv=1/rs=AItRSTPxL_E1JO7l3HoY7bnG_Sb4_ggcyw - HIER_DIRECT/74.125.234.191 -
1359779615.434 0 172.16.3.65 NONE/000 0 CONNECT www.google.com.br:443 - HIER_NONE/- -
1359779615.511 0 172.16.3.65 NONE/000 0 CONNECT www.gstatic.com:443 - HIER_NONE/- -
1359779615.523 17 172.16.3.65 TCP_MISS/304 224 GET https://www.google.com.br/xjs/_/js/s/sy8,gf,tng,sy43,sy56,sy44,sy59,sy37,sy45,sy94,sy6,sy36,sy38,sy64,sy82,sy93,sy106,sy107,sy119,sy7,sy13,mbtt,wta/rt=j/ver=rXkZsHYxGmc.en_US./am=BA/d=0/sv=1/rs=AItRSTPxL_E1JO7l3HoY7bnG_Sb4_ggcyw - HIER_DIRECT/74.125.234.191 -
1359779615.557 0 172.16.3.65 NONE/000 0 CONNECT www.google.com.br:443 - HIER_NONE/- -
1359779615.713 154 172.16.3.65 TCP_MISS/204 303 GET https://www.google.com.br/csi? - HIER_DIRECT/74.125.234.191 image/gif
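Added example (not part of the original post): a small Python check over squid's native access.log format that reports, per host, whether the proxy logged full HTTPS URLs or only the CONNECT host, which is the difference the two log excerpts above show. The function names are hypothetical; the first four sample lines are copied from the post and the last one is constructed.

```python
import re
from urllib.parse import urlsplit

# Lines 1-4 are copied from the post; the last line is constructed to show
# how malformed input is handled.
SAMPLE = """\
1359780382.176 0 172.16.3.65 NONE/000 0 CONNECT ssl.gstatic.com:443 - HIER_NONE/- -
1359779615.201 19 172.16.3.65 TCP_MISS/304 316 GET https://www.google.com.br/images/nav_logo117.png - HIER_DIRECT/74.125.234.191 -
1359779615.434 0 172.16.3.65 NONE/000 0 CONNECT www.google.com.br:443 - HIER_NONE/- -
1359779615.713 154 172.16.3.65 TCP_MISS/204 303 GET https://www.google.com.br/csi? - HIER_DIRECT/74.125.234.191 image/gif
truncated-line 172.16.3.65
"""

# Squid native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+[A-Z_]+/\d{3}\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+\S+\s+[A-Z_]+/\S+\s+\S+$"
)

def classify(line):
    """Return (host, kind) for one log line, or None if it does not parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    if m["method"] == "CONNECT":
        # Only host:port is logged; the request inside the tunnel is not.
        return m["url"].rsplit(":", 1)[0].lower(), "tunnel"
    parts = urlsplit(m["url"])
    kind = "decrypted" if parts.scheme.lower() == "https" else "plain"
    return (parts.hostname or "").lower(), kind

def visibility(log_text):
    """Map each HTTPS host to 'url-visible' or 'host-only'; count bad lines."""
    seen, skipped = {}, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        result = classify(line)
        if result is None:
            skipped += 1
            continue
        host, kind = result
        if kind == "decrypted":
            seen[host] = "url-visible"      # full URL reached the log/filter
        elif kind == "tunnel":
            seen.setdefault(host, "host-only")  # never downgrade url-visible
    return seen, skipped

if __name__ == "__main__":
    print(visibility(SAMPLE))
```

Hosts reported as host-only are the ones a URL filter such as squidguard can match only by hostname.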
-
which version of squid?
Or does this work on both squid2 and squid3?
-
which version of squid?
Or does this work on both squid2 and squid3?
starts working on squid 3.1
-
Are you talking about full content (not just connect host) using dansguardian for ssl including the dynamic certificate generation to avoid the security warnings? I understand that the clients would have to trust my root via other means. Also I'd need to keep all the current functionality that your squid3 package has. If so I could put up $100 for this.
-
Yes, full content filtering. On squid3, full URL filtering with squidguard. dansguardian will need more work as the source does not have a full working config.
-
So yes, then I'd put up $100. How much are you looking for to get dansguardian set up with it?
-
Would this be easily adapted to IMspector as well?
-
Would this be easily adapted to IMspector as well?
Imspector already has its own working mitm function for jabber/ssl.
-
So yes, then I'd put up $100. How much are you looking for to get dansguardian set up with it?
First I need to get it working. The bounty could help me to speed up the process.
-
So yes, then I'd put up $100. How much are you looking for to get dansguardian set up with it?
First I need to get it working. The bounty could help me to speed up the process.
Oh, I haven't done a bounty before. I wasn't sure if you needed more people to put some money up first or not. Is the $100 enough to be worth it for you to do it? If so I can send it to you tomorrow. If not then would I send to the escrow to see if we get some other people to get it high enough? I know you already put a lot of work into your packages for free which is great. I wish I had more to offer but I'm trying to get this set up for home so no company backed funds. :(
-
I wasn't sure if you needed more people to put some money up first or not. Is the $100 enough to be worth it for you to do it? If so I can send it to you tomorrow.
It will be great if more sysadmins that need this feature donate a value.
I'm not asking for a specific value, but how nice will an ssl filtering feature be on the pfsense gui?
BTW, if you have in mind that this donation is to help on development instead of being sure it will be fixed, you can send it to me. Thanks for your help on it.
-
I asked about an escrow but I guess you have to have the full required amount before they will do an escrow. However right now we don't have a goal for it.
-
I need this for squid and squidguard, don't require it much but will support development - $25
By the way, the current squid in packages is 2.7.9 pkg v.4.3.3, so would this also be upgraded to 3?
-
On behalf of a client, add another $25
-
ssl filtering in a non-transparent network would be nice!
but with HAVP or eq. Virus Scanning it would be awesome! ;D
greetings Oli
-
marcelloc, could you give us a goal amount for this that would prioritize this feature set for you?
-
marcelloc, could you give us a goal amount for this that would prioritize this feature set for you?
The package is almost done, I'll ask for package compilation and publish.
-
By the way, we would need to remove squid 2 and upgrade to squid 3, right?
would we still be able to use squid guard?
-
By the way, we would need to remove squid 2 and upgrade to squid 3, right?
would we still be able to use squid guard?
Yes!
On pfsense 2.0.3 you need to install squidguard first and then squid3.
On pfsense 2.1 the package structure is new and you can first install squid3 and then squidguard.
-
Is squid3 with squidguard currently stable compared to squid2 on 2.1, as I only use squid2 with squidguard on it currently?