SSL filtering transparent and non-transparent
-
so is this possible in squid2 or squid3-dev
- transparent mode
- when user goes to any https site, check its domain, if allowed then allow it direct connection or through squid, if denied then block connection and/or give error message
- no client side config
currently on squid2 clients are blocked from http connections to all domains except allowed ones, but if they try e.g. google or facebook etc. using https they get access, and the reason I can't block port 443 is because a few of the allowed domains only work on port 443 so I need to keep that open, just need a way to filter https domains as well
-
currently on squid2 clients are blocked from http connections to all domains except allowed ones, but if they try e.g. google or facebook etc. using https they get access, and the reason I can't block port 443 is because a few of the allowed domains only work on port 443 so I need to keep that open, just need a way to filter https domains as well
You can use squid3-dev to transparently filter SSL and whitelist the domains you allow.
Sites/domains in the whitelist do not get intercepted by SSL.
All other non-allowed domains will alert certificate and then show the squidguard block page.
-
but then I got 2 groups of LAN clients, one with limited access and the second with full access to the internet, and squidguard checks which group a client belongs to and then does the appropriate thing. The unrestricted clients are just allowed everything, in which case their traffic need not be intercepted; only the ones that are restricted should be
-
currently on squid2 clients are blocked from http connections to all domains except allowed ones, but if they try e.g. google or facebook etc. using https they get access, and the reason I can't block port 443 is because a few of the allowed domains only work on port 443 so I need to keep that open, just need a way to filter https domains as well
You can use squid3-dev to transparently filter SSL and whitelist the domains you allow.
Sites/domains in the whitelist do not get intercepted by SSL.
All other non-allowed domains will alert certificate and then show the squidguard block page.
Can you elaborate on how the CA etc. stuff needs to be configured and what is to be exported to the client PC?
Correct me if I'm wrong
- go to the CAs section and generate a new CA as "create an internal CA" (will any settings do, or some specific settings only)
- once done, export that CA and use it in the client
-
Correct me if I'm wrong
- go to the CAs section and generate a new CA as "create an internal CA" (will any settings do, or some specific settings only)
Yes, internal CA, or import an existing CA used on your AD or something else
- once done, export that CA and use it in the client
Yes, download the CA CRT file and then import it in Internet Explorer and Firefox as a trusted CA.
-
I installed squid3-dev and imported those library files manually and squid started fine. Then I tried installing squidguard and it would always end up in errors and crashes and crash dumps generated, so I rebooted the box and then it totally broke and I kept getting the below errors. I had to factory reset and restore my old config. Can you check what the issue is?
Fatal error: Cannot use string offset as an array in /usr/local/pkg/squid.inc on line 1977
Fatal error: Cannot use string offset as an array in /usr/local/pkg/squidguard.inc on line 1009
-
If you are on 2.0.3, try this squid 3.3.5 from my repo.
amd64
http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.5.tbz
i386
http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbz
Always after squidguard install, you need to reinstall squid3/squid3-dev
-
I'm on 2.1 RC0
-
I'm on 2.1 RC0
I'm waiting for this FreeBSD port update to ask for another PBI compilation.
The current squid 3.3.4 version without a specific patch crashes SSL negotiation on the OpenSSL version used on 2.1 RC0.
3.3.4 patched and 3.3.5 do not have this bug.
-
I add 0,25 BTC to the bounty.
-
I add 0,25 BTC to the bounty.
Thanks! ;D
You can send it to my paypal account marcellocoutinho@gmail.com
-
any news on when the port will be compiled with the necessary lib files and created into a pfsense downloadable package?
-
any news on when the port will be compiled with the necessary lib files and created into a pfsense downloadable package?
~~Squid 3.3.5 is still pending on FreeBSD ports. I've sent the update but it was forwarded to the FreeBSD package maintainer.
After it is on FreeBSD ports, I'll ask for another compile and maybe remove sasl auth so it does not require libs that are not on the pfSense install.~~
EDIT
It was updated yesterday. :)
I'll ask for another compile run.
-
Apparently, it may have been pulled off of the site, you must have transparental rights in order to get the ssl filter.
-
squid 3.3.5 is on official repo.
Missing libs are still missing, and on 2.0.3 you need to enable IPv6 for squid to be able to listen on its ports.
-
$100 from here. Looking for a new content filtering solution and ssl filtering is a must.
-
I want to make sure I'm understanding how the ssl filtering works with squid + squidguard. Here's what I've understood so far. Please correct me if I have some of the points incorrect. In particular, I am unclear about my numbers 2, 3, and the level of intrusiveness of https decryption in 4.
1. You need squid3 + squidguard + some additional manual packages to install the software framework to get ssl filtering working
2. You need a real ssl certificate (versus self-signed) to install on the pfsense host to be able to get ssl filtering functionality to work correctly without throwing error messages on the client browsers??
3. Do you also need to install the ssl certificate in #2 onto each host that will be filtered onto each client browser as a trusted certificate??
4. Once the items above have been configured, then squid + squidguard will decrypt the https traffic, scan the contents for url + any content that may need a rewrite, and then block or allow the traffic and/or make the required rewrites. In either case I am understanding that all of the https content gets decrypted, not just the destination data/header.
Thanks
-
2. You need a real ssl certificate (versus self-signed) to install on the pfsense host to be able to get ssl filtering functionality to work correctly without throwing error messages on the client browsers??
You need an internal CA certificate, not just a site certificate.
3. Do you also need to install the ssl certificate in #2 onto each host that will be filtered onto each client browser as a trusted certificate??
As a trusted certificate authority (CA), so any certificate that squid creates using the configured CA will be trusted by the client's browser.
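
The difference between an internal CA certificate and a plain site certificate, as described in the reply above, shown with openssl. This is an added example, not part of the original thread or of pfSense/squid; the function names, subjects and file names are hypothetical and all certificates are constructed throwaway test material.

```shell
#!/bin/sh
# Constructed demo: every name, subject and path here is made up.

# Succeeds only if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# make_signer DIR NAME TRUE|FALSE: self-signed certificate with that CA flag.
make_signer() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = Constructed $2
[ext]
basicConstraints = critical,CA:$3
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$1/$2.cnf" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_leaf DIR SIGNER HOST: sign a per-site certificate with SIGNER,
# the step an intercepting proxy performs for each site it decrypts.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -config "$1/$2.cnf" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 7 -out "$1/$2-$3.crt" 2>/dev/null
}

# client_trusts DIR SIGNER HOST: would a client that imported SIGNER as a
# trusted root accept the per-site certificate signed by it?
client_trusts() {
    openssl verify -CAfile "$1/$2.crt" "$1/$2-$3.crt" >/dev/null 2>&1
}
```

Running `is_ca_cert` on the exported CRT before distributing it to clients confirms that the file is the CA certificate and not a server certificate.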
-
Is there a pfsense version of DG that supports this yet?
-
Is there a pfsense version of DG that supports this yet?
Not yet. Dansguardian code has not been updated for a while on SourceForge.