Netgate Discussion Forum
    Squidguard blocking problem

    pfSense Packages
      dan34:

      I'm trying to block a couple of sites, but it seems that if I use https it bypasses the filter and allows access. Say I'm trying to block the domain abc.com. If I use http://abc.com it is intercepted and I get the "site is blocked" message. If I change to https://abc.com I can reach the site just fine.  Does anyone know what configuration setting I'm missing that would fix this?


        thedada:

        hi,

        I guess you are using the squidguard package to block URLs.
        Squidguard uses Squid to get the targeted URL.
        The thing is, Squid can easily read an HTTP connection but not an HTTPS connection.
        HTTPS builds a secured tunnel over HTTP using SSL with the web server. Once it's done, all traffic is encrypted, so Squid (and so squidguard) can't read it.

        You have two options:

        - Check the IPs related to those websites and block them: example here http://forum.pfsense.org/index.php?topic=46265.0

        - Do an HTTPS proxy with certificates. That way you will have a tunnel between the user and pfSense and another between pfSense and the web site.
          http://www.juniper.net/techpubs/en_US/idp5.0/topics/concept/intrusion-detection-prevention-ssl-decryption-overview.html
          http://www.rahulpahade.com/content/squid-transparent-proxy-over-ssl-https

        Cheers.

        Damien


          dan34:
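An added example of the second option above (not code from the thread, the pfSense package or the Squid project): the Squid SSL-Bump directives that make an intercepted port-443 connection visible to Squid at the TLS handshake, so a blocked domain can be refused without decrypting anything. Assumptions: Squid 4 or later built with OpenSSL support (Squid 3.5 names the certificate helper ssl_crtd instead), a pfSense NAT rule that sends LAN tcp/443 to the intercept port, and the port number and file paths shown, which are placeholders. The pfSense package generates squid.conf itself, so lines like these belong in its custom-options field rather than in a hand-edited file.

```conf
# Added example (assumed paths and port): Squid 4.x SSL-Bump, "peek" only.
# Intercepted HTTPS lands here; cert= is required syntactically for ssl-bump
# but is never shown to clients while connections are only spliced/terminated.
https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/serverkey.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M 4MB

# SslBump1: Squid has read the client's ClientHello (and so the SNI name)
# but has not yet contacted the origin server.
acl step1 at_step SslBump1

# Names to refuse. A leading dot matches the domain and every subdomain,
# the same convention squidGuard destination lists use.
acl blocked_tls ssl::server_name .abc.com

# Read the SNI without altering the handshake.
ssl_bump peek step1

# Close blocked connections outright; no forged certificate is involved.
ssl_bump terminate blocked_tls

# Everything else is passed through with end-to-end encryption intact.
ssl_bump splice all
```

With this configuration squidGuard never sees an HTTPS URL: blocking is by server name only, which is enough for "block abc.com" and avoids installing a private CA on every client. Only if filtering by path inside HTTPS is required would the last two lines be replaced by `ssl_bump bump all`, at which point Squid presents its own generated certificates and the CA must be trusted on each client. A client that sends no SNI (connecting by IP address, or using Encrypted ClientHello) matches no `ssl::server_name` entry and is spliced through, so decide deliberately whether that case should instead be terminated.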

          @thedada:

          > hi,
          >
          > I guess you are using the squidguard package to block URLs.
          > Squidguard uses Squid to get the targeted URL.
          > The thing is, Squid can easily read an HTTP connection but not an HTTPS connection.
          > HTTPS builds a secured tunnel over HTTP using SSL with the web server. Once it's done, all traffic is encrypted, so Squid (and so squidguard) can't read it.

          SSL encrypts the data, not the address, so I had thought that squid/squidguard should be able to block one as well as the other. Apparently, the problem is that redirecting port 443 traffic through the proxy would interfere with the SSL connection and so it's not done. You can work around this by setting up your own certificate as explained in the last links that you gave:

          > - Do an HTTPS proxy with certificates. That way you will have a tunnel between the user and pfSense and another between pfSense and the web site.
          >   http://www.juniper.net/techpubs/en_US/idp5.0/topics/concept/intrusion-detection-prevention-ssl-decryption-overview.html
          >   http://www.rahulpahade.com/content/squid-transparent-proxy-over-ssl-https

          > - Check the IPs related to those websites and block them: example here http://forum.pfsense.org/index.php?topic=46265.0

          This is with firewall rules, not with squid/squidguard. I'll have to look into this more.

          Thanks for your reply. I think I understand it better now.

          Dan


            thedada:

            > SSL encrypts the data, not the address

            ??? What you call the "address" is facebook, right, which is a DNS resolution. DNS is layer 7. SSL encrypts everything after layer 3. That's why you can't block it by name.

            > Apparently, the problem is that redirecting port 443 traffic through the proxy would interfere with the SSL connection and so it's not done. You can work around this by setting up your own certificate

            Yes, it's what I've said! But it's not the fastest and easiest way to do it.

            That's why I recommended doing it with firewall rules ;)

            I hope I was helpful ;D

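An added example for the exchange above about what a proxy can and cannot see on a port-443 connection (this is not code from the thread, the pfSense package or Squid). The URL path, headers and body of an HTTPS request are encrypted, but the host name the client asked for is sent unencrypted in the TLS ClientHello, in the Server Name Indication (SNI) extension, and that plaintext field is what a peek-style interceptor matches against a domain list. The script builds a constructed ClientHello (not captured traffic), extracts the server name exactly as such an interceptor would, and applies a squidGuard-style domain list with subdomain matching. The blocklist contents, the function names and the ClientHello contents are assumptions; the no-SNI case (a client connecting by IP address, or one using Encrypted ClientHello) is handled explicitly, since an SNI-only filter has nothing to match there.

```python
import struct
from typing import Iterable, Optional


def build_client_hello(host: Optional[str]) -> bytes:
    """Construct one TLS record carrying a ClientHello (test input, not captured traffic).

    When host is None the SNI extension is omitted, which is what a client that
    connects by IP address (or one using Encrypted ClientHello) looks like.
    """
    body = b"\x03\x03" + bytes(32)                        # client_version TLS 1.2, random
    body += b"\x00"                                       # session_id: empty
    body += struct.pack("!H", 4) + b"\x13\x01\x00\x2f"   # two cipher suites
    body += b"\x01\x00"                                   # one compression method: null
    exts = b""
    if host is not None:
        name = host.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni      # extension type 0 = SNI
    versions = b"\x02\x03\x04"                                  # supported_versions: TLS 1.3
    exts += struct.pack("!HH", 0x002B, len(versions)) + versions
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if absent/malformed.

    Everything read here is plaintext on the wire: record header, handshake header,
    the fixed fields and the extension list. Nothing is decrypted.
    """
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                            # skip version + random
        pos += 1 + body[pos]                                    # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # skip cipher_suites
        pos += 1 + body[pos]                                    # skip compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            # server_name_list: 2-byte list length, then name_type(1) + length(2) + name
            if etype == 0x0000 and len(data) >= 5 and data[2] == 0x00:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None


def decide(sni: Optional[str], blocklist: Iterable[str]) -> str:
    """squidGuard-style domain match: an entry blocks itself and every subdomain."""
    if sni is None:
        # Nothing to match on. An SNI-only filter must choose: fail open (shown here)
        # or terminate, which also breaks legitimate connect-by-IP clients.
        return "allow"
    host = sni.lower().rstrip(".")
    for entry in blocklist:
        entry = entry.lower().strip(".")
        if host == entry or host.endswith("." + entry):
            return "block"
    return "allow"


BLOCKLIST = ["abc.com"]   # assumed list, standing in for a squidGuard destination list


def filter_record(record: bytes, blocklist: Iterable[str] = BLOCKLIST) -> str:
    """Apply the blocklist to one ClientHello record; returns 'block' or 'allow'."""
    return decide(extract_sni(record), blocklist)


if __name__ == "__main__":
    for host in ["abc.com", "www.abc.com", "notabc.com", None]:
        rec = build_client_hello(host)
        print(f"{str(host):>12}: sni={extract_sni(rec)!r:>16} -> {filter_record(rec)}")
```

The matcher deliberately requires a label boundary, so `notabc.com` is not caught by an `abc.com` entry; a plain substring match would over-block. The same boundary rule is why blocking by IP address instead, as the thread's firewall-rule option does, is coarser: the address is shared by every name hosted behind it, while the SNI name is specific to the site requested.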
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.