Netgate Discussion Forum

DansGuardian + SSL

  • M
    marcelloc
    last edited by Aug 8, 2013, 4:02 AM

    The ssl filtering feature is not complete on dansguardian 2.12 alpha code.

    You will find a working ssl filtering feature on squid3-dev package but please read the forum topic first to get required missing libs from so.

    Elite Training: http://sys-squad.com

    Help a community developer! ;D

    • B
      bilbo
      last edited by Oct 30, 2013, 6:41 PM

      @marcelloc:

      The ssl filtering feature is not complete on dansguardian 2.12 alpha code.

      You will find a working ssl filtering feature on squid3-dev package but please read the forum topic first to get required missing libs from so.

      Does this mean that at present it is not possible to content filter ssl traffic? Only URL filter ssl addresses with squid3 and squid guard?

      Or can squid 3 dev man in the middle ssl be used in conjunction with Dansguardian to content filter the actual page content of ssl traffic? If so, how?

      • S
        serialdie
        last edited by Oct 30, 2013, 7:48 PM

        I am interested in this setup as well.

        • N
          Nachtfalke
          last edited by Oct 30, 2013, 7:56 PM

          squid3-dev can do SSL filtering. The thread is here:
          http://forum.pfsense.org/index.php/topic,62256.0.html

          So if squid can intercept the SSL traffic it should be no problem to filter it with squidguard or dansguardian. I am not using dansguardian.

          • B
            bilbo
            last edited by Oct 30, 2013, 8:41 PM

            Thanks for the reply, I have actually got the squid proxy ssl bit working and the certificate installed on the kids' iPod etc and that works. I just don't know how to then feed the unencrypted traffic into dansguardian.

            The way that dansguardian package setup specifies setup is to forward all http port 80 traffic to the DG port 8080 which then gets passed to the squid proxy. Wouldn't the traffic need to be directed to squid first?

            • S
              serialdie
              last edited by Oct 31, 2013, 2:54 AM

              @bilbo:

              Thanks for the reply, I have actually got the squid proxy ssl bit working and the certificate installed on the kids' iPod etc and that works. I just don't know how to then feed the unencrypted traffic into dansguardian.

              The way that dansguardian package setup specifies setup is to forward all http port 80 traffic to the DG port 8080 which then gets passed to the squid proxy. Wouldn't the traffic need to be directed to squid first?

              I think the same logic applies. You will have to send the unencrypted tunnel back to Dansguardian via 8080.
              I am going to try this over the weekend.

              • B
                bilbo
                last edited by Oct 31, 2013, 11:08 AM

                So traffic would have to go Lan > DG > Squid Unencrypted > DG > Squid Re encrypted > Internet

                or Squid > DG > Squid > Internet?

                How do you plan to attempt it? Let me know how you get on.

                • S
                  serialdie
                  last edited by Oct 31, 2013, 1:09 PM Oct 31, 2013, 1:08 PM

                  @bilbo:

                  So traffic would have to go Lan > DG > Squid Unencrypted > DG > Squid Re encrypted > Internet

                  or Squid > DG > Squid > Internet?

                  How do you plan to attempt it? Let me know how you get on.

                  That's simple. It must go from WAN -> LAN -> Squid -> Dansguardian -> User. And back out uses the same logic.

                  User -> LAN -> Squid -> Dansguardian -> WAN

                  • B
                    bilbo
                    last edited by Oct 31, 2013, 9:22 PM

                    With that setup the proxy doesn't intercept the ssl for me.

                    Browser <=> DG (8080) <=> (3128) Squid <=> Internet

                    In my mind it should be

                                 DansGuardian
                                   ^    ¦¦
                                   ¦¦    v
                    Browser <=>  Squid Proxy  <=> Internet

                    No idea how to do that as a total newb to this.

                    • P
                      Pr0xiMUS
                      last edited by Nov 16, 2013, 7:55 PM

                      Any news or success with this? My current configuration is:

                      • HTTP traffic: browser -> DG (8080) -> squid (3128) -> net

                      • HTTPS traffic: browser -> squid transparent 443 -> net

                      How to feed DansGuardian after squid SSL man in the middle proxy?
