Pfsense, alias and subdomains needed
-
hello folks,
This is my first post and I have trouble configuring this, so hopefully I have hit the right forum for my question:
My goal is a proxy server without caching functionality, something like a (surf) gateway only.
This makes sense because I want to block all outbound except some internet sites, two of them need HTTPS!
So squid is wrong for my configuration, right?
My configuration works, but no subdomains are working :(
for example:
working:
http://domain.org
http://www.domain.org/someurl
https://domain.org
https://www.domain.org/someurl
not working:
http://subdomain.domain.org
https://subdomain.domain.org
this is my configuration:
I installed a new "clean" pfSense, latest version.
Under Firewall --> Alias: I configured as alias (hosts) something like "www.domain.org" (without ""), description named here "destinationALIAS"
Under Firewall --> Rules --> LAN:
I deactivated the standard IPv4 and IPv6 rules.
I created a new rule:
Action: Pass
Interface: LAN
Protocol: any
Source: any
Port: any
Destination: single host or alias - name chosen "destinationALIAS"
But why can't I use subdomains? They are blocked....
I would prefer to use "*.domain.org" or "*domain.org" as the alias, but it's rejected.
If you need detailed information I can deliver it tomorrow, but please help me out... thanks!
Is there a simple way to get subdomains working?
gr33z
Edit: configuration specified
-
I use
.*domain.org
in my ACLs. This takes care of any domain and subdomain.
How are you blocking or allowing secure http (https)?
-
Hello podilarius,
thanks for your reply!
In your ACL? Do you mean a configuration with squid? I don't want to use squid :(
I couldn't get secure http (https) to work with squid... so I don't want to block it.
I tried to use your pattern ".*domain.org" (without "") as Alias (Firewall --> Alias) as Host - but it isn't accepted either :(
Error:
The following input errors were detected:
.*domain.org is not a valid host alias.
gr33z
-
Yes. I was talking about squid config. Wildcards are not permitted in FW rules or Aliases to my knowledge. Firewall rules must resolve to something. As far as I know only the proxy software is smart enough for that. You might be able to use snort, but I have not messed with that in a long time.
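To make this point concrete, here is a small model of why a host alias cannot cover subdomains while a proxy ACL can. It is an added example, not pfSense or squid code: the DNS table is constructed, is_valid_host_alias only approximates pfSense's alias validation, and the anchored pattern (^|\.)domain\.org$ is offered as an alternative to the unanchored .*domain.org, which also matches unrelated names such as notmydomain.org.

```python
import ipaddress
import re

# Constructed DNS view (documentation-range addresses, not real hosts):
# what both the client and the firewall's alias resolver would get back.
DNS = {
    "domain.org": "203.0.113.10",
    "www.domain.org": "203.0.113.10",        # same server as the apex
    "subdomain.domain.org": "203.0.113.20",  # a different server
    "notmydomain.org": "198.51.100.5",       # unrelated site
}

# Literal FQDN labels only; assumption that mirrors the "not a valid host
# alias" error in the thread, not pfSense's actual validator.
HOST_ALIAS_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def is_valid_host_alias(name):
    """'*.domain.org' and '.*domain.org' are rejected: no wildcard syntax."""
    return HOST_ALIAS_RE.match(name) is not None


def resolve_alias(hostnames):
    """Model a host alias: each FQDN becomes the addresses it resolves to at
    refresh time. The rule is compiled against those addresses, nothing else."""
    ips = set()
    for name in hostnames:
        if not is_valid_host_alias(name):
            raise ValueError(f"{name} is not a valid host alias")
        ips.add(ipaddress.ip_address(DNS[name]))
    return ips


def firewall_allows(alias_ips, dest_host):
    """A pass rule with the alias as destination sees only the packet's
    destination IP, i.e. whatever the client resolved dest_host to."""
    return ipaddress.ip_address(DNS[dest_host]) in alias_ips


def proxy_allows(pattern, dest_host):
    """A squid dstdom_regex-style ACL matches the requested hostname, so it
    can express 'any subdomain' where an address-based rule cannot."""
    return re.search(pattern, dest_host) is not None
```

The same model shows a second practical limit: the rule only knows the addresses the alias resolved to at its last refresh, so a name whose addresses rotate can stop matching between refreshes.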
-
Hello again,
OK, so if I'm using squid3x, then HTTPS sites are not working - can you give me hints for that, please?
gr33z
-
According to the proxy config, you can use a man-in-the-middle approach. It requires that you set up a WPAD/PAC in DNS or DHCP. This is new to me, but reading up on it looks promising. I am using my proxy only as a way to control sites my girls should not be seeing. They can get to https sites though. This might be a way to circumvent that limitation.
Please post if you have any success, if you use it.