Pfsense, alias and subdomains needed
This is my first post and I have trouble configuring this, so hopefully I have hit the right forum for my question:
My goal is a proxy server without caching functionality, something like a (surf) gateway only.
This makes sense because I want to block all outbound traffic except some internet sites; two of them need HTTPS!
So Squid is wrong for my configuration, right?
This is my configuration:
I installed a new "clean" pfSense, latest version.
Under Firewall --> Alias: I configured as alias (Hosts) something like "www.domain.org" (without ""), with the description here named "destinationALIAS".
Under Firewall --> Rules --> LAN:
I deactivated the standard IPv4 and IPv6 rules.
I created a new rule:
Destination: single host or alias, with the name chosen "destinationALIAS".
But why can't I use subdomains? They are blocked....
I would prefer to use "*.domain.org" or "*domain.org" as the alias, but it's rejected.
If you need detailed information I can deliver it tomorrow, but please help me out... thanks!
Is there a simple way to get subdomains working?
Edit: configuration specified.
in my ACLs. This takes care of any domain and subdomain.
How are you blocking or allowing secure http (https)?
Thanks for your reply!
In your ACL? Do you mean a configuration with Squid? I don't want to use Squid :(
I could not get secure HTTP (HTTPS) to work with Squid... so I don't want to block it.
I tried to use your pattern ".*domain.org" (without "") as an alias (Firewall --> Alias) of type Host, but it isn't accepted either :(
The following input errors were detected:
.*domain.org is not a valid host alias.
Yes. I was talking about the Squid config. Wildcards are not permitted in FW rules or Aliases to my knowledge. Firewall rules must resolve to something. As far as I know only the proxy software is smart enough for that. You might be able to use Snort, but I have not messed with that in a long time.
OK, so if I'm using squid3x, then HTTPS sites are not working. Can you give me hints for that, please?
According to the proxy config, you can use a man-in-the-middle approach. It requires that you set up a WPAD/PAC in DNS or DHCP. This is new to me, but reading up on it looks promising. I am using my proxy only as a way to control sites my girls should not be seeing. They can get to HTTPS sites though. This might be a way to circumvent that limitation.
Please post if you have any success, if you use it.
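As an added example (not posted by anyone in this thread), here is a minimal squid.conf fragment for the allow-list-only, no-caching gateway discussed above. The LAN subnet and the domain names are placeholders, and it assumes clients are pointed at the proxy explicitly (e.g. via the WPAD/PAC mentioned above), so an HTTPS request arrives as a CONNECT carrying the hostname and Squid can match it without any SSL interception.

```conf
# Added example, not from the thread. Placeholders: 192.168.1.0/24 and the domains.
acl localnet src 192.168.1.0/24

# A leading dot matches the domain itself and every subdomain,
# which a pfSense host alias (one resolvable name) cannot express.
acl allowed_sites dstdomain .domain.org .example.net

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Only permit CONNECT tunnels (HTTPS) to port 443, nothing else
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# LAN clients may reach the allow-listed domains only; everything else is denied
http_access allow localnet allowed_sites
http_access deny all

# Gateway only: relay requests but never store responses
cache deny all
```

With a transparent (intercepting) proxy the hostname of an HTTPS connection is not visible to Squid without SSL bumping, which is why the explicit-proxy setup is what makes this work without a man-in-the-middle. The pfSense LAN rules still need to block direct outbound traffic so clients cannot bypass the proxy.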