Squid HTTPS filtering



  • This is a two part question. First, I'd like to setup a proxy to be able to block access to certain websites based on category. I know that it's possible to do with SquidGuard or DansGuardian. However, my question is: can either of those do the same thing with HTTPS traffic? I've read the following guide:

    http://sichent.wordpress.com/2014/02/22/filtering-https-traffic-with-squid-on-pfsense-2-1/

    But it talks about Diladele Web Safety instead of the other software packages that I've described. I'd like to stick with the two packages described (SquidGuard or DansGuardian since I had easier time finding information and guides on them). It's my understanding that it should be possible to setup one of those packages to filter HTTPS and thus be able to check if the website falls within a prohibited category. The only difference is that when a user goes to an HTTPS site, they will get a certificate error (which they can simply continue through).

    The second part of the question: On my network, all devices have a static DHCP IP lease somewhere between 192.168.1.10 and 192.168.1.100. When a new device is connected, it's given an address between 192.168.1.101 and 192.168.1.254. What I would like to do is make it so that everyone that has a static DHCP IP (below .100) can go "around" the proxy, while everyone that does receive a DHCP IP (over .100), has to go "through" the proxy. How would I go about doing that?



  • For 1st part:  I guess you need to import the internal-ca which you have created in your pfsense box into every client machine. If you integrate Diladele web safety then effective filtering can be enforced I am saying this because I have tested the filtering with just SquidGuard and SquidGuard+Diladele web safety. In my personal opinion their is no harm in using both SG+Diladele.

    For 2nd part:  Their is an option in SquidGuard in which you can specify the IP addresses which can bypass the proxy.



  • Lookup info on creating a wpad.dat file. It's not technically transparent, but it allows each computer to automatically be configured to use your proxy server. DansGuardian is quite nice, and very flexible as to capabilities, but is more complicated to setup and configure. SquidGuard has basic functionality, but it is far easier to get it going.

    If you need to enforce use of the proxy, you could try to block outgoing traffic on ports 80 and 443. If you do any of this, you will probably want to first switch the port used by pfSense's WebConfigurator to something non-standard so that you don't accidentally proxy traffic to the pfSense box.

    You can also use networkinggeek's answer.

    Neither solution is necessarily better or worse. It just depends on your network and your needs.


Log in to reply