Filtering SSL and Caching CDN in a School with pfSense+Squid+Dansguardian
I am using pfSense 2.1.5 + Squid 2.7 + Dansguardian in a school deployment, where every student has his/her own tablet. The reason I am still using Squid 2.7 is that students often have to download iBooks from iTunesU and Apple has organized iBook downloading the way a CDN does (i.e. each download gets a unique tag, identical content is accessed using different URLs, therefore books can't be cached straightforwardly). In order to cache them and avoid the nightmare of 500Mb books being re-downloaded 100-120 times a day, I am using a storeurl_rewrite_program in squid custom options which works perfectly with the appropriate custom rewriter.
I am also successfully filtering Youtube on http with Dansguardian, by allowing only specific playlist ids: school desktops can't reach videos that a teacher hasn't specifically allowed in his own playlist (this is implemented with Dansguardian url filtering with a regex looking for the playlists).
Till here, everything works perfectly!
The problems started with the tablets: mobile Youtube always redirects to SSL encrypted and I can't filter it because I neither want to ban it altogether by a Site ACL in Dansguardian (since it has useful educational videos), nor can I filter SSL (since Squid 2.7 doesn't have a MiTM feature).
Therefore, with my current configuration, all Youtube videos (even inappropriate ones) can be reached by the students' tablets. The solution of youtube edufilter is a joke, because it doesn't function with https and can be easily bypassed.
So my problem is: if I install Squid 3 or Squid 3-dev, I will lose iBook caching (AFAIK, the storeurl_rewrite_program configuration directive has been discontinued in 3.1-3.3 and a new StoreID program reappears in 3.4). If I stay with Squid 2.7, I lose ssl (and therefore youtube) filtering.
Does anyone have a suggestion? Is there any way to rewrite store URLs in Squid 3.3 that I am not aware of? Or maybe a way to filter ssl with Dansguardian without squid 3 or squid 3-dev?
Is there any project to adopt Squid 3.4 to pfSense in the near future?
Thanks in advance for your help
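For readers unfamiliar with the store-URL rewriting described in the post above, here is a sketch of such a helper. It is an added example, not the poster's rewriter and not part of the original post. The CDN host pattern, file extensions and store-key host are constructed placeholders, and it assumes the helper runs without concurrency, receiving one request line starting with the URL and answering with one line (empty for "no change").

```python
#!/usr/bin/env python3
"""Sketch of a store-URL rewrite helper (added example, constructed values)."""
import re
import sys
from urllib.parse import urlsplit

# Constructed pattern: edge hosts one label below an assumed CDN domain.
CDN_HOST = re.compile(r"[a-z0-9-]+\.cdn\.example\.com")
# Only large static book files are collapsed; other URLs keep their own key.
CACHEABLE_EXT = (".ibooks", ".epub", ".pdf")
# Assumed store-key host; never resolved, used only to name the cache object.
STORE_HOST = "books.store-key.invalid"


def store_url(url):
    """Return a canonical store key for url, or "" to leave it unchanged."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ""
    host = (parts.hostname or "").lower()
    if parts.scheme != "http" or not CDN_HOST.fullmatch(host):
        return ""
    path = parts.path
    if not path.lower().endswith(CACHEABLE_EXT):
        return ""
    # Refuse paths that could alias two different objects onto one key.
    if ".." in path or "//" in path or "%" in path:
        return ""
    # Drop the edge host and the query string (per-download tag) from the key.
    return "http://%s%s" % (STORE_HOST, path)


def handle_line(line):
    """Process one helper request line; the URL is the first field."""
    fields = line.split()
    return store_url(fields[0]) if fields else ""


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # the proxy waits for each answer; never buffer


if __name__ == "__main__":
    main()
```

Because every tagged URL for the same path is served from one cached object, the match is kept narrow (one host pattern, static file extensions only) so that per-user or authenticated responses never share a cache key.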
Putting squid 3-dev in full production you may have issues with:
- Windows updates not connecting
- Adobe updates not connecting
- Other unknown update services that the students are running not being able to connect
- Some websites not working
- Tor browser (not being blocked)
However without squid 3-dev you will not be able to filter HTTPS sites (not much point in filtering if you can't do both).
I would set up a test computer before you put it in full production and try and resolve the caching with squid.
In the long run try and get squid 3-dev working.
Thank you for your answer. I didn't realise that Squid 3-dev has so many issues. I guess that filtering ssl and caching at the same time is not so trivial after all :)
The major issue that I have been trying to work out is update services like windows update being blocked.
Once that is worked out there should only be minor issues to resolve.
Excuse me sir, how to solve this problem (update windows with ssl bump squid3-dev)? :)