Filtering SSL and Caching CDN in a School with pfSense+Squid+Dansguardian



  • Hi everyone.

    I am using pfSense 2.1.5 + Squid 2.7 + Dansguardian in a school deployment, where every student has his/her own tablet. The reason I am still using Squid 2.7 is that students often have to download iBooks from iTunes U, and Apple has organized iBook downloading the way a CDN does (i.e. each download gets a unique tag, and identical content is accessed using different URLs, therefore books can't be cached straightforwardly). In order to cache them and avoid the nightmare of 500 MB books being re-downloaded 100-120 times a day, I am using a storeurl_rewrite_program in the Squid custom options, which works perfectly with the appropriate custom rewriter.

    I am also successfully filtering YouTube over HTTP with Dansguardian, by allowing only specific playlist IDs: school desktops can't reach videos that a teacher hasn't specifically allowed in his own playlist (this is implemented with Dansguardian URL filtering and a regex looking for the playlists).

    Up to here, everything works perfectly!

    The problems started with the tablets: mobile YouTube always redirects to SSL-encrypted pages, and I can't filter it because I neither want to ban it altogether by a site ACL in Dansguardian (since it has useful educational videos), nor can I filter SSL (since Squid 2.7 doesn't have a MITM feature).

    Therefore, with my current configuration, all YouTube videos (even inappropriate ones) can be reached by the students' tablets. The YouTube EduFilter solution is a joke, because it doesn't function with HTTPS and can be easily bypassed.

    So my problem is: if I install Squid 3 or Squid 3-dev, I will lose iBook caching (AFAIK, the storeurl_rewrite_program configuration directive was discontinued in 3.1-3.3, and a new StoreID program reappears in 3.4). If I stay with Squid 2.7, I lose SSL (and therefore YouTube) filtering.

    My questions:

    • Does anyone have a suggestion? Is there any way to rewrite store URLs in Squid 3.3 that I am not aware of? Or maybe a way to filter SSL with Dansguardian without Squid 3 or Squid 3-dev?

    • Is there any project to adapt Squid 3.4 to pfSense in the near future?

    Thanks in advance for your help

    Panos
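The store-URL rewriting described in the first post is a small helper that Squid feeds one request line at a time; the same key-building logic serves both the Squid 2.7 storeurl_rewrite_program interface the poster uses and the StoreID interface that returns in Squid 3.4. The following is an added example, not the poster's rewriter: the CDN URL layout (numbered front-end hosts under a made-up cdn.example.invalid domain, a per-download tag query parameter) and the script name store_key.py are constructed for illustration and are not Apple's real URL scheme.

```python
#!/usr/bin/env python3
"""Squid store-key rewriter for CDN-style downloads (hypothetical URL layout).

Squid 2.7:  storeurl_rewrite_program /path/store_key.py --protocol 2.7
Squid 3.4+: store_id_program         /path/store_key.py --protocol 3.4
The key-building logic is shared; only the line protocol differs.
"""
import argparse
import re
import sys
from urllib.parse import urlsplit

# Constructed layout for the example, NOT the real Apple/iTunes U one:
#   http://a<N>.cdn.example.invalid/<path>/<book>.ibooks?tag=<unique per download>
# The numbered front-end host and the tag change on every download, so the
# raw URL is never a cache hit; only the path identifies the content.
CDN_HOST_RE = re.compile(r"^a\d+\.cdn\.example\.invalid$")
CONTENT_SUFFIXES = (".ibooks", ".epub")
# Pseudo-host under .squid.internal (the suffix Squid's StoreID docs use)
# so a store key can never collide with a real, fetchable URL.
KEY_HOST = "http://cdn.example.invalid.squid.internal"


def canonical_store_key(url):
    """Return the shared store key for a cacheable CDN download, else None.

    Deliberately narrow: only the expected host pattern and only the known
    content types. Two URLs that map to one key are served from one cached
    object, so an over-broad mapping lets one download poison the copy
    handed to everyone else. Anything not matched is left untouched.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not CDN_HOST_RE.match(parts.hostname or ""):
        return None
    if not parts.path.lower().endswith(CONTENT_SUFFIXES):
        return None
    return KEY_HOST + parts.path          # query string and fragment dropped


def split_request(line):
    """Split a helper request line into (channel_id or None, url).

    Squid prefixes a numeric channel ID when the helper's *_concurrency
    option is non-zero; it must be echoed back in front of the reply.
    """
    fields = line.split()
    chan = None
    if fields and fields[0].isdigit():
        chan = fields.pop(0)
    return chan, (fields[0] if fields else "")


def with_channel(chan, body):
    return body if chan is None else f"{chan} {body}"


def reply_squid27(line):
    """storeurl_rewrite_program protocol: the reply is the rewritten URL.
    Replying with the original URL leaves the store key unchanged."""
    chan, url = split_request(line)
    return with_channel(chan, canonical_store_key(url) or url)


def reply_squid34(line):
    """store_id_program protocol: reply 'OK store-id=<key>' or 'ERR'."""
    chan, url = split_request(line)
    key = canonical_store_key(url)
    return with_channel(chan, f"OK store-id={key}" if key else "ERR")


def main(argv=None):
    ap = argparse.ArgumentParser(description="Squid store-key rewriter")
    ap.add_argument("--protocol", choices=["2.7", "3.4"], default="2.7")
    args = ap.parse_args(argv)
    reply = reply_squid34 if args.protocol == "3.4" else reply_squid27
    for line in sys.stdin:
        sys.stdout.write(reply(line) + "\n")
        sys.stdout.flush()   # Squid waits for each answer; buffering stalls it


if __name__ == "__main__":
    main()
```

Two practitioner notes. First, gate the helper with an ACL (storeurl_access in 2.7, store_id_access in 3.4) so that only requests to the CDN hosts ever reach it; the helper's own host check is a second line of defence, not the first. Second, the key must be derived only from parts of the URL that prove content identity (here the path), never from anything an attacker could reuse for different content, because every client that asks for that key gets whatever object was cached first. To check it is working, download the same book twice via different front-end hosts and confirm the second request is logged as a TCP_HIT in access.log.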



  • Putting squid3-dev into full production, you may have issues with:

    • Windows updates not connecting
    • Adobe updates not connecting
    • Other unknown update services that the students are running not being able to connect
    • Some websites not working
    • Tor browser (not being blocked)

    However, without squid3-dev you will not be able to filter HTTPS sites (not much point in filtering if you can't do both).
    I would set up a test computer before you put it into full production and try to resolve the caching with Squid.

    In the long run, try to get squid3-dev working.

    Helpful links:
    https://forum.pfsense.org/index.php?topic=73640.0
    https://forum.pfsense.org/index.php?topic=79389.0



  • Thank you for your answer. I didn't realise that squid3-dev has so many issues. I guess that filtering SSL and caching at the same time is not so trivial after all :)



  • The major issue that I have been trying to work out is update services like Windows Update being blocked.
    Once that is worked out, there should only be minor issues to resolve.



  • Excuse me sir, how did you solve this problem (Windows Update with SSL bump on squid3-dev)?  :)
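The update-service breakage listed in the second reply, and asked about in the last post, is the usual failure of SSL bumping: update clients that do not trust the proxy's CA (or that pin their certificates) refuse the forged server certificate. The standard remedy is to exempt those destinations from bumping rather than to weaken certificate checking. The following squid.conf fragment is an added example in the Squid 3.3-era ssl_bump syntax that the pfSense squid3-dev package of that period shipped; it is not the package's default configuration, and the host lists are assumptions to be verified against the vendors' current documentation and your own logs.

```conf
# Destinations that must not be bumped: their clients will not accept the
# proxy's CA, so an intercepted connection fails instead of being filtered.
# Assumed lists: check Microsoft's published Windows Update hosts, and narrow
# the Adobe placeholder after watching which hosts the updater actually uses.
acl no_bump dstdomain .windowsupdate.com .update.microsoft.com .windowsupdate.microsoft.com
acl no_bump dstdomain .adobe.com

# Order matters: the first matching ssl_bump line wins. Exempted
# destinations pass through untouched (and therefore unfiltered);
# everything else is bumped server-first so Squid mimics the real
# server certificate and Dansguardian can see the decrypted URLs.
ssl_bump none no_bump
ssl_bump server-first all

# Do not "fix" a broken updater by ignoring upstream certificate errors;
# that would let the proxy relay traffic to any impostor server.
sslproxy_cert_error deny all
```

Two caveats. The exemption is a deliberate hole in filtering, so keep the list to hosts that must work and never put general-purpose sites (YouTube included) on it; every entry should be justified by a connection you saw fail in cache.log. And the dstdomain match only works where Squid knows the hostname before deciding, i.e. with the tablets configured to use the explicit proxy; in transparent/intercept mode a Squid this old evaluates ssl_bump on a fake CONNECT that carries only the destination IP, so you would have to match on dst address ranges instead. The proxy's CA still has to be installed on every tablet (an iOS configuration profile in this deployment) for the bumped sites to load at all.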