Netgate Discussion Forum
    Proxy HTTPS filtering

    Heli0s

      I have an interface that is connected to a wireless router and is used as a guest network. I'd like to setup a system (proxy) that will block users on that network from surfing "bad" sites. I have two questions:

      1. Is there a manual/how-to out there that shows how to setup a proxy that will do that?
      2. With #1 in mind, since a lot of these websites work on HTTPS, would I need to do something special to do a MITM SSL stripping to be able to filter the traffic?
      Derelict (Netgate)

        The only way to get "in the middle" of an HTTPS conversation is to coerce your users to install a trusted root CA and generate certificates on-the-fly using that CA for every site they visit.  Or throw a certificate error for every site because you're generating certificates on-the-fly and your users don't have a trusted root for you installed.  That's the nature of HTTPS.  No magic pill.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

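        Derelict's point is easy to see in code: an intercepting proxy mints a certificate per site under its own root, and only a client that has installed that root accepts it; everyone else gets the certificate error. The following Go program is an added example written for this thread, not code from pfSense, Squid or any poster; the root name, the host "example.com" and the 24-hour validity window are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error to keep the example short; real code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a fresh key pair and signs tmpl with parent and signer (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour) // constructed window
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// NewInterceptRoot is the proxy's own root CA, the one every guest would have to install (name is constructed).
func NewInterceptRoot() (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Guest Proxy Root (example)"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// LeafFor mints the on-the-fly certificate the proxy would present for host, signed by the proxy root.
func LeafFor(host string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, rootKey)
	return leaf
}

// ClientAccepts reports whether a client trusting only roots accepts leaf for host; false is the certificate error a guest without the root sees.
func ClientAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}
```

        Calling ClientAccepts with a pool that holds the proxy root returns true for the minted certificate, and with an empty pool (a guest who never installed it) returns false, which is exactly the two outcomes Derelict describes.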
        kejianshi

          I have an idea.  Put that guest network on a separate interface.
          Create a limiter to limit the damage the "guests" can do to your bandwidth.
          If they just can't behave themselves, kill their access every time they do things you have told them not to.

          Heli0s

            @Derelict:

            The only way to get "in the middle" of an HTTPS conversation is to coerce your users to install a trusted root CA and generate certificates on-the-fly using that CA for every site they visit.  Or throw a certificate error for every site because you're generating certificates on-the-fly and your users don't have a trusted root for you installed.  That's the nature of HTTPS.  No magic pill.

            I'm fine with throwing cert errors, as long as I can achieve the blocking.

            @kejianshi:

            I have an idea.  Put that guest network on a separate interface.
            Create a limiter to limit the damage the "guests" can do to your bandwidth.
            If they just can't behave themselves, kill their access every time they do things you have told them not to.

            Is there a way to use the limiter to completely block traffic instead of just limiting it?
