Web filter https



  • Is there a way of blocking sites by category when they use https?  Basically I need to block porn sites at a church and am unable to force all the people to use a proxy (unless it is transparent).  Can this be accomplished somehow?  Is there perhaps a blacklist I could download and use to get most of what I want that way?



  • I have been playing around with squidGuard and the Shalla blacklist.  Whenever I go to an https version of a porn site, the http parts of the site are blocked, but the https parts come through (makes for interesting looking pages i.e. missing stylesheets).  Ideas on how to get this working?



  • Much easier on you and more stable for pfsense if you just use a DNS service like opendns to filter content.


  • Moderator

    Blocking via DNS is just part of the solution…

    https://forum.pfsense.org/index.php?topic=88407.msg489190#msg489190



  • Set squid to non-transparent and apply the WPAD auto-config proxy (https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid).
    squidGuard can block HTTPS if squid is non-transparent. CMIIW.



  • Will WPAD work with phones and tablets, as that is 99% of the clients who are connecting?  I am not able to go around configuring everyone's devices because they come and go (like a public wifi).



  • I'd make a "best effort" to filter DNS without breaking the internet, which squid is so efficient at doing.

    People need to realize that unless you get into white listing, which I don't recommend, you can't have good internet and 100% censorship.



  • I know I can't have 100% censorship.  Right now we are using Untangle (free version) and it is working out fine for the web filter.  I did look into the openDNS solution, but they want lots of $$ for about 800 users even though we are a non-profit organization.

    Ideally, I would like to just block all https versions of sites that are currently listed in the blacklist I installed.  Is that somehow possible?  This would be a good enough solution for us that would not cost a ton of $$.


  • LAYER 8 Netgate

    The world is changing.  Get used to it.  You can't filter HTTPS other than DNS or IP address filtering.  Nobody can, no matter what they charge.



  • HEHE - They want a ton of money?

    They offer a free service, as do others.

    So, let's say your pfsense uses opendns for resolution and filtering (for free).

    Then you force all DNS requests on port 53 to hit your pfsense box for DNS.

    Your pfsense is caching DNS requests and there will be a ton of overlap in the requests even with hundreds of users.

    So as far as opendns is concerned, your pfsense box is one single user, not hundreds.

    Try it.
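    A small Python illustration of the hostname-level matching that a DNS-based filter (or squidGuard fed the Shalla domain lists mentioned earlier) applies, showing why the same list catches http and https alike when enforced at the name level. This is an added example, not code from the thread or from pfSense/squidGuard/OpenDNS; the list entries and the sinkhole address are constructed placeholders.

```python
# Added example (not from the thread): domain-suffix blocklist check of the kind
# a DNS-level filter applies, fed from a squidGuard/Shalla-style "domains" file.
from urllib.parse import urlsplit

# Constructed stand-in for a Shalla "domains" file: one host per line, '#' comments.
SAMPLE_DOMAINS = """\
# constructed sample, not a real category list
example-blocked.test
ads.example.test
"""


def load_domains(text):
    """Parse a Shalla-style domains file into a set of lowercase names."""
    names = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        names.add(line.rstrip("."))
    return names


def hostname_blocked(host, domains):
    """True if host or any parent domain is listed (a.b.c matches an entry b.c).
    Bare TLDs are never tested, so an entry like 'test' cannot block everything."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def dns_decision(qname, domains, sinkhole="0.0.0.0"):
    """What a filtering resolver answers: the sinkhole address for a listed name,
    or None meaning 'resolve normally'. Constructed sinkhole address."""
    return sinkhole if hostname_blocked(qname, domains) else None


def url_decision(url, domains):
    """Hostname-only verdict. It is identical for http and https because only the
    host (DNS name, TLS SNI, or CONNECT target) is visible without terminating TLS;
    a path-based rule could not be applied to an https URL this way."""
    host = urlsplit(url).hostname or ""
    return hostname_blocked(host, domains)


if __name__ == "__main__":
    domains = load_domains(SAMPLE_DOMAINS)
    for u in ("http://www.example-blocked.test/", "https://www.example-blocked.test/a"):
        print(u, "blocked" if url_decision(u, domains) else "allowed")
```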



  • Interesting idea.  How would I force all DNS 53 to go to the pfsense machine?  I guess I thought they already were with having DHCP turned on, and in transparent proxy mode.  I'm guessing by your response there is something more to it than that.

    Thank you all for your help on this issue too.  Network / routing is not my strong suit.



  • First of all, I'd bet you are not getting better than 6% cache hit with squid.  So, not a bandwidth saver.  Plus it either misses HTTPS altogether or breaks it.

    So, for me at least, a year of using it taught me it's better not to use it.

    It's for the most part a completely unnecessary layer of latency and complexity.


  • LAYER 8 Netgate

    @drick78:

    Interesting idea.  How would I force all DNS 53 to go to the pfsense machine?  I guess I thought they already were with having DHCP turned on, and in transparent proxy mode.  I'm guessing by your response there is something more to it than that.

    Thank you all for your help on this issue too.  Network / routing is not my strong suit.

    Like the attached.

    Note that if this becomes widespread, all the VPN providers will start offering DNS on alternate ports, the client software will catch up, and you'll be playing whack-a-mole again.

    ![Screen Shot 2015-02-14 at 10.24.45 PM.png](/public/imported_attachments/1/Screen Shot 2015-02-14 at 10.24.45 PM.png)



  • There is a Java tool that does DNS filtering by ACLs and/or blacklists, but I can't remember the name right now.

    SSL filtering works fine but needs a manual install of a CA certificate on devices.

    I guess wpad is not that simple on mobile devices too.



  • @marcelloc:

    I guess wpad is not that simple on mobile devices too.

    I know it doesn't work with Android out of the box, but you can set the proxy server. iPhones, though, can; you have to select auto in the proxy config for the wifi connection.



  • After reading all the wonderful replies and discussing it with the church board member I have been working with, we have decided that since most people with phones have their own data plans, the filtering here is not really that useful, so we will stick with the standard blacklist and not go any more complex than that.  If someone really wants to get to such websites, they can anyways, so why complicate the setup when it is easily bypassed.


  • LAYER 8 Netgate

    ^ Amen

    Though wasn't there a case way back when against AOL or Prodigy or someone that basically said, "If you attempt to protect your users by filtering content and something slips through you're liable but if you make no attempt there is no expectation of protection on the user's part so you're not liable for the content served?"  Or something like that?


  • Rebel Alliance Developer Netgate

    @Derelict:

    Though wasn't there a case way back when against AOL or Prodigy or someone that basically said, "If you attempt to protect your users by filtering content and something slips through you're liable but if you make no attempt there is no expectation of protection on the user's part so you're not liable for the content served?"  Or something like that?

    I'm no lawyer (obviously), but you may be thinking of what is now typically called "common carrier" status, which generally only applies to ISPs and the like.



  • I have also found that my networks work better when I'm not the one trying to cripple them (-:

