Dansguardian SSL Blocking not redirecting

jetberrocal

I am new to Pfsense and Linux.  Please provide detailed answers.

I installed and configured Dansguardian to block some HTTPS links (facebook for example)

It does block the page but it does not redirect to the Access Denied page that use for the HTTP blocks, it just blocks and the browsers show connection error page.

Do you know how to make it redirect to a page when bloking HTTPS.

I have pfSense 2.1.5 RELEASE. Using squid3-dev and Dansguardian default packages

jetberrocal

@jetberrocal:

I am new to Pfsense and Linux.  Please provide detailed answers.

I installed and configured Dansguardian to block some HTTPS links (facebook for example)

It does block the page but it does not redirect to the Access Denied page that use for the HTTP blocks, it just blocks and the browsers show connection error page.

Do you know how to make it redirect to a page when bloking HTTPS.

I have pfSense 2.1.5 RELEASE. Using squid3-dev and Dansguardian default packages

In case you need to know.  I am using squid3-dev with https support enabled.

??? If you need more information to clarify the question please ask it.  As I said, I am new and do not know what you need in order to help me.

:( Also I want to clarify that even that I am forum member since 2010, actually my experience was for a really small project of less than a month and other version.

marcelloc

@jetberrocal:

It does block the page but it does not redirect to the Access Denied page that use for the HTTP blocks, it just blocks and the browsers show connection error page.

Without ssl interception, proxy server can't open ssl connection to show an access denied error page. That's why you see a connection error instead.

The only way to do this is with https ssl interception.

jetberrocal

@marcelloc:

@jetberrocal:

It does block the page but it does not redirect to the Access Denied page that use for the HTTP blocks, it just blocks and the browsers show connection error page.

Without ssl interception, proxy server can't open ssl connection to show an access denied error page. That's why you see a connection error instead.

The only way to do this is with https ssl interception.

Thank you for being available.  :)

On the Squid General Settings page I have:

Under "Squid General Settings" section:
"Proxy interface(s)" = LAN
"Proxy Port" = 3128
"Allow users on interface" = enable
Else default

Under "SSL man in the middle Filtering" section:
"HTTPS/SSL interception" = enabled
"SSL Intercept interface(s)" = LAN
"SSL Proxy port" =  Empty (I am not using transparent mode)
CA = Selfsigned Certificate created with and assinged to the pfsense Box
"Remote Cert checks" = (Do not verify remote certificate) selected
Else default

"Custom Settings" section:
Emtpy

On Dansguardian General Tab

Under "SSL man in the middle Filtering" section
CA = Same as Squid CA
Cert = webconfigurator (Selfsigned certificate created from the CA of the pfsense Box)

Report and Log Tab:

Reporting Section:

"Reporting level" = Use HTML template file
"Access denied CGI" = Empty
"Reporting Options" = (Show Weighted found) selected

??? What else do you need that I provide from my configuration to identify the problem?

jetberrocal

@marcelloc:

@jetberrocal:

It does block the page but it does not redirect to the Access Denied page that use for the HTTP blocks, it just blocks and the browsers show connection error page.

Without ssl interception, proxy server can't open ssl connection to show an access denied error page. That's why you see a connection error instead.

The only way to do this is with https ssl interception.

It is being a week since your reply.  Probably you are very busy, or maybe are on vacation or not filling well.  I hope your are OK.

Most threads that I found about about HTTPS SSL interception related to my case problem ends in silence without resolution.  The others are for transparent mode, squidguard or old Squid versions.

I really would like to know the solution to my case problem, but I really need help to solve it.  If it can not be solved, then tell me, do not leave it in silence.  Linux tradition is, no news is good news.  Silence is not a good answer.

Again.  What can I provide to better define the problem, and to diagnose the final answer?  :'(

killmasta93

Try this https://forum.pfsense.org/index.php?topic=72528.0

Let me know how it goes I will try it next week been new to pfsense its really different compared to ddwrt

jetberrocal

@killmasta93:

Try this https://forum.pfsense.org/index.php?topic=72528.0

Let me know how it goes I will try it next week been new to pfsense its really different compared to ddwrt

I was tempted to try Diladale but, I have decided for the moment to keep trying to use Dansguardian.

The suggested application does not have a pfsense package and it is a subscription based licence.  Looks good but after each upgrade it will probably break the instalation.  There is no support on the pfsense forum and every year you have to pay the subscription licence.

I still hope that my problem can be solved and Marcelloc can help me diagnose the problem and suggest the solution.  If not, I will test the upgrade to pfsense 2.2 and try E2guardian when becomes available.

exograpix

Hi,

I was not able to configure dans with squid with https filtering, and I feel there is no proper process too.

What we are working right now is pfsense 2.1.5, squid3-dev and squidguard combination and its working ok. I was not able to do it in later version of pfsense, so sticking to older version and waiting for e2guardian.

killmasta93

ohhh hmm..so its possible https (blocking facebook) version 2.1.5 with squid3-dev and squidguard combination?

exograpix

Yes it works fine, though require some tweaking in squid but working.

killmasta93

exograpix when you mean tweaking in squid do you mind if i ask how? or what did you tweak?  :)

jetberrocal

@exograpix:

Hi,

I was not able to configure dans with squid with https filtering, and I feel there is no proper process too.

What we are working right now is pfsense 2.1.5, squid3-dev and squidguard combination and its working ok. I was not able to do it in later version of pfsense, so sticking to older version and waiting for e2guardian.

I have the same filling as I found many threads with people asking for help on the same problem, but they receive silence as their answer. Every time it says that it can not be done with transparent proxy, implying that it can be done with explicit proxy mode, but no one share the secret of how to do it.

Following the path of Squidguard I would like to know how to use both at the same time.  For instance use squidguard for HTTPS traffic only and Dansguardian for HTTP traffic only, with the same Squid proxy server.  Since Dans has more feautures than Squidguard, I would used it for HTTP traffic, but then since it seems that does not work satisfactorily for HTTPS, replace it with Squidguard for the HTTPS traffic which people has being succesfull with it.

By the way, on pfsense 2.2.2 I am also having problems with Dansguardian not parsing the conf files after an upgrade from pfsense 2.1.5.  Installing pfsense 2.2.2 from scrach and then installing packages from scratch I found problems with Freeradius.  I think will have to wait  for a more mature pfsense 2.2 version not only for e2guardian but for the other packages.

killmasta93

jetberrocal i know how you feel  :( Tomorrow im going to downgrade to 2.1.5 and going to install  e2guardian though ssh and will let you know how it goes. I feel like there's not much help just people pointing to wiki guides. I come from ddwrt and man…people are more helpful. BTW 2.2.2 nat rules are not working as well.

jetberrocal

I made some trial and error on my Dansguardian groups and finally I reached a point where I am closer to a working HTTPS Blocking with succesfull redirection.

I was missing in the group configuration to select "Filter ssl sites forging SSL Certificates"  :-[

Now I get a Dansguardian denied page with the error "Certificate supplied by server was not valid"

Looking for that error in the forum I found the thread :

https://forum.pfsense.org/index.php?topic=43786.msg243541#msg243541

It goes to a dead end. But thread is for pfsense 2.0 and older Dans package.

:)  At this point I may reach a workable point, but there are some missing pieces.  If I add the sites to the exception list it will pass.  So I can select in a inverted mirror all the categories not selected in the banned list.  This will make it work like Squidguard.  If I could add all the categories to the gray list instead of the exception list, it will allow the categories but still do content filtering.  The HTTP sites will pass as normal.

The missing piece are:

1. HTTPS sites are still block on the gray list because of the error "Certificate supplied by server was not valid". When doing SSL interception, the certificate is always replace by squid, so if posible, find a way to cancel this error on all HTTPS sites.
2. How to add the categories to the gray list (No the thousands of sites individually)

Maybe you can indentify other missing peices, but if not I think this could be feasible. From the security stand point, the experts can advice.

I do not know how to do it, I am more a GUI user, that is why I use pfsense instead of building a Debian or Ubuntu system.

jetberrocal

:'( Actually the missing piece 1 is already an option but is broken.

Access Lists - Group options:
"Check Server SSLCertificates (Off)"

:( I tried to follow the thread and installed the CAs certificates from Mozilla Firefox but it still does not work.

This means, that Dansguardian SSL Filtering is broken for Transparent AND Non-Transparent mode.

At least until someone proves me wrong.

It does blocks the HTTPS Sites but with a Connection Error page in the Browsers instead of by a proffesional block page like the HTTP Block page, and probably it does not do Content Filtering Dans way just URL/Site Filtering.

If you are OK with this blocking mode in your Clients/Organization/Business then go ahead.  For HOME maybe is OK.

killmasta93

Personally i just did http with squid and squidGuard and https with pfBlockerNG as you said it does not look as professional but if you think about a person usually when they type on the url its always facebook.com it goes to http but if they go to google and type facebook then yes its https. One thing i could not block was youtube the way i wanted to. Not even though IP i had to do DNS overide but that blocks everyone unfortunately.    :(

jetberrocal

@killmasta93:

Personally i just did http with squid and squidGuard and https with pfBlockerNG as you said it does not look as professional but if you think about a person usually when they type on the url its always facebook.com it goes to http but if they go to google and type facebook then yes its https. One thing i could not block was youtube the way i wanted to. Not even though IP i had to do DNS overide but that blocks everyone unfortunately.    :(

I am still on pfsense 2.1.5, has no pfBlockerNG on packages list.

killmasta93

I upgraded to 2.2.2 but you can use pfblocker but pfBlockerNG way much better

Higgins

Hi Guys,

i do not understand the behaviour of dansguardian wit NO ssl-interception.

Fact is, that dansguardian has decided, that the required URl is inappropreiate. This must be a decission on behalf of URL, IP or something else OUTSIDE the SSL connection.

So why should dansguardian not be able to redirect the request?

This seems a bug in dansguardian for me.

Greetings