Netgate Discussion Forum
    Squid https filtering with wpad

    Cache/Proxy
    5 Posts 2 Posters 1.2k Views
    maverik1

      I thought wpad was supposed to allow me to filter https requests. I had originally implemented squid as a transparent proxy and was informed if I wanted to provide content filtering for https I needed to switch to wpad.

      I have since implemented wpad but maybe I am confused about https filtering as I do not see it working. Within squid.inc I have defined a personal acl:

      # one pattern per line in badwords.txt; -i makes the match case-insensitive.
      # Squid's ACL type for matching the request URL is url_regex (there is no bare "regex" type).
      acl badwords url_regex -i "/home/squid/badwords.txt"
      http_access deny badwords
      

      This allows me to filter web searches for any of the specified words I consider inappropriate. This works fine on non "https" search engines like Bing. But when using on Google or Yahoo which use "https" it fails to work.

      Is this something that is not capable of working in the way I want it to?

    KOM

        I thought wpad was supposed to allow me to filter https requests.

        WPAD helps your clients discover the web proxy by themselves, nothing more.

        I had originally implemented squid as a transparent proxy and was informed if I wanted to provide content filtering for https I needed to switch to wpad.

        Not quite. If you want to provide content filtering in HTTPS sessions, you can't run Transparent without installing a cert on every client to prevent MitM attack warnings. Specifying a proxy removes the requirement for a cert, and WPAD helps with the location of the proxy via auto-discovery.

        Do you know for sure that HTTPS is going through the proxy? Have you disabled ports 80,443 on LAN to enforce proxy usage?

    maverik1

          @KOM:

          I understand that in order to use transparent proxy for https I would have had to go the MitM way. I am not comfortable with having to install certs on each client. I have disabled port 80 and 443 on the LAN and have verified traffic is going through the proxy by using one of those proxy detection sites.

          So what do I do from here to use that custom acl with https?

    maverik1

            I guess what I am looking for isn't possible. With https the payload is encrypted thus making it impossible to filter keywords.

    KOM

              have verified traffic is going through the proxy by using one of those proxy detection sites.

              Don't do it that way. SSH in or connect via console and look at /var/squid/logs/access.log (going from memory here). Every URL fetched will be written here if squid is working properly. Verify that it is processing your HTTPS URLs.

              With https the payload is encrypted thus making it impossible to filter keywords.

              I thought it could if SSLBump was enabled during compile. SSH in again and run squid -v to see what options it was compiled with. I haven't played with this at all since I only need URL filtering and not keyword filtering.

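The two checks suggested in this thread (read access.log to confirm HTTPS is reaching Squid, and run squid -v to see whether SSL support was compiled in) can be made concrete, and doing so also shows why the url_regex ACL from the first post cannot match a Google or Yahoo search. The following is an added example, not code from the thread or from the Netgate squid package. The access.log lines, the badwords list and the squid -v output are all constructed here for illustration; the log lines follow Squid's native format, in which an explicit-proxy HTTPS request is logged as CONNECT host:port with TCP_TUNNEL, because Squid only relays the encrypted bytes and never sees the request path or query string.

```python
import re
from collections import Counter

# Constructed native-format access.log lines, standing in for
# /var/squid/logs/access.log on the firewall (not from the thread):
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1600000001.123    245 192.168.1.50 TCP_MISS/200 5120 GET http://www.bing.com/search?q=gambling+sites - HIER_DIRECT/13.107.21.200 text/html
1600000002.456   1800 192.168.1.50 TCP_TUNNEL/200 48213 CONNECT www.google.com:443 - HIER_DIRECT/142.250.72.196 -
1600000003.789    120 192.168.1.51 TCP_MISS/200 3311 GET http://example.com/news - HIER_DIRECT/93.184.216.34 text/html
1600000004.012   2100 192.168.1.51 TCP_TUNNEL/200 91002 CONNECT search.yahoo.com:443 - HIER_DIRECT/98.137.11.163 -
"""

# Constructed stand-in for the contents of /home/squid/badwords.txt
BADWORDS = ["gambling", "casino"]

# Constructed `squid -v` outputs: one built without SSL, one with it
SQUID_V_NO_SSL = ("Squid Cache: Version 3.4.10\n"
                  "configure options:  '--prefix=/usr/local' '--enable-icap-client'\n")
SQUID_V_SSL = ("Squid Cache: Version 3.5.27\n"
               "configure options:  '--prefix=/usr/local' '--with-openssl' '--enable-ssl-crtd'\n")


def parse_access_log(text):
    """Parse native-format access.log lines into dicts.

    For HTTP the url field is the full request URL; for HTTPS via an explicit
    proxy it is only host:port, since the request inside the tunnel is encrypted.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        entries.append({
            "time": float(fields[0]),
            "client": fields[2],
            "result": fields[3],   # e.g. TCP_MISS/200, TCP_TUNNEL/200
            "method": fields[5],   # GET, POST, CONNECT, ...
            "url": fields[6],
        })
    return entries


def keyword_hits(entries, words):
    """URLs that a `url_regex -i` ACL built from `words` would deny."""
    pattern = re.compile("|".join(re.escape(w) for w in words), re.IGNORECASE)
    return [e["url"] for e in entries if pattern.search(e["url"])]


def https_requests(entries):
    """CONNECT entries: evidence that HTTPS traffic is traversing the proxy."""
    return [e for e in entries if e["method"] == "CONNECT"]


def methods_seen(entries):
    """Per-method request counts, a quick sanity check on what the proxy handles."""
    return Counter(e["method"] for e in entries)


def sslbump_available(squid_v_output):
    """True if `squid -v` shows SSL support compiled in (older builds use
    --enable-ssl, Squid 3.5+ uses --with-openssl and --enable-ssl-crtd)."""
    flags = ("--with-openssl", "--enable-ssl", "--enable-ssl-crtd")
    return any(flag in squid_v_output for flag in flags)


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    print("methods:", dict(methods_seen(entries)))
    print("HTTPS through proxy:", [e["url"] for e in https_requests(entries)])
    print("keyword ACL would deny:", keyword_hits(entries, BADWORDS))
    print("SSL compiled in:", sslbump_available(SQUID_V_SSL))
```

Run against the constructed log, the keyword ACL denies only the Bing search, which travelled in plaintext; the Google and Yahoo searches contain the same word but are logged as CONNECT www.google.com:443 and CONNECT search.yahoo.com:443, so there is nothing for the regex to match. Without SSL bumping the only handle an explicit proxy has on an HTTPS request is the destination host and port, which is what a dstdomain-style ACL filters on.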
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.