Content filtering using Diladele Web Safety - a service I can trust?



  • TLDR;  This is a post regarding Diladele Web Safety + pfsense for home use and not discussion about the moral/ethical implications of sniffing a users encrypted traffic.  I'm simply trying to keep my family safe.

    Background:

    I have the current version of pfsense 2.2.4 up and running using Squidguard with blacklists, but I have crafty teenagers and need the added level of https content filtering.  I've used Dansguardian in the past so I'm familiar with the setup and config but it doesn't address https.  I've tried Sophos software UTM for home, but it's crazy complicated to set up.  I'm close to purchasing a turn-key UTM appliance to get the content filtering.

    Has anyone used Diladele Web Safety?  I've scoured the interwebs and have seen lots of install/implementation posts, but no reviews.  Since they offer a service can they be trusted?  Are there alternatives I'm missing?  Can anyone provide an honest assessment?

    I'm planing on rolling back to 2.1.5 of pfsense to get it working, unless there's something in the roadmap for pfsense I'm not aware of.

    Any feedback is appreciated.



  • Why don't you just run Squid in non-transparent mode?

    You can use the WPAD auto-configure function to reduce any configuration work on the client side.
    See:  https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

    Just block HTTP and HTTPS to any destination except pfSense to force the use of the proxy.



  • Appreciate the reply.

    I've tried non-transparent mode but dealing with teenagers complaining they can't reach this or that site is an exercise in futility.  Squid in transparent mode suits my family needs and protects my sanity.  I don't mind installing CA certificates on all devices, I just need to monitor the https traffic.

    Can you suggest another solution?



  • If you're willing to go round and install certs on all devices, why not just set their proxy settings instead and run squid in explicit mode?  If you implement WPAD, you wouldn't even have to do that much for the most part.  WPAD is a simple standard that allows most devices to auto-detect the proxy on their own.  You can then process their HTTPS traffic without MitM warnings.  Pretty much everything either supports WPAD or manual proxy.  Android specifically does NOT support WPAD for some bizarre reason, but you can set the proxy per hotspot.  I really don't see any reason to use a commercial service when you could achieve similar results with squid, squidguard and a blacklist.  Another layer would be to configure their DNS to use OpenDNS Family Shield or Norton ConnectSafe.


Log in to reply