OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: ruggerio on December 25, 2018, 01:35:08 pm

Title: SNI Howto
Post by: ruggerio on December 25, 2018, 01:35:08 pm
Hi,

After reading a lot about SNI and setting up my transparent proxy, I expected that Squid would recognize an EICAR SSL virus according to SNI, but it didn't.

How can I test this?

Thx!
Title: Re: SNI Howto
Post by: ruggerio on December 28, 2018, 08:40:26 am
So, for other beginners like me, here is a brief conclusion about SNI. If I am wrong, feel free to post your comments, and I will correct this small howto.

1) What is SNI?
In fact, it is just a field sent within your request to a web server. Your browser has to support it. With this information, it doesn't matter which IP is behind it (e.g. www.google.com, which has a huge list or virtual hosting services).

2) What can I do with SNI?
You can filter web content based on the hostname. If you use remote access lists in Squid, e.g. UCF or shallalist, you will be able to filter out evil things :)

3) How do I do that?
Enable at least the HTTP and SSL proxy on both ports. Port 3129 really seems to be needed for SNI. If you use your proxy as a transparent one, do not forget to add port forwarding and network rules on the firewall. Squid will then filter the HTTPS traffic on port 3129 for the SNI information in the header.

4) How can I test if it's working?
If you have enabled the proxy and the remote lists (and have also chosen the corresponding filters within them), go to your remote access list provider and search for a website within a category you have chosen.

Then paste the corresponding URL into a new (preferably private) browser window. When you call it without SSL, Squid will give you a reject message. Then change from http to https and repeat. Now you will get an error about ssl-error-too-long (I always had those).

Go to your proxy log and check access. You should now see the URL with :443 (for SSL) appended and a denied message.

HTH