OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: Deku2 on April 27, 2021, 02:06:05 am

Title: web filtering https without mitm
Post by: Deku2 on April 27, 2021, 02:06:05 am
I want to use the web proxy filtering for ssl without doing the entire ca ssl mitm.  I don't need to inspect, cache or authenticate anything.  I just want to block people from going to youtube and social media sites.  That shouldn't require me doing anything within SSL.  However, I can't get it to work.  When I do the transparent proxy forward on the ssl port, it just breaks the internet.

help please
thanks
Title: Re: web filtering https without mitm
Post by: bartjsmit on April 27, 2021, 07:53:18 am
The only part of an HTTPS connection that is clear text is the DNS lookup. Don't bother with a transparent proxy, set youtube.com etc. on your DNS server to point to 127.0.0.1 instead and block your clients from using internet DNS servers by a firewall rule.

Beware that this will only stop casual users but will still let URL shortening services through.

Bart...
Title: Re: web filtering https without mitm
Post by: Deku2 on May 04, 2021, 01:51:42 am
Thanks, I'm trying to move to the unbound dns via DNSBL, but the lists are not as extensive as those for the proxy.  If I wanted to block all video streaming sites, it would be a very difficult task via DNSBL.  I just can't find good lists like you can with squid. 
Title: Re: web filtering https without mitm
Post by: bartjsmit on May 04, 2021, 08:00:47 am
If you have a URL list, run a script to pick out the FQDNs and add those to a DNS block list.

You're obviously running the risk of false positives (e.g. http://interesting.site.com/video) and you'll miss any IP address links in the Squid list. You'd need to add those to an alias you block on a firewall rule.

Bart...
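One way to do what the reply describes, as an added example that is not from this thread or from OPNsense: it reads a Squid-style URL/domain list, keeps the FQDNs for an Unbound block list, separates bare IP addresses for a firewall alias, and flags hosts that only ever appear with a path (the false-positive case above). The sample list and the function names are constructed for the example; the `local-zone ... redirect` / `local-data` lines are standard Unbound syntax that sinks the host and all its subdomains to 127.0.0.1.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the style of a Squid urls/domains list.
SAMPLE_LIST = """
youtube.com
www.youtube.com/watch?v=abc
https://vimeo.com/
http://interesting.site.com/video   # blocks all of interesting.site.com
203.0.113.10
http://198.51.100.7/stream
youtube.com
"""

def extract_hosts(lines):
    """Return (fqdns, ips, path_only), each sorted.

    path_only: hosts seen only with a path; a DNS block would take the
    whole host down, so review them for false positives.
    """
    fqdns, ips, with_path, bare = set(), set(), set(), set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # urlsplit only yields a netloc when a scheme or '//' is present.
        parts = urlsplit(line if "://" in line else "//" + line)
        host = (parts.hostname or "").lower().rstrip(".")
        if not host:
            continue
        try:
            ipaddress.ip_address(host)  # bare IP: goes in a firewall alias
            ips.add(host)
            continue
        except ValueError:
            pass
        fqdns.add(host)
        (with_path if parts.path.strip("/") else bare).add(host)
    return sorted(fqdns), sorted(ips), sorted(with_path - bare)

def unbound_entries(fqdns, sink="127.0.0.1"):
    """Unbound lines that answer each host and all its subdomains with the sink."""
    out = []
    for host in fqdns:
        out.append(f'local-zone: "{host}" redirect')
        out.append(f'local-data: "{host} A {sink}"')
    return out
```

Run `extract_hosts(SAMPLE_LIST.splitlines())`, feed the first result to `unbound_entries`, put the second into a firewall alias, and check the third by hand before blocking.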