WebProxy with Signed Certificates

Started by lomax0990, July 26, 2023, 03:28:00 AM

So one more question...

How do people handle BYOD situations, for say student cell phones, where we can't install a certificate?

We have some DNS filtering in place but we're hoping to proxy that traffic also.

Use a separate VLAN with plain Internet.

And VPN combined with MDM if these users must access company resources.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

What's your actual goal?

You can't and shouldn't proxy anyone's HTTPS traffic without their consent and cooperation. That's exactly what TLS is for, to prevent you from doing this.

If you want to block access to certain websites from your network, use IP blocklists. DNS filtering might work to some degree, too, but (thankfully) is becoming more and more ineffective with the spread of DoT / DoH.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

July 27, 2023, 11:20:01 PM #18 Last Edit: July 27, 2023, 11:22:12 PM by lomax0990
My goal is to allow students/staff to bring their own device but be able to block malicious sites, reverse proxies, porn, etc.

Then I would have other networks with different proxy rules.

These are already segmented by VLAN.

IP blocklists seem to defeat the point. I can't possibly block all of the bad sites by an IP blocklist.

You can and should protect the devices owned and managed by your organisation, but not personal devices owned by students or staff. This is neither technically viable nor, frankly, your job. From their perspective, the WiFi they are allowed to use with personal devices is no different from any other public WiFi or mobile data (where no-one "protects" you either). Just make sure this network is isolated from the networks used by your organisation's devices.

If this is about accessing internal resources (not just the Internet) with personal devices, that's a whole can of worms on its own. Organisations which allow this typically require these devices to be managed by them, even though they are personally owned (MDM as suggested by Patrick).

However, institutions are expected to block content in their networks, even when not accessing internal resources.
So say a guest network. If users were able to access questionable content, there is potential for reputational damage; so it's less a matter of it not being the admin's job to protect the users' devices. I imagine this is where the OP is coming from.
OP, you might want to see what Zenarmor can do for you.

@cookiemonster "Reputational damage" to an institution because it provides a simple guest network with plain Internet access? Now I've heard everything.