Topic: WebProxy with Signed Certificates (Read 3046 times)
lomax0990 (Newbie, Posts: 11, Karma: 0)
Re: WebProxy with Signed Certificates
« Reply #15 on: July 27, 2023, 10:01:59 pm »
So one more question...
How do people handle BYOD situations for, say, student cell phones where we can't install a certificate?
We have some DNS filtering in place but were hoping to proxy that traffic also.
Patrick M. Hausen (Hero Member, Posts: 6837, Karma: 574)
Re: WebProxy with Signed Certificates
« Reply #16 on: July 27, 2023, 10:16:05 pm »
Use a separate VLAN with plain Internet.
And VPN combined with MDM if these users must access company resources.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Maurice (Hero Member, Posts: 1213, Karma: 158)
Re: WebProxy with Signed Certificates
« Reply #17 on: July 27, 2023, 10:56:15 pm »
What's your actual goal?
You can't and shouldn't proxy anyone's HTTPS traffic without their consent and cooperation. That's exactly what TLS is for, to prevent you from doing this.
If you want to block access to certain websites from your network, use IP blocklists. DNS filtering might work to some degree, too, but (thankfully) is becoming more and more ineffective with the spread of DoT / DoH.
OPNsense virtual machine images
OPNsense aarch64 firmware repository
Commercial support & engineering available. PM for details (en / de).
lomax0990 (Newbie, Posts: 11, Karma: 0)
Re: WebProxy with Signed Certificates
« Reply #18 on: July 27, 2023, 11:20:01 pm »
My goal is to allow students/staff to bring their own device but be able to block malicious sites, reverse proxies, porn, etc.
Then I would have other networks with different proxy rules.
These are already segmented by vlan.
IP blocklists seem to defeat the point. I can’t possibly block all of the bad sites by an IP blocklist.
« Last Edit: July 27, 2023, 11:22:12 pm by lomax0990 »
Maurice (Hero Member, Posts: 1213, Karma: 158)
Re: WebProxy with Signed Certificates
« Reply #19 on: July 27, 2023, 11:46:57 pm »
You can and should protect the devices owned and managed by your organisation, but not personal devices owned by students or staff. This is neither technically viable nor, frankly, your job. From their perspective, the WiFi they are allowed to use with personal devices is no different from any other public WiFi or mobile data (where no-one "protects" you either). Just make sure this network is isolated from the networks used by your organisation's devices.
If this is about accessing internal resources (not just the Internet) with personal devices, that's a whole can of worms on its own. Organisations which allow this typically require these devices to be managed by them, even though they are personally owned (MDM as suggested by Patrick).
cookiemonster (Hero Member, Posts: 1823, Karma: 95)
Re: WebProxy with Signed Certificates
« Reply #20 on: July 28, 2023, 11:38:36 am »
However, institutions are expected to block content in their networks, even when not accessing internal resources.
So say a guest network. If users were able to access questionable content, there is potential for reputational damage; so it's less of not being the admin's job to protect the users' devices. I imagine this is where the OP is coming from.
OP, you might want to see what Zenarmor can do for you.
Maurice (Hero Member, Posts: 1213, Karma: 158)
Re: WebProxy with Signed Certificates
« Reply #21 on: July 28, 2023, 12:31:56 pm »
@cookiemonster "Reputational damage" to an institution because it provides a simple guest network with plain Internet access? Now I've heard everything.
cookiemonster (Hero Member, Posts: 1823, Karma: 95)
Re: WebProxy with Signed Certificates
« Reply #22 on: July 28, 2023, 01:13:06 pm »
Yup, maybe it is different in different geographies, but where I am, the press is brutal. But it doesn't stop there.
There are statutory requirements too:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1105569/Online_safety_in_schools_and_colleges.Questions_from_the_Governing_Board__2022_.pdf
https://learning.nspcc.org.uk/research-resources/schools/e-safety-for-schools
https://www.gov.uk/guidance/meeting-digital-and-technology-standards-in-schools-and-colleges/filtering-and-monitoring-standards-for-schools-and-colleges
So the relationship is that if the institution fails its duty, the government will intervene. The press will ensure it doesn't go unnoticed.