PfSense Web Filter - Filter HTTP(S) with SquidGuard | Open School Solutions
PfSense Web Filter — Filter HTTP(S) with SquidGuard
Published by Stephan on January 23, 2018
As the system administrator of a school, you are constantly faced with the question of how far you
should filter content from the Internet. This question must be answered wherever children and young
people have access to the Internet, whether in schools, clubs, libraries, at home or any other public
institution. Opinions on this subject are very diverse. There is no 100% protection. It is much more
important to teach children and young people how to use the Internet responsibly. This is a very big
challenge and takes time. Parents and educators are faced with this task and often do not know how
best to approach it. Especially in schools, where you can't always keep an eye on the screens, a web
filter is a great help. In some countries, a web filter for schools is even required by law. But sometimes
it's just about blocking certain websites, such as Facebook, Netflix & Co. Therefore, in this tutorial I
would like to show you how to set up a pfSense web filter.
Preliminary Remarks
pfSense is a widely used open source firewall that we use at our school. With the help of Squid (a
proxy server) and SquidGuard (the actual web filter) we want to filter HTTP and HTTPS connections.
For this tutorial we first need an active pfSense installation. The firewall can be downloaded here and
installed according to these instructions.
How it works
Filtering HTTP connections is very easy and quick to set up. Since these connections are unencrypted,
it is possible to examine them well and therefore block them completely or partially. Nowadays, more
and more websites (even those you would like to block) use HTTPS, i.e. an encrypted connection
between the user's browser and the web server. Thanks to Let's Encrypt, anyone can now set up a free
certificate for their website. This is a good thing in itself, because it increases security and makes
many attacks impossible or more difficult. However, it also makes filtering for unwanted content more
difficult.
This "problem" can be solved in two ways:
1. Man-in-the-middle attack
One way is a conscious man-in-the-middle attack. The proxy server decrypts the HTTPS connection
and rebuilds it. This allows it to view the connection and filter it accordingly. This concept is used
by most web filter solution providers. The problem here is that this profound interference with the
HTTPS connection means that the actual security provided by HTTPS is no longer guaranteed. A user
can hardly recognize the difference if the certificate of the proxy server is trusted. But this security is
deceptive. Even if this is the only way to speak of true content filtering, this solution is dangerous, very
risky (implementation is not trivial) and, depending on the country, incompatible with the prevailing
laws (keyword: data protection and privacy). Therefore, this route is not recommended for safety and
legal reasons.
2. URL filter via SNI
Another possibility is filtering via SNI (Server Name Indication). Before the certificate is queried
between browser and web server and thus an encrypted connection is established, the browser sends
the domain name (FQDN) that it wants to query. This part is not yet encrypted and can therefore be
read by a (transparent) proxy and used for filtering. The following figure illustrates the TLS handshake.
[Figure: TLS handshake between client and server. Recoverable labels: Client, Server, ServerHello (ciphers, ...), TLS key exchange, data exchange (HTTP or other).]
You can easily see that the SNI is sent before the key exchange and the actual secure connection. We
take advantage of this principle and in addition to the web filter for HTTP connections, we can also set
up a URL filter for HTTPS connections without destroying HTTPS by a man-in-the-middle attack.
Safe-Search for search engines
Create firewall rules for DNS
Since we can't look into an HTTPS connection, unwanted images and videos may appear in a Google
search, for example. Google and other search engines therefore offer a secure mode (Safe-Search),
which we want to enforce.
First we have to activate the DNS resolver in pfSense (under Services -> DNS Resolver) and then
save and apply the changes.