Kasp10.0 SCWC Userguidees

pfSense Web Filter - Filter HTTP(S) with SquidGuard | Open School Solutions

Published by Stephan on January 23, 2018

Source: https://openschoolsolutions.org/pfsense-web-filter-filter-https-squidguard/

As the system administrator of a school, you are constantly faced with the question of how far you should filter content from the Internet. This question must be answered wherever children and young people have access to the Internet, whether in schools, clubs, libraries, at home or any other public institution. Opinions on this subject are very diverse. There is no 100% protection. It is much more important to teach children and young people how to use the Internet responsibly. This is a very big challenge and takes time. Parents and educators are faced with this task and often do not know how best to approach it. Especially in schools, where you can't always keep an eye on the screens, a web filter is a great help. In some countries, a web filter for schools is even required by law. But sometimes it's just about blocking certain websites, such as Facebook, Netflix & Co. Therefore, in this tutorial I would like to show you how to set up a pfSense web filter.

Preliminary Remarks

pfSense is a widely used open source firewall that we use at our school. With the help of Squid (a proxy server) and SquidGuard (the actual web filter) we want to filter HTTP and HTTPS connections. For this tutorial we first need an active pfSense installation. The firewall can be downloaded here and installed according to these instructions.

How it works

Filtering HTTP connections is very easy and quick to set up. Since these connections are unencrypted, it is possible to examine them well and therefore block them completely or partially. Nowadays, more and more websites (even those you would like to block) use HTTPS, i.e. an encrypted connection between the user's browser and the web server.
Thanks to Let's Encrypt, anyone can now set up a free certificate for their website. This is a good thing in itself, because it increases security and makes many attacks impossible or more difficult. However, it also makes filtering for unwanted content more difficult. This "problem" can be solved in two ways:

1. Man-in-the-middle attack

One way is a conscious man-in-the-middle attack. The proxy server decrypts the HTTPS connection and rebuilds it. This allows it to view the connection and filter it accordingly. This concept is used by most web filter solution providers. The problem here is that this profound interference with the HTTPS connection means that the actual security provided by HTTPS is no longer guaranteed. A user can hardly recognize the difference if the certificate of the proxy server is trusted. But this security is deceptive. Even if this is the only way to speak of true content filtering, this solution is dangerous, very risky (implementation is not trivial) and, depending on the country, incompatible with the prevailing laws (keyword: data protection and privacy). Therefore, this route is not recommended for safety and legal reasons.

2. URL filter via SNI

Another possibility is filtering via SNI (Server Name Indication). Before the certificate is queried between browser and web server and thus an encrypted connection is established, the browser sends the domain name (FQDN) that it wants to query. This part is not yet encrypted and can therefore be read by a (transparent) proxy and used for filtering. The following figure illustrates the TLS handshake.

[Figure: TLS handshake between client and server, showing ServerHello (ciphers, ...), TLS key exchange, and data exchange (HTTP or other).]

You can easily see that the SNI is sent before the key exchange and the actual secure connection. We take advantage of this principle: in addition to the web filter for HTTP connections, we can also set up a URL filter for HTTPS connections without destroying HTTPS by a man-in-the-middle attack.

Safe-Search for search engines

Create firewall rules for DNS

Since we can't look into an HTTPS connection, unwanted images and videos may appear in a Google search, for example. Google and other search engines therefore offer a secure mode (Safe-Search), which we want to enforce. First we have to activate the DNS resolver in pfSense (under Services -> DNS Resolver) and then save and apply the changes.
