Web Filter for Your Network
  • Administrator’s Guide 7.0 (Stable)
  • Administrator’s Guide 6.4 (Old Stable)
  • Version History
  • Frequently Asked Questions (FAQ)
    • Web Filtering
    • ICAP Errors
    • Squid and HTTPS / SSL Filtering
      • Why it is required to have self signed Root CA for HTTPS Decryption?
      • Possible Alternatives to Web Filtering Proxy
      • What filtering settings are recommended when NO HTTPS decryption is allowed?
      • SSL Filter and Mobile Apps
      • Issues with HTTPS filtering in Google Chrome
      • Squid Proxy Authentication
      • Why browser is being redirected to Web Safety UI running on Squid when I visit some sites?
      • How to fix X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY Squid error
      • Why I see “Cannot connect to site using HTTPS” browser message instead of usual “Site is blocked”?
      • Why HTTPS filtering exclusions do not work when Squid intercepts HTTPS connections transparently?
      • How to enable caching on Squid for Windows?
      • How to enable HTTPS decryption (SslBump) in Squid 3.5 for Windows?
      • How to allow non standard HTTP(S) ports through Squid?
      • Does Web Safety support WPAD/PAC proxy configuration?
      • How to deploy Root Certificate of Web Safety using Group Policy?
    • Web UI
    • Traffic Monitoring
    • General Questions
  • Web Filter Tutorials
  • How to build Squid
  • Docker and Squid
  • Archived (Obsolete) Documentation
Web Safety 7.0
Download Virtual Appliance
Web Filter for Your Network
  • Docs »
  • Frequently Asked Questions (FAQ) »
  • Squid and HTTPS / SSL Filtering »
  • What filtering settings are recommended when NO HTTPS decryption is allowed?

What filtering settings are recommended when NO HTTPS decryption is allowed?

It is not allowed to decrypt HTTPS connections at the place of deployment (because we are not owner of the network). What settings are recommended to still filter network access?

The Web Safety is primarily designed to filter based on the content of pages transferred through network connections and thus ability to look into the traffic is important. Nevertheless, it is still possible to setup the application in such a way that it filters non encrypted HTTP protocol and domain names being connected to (think SNI filtering).

  1. Ensure your UI / Squid Proxy / HTTPS Decryption settings is set to Disabled as indicated on the following screenshot.

    ../../_images/https_filter_disabled.png

  2. In each of the filtering policies in UI / Web Filter / Policies / Policy / Advanced clear the [ ] Decrypt HTTPS / SSL Connections checkbox and [ ] Show blocked page for initial HTTPS connections checkbox as indicated on the following screenshot.

    ../../_images/policy_https_filtering_cleared.png

From now on your proxy will not decrypt HTTPS connections and connection to sites that trigger blocking by for example SNI (domain name in SSL certificate) will be just terminated. Note no standard blue blocked page will be shown to the user because showing it requires to have HTTPS decryption in place.

Next Previous

© Copyright 2019, Diladele B.V.