Web Filter for Your Network

What filtering settings are recommended when NO HTTPS decryption is allowed?

Decrypting HTTPS connections is not allowed at the place of deployment (because we are not the owner of the network). What settings are recommended to still filter network access?

Web Safety is primarily designed to filter based on the content of pages transferred through network connections, so the ability to look into the traffic is important. Nevertheless, it is still possible to set up the application so that it filters the unencrypted HTTP protocol and the domain names being connected to (think SNI filtering).

  1. Ensure that the UI / Squid Proxy / HTTPS Decryption setting is set to Disabled, as indicated on the following screenshot.

    ../../_images/https_filter_disabled.png
  2. In each of the filtering policies, in UI / Web Filter / Policies / Policy / Advanced, clear the [ ] Decrypt HTTPS / SSL Connections checkbox and the [ ] Show blocked page for initial HTTPS connections checkbox, as indicated on the following screenshot.

    ../../_images/policy_https_filtering_cleared.png

From now on, your proxy will not decrypt HTTPS connections, and connections to sites that trigger blocking, for example by SNI (domain name in SSL certificate), will simply be terminated. Note that the standard blue blocked page will not be shown to the user, because showing it requires HTTPS decryption to be in place.


© Copyright 2022, Diladele B.V.