Integrate Squid and Web Safety

To integrate Web Safety and Squid, go to pfSense UI / Services / Squid Proxy Server, scroll all the way down and click the Advanced Options button as shown in the following screenshot.

../../_images/advanced_options.png

Then type the following lines into the Custom Options (Before AUTH) field.

# ICAP integration with the Web Safety filter
include "/opt/websafety/etc/squid/icap.conf"
include "/opt/websafety/etc/squid/adaptation.conf"

../../_images/customacl.png

Scroll down, click the Save button and restart the Squid proxy.

../../_images/customacl_restart.png

Try to browse to an adult site and check that HTTP filtering works correctly.

../../_images/blocked_http.png

Now we need to enable SSL Filtering so that Web Safety filters HTTPS requests too. Create a certification authority in pfSense / System / Cert Manager.

../../_images/camgr0.png ../../_images/camgr.png

Click Save.

../../_images/camgr1.png

This CA certificate will be used to bump HTTPS connections, that is, Squid terminates the TLS session itself and presents the client with a certificate signed by this CA. Go to pfSense UI / Services / Squid Proxy Server, scroll to SSL Man-in-the-Middle filtering and fill in the fields as shown in the following screenshot. Note that we leave the port settings empty because we are not doing transparent HTTPS filtering for now. Save and restart the Squid service.

../../_images/sslmitm.png

If you navigate to google.com now, you will clearly see that the HTTPS connection was decrypted: the browser shows a warning about the SSL certificate. This is expected, because the browser does not yet trust the CA that signed the proxy's certificate.

../../_images/warn.png

To get rid of this warning, install the root CA certificate from the pfSense box as trusted in your browser(s). Download the certificate from pfSense UI / System / Cert Manager and import it into the trusted certificate store as shown in the following screenshots (the instructions apply to Google Chrome, Internet Explorer and Opera; the steps for Firefox are different because it uses its own certificate store rather than the system-wide one). Export only the certificate; the CA's private key must stay on the pfSense box.

../../_images/export.png ../../_images/export1.png ../../_images/export2.png ../../_images/export3.png ../../_images/export4.png

After importing the certificate, reopen your browser, navigate to Google and make sure the certificate warning is gone. If you click the lock icon in the address bar, it clearly shows that the google.com certificate was signed by the proxy's certificate and not by Google's original certificate.

../../_images/bumped.png
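
The issuer check described above can also be done from a shell, which is useful for confirming on each client that bumping is active and that the issuer is your own CA. This is an added example, not part of the original guide: the function names are hypothetical, and the CA names, host name and certificates are constructed locally so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example: decide whether a served certificate was issued by the proxy CA.
# Every name, subject and file below is constructed for the demonstration.

# issued_by CA_PEM LEAF_PEM -> exit 0 only if the leaf names the CA as its
# issuer AND the leaf's signature verifies against that CA.
issued_by() {
    local ca="$1" leaf="$2"
    [ "$(openssl x509 -noout -issuer_hash -in "$leaf")" = \
      "$(openssl x509 -noout -subject_hash -in "$ca")" ] || return 1
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1
}

# make_ca DIR NAME: constructed self-signed CA standing in for a real one.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA_NAME LEAF_NAME: server certificate signed by that CA.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/$2.pem" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.pem" 2>/dev/null
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
make_ca   "$WORK" proxy-ca           # stands in for the CA made in Cert Manager
make_ca   "$WORK" origin-ca          # stands in for the site's public CA
make_leaf "$WORK" proxy-ca  bumped   # what a client sees through the bumping proxy
make_leaf "$WORK" origin-ca direct   # what a client sees without bumping

for c in bumped direct; do
    if issued_by "$WORK/proxy-ca.pem" "$WORK/$c.pem"; then
        echo "$c: issued by the proxy CA (connection was bumped)"
    else
        echo "$c: not issued by the proxy CA"
    fi
done
```

For a live check, save the certificate actually served through the proxy with `openssl s_client -proxy PROXY_HOST:PROXY_PORT -connect google.com:443 -servername google.com </dev/null | openssl x509 > seen.pem` (proxy address is a placeholder) and pass `seen.pem` together with the CA certificate exported from Cert Manager to `issued_by`.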

If you search Google for adult-only terms (e.g. NSFW), Web Safety blocks access to the explicit content and shows its denied page.

../../_images/blocked_https.png