Check HTTP and HTTPS are Transparently Filtered
Install Trusted Proxy Certificate
In order for HTTPS filtering to function correctly we must install the proxy certificate from /opt/websafety/etc/myca.der into Trusted Root Certification Authority on all workstations in our network. Please see the Install Trusted Certificates for instructions how to do it. The self signed root certificate to be installed is available from the login page of Web Safety.
Filter Normal HTTP
The following screenshots show that normal HTTP requests were filtered transparently out of the box without any additional configuration.
Decrypt and Filter HTTPS
To filter HTTPS we need to enable HTTPS decryption in Admin UI / Squid / HTTPS/ Mode. See Enable HTTPS Filtering in Admin UI article for more information. After enabling of HTTPS filtering access to HTTPS sites is also filtered correctly.
We now have the default gateway in our network capable of transparently filtering HTTP and HTTPS traffic. All workstations in our network trust the root certificate from proxy and thus get their HTTPS request decrypted and filtered. Browsing environment in our network became much safer.
Block the QUIC protocol on your firewall, otherwise Chrome will be able to bypass the transparently redirected proxy when going to QUIC enabled sites, like google.com, youtube.com, etc. To block the QUIC protocol, add DROP rules for UDP protocol on port 80 and port 443 as shown below (somewhere above
-A FORWARD -j DROP rule). See more info at http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol.
# disallow QUIC protocol -A FORWARD -i ens33 -p udp --dport 80 -j DROP -A FORWARD -i ens33 -p udp --dport 443 -j DROP
Some more ideas to implement
- Read original Ubuntu router article at https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch