Check HTTP and HTTPS are Transparently Filtered

Install Trusted Proxy Certificate

For HTTPS filtering to function correctly, we must install the proxy certificate from /opt/websafety/etc/myca.der into the Trusted Root Certification Authority store on all workstations in our network. See the Install Trusted Certificates article for instructions. The self-signed root certificate to be installed is available from the login page of Web Safety.

../../_images/root_ca.png

Filter Normal HTTP

The following screenshots show that normal HTTP requests were filtered transparently out of the box without any additional configuration.

../../_images/http_filtered2.png

Decrypt and Filter HTTPS

To filter HTTPS, we need to enable HTTPS decryption in Admin UI / Squid / HTTPS / Mode. See the Enable HTTPS Filtering in Admin UI article for more information. After HTTPS filtering is enabled, access to HTTPS sites is also filtered correctly.

../../_images/https_filtered2.png

Summary

We now have a default gateway in our network capable of transparently filtering HTTP and HTTPS traffic. All workstations in our network trust the root certificate from the proxy and thus get their HTTPS requests decrypted and filtered. The browsing environment in our network has become much safer.

Just in case, here is the archive with all scripts mentioned in this article.

Important

Block the QUIC protocol on your firewall, otherwise Chrome will be able to bypass the transparently redirected proxy when going to QUIC-enabled sites, like google.com, youtube.com, etc. To block the QUIC protocol, add DROP rules for the UDP protocol on port 80 and port 443 as shown below (somewhere above the -A FORWARD -j DROP rule). See more info at http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol.

# disallow QUIC protocol
-A FORWARD -i ens33 -p udp --dport 80 -j DROP
-A FORWARD -i ens33 -p udp --dport 443 -j DROP
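
Rule order decides whether these DROP rules ever match, so it is worth checking the saved ruleset rather than only confirming the lines are present. The following Python check is an added example, not part of the original article or its script archive: the function names and both sample rulesets are constructed for illustration, it assumes every option takes one value (no "!" negation or multiport), and it assumes the FORWARD chain policy is ACCEPT when no rule matches.

```python
# Constructed sample rulesets in iptables-restore format (not from the article).
GOOD = """\
*filter
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# disallow QUIC protocol
-A FORWARD -i ens33 -p udp --dport 80 -j DROP
-A FORWARD -i ens33 -p udp --dport 443 -j DROP
-A FORWARD -i ens33 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""
# Same QUIC rules, but a LAN-wide ACCEPT sits above them, so they never match.
BAD = """\
*filter
-A FORWARD -i ens33 -j ACCEPT
-A FORWARD -i ens33 -p udp --dport 80 -j DROP
-A FORWARD -i ens33 -p udp --dport 443 -j DROP
-A FORWARD -j DROP
COMMIT
"""

def forward_rules(text):
    """Yield '-A FORWARD' rules as {option: value}; assumes one value per option."""
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["-A", "FORWARD"]:
            yield dict(zip(tok[2::2], tok[3::2]))

def quic_gaps(text, iface, ports=("80", "443")):
    """Return the UDP ports on which a new flow from iface would be forwarded."""
    gaps = []
    for port in ports:
        for r in forward_rules(text):
            state = r.get("--state") or r.get("--ctstate") or "NEW"
            if (r.get("-i", iface) != iface or r.get("-p", "udp") != "udp"
                    or r.get("--dport", port) != port or "NEW" not in state):
                continue  # rule cannot match the first packet of a QUIC flow
            if r.get("-j") == "ACCEPT":
                gaps.append(port)
            if r.get("-j") in ("ACCEPT", "DROP", "REJECT"):
                break  # first terminating match decides the packet's fate
        else:
            gaps.append(port)  # no rule matched; chain policy assumed ACCEPT
    return gaps

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "QUIC can pass on UDP ports:", quic_gaps(rules, "ens33") or "none")
```

An empty result means new UDP flows to ports 80 and 443 from the given interface are dropped before any ACCEPT rule can admit them.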

Some more ideas to implement