With a little help from my Friends ;-)

Dear All
I am a volunteer working for a small caritative organisation in France.
Our goal is to bring people with no knowledge of computer/smatrphone to be able to face there daily needs in a full internet world aka things that using email, searching the internet, etc…
In our office I would like to setup a firewall to prevent us from outside “bad guys” but also to be able to filter what is going out. In other words not letting people to go to "non good/dangerous " sites.
I have undertand that this filtering capability is available in IPFire using list that can be downloaded in the application.
One of my main concern is :
Is IPFire able to filter HTTP sites as well as HTTPS sites, as HTTPS is more and more used today ???
Despite the fact that I have read posts that is steel unclear for me ???
Also the method to implement it .
Please find attached a drawing of our actual network and where I would like to move it.
Thanks for your help
Pierre

Hie Pierre,

for this you can use the proxy of ipfire with url-filter in non-transparent-mode. Have a look at URL filter for HTTPS

Good morning and wellcome @pierrelyon

IPFire with proxy in transparent mode does not analyze https pages. In mode non-transparent, yes.

You can use PAC file to easy configure web-browsers.

In Firefox:

In Edge:

imagen

Another thing. Haven’t you thought about segmenting the Wifi by putting another network card and let the AP go through that network card? I have it that way and that way, via Wifi, only those I want access.

Regards.

Hello, I am the OP of URL filter for HTTPS. For me the URL-Filter in the HTTPS proxy works regardless of whether I activate the transparent mode or not. It is also what I have been told by @arne_f in URL filter for HTTPS. Who is mistaken here?

My understanding (probably wrong) is that HTTP is automatically redirected in transparent mode. HTTPS is not, therefore IF the encrypted connection is going trough the proxy, it get filtered. However, because it does not happen automatically, it gets filtered only if the client is going trough the proxy “voluntarily”, as in it is set to go trough the proxy. If we assume the network administrator has not such control on his users, the only way to make sure that everything is filtered is to block at the firewall level any connection that is going to the red interface without passing through the proxy. At that point when the affected user calls the admin asking why “internet is not working”, the admin will tell him/her how to set their computer so that they use the proxy.

Thanks All for your answer

Linus F. the situation you stated in your original post :
" The underaged students should be allowed to work and use the web unsupervised, which makes a filter mandatory"
is exactly the same as mine.
Did you came to an end on that ???
You didi you set it up???
I have see also the WAD file suggestion but this is not usuable because we have some people who connect to the network during the training using there onwn equipment and I don"t have pratical mean to configure all the browsers.

As far as I know, the only way is to set up the proxy and url filter and block any connection from the green/blue network to the red. At this point all your users will not be able to connect to internet. Then you have to disseminate the information on how to set up the proxy server in their operating system. I believe for a wifi connection you can use the captive portal to give such instructions on their web browser. Otherwise you send them an email. Or something like that.

Its not easy to get full WPAD autoconfig working for most of the clients.

You need a webserver in your local network (that run on port 80 and deliver the matching wpad.dat/proxy.pac in his document root) than you need a dns/host entry wpad.yourlocaldomain that points to this server and a dhcp wpad entry. (because some browsers use the dns entry and some the dhcp)

I don’t know how many PCs you’re talking about and what kind of systems are running on them, but maybe you should consider to run a domain controller to identically configure all clients. But this may still be problematic with laptops and of course smartphones. That’s why I only force non-wifi defices to use proxy configuration.

Why is that? Because of different os architectures? I run a domain controller on Windows Server 2016 which even works with Windows 2000 clients (just for testing purpose - I was surprised) so I hope there is a single, universal sollution at least for Windows clients. Also I hope that this will be the same for Android and iOS clients. This should be a good start.

Is there a howto do that with ipfire?

Because you need a webserver on port80 without this some dumb browser are not find the wpad.dat.

IPFire has no default webserver that run on port80 so you need an other server in your lan or you hafe to create a new vhost.

Never used that addon before: https://forum.ipfire.org/viewtopic.php?f=6&t=1882&sid=76d801572a404d30e0105023c99cb2d3&start=15

Shouldn’t that be a safe soution for the infastructure? Tiny/MiniCore + Webserver?

I just setup the clients (browser or OS-wide) to use 10.16.1.254:800 (ipfire) as proxy for all ports (including HTTPS). Then the url filter worked right away!

But a user could simply set the browser settings back to “no proxy”, which is why I added a firewall rule to block all HTTPS traffic.

That’s sufficient as far as I understand.