Resolved
0 votes
hi need some help

OK, here is the setup:

ClearOS community gateway

Installed is web proxy and web access control.

Got it all to work; time restrictions work, so the proxy works great.

Problem is I can't access any HTTPS sites.

I know people say this can't be done.

But this is crazy, especially as HTTP is becoming redundant and HTTPS strict policy is going to become mandatory.

I know it can be done, as in NethServer, which is very similar to ClearOS, there is an option to enable SSL proxy.

So I think the devs should make this a must in addressing this situation, because to be honest, what good is an HTTP-only proxy today?

Until this gets developed, does anyone know how to get the ClearOS proxy to work with SSL?

If anyone has full instructions to accomplish this, that would be superb.

As I really need to get my kids off the internet at certain times, as they are staying up late after we go to sleep and waking up at 2 in the morning and staying awake. I can't turn the internet off as I am hosting web servers.
Wednesday, September 05 2018, 07:09 PM
Responses (5)
  • Accepted Answer

    Thursday, September 06 2018, 08:02 PM - #Permalink
    Resolved
    0 votes
    As Michael says, Gateway Management does time-based access control, as does the Web Access Control module in with the Proxy. Once the proxy is authenticated, I don't think you need SSL interception to get it to work. If you use firewall rules, the times are UTC, not local, and I guess you'd use the PC/device's IP addresses rather than the one you've used in your example. Also note that FORWARD rules do not work with the proxy. My preference would be for Gateway Management.
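An added example (not part of any reply in this thread): a shell helper that converts a local-time block window into the UTC values the iptables `time` match compares against, as the reply above points out, including the weekday shift when the conversion crosses midnight. The device IP, the +60 minute offset and the function names are constructed; the chain is a parameter because the reply notes that FORWARD rules do not work with the proxy, and `--contiguous` assumes an xt_time build that supports it.

```shell
#!/bin/sh
# Added example: translate a local-time block window into the UTC values
# that the iptables "time" match compares against.
DAYS="Mon Tue Wed Thu Fri Sat Sun"

# to_utc HH:MM OFFSET_MIN -> "HH:MM SHIFT"; SHIFT is the day change (-1, 0, 1)
to_utc() {
    h=${1%%:*}; m=${1##*:}
    h=${h#0}; m=${m#0}                      # avoid octal parsing of 08 / 09
    t=$(( ${h:-0} * 60 + ${m:-0} - $2 ))
    s=0
    if [ "$t" -lt 0 ]; then t=$(( t + 1440 )); s=-1; fi
    if [ "$t" -ge 1440 ]; then t=$(( t - 1440 )); s=1; fi
    printf '%02d:%02d %d\n' $(( t / 60 )) $(( t % 60 )) "$s"
}

# shift_weekdays "Mon,Tue" SHIFT -> the same list moved by SHIFT days
shift_weekdays() {
    out=""
    for d in $(echo "$1" | tr ',' ' '); do
        i=0; idx=-1
        for n in $DAYS; do
            if [ "$n" = "$d" ]; then idx=$i; fi
            i=$(( i + 1 ))
        done
        [ "$idx" -ge 0 ] || return 1        # unknown day name
        j=$(( (idx + $2 + 7) % 7 )); k=0
        for n in $DAYS; do
            if [ "$k" -eq "$j" ]; then out="${out:+$out,}$n"; fi
            k=$(( k + 1 ))
        done
    done
    echo "$out"
}

# build_rule CHAIN SRC_IP START STOP DAYS OFFSET_MIN (times and days are local)
build_rule() {
    start=$(to_utc "$3" "$6"); stop=$(to_utc "$4" "$6")
    days=$(shift_weekdays "$5" "${start##* }") || return 1
    extra=""
    # A window that wraps past 00:00 UTC needs --contiguous to stay one period
    if [ "$(echo "${stop%% *}" | tr -d :)" -lt "$(echo "${start%% *}" | tr -d :)" ]; then
        extra=" --contiguous"
    fi
    echo "\$IPTABLES -I $1 -s $2 -m time --timestart ${start%% *} --timestop ${stop%% *}$extra --weekdays $days -j REJECT"
}

# Constructed sample: block 22:00-06:00 local on school nights, local = UTC+1
build_rule FORWARD 192.168.1.50 22:00 06:00 Mon,Tue,Wed,Thu,Sun 60
```

The offset has to be updated when daylight saving changes, since the rule itself only ever sees UTC.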
  • Accepted Answer

    Thursday, September 06 2018, 09:21 AM - #Permalink
    Resolved
    0 votes
    OK, I'm going to go with a custom firewall rule. I've been looking for a rule but can't get it to work. This is what I have pulled together:

    $IPTABLES -I FORWARD -s 12.12.12.210 -m time --timestart 10:10 --timestop 10:15 --weekdays Mon,Tue,Wed,Thu,Sat,Sun -j REJECT

    Can someone tell me where I am going wrong?
  • Accepted Answer

    Thursday, September 06 2018, 12:16 AM - #Permalink
    Resolved
    0 votes
    Use the Gateway Management App https://gateway.management/ which can be found in the ClearOS Marketplace. You will love it! :)
  • Accepted Answer

    Wednesday, September 05 2018, 08:50 PM - #Permalink
    Resolved
    0 votes
    OK, thanks for the reply.

    I totally agree 100% with keeping within compliance, not only to protect the users using the network but also my customers once launched, to protect them and myself to the best of our capabilities.

    And it's not even to do with the £20 million pound minimum fine; a data breach of someone's sensitive data can have devastating effects on oneself.

    So fundamentally what you are saying, in real terms, is that to keep within legislation and secure, I'm not going to be able to use the web access control feature to boot my kids off the network at a certain time.

    So what approach do you suggest?

    Maybe a captive portal serving the wireless AP.
  • Accepted Answer

    Wednesday, September 05 2018, 07:47 PM - #Permalink
    Resolved
    0 votes
    HTTPS inspection has been a well-known issue for some time. And yes, many solutions include it while ClearOS doesn't. We feel we have leap-frogged the need for SSL inspection with Gateway.Management. Naturally, ClearOS is technically capable and there is nothing stopping someone from implementing this or even making an open source method, app in the marketplace, or patch that makes this easy on ClearOS. But before you go there, let me tell you why our governance team is opposed to this SSL intercept method of filtration.

    - We believe SSL interception works against the principles of safe Internet.
    - SSL interception requires that you de-validate the SSL certificate involved and requires that you force your users to accept a 'bogus' certificate not made by the content provider.
    - SSL intercept gateways are now prime targets for hacking due to their secondary objective now enabled by SSL intercept.
    - In the case of compliance standards, SSL interception violates role-based access provisions and other exclusivity and logging requirements.
    - In some countries, SSL Interception is illegal under wire-tapping interpretations of the law.

    Imagine that you are a three-letter government agency and want to look at everyone's traffic on the internet in a decrypted way. You would be able to see their banking passwords in plain text as well as seeing their other online passwords. One way to do that is to get the user to accept a certificate that you have the key for. You can then cause the users to accept alternate software updates, alternate pages, you'd see all their traffic and content, and the client machines would be unable to know if or when their security layers were compromised:

    https://cdt.org/insight/is-breaking-web-encryption-legal/
    https://www.zdnet.com/article/how-the-nsa-and-your-boss-can-intercept-and-break-ssl/

    "Organizations should ultimately lean on legal counsel to provide reliable guidance on employee privacy policies, domestic and abroad. In-house counsel, however, cannot be expected to have up-to-date expertise on every privacy law in every province and country throughout the world. Outside counsel, typically large international law firms, can leverage attorneys with specific expertise in the country of interest. Legal referral services help organizations choose an appropriate law firm if in-house counsel is not available. Moving forward with an employee monitoring program without legal advice is certainly an option, though there is an inherent risk to this strategy if the organization is ever called in front of a court. The ethics of potentially violating the privacy rights of individuals in their country should hopefully be of moral concern, as well."

    We've spent a lot of time and resources to make DNS filtration a mature offering that works well and is easy to use.

    You can find out more about this leap frog in technology here:

    https://www.youtube.com/watch?v=ZOWpNPAdfLI

    ...and here:

    https://www.clearos.com/resources/documentation/clearos/content:en_us:7_ug_gateway_management_business