@doktornotor:

There is no need for MITM nor for installing certificates on clients when you explicitly set the proxy on clients. Squid will use CONNECT for HTTPS on sslports ACL to connect to HTTPS websites. If you want MITM, make the proxy transparent and stop configuring it on clients.

I want to be able to see HTTPS traffic for both inspection + caching. I've tried not configuring the proxy on clients and leaving on transparent mode. That's throwing errors too. Am I the only one having this issue?? I'm guessing the DNS alternative name isn't being mimicked by Squid properly. Since on Chrome mobile, that's an error it's saying "DNS alternative name invalid".

At the risk of stating the obvious: exemple is NOT the same thing as example. You keep producing that typo over and over and over again. When you keep obfuscating your setup and producing collateral typos in the way, it's impossible for others to debug anyway.

You've already been told how to debug in the post directly above.

thank you!!

Of course with your suggestion i am thinking in try the authenticator in my cenario. If works fine it´s the better option update the versions and use the sync.

Appreciate the location.

Are they viewed from a terminal command, or through the WebUI?

@niko2:

For those who have not reached to get it working : here is the trick (working on pfsense 2.3) :
in general settings tab of squidguard, there is an "apply" button.
it is mandatory to click after any changes, event on other tabs.
ACL groups work for me !
hopes this help :)

Work like a charm !!!

You are welcome.

We have the same problem… we have installed a diladele webfilter on our pfsense using peek-n-splice for scanning ssl trafic. WPAD does not work with the iOS devices in our wlan. The clients have to install our CA-Cert if they want to use the wlan. The default browser on the mobile devices is using the crt and we can scan the traffic. But Apps like Facebook and Whatsapp does not use DNS - they use ips to connect to there services. If you enter these IPs into the "Bypass Proxy for These Destination IPs" field on the squid config page on the pfsense they will connect directly. But i think this is a bad solution to add all ips seperated by semikolon in this one line field... so i'm trying to add these direct to the squid conf... if you say the "alway_direct" acl does not work - there must be another ACL rule for this... anybody have an idea?

Hi PiBa,

dang I thought I realised it that way myself on an 1.7 HaProxy Cluster but you're obviously right - it's still not supported.  :-X Maybe I suggest this one to the haproxy community so they'll implement it first.

If Facebook now owns Instagram, could it be that some Instagram services are co-mingled with Facebook servers?  If you're blocking the "Facebook" domain, depending on how Instagram resolves, it may land on a blocked Facebook server.  Other times when pfSense is resolving Instagram it could resolve to a non-blocked (not Facebook) server.  I think I read that pfSense uses the first IP of a domain and it will re-resolve when it needs to.
(?)
Just a shot in the dark.

Ok found the issue, when you clear your cache and go to the SDK Download page it asks what country, you must select USA to not get the redirect issue.
With downloading adobe AIR I do no know why they are just liking to the homepage.

@RickTosch:

Hi there,

I hope my reply does not come across as a hijacking one.
Similar scenario as LIGISTX. pfsense +squid in transparent more + SSL MITM. I just had to deploy certificates to Windows, Linux, iOS and android devices. My home environment consists of 10 machines so super tiny.
I guess I wont see much of a caching benefit?
The primary reason for squid for me was the use of built in Antivirus. I could not find HAVP in the package manager, like many guides reference too.

Can I ask please how you installed on Android?  I've installed my certificates, but when I disconnect from my wifi my devices 'connect' but on the devices they say they have no IP address.  They work with transparent HTTP but screw up when I add HTTPS, so I have to add them to the bypass filter.

Thanks in advance.

i know its been a while but i'll post my experience for future reference.

i had the same issue for quite some time and i solved it by making sure no peer (web server) had spaces on the names, i switches all the spaces to underscores and it was solved.

i can see you have a web server called "Win7 Test" … change that to "Win7_test" and that should do the trick. (at least it did it for me)

i hope it can solve the issue for at least some of you guys.

cheers.

i know its been a while but i'll post my experience for future reference.

i had the same issue for quite some time and i solved it by making sure no peer (web server) had spaces on the names, i switches all the spaces to underscores and it was solved.

i hope it can solve the issue for at least some of you guys.

cheers.