Well… HTTP proxy can run in both explicit and transparent mode and this has nothing to do with SSL-Bump.
These are 2 different aspects and the only relationship is when you want/need to deal with HTTPS in transparent mode or if you want/need to analyse HTTPS content.

However, what needs to be understood is that from browser view point, proxy is either defined (whatever the way you define it) or not. If proxy is defined, then this is an explicit proxy. If not, this is transparent proxy. Which means that if proxy side, one can have both in parallel, client side (browser) you have only 3 choices with no overlap:

explicit proxy no proxy -> with transparent proxy intercepting no proxy... without proxy  ;D

If SSL-bump is configured (whatever proxy mode, explicit or transparent), trusting certificate generated to intercept HTTPS flow is mandatory to prevent warning messages.
This often means to deploy, client side, CA public key to be trusted.

Keep in mind we are only discussing technical aspects here, not all the legal aspects with HTTPS flow being broken and intercepted.

While designing your proxy, you have to determine whether your goal is to filter access (e.g. prevent facebook access) which doesn't require any SSL-bump, even for HTTPS, but does require explicit proxy or if you need/want to intercept HTTPS, which means SSL-Bump thus certificate.

Yeah I have no idea about that, sorry.

Exactly thats why I am posting this :). If you have a better solution then post it

nice one sir :)

Ive found the solution for me.  ;D I simply reinstalled squid. Now its working properly.

Cheers

Okay, I discovered that the problem might be with the web browser I'm using. I can bring up the report in Firefox, but not at all in Safari. Turning off SSL doesn't make a difference. Trying in a new user and clearing all caches and history doesn't do the trick either.

Thank you, I did this and it's the closest thing to working squid that I've seen yet. With these changes both lagado and chrome detect the proxy settings.
Unfortunately, squid (or at least squidguard) doesn't work.

If port 80 is open, then proxy files are transmitted, autoconfigure is completed and lagado and chrome report using the proxy settings. However, everything appears to be bypassing the proxy somehow? Apparently nginx is opening its listening port (nmap reports port 80 on my pfSense box opened by nginx) on my LAN, because with that configuration enabled, port 80 is opened, if I change the listen port, then that port is open (my rules block ports 80 and 443 except in a few specific circumstances). I still don't understand how this is allowing SSL (443 is closed, nginx didn't open it, and nmap doesn't report it opened) but not applying squidguard rules to SSL?

If I close port 80 after the proxy file has been downloaded, then it simply destroys the internet connection,

I tried forwarding all port 80/443 traffic to 127.0.0.1 on 3128 to force http&/s traffic to squid, but that didn't work either.

Any suggestions?

At this point I'd also be interested in a way to use shallalist on pfBlockerNG…. pfBNG does everything that I want from squid except shallalist, and it just works with no issues.

Hi,
Did you manage to solve this ? I'm facing the same problem, tried a couple of things but no luck so far …

I agree that it could definitely be improved, but I wanted to make sure you weren't under some false notion about what pfSense is and isn't.

same problem. anyone?

Hi Chris

Thank you very much for your answer. What is Squid configuring in background if I enable transparent mode?
Do I need to configure pfSense as follows, if I want, for example, forward traffic to port 5555 transparently to Squid?

INSIDE Interface: Source of Traffic
192.168.10.10: IP Address of the interface on which Squid is listening
3128: Squid port

Thank you
asan


Does anyone have a guide or tips on how to install mod_security on PFSense 2.3? Module is gone now and I suspect it is due to the change to nginx; there are builds f mod_security now for nginx so am wondering if anyone has tried using it for a reverse security proxy in latest pfsense?

Thanks

Curiously, what are "Rewrite Children" exactly? Individual processes that are redirecting traffic if needed or?

That's exactly what it is.  For every URL being processed by squid, it hands it off to a squidGuard child thread.  If you have lots of users and limited children, then your users web experience will be slower as they wait for a thread to be freed.