Hello,

It is not clear what you mean when you say "block in https". There are several possibilities:

terminate HTTPS connections so that browser warns the user "cannot establish connection" - yes it is possible allow HTTPS connection and show the 'this site is blocked' message to the user - you would need the SSL man in the middle allow HTTPS connections, decrypt it and block within site contents if something inappropriate found - you would need the SSL man in the middle and ICAP server like http://docs.diladele.com/tutorials/filtering_https_traffic_squid_pfsense/index.html

Best regards,
Sich

Solved this problem a few minutes ago for my installation.
In my setup i have Pfsense 2.3.2, squid and squidguard.

The problem i've dealth with, was the certification error "http". After clicking everything possible in squid configuration i've found out it was the squidguard common ACL "blk_BL_adv"
I imagine that many users use the shallalist blacklist, at the very moment i disabled that rule everything in the Man in The Middle worked like charm.

I'm not a programmer nor a squid expert, if anyone in this forum can contact the squidguard developers maybe they will find out if i was lucky or if there's a problem with squidguard, shallalist and ssl filtering

Sorry for my poor english.
Bye

I only block porn.

Another post relevant question.
Is there a way to white list a domain? Perhaps this will circumvent the above issue.
I tried : Services -> SquidProxy ->  ACL -> Whitelist: *facebook.com but that does nothing. perhaps the syntax is wrong or this is not what it's for?

Thanks,

The .crt I was referring to WAS exported from pfSense self-signed CA i created exactly for use with squid SSL.
Isn't custom website the only way to have client easily interact with that certificate (install it). I mean that involves making said website available, which I am not sure exactly easier. Please correct me if I am wrong.

thanks, the troubleshoot web page helped

Found issue and corrected.

CJB

Unchecking the 'transparent client ip' feature solved my problem.

Thank you very much,

Regards,
Joe

thanks, good point.
Ill experiment more with this.

http://downforeveryoneorjustme.com/www.eletrobraspiaui.com

It's actually down, or appears to be down.

No idea

The squid config General page has an Advanced Options button that you can use to expand the section that allows you to enter custom parameters.

If the squid package isn't to your liking then I don't know why you don't just spin up a Linux box, compile squid with whatever options you need and then just use that.

@Nachtfalke:

Status –> System Logs --> Settings
Dsiable "Log packets matched from the default pass rules put in the ruleset"

OR

Create a specific Firewall rule with destination "127.0.0.1" , action=allow and port=any and source=any and siable logging.
So traffic will match this specific rule and will be allowed but not logged.

Well, your first suggestion stops all pass logging it seems. The second suggestion didn't work. I'm guessing since the traffic is on the lo0 interface?

Thats true the WPAD ignores that IP goes though for a moment I thought it was WPAD now that I have been doing a deep analyze its not it. Not even sure what to do now…

I found how to fix Captive Portal, so now I may try to use CP for squid authentication.

For anyone that read this thread, DHCP can be run on the Domain and CP will still work, it is not required to have DHCP in pfsense.

@jetberrocal:

@jetberrocal:

@chris4916:

2 - As I previously wrote, configure captive portal (without authentication) and display page explaining that proxy needs to be manually configured. This page will not be reached but in any case, for devices not WPAD aware, this may help

This is an idea that I could try.  I will write down the outcome after trying.

OK.  It worked nicely.  I did not use the default CP page as it includes authentication fields, I loaded a ngnix sample test page and it work as expected

Thank you for the idea. 
I was trying CP with authentication before and it did not work. (But that is another thread)

Just one more question.  With this I do not need the block rules anymore?

I answer my self the block rule question.  I removed them to test and it work without them.

Thank you for your reply

I tried two methods which are manually configuration and WPAD but neither chrome nor firefox don't works as expected although i was sure that chrome or firefox used proxy configuration. I captured traffic and could see the CONNECT www.facebook.com but squid didn't logged domain in log file.

Strange thing which i don't understand is if i close chrome or firefox, it works as expected.

Best regards

Dear All,

Please help on above.

Regards,

Yes, that gets the socket file created with the correct ownership and everything seems to be working perfectly for me now.

Thank you for the help PiBa.  You're awesome!