SquidGuard redirects alot

JonathanLee · Aug 18, 2023, 6:29 PM

Something is bonkered up with this

JonathanLee · Aug 18, 2023, 7:07 PM

@michmoor Have you looked at

https://forum.netgate.com/topic/119092/the-following-error-was-encountered-while-trying-to-retrieve-https-http/14
https://forum.netgate.com/topic/154743/how-to-configure-squidguard-for-https/7

They state

You have to append

url_rewrite_access deny CONNECT
url_rewrite_access allow all

to your squid custom options to make the redirect page work in SSL MITM mode.

Custom options (before auth)

I guess it blocked redirects with HTTPS SSL Intercept enabled

This is new to me I am testing this in a home lab environment.

michmoor · Aug 18, 2023, 8:07 PM

@JonathanLee Hmmmm
I didnt have to add anything to custom options before.
Ok let me try. Keep me updated on your home tests.

JonathanLee · Aug 18, 2023, 9:20 PM

@michmoor I get this error all the time on SSL Intercept enabled certificated devices, and port for pfsense firewall open or blocked in Squid Proxy

login-to-view

However, spliced devices have no issue accessing the error page.

michmoor · Aug 18, 2023, 10:12 PM

@JonathanLee if i change to use an internal error page i get this
IMO, Redirect mode is a buggy mess. Its hit or miss but mostly miss.

login-to-view

JonathanLee · Aug 18, 2023, 10:12 PM

@JonathanLee

Use this it fixed it ex url move and point it to the internal squid guard URL.

login-to-view

(ERRORS!!!!)

JonathanLee · Aug 21, 2023, 2:17 PM

@michmoor

https://forum.netgate.com/topic/182279/fixed-squidguard-redirect-page-for-error-codes-issues-with-https-ssl-interception

michmoor · Aug 18, 2023, 11:05 PM

@JonathanLee the only problem with that solution is that you have to make your management port available to everyone. In your case 8080

JonathanLee · Aug 18, 2023, 11:05 PM

@michmoor yep and that's a bigger problem

JonathanLee · Aug 18, 2023, 11:09 PM

This post is deleted!

michmoor · Aug 18, 2023, 11:35 PM

@JonathanLee lol oh boy. Not good !!

I think the limiting factor is that there is no good or secure way of providing a page to an end user explaining why they are blocked.
I’m using an external server and that works half the time. “Too many redirects”. But after some time later it works just fine again. No way to debug either

JonathanLee · Aug 18, 2023, 11:38 PM

@michmoor I agree,

I just discovered you can just add google into the redirect and it takes you back to the browser.

I think I will use this one for a while.

Test this or take the redirect back to the office homepage. This way it doesn't feel like a panopticon and users just end up where they started.

login-to-view

I didn't think it would work but it does.

michmoor · Aug 18, 2023, 11:56 PM

@JonathanLee yeah at least if someone can’t download something they will say “it keeps taking me to google” which is funny. I’ll try it out for awhile.
My daughter brought home a school laptop so I’m going to see if I can install a certificate and start “investigating “

JonathanLee · Aug 19, 2023, 12:10 AM

@michmoor you don't need the certificate as it works in transparent mode also. I only install certs on devices I own, everything else is splice mode. I do custom with both ssl intercept and transparent in use. FYI I also found that /usr/local/www/sgerror.php still is accessible even when using the external web redirect like google.com. I thought that was weird.

https://redmine.pfsense.org/issues/14696

It should not be accessible if its not in use right?

michmoor · Aug 19, 2023, 3:43 AM

@JonathanLee how is it accessible?
How are you accessing that path?
Transparent mode is iffy for clients. That /409 error stops websites from working.

JonathanLee · Aug 19, 2023, 3:54 AM

@michmoor I just use a custom option and block out the websites I don't want accessed. It splices and looks at the get request is all

Keep in mind this type of redirect could be "gaslighting" and cause "crazy making situations" if it just keep going to google over and over. I would recommend to use an official "this website is blocked page" and after to just redirect back to a company page and not just google. This provides clarity and transparency.

I changed mine back to the official block page.

login-to-view

michmoor · Aug 19, 2023, 12:17 PM

@JonathanLee I understand but it’s really not a secure option because of the opening of the management port to everyone.
Unfortunately there is an issue with an external redirect that I’m trying to debug. Might be php code related tho.
I think the best option is to just have the block page saying “unable to forward this request”.

michmoor · Aug 20, 2023, 5:43 PM

Still havent been able to solve the multiple redirect issue.
There is no rhbyme or reason as to why squidguard redirects this many times. I rechecked the php script and its good.
Its not a browser cache problem. Its a squid problem.

login-to-view

JonathanLee · Aug 21, 2023, 1:01 AM

@michmoor Do you have multiple Group ACL lists with the same IP address? That might cause issues.

michmoor · Aug 21, 2023, 1:01 AM

@JonathanLee No group ACL used. Just Target