Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid Proxy "Bypass Proxy for These Destination IPs" Not Working?? Transparent HTTP Proxy Mode + HTTPS/SSL Interception

    Scheduled Pinned Locked Moved Cache/Proxy
    46 Posts 4 Posters 14.4k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      dkzsys @periko
      last edited by dkzsys

      @periko said in Squid Proxy "Bypass Proxy for These Destination IPs" Not Working?? Transparent HTTP Proxy Mode + HTTPS/SSL Interception:

      @dkzsys I see u have add a lot of custom settings, squid will filter +/- 90% of the traffic.
      Now, this apple things maybe is inside that 10% that will reject to work behind a proxy.

      What version of pfsense u have?

      My recommendation:

      Resolve DNS IPv4 First doesn't work, is a obsolete is u are running pfsense 2.6+.
      Your alias in the bypass finish them with ';'
      Try splice all.
      Remove all that custom stuff.
      Select all in the "Remote Cert Checks and Certificate Adapt".
      Enable WPAD in your interface where u want to run squid.

      I don't have apple stuff that I can test, I will check evernote.

      Now, what is the problem with 'Evernote'?, I can try that app.

      Regards!!!

      Thanks for chipping in, Pedro @periko

      I am running pfSense Plus 23.05.1-RELEASE (amd64) (built on Wed Jun 28 03:57:27 UTC 2023 FreeBSD 14.0-CURRENT).

      Will try out your recommendations.

      Re a couple of your points:

      • "Try splice all." - do you mean, in addition to source ip address bypass, splice them all in squid config as well? Ignore this, figured out that you were referring to "SSL/MITM Mode" setting.

      • "Remove all that custom stuff." They were automatically added after installing suiqdGuard I think. I'll remove the config and uninstall squidGuard for now.

      Re Evernote, I had to whitelist "www.evernote.com", otherwise, the app is having sync issue with the server. On macOS app, it's a grey pop-up error box on the note page when I tried to update the note. For a failure scenario testing, it's easier to use this URL "https://www.tradingview.com/markets", as it worked on Mike's, and failed on mine and Jonathan's.

      perikoP 1 Reply Last reply Reply Quote 0
      • perikoP Offline
        periko @michmoor
        last edited by

        @michmoor It wont' affect at the end the client will need to reach the proxy.

        The only difference is that transparent pfsense will forward the traffic to the proxy in no none we need to allow the client reach the proxy, resume both options the client will need to reach the proxy.

        Regards!!!

        Necesitan Soporte de Pfsense en México?/Need Pfsense Support in Mexico?
        www.bajaopensolutions.com
        https://www.facebook.com/BajaOpenSolutions
        Quieres aprender PfSense, visita mi canal de youtube:
        https://www.youtube.com/c/PedroMorenoBOS

        1 Reply Last reply Reply Quote 0
        • perikoP Offline
          periko @dkzsys
          last edited by

          @dkzsys I need to get a apple to test, just curiosity, in a windows box evernote do the same thing?

          Necesitan Soporte de Pfsense en México?/Need Pfsense Support in Mexico?
          www.bajaopensolutions.com
          https://www.facebook.com/BajaOpenSolutions
          Quieres aprender PfSense, visita mi canal de youtube:
          https://www.youtube.com/c/PedroMorenoBOS

          D 1 Reply Last reply Reply Quote 0
          • D Offline
            dkzsys @periko
            last edited by

            @periko said in Squid Proxy "Bypass Proxy for These Destination IPs" Not Working?? Transparent HTTP Proxy Mode + HTTPS/SSL Interception:

            @dkzsys I need to get a apple to test, just curiosity, in a windows box evernote do the same thing?

            Let me try it on a windows VM and let you know. If you are interested in the broken SSL session, you can use "https://www.tradingview.com/markets" to test.

            Enable WPAD in your interface where u want to run squid.

            A question for your point above, do you mean enabling WPAD on the interface setting on pefsense (if so, do you mind letting me how to do it?), or enabling WPAD or PAD on the client machine (either os system setting, or browser setting)?

            JonathanLeeJ 1 Reply Last reply Reply Quote 0
            • D Offline
              dkzsys @periko
              last edited by dkzsys

              @periko said in Squid Proxy "Bypass Proxy for These Destination IPs" Not Working?? Transparent HTTP Proxy Mode + HTTPS/SSL Interception:

              @dkzsys I see u have add a lot of custom settings, squid will filter +/- 90% of the traffic.
              Now, this apple things maybe is inside that 10% that will reject to work behind a proxy.

              What version of pfsense u have?

              My recommendation:

              Resolve DNS IPv4 First doesn't work, is a obsolete is u are running pfsense 2.6+.
              Your alias in the bypass finish them with ';'
              Try splice all.
              Remove all that custom stuff.
              Select all in the "Remote Cert Checks and Certificate Adapt".
              Enable WPAD in your interface where u want to run squid.

              I don't have apple stuff that I can test, I will check evernote.

              Now, what is the problem with 'Evernote'?, I can try that app.

              Regards!!!

              I have tried a few different config combinations, and the "Splice All" does most of the trick!

              71ec4fc6-8f4d-462a-86f4-3694a5f544f1-image.png

              Some observations with "Splice All":

              • "Remote Cert Checks" with only "Do not verify remote certificate"; and "Certificate Adapt" - none
                microsoft domains are mainly 409; but apple icloud gateway is getting 500.
              1695347891.621      0 10.0.1.11 NONE_NONE/409 4012 CONNECT outlook.office365.com:443 - HIER_NONE/- text/html
              1695347891.621      0 10.0.1.11 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
              
              1695347967.351     29 10.0.1.11 TCP_TUNNEL/500 7 CONNECT gateway.icloud.com:443 - ORIGINAL_DST/17.248.219.1 -
              
              • After enabling all in "Remote Cert Checks" and "Certificate Adapt"
                Both microsoft domains and icloud gateway are getting 409.
              1695348201.835      0 10.0.1.11 NONE_NONE/409 4003 CONNECT gateway.icloud.com:443 - HIER_NONE/- text/html
              1695348201.835      0 10.0.1.11 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
              

              c009b747-296e-48bd-9496-3abbb4b9c611-image.png

              It would be easier for me to fix up all the 409s after leaving it running for a bit.

              I've checked squid access log and it has sufficient info for my audit purpose.

              Thank you for helping out, @periko @michmoor @JonathanLee! It fixed most of my issues for my particular use case with this less intrusive implementation. For Jonathan's use case of content filtering it would still need that extra work for whitelisting.

              P.S. @periko no more evernote sync issue either after Splice All!

              1 Reply Last reply Reply Quote 1
              • JonathanLeeJ Offline
                JonathanLee @dkzsys
                last edited by JonathanLee

                @dkzsys
                Check this out for WPAD

                https://docs.netgate.com/pfsense/en/latest/recipes/http-client-proxy-wpad.html

                It's a really good how to overview of WPAD. I have mine set up this way with an addition of DHCP options to automatically send the proxy and DNS information when IP addresses are distributed.

                DHCP option 252 and 42

                Screenshot_20230921-195923.png

                "A WPAD host may be supplied via DHCP numbered option 252 (string value containing the entire URL to the WPAD file) or DNS, which is easy to do with the built-in DNS forwarder" (Netgate docs).

                Normally you would use standard ports again my GUI uses port 8080 and it works good for the XBOX One

                Make sure to upvote

                D 1 Reply Last reply Reply Quote 0
                • D Offline
                  dkzsys @JonathanLee
                  last edited by dkzsys

                  @JonathanLee said in Squid Proxy "Bypass Proxy for These Destination IPs" Not Working?? Transparent HTTP Proxy Mode + HTTPS/SSL Interception:

                  @dkzsys
                  Check this out for WPAD

                  https://docs.netgate.com/pfsense/en/latest/recipes/http-client-proxy-wpad.html

                  It's a really good how to overview of WPAD. I have mine set up this way with an addition of DHCP options to automatically send the proxy and DNS information when IP addresses are distributed.

                  Thanks for the illustration as always @JonathanLee ! Yes - I went through the same page as well:)

                  For me, the next is to evaluate switching back to AdGuard Home for DNS on RaspberryPi, or use SquidGuard with pfSense DNS. Since I've blocked DNS (53, DoH, DoT) to WAN, and NATing locally, AdGuard would have a similar effect of SquidGuard in terms of service/domain blocking. (and neither approach will prevent kids bypassing with VPN). And at this stage, I don't need time-of-day control. So my criteria would be relatively simple:

                  • #1: no impact to Squid transparent proxy implementation (re earlier discussion in this thread)
                  • Ease of adding/removing domains
                  • Ease and effectiveness of rule toggles.
                  1 Reply Last reply Reply Quote 1
                  • JonathanLeeJ Offline
                    JonathanLee @michmoor
                    last edited by

                    @michmoor WPAD auto configures devices to use the proxy. It's for laptops that move from the office and back to home. It's so you an admin never need to set the poxy settings. When a known device jumps on your network the device already knows to use the proxy, versus having to configure it on the device each and every time you change from a lan at the office to your lan at home. It's explicitly for proxy use. It just does it automagically.

                    Make sure to upvote

                    1 Reply Last reply Reply Quote 1
                    • D Offline
                      dkzsys
                      last edited by

                      After a few days of testing with Transparent proxy + SSL Interception (Splice All), a couple of observations:

                      1. For the whitelisted source IP by FQDN (e.g. microsoft, Apple icloud etc), the result is intermittent - sometimes 200 and others 409... I have updated the "Aliases Hostnames Resolve Interval" to 60 sec. but still not resolved. Some input for resolution will be appreciated.

                      2. FW Blocking to WAN is no longer 100% effective, to the FQDNs on and off the source bypass list. For example, blocked clients can still search on google.com, play chess on chess.com, etc. See screenshot for the fw block rule below. I will have to reset fw states to block all outgoing traffic to WAN from those clients. @periko - can I get your input on this pls - any other options to effectively block client to WAN without fw state reset?

                      092128b1-6ed6-4f15-872f-f73c37be3f71-image.png

                      JonathanLeeJ D 2 Replies Last reply Reply Quote 0
                      • JonathanLeeJ Offline
                        JonathanLee @dkzsys
                        last edited by JonathanLee

                        @dkzsys if you use Squid or Squidguard you can utilize regular expressions.

                        Some examples from my always splice file:

                        ^((alt[0-9]-mtalk.)|(mtalk.)|(mtalk-(staging|dev).))google.com

                        ^(((clients)[0-9])|accounts).google.(com|us)

                        ^.*(outlook.)(office365|office).com

                        ^(disney.(content|connections)).edge.bamgrid.com

                        Test and create them with a regular expressions tester online if needed.

                        Make sure to upvote

                        D 1 Reply Last reply Reply Quote 0
                        • D Offline
                          dkzsys @JonathanLee
                          last edited by

                          @JonathanLee my understanding is that for the regex domain to work, squid will need to be set to explicit mode, or transparent mode with peek and splice config; and it doesn't work for transparent mode with Splice All. Happy to be corrected.

                          JonathanLeeJ 1 Reply Last reply Reply Quote 0
                          • JonathanLeeJ Offline
                            JonathanLee @dkzsys
                            last edited by

                            @dkzsys it should work if the domains are using .something else in it. Yes that is mostly used with SSL intercept

                            Make sure to upvote

                            1 Reply Last reply Reply Quote 1
                            • D Offline
                              dkzsys @dkzsys
                              last edited by

                              @dkzsys said in Squid Proxy "Bypass Proxy for These Destination IPs" Not Working?? Transparent HTTP Proxy Mode + HTTPS/SSL Interception:

                              1. FW Blocking to WAN is no longer 100% effective, to the FQDNs on and off the source bypass list. For example, blocked clients can still search on google.com, play chess on chess.com, etc. See screenshot for the fw block rule below. I will have to reset fw states to block all outgoing traffic to WAN from those clients. @periko - can I get your input on this pls - any other options to effectively block client to WAN without fw state reset?

                              I just found out that I can use "pfctl -k" to reset fw sessions for specific client IPs via terminal. Since I am using CLI to toggle the blocking rules, it actually worked out well for me as a workaround - simply adding the extra command in the block rule CLI snippet.

                              D 1 Reply Last reply Reply Quote 1
                              • D Offline
                                dkzsys @dkzsys
                                last edited by

                                @dkzsys said in Squid Proxy "Bypass Proxy for These Destination IPs" Not Working?? Transparent HTTP Proxy Mode + HTTPS/SSL Interception:

                                I just found out that I can use "pfctl -k" to reset fw sessions for specific client IPs via terminal. Since I am using CLI to toggle the blocking rules, it actually worked out well for me as a workaround - simply adding the extra command in the block rule CLI snippet.

                                Unfortunately killing the state for the client still doesn't block their traffic to WAN with the block rule enabled... Looking for an alternative workaround.

                                JonathanLeeJ 1 Reply Last reply Reply Quote 0
                                • JonathanLeeJ Offline
                                  JonathanLee @dkzsys
                                  last edited by

                                  @dkzsys try this

                                  client_persistent_connections on
                                  client_persistent_connections off

                                  "Squid uses persistent connections (when allowed). You can use
                                  this option to disable persistent connections with clients."

                                  http://www.squid-cache.org/Doc/config/client_persistent_connections/

                                  Make sure to upvote

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.