Squid + Virtual IP. HTTPS won't work
-
Here's my config
pfSense
LAN's Real Interface IP: 192.168.1.1/22
Virtual IP1: 10.1.1.1/24
Client PC
LAN IP: 10.1.1.2/24
The client cannot access HTTPS websites (connection timeout). Normal HTTP is OK.
Squid is set to Transparent.
What seems to be the problem here?
-
You cannot transparently proxy HTTPS connections.
-
Are you sure, jimp?
I have squid set to transparent and my clients can open https sites.
I'm confused ???
Cheers
-
Transparent Squid firewall rules direct port 80 requests to the squid proxy. But https uses port 443.
-
Sure you can get to https sites, but they aren't going through the proxy :-)
-
I replied on your other thread since it's not strictly relevant to this one.
-
I also just figured this out. By default, HTTPS bypasses Transparent Squid.
With "normal" configuration, pfSense does this automatically (send all HTTP to Squid, bypass Squid when HTTPS).
But in special cases such as mine (I have a LAN Virtual IP in a different subnet), you have to manually tell pfSense to Outbound NAT HTTPS traffic to a WAN from the LAN Virtual IP, or else, it will try to contact the "real" IP, which it cannot reach because the Virtual IP is in a different subnet from the real IP.
Automatic Outbound NAT only configures the "real" IP of an interface, not Virtual IPs.
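
The asymmetry described in the post above, modeled as an added example that is not part of the original thread or pfSense's own code: port 80 is redirected to Squid on the firewall, while every other port needs an outbound NAT rule whose source matches the client's subnet. The function names and the simplified rule model are assumptions of this example; the addresses are the ones from the first post.

```python
import ipaddress

# Addresses taken from the thread; everything else is a simplified model.
LAN_REAL = ipaddress.ip_interface("192.168.1.1/22")
LAN_VIP = ipaddress.ip_interface("10.1.1.1/24")
CLIENT = ipaddress.ip_address("10.1.1.2")
PROXY_PORTS = {80}  # ports the transparent redirect hands to Squid


def automatic_nat_sources(real_interfaces):
    """Source networks covered when only 'real' interface subnets get NAT
    rules, which is the behaviour the post reports for automatic mode."""
    return [iface.network for iface in real_interfaces]


def flow_result(client, dst_port, nat_sources):
    """Classify a client connection that has to leave through the WAN."""
    if dst_port in PROXY_PORTS:
        # Redirected to Squid; Squid opens the outbound connection from the
        # firewall itself, so no NAT rule for the client subnet is needed.
        return "proxied"
    if any(client in net for net in nat_sources):
        return "natted"
    # No NAT rule matches the source: the thread reports this case as a
    # connection timeout on HTTPS.
    return "no-nat"


def audit(real_interfaces, virtual_ips, nat_sources):
    """Return LAN-side networks that no outbound NAT source rule covers."""
    lan_nets = {i.network for i in real_interfaces}
    lan_nets |= {v.network for v in virtual_ips}
    uncovered = [
        net for net in lan_nets
        if not any(net.subnet_of(src) for src in nat_sources)
    ]
    return sorted(uncovered, key=str)


if __name__ == "__main__":
    auto = automatic_nat_sources([LAN_REAL])
    print("HTTP :", flow_result(CLIENT, 80, auto))
    print("HTTPS:", flow_result(CLIENT, 443, auto))
    print("Uncovered:", audit([LAN_REAL], [LAN_VIP], auto))
    manual = auto + [LAN_VIP.network]  # the manual rule the post describes
    print("HTTPS after manual rule:", flow_result(CLIENT, 443, manual))
```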
-
As stated in the docs, you can proxy https and other traffic through squid but you must tell each program about the proxy, because if you tried to transparently proxy https traffic you would get security warnings.