Netgate Discussion Forum

    PfSense, Squid, and HTTPS

    10 Posts 4 Posters 4.4k Views
    unmode:

      Hi all,

      I'm sure this is a noob question, so please bear with me.

      I've installed pfSense with Squid and pointed it to an upstream proxy cache.

      LAN > pfSense > Upstream Proxy > Internet

      I've also enabled transparent proxy.

      HTTP traffic works fine, I can access websites as normal, but I'm having a problem with HTTPS sites.

      HTTPS can't be transparently proxied, of course, but even if I configure the browser manually with the proxy server details I can't access HTTPS sites.

      I've also tried disabling transparent proxy, which doesn't work either.

      HTTPS works fine if I remove pfSense from the equation.

      Basically I need a way to get HTTPS traffic through pfSense.

      Can anyone help?

      Thanks in advance.

    unmode:

        Nobody?

    doktornotor (Banned):

          http://forum.pfsense.org/index.php/topic,62256.0.html

    stephenw10 (Netgate Administrator):

            Odd because usually HTTPS traffic simply bypasses Squid unless you block it deliberately.

            Steve

    kejianshi:

              HTTPS is being blocked in rules somewhere either deliberately or not.  There is probably a block rule somewhere or a NAT rule that forwards to nowhere.  I've seen rules like that set up in attempt to filter HTTPS.  Maybe you copied one of their rules in an example somewhere not realizing it.

    unmode:

                Thanks for the advice. Can you recommend how an HTTPS rule would ideally be set up?

    kejianshi:

    I have no idea personally.  The idea that someone could successfully proxy (not socks5 proxy) HTTPS sounds a lot like Man-In-The-Middle stuff to me.  Basically, by default squid doesn't touch HTTPS.  Just HTTP.

                  I suggest you go through your NAT and Firewall rules and look for any reference to port 443/HTTPS that shouldn't be there.

    doktornotor (Banned):

                    @unmode:

                    Thanks for the advice. Can you recommend how an HTTPS rule would ideally be set up?

                    Please, read the entire thread already referenced once above: http://forum.pfsense.org/index.php/topic,62256.0.html (And I'd personally just recommend to NOT do this at all.)

    unmode:

                      Thanks. In theory though you could just pass the HTTPS traffic through the firewall rather than proxying it.

                      Thanks for the continuing replies doktornotor, but as stated in my original post I'm not trying to proxy HTTPS traffic, just let it pass through the firewall.

    kejianshi:

                        I suggest you go through your NAT and Firewall rules and look for any reference to port 443/HTTPS that shouldn't be there.

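Added example (editor's code, not posted by anyone in this thread): kejianshi's advice, given twice above, is to go through the NAT and firewall rules for any reference to port 443/HTTPS, in particular a block rule or "a NAT rule that forwards to nowhere". The script below does that mechanically against pf rule dumps. On a pfSense box you would feed it the real output of `pfctl -sn` (NAT/rdr rules), `pfctl -sr` (filter rules) and `sockstat -4l` (listening sockets); here the rule text and socket table are constructed sample data that approximate pfctl's print format, and the interface names, addresses and proxy ports (3128, 3129) are assumptions for illustration only. The interesting case it catches is exactly the one described in the thread: an `rdr` rule that redirects TCP/443 to a local port where nothing is listening, which silently breaks every HTTPS connection from the LAN while HTTP via Squid keeps working.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense/Squid packages.
# Scans pf rule dumps for anything touching TCP/443 and checks whether an
# rdr target actually has a listener. Real usage on the firewall:
#   pfctl -sn  > nat.txt;  pfctl -sr > filter.txt;  sockstat -4l > sock.txt
# The strings below are CONSTRUCTED sample output (assumed em0=WAN, em1=LAN).

SAMPLE_NAT='rdr pass on em1 inet proto tcp from any to ! 192.168.1.1 port = http -> 127.0.0.1 port 3128
rdr pass on em1 inet proto tcp from any to ! 192.168.1.1 port = https -> 127.0.0.1 port 3129
nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535'

SAMPLE_FILTER='block drop in quick on em1 inet proto tcp from any to any port = https
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any port = http flags S/SA keep state
pass in quick on em1 inet from 192.168.1.0/24 to any keep state'

# Constructed "sockstat -4l" table: Squid listens on 3128, nothing on 3129.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
squid    squid      1234  12 tcp4   127.0.0.1:3128        *:*
root     sshd       800   4  tcp4   *:22                  *:*'

# Print every rule line (from stdin) that names HTTPS, by service name or
# port number, in pfctl's "port = https" / "port 443" spellings.
https_rules() {
    grep -E 'port (= )?(https|443)([^0-9]|$)'
}

# For each rdr rule touching HTTPS, print "host:port" of the redirect target
# and whether a listener exists for it in the sockstat output.
# Usage: rdr_target_status "<pfctl -sn output>" "<sockstat -4l output>"
rdr_target_status() {
    rules=$1
    # Listener keys such as "127.0.0.1:3128 *:22", taken from sockstat column 6
    # (the header row is skipped).
    keys=$(printf '%s\n' "$2" | awk 'NR > 1 { print $6 }' | tr '\n' ' ')
    printf '%s\n' "$rules" | https_rules | grep '^rdr' |
    awk -v K="$keys" '
        BEGIN { n = split(K, k, " "); for (i = 1; i <= n; i++) open[k[i]] = 1 }
        {
            # pfctl prints the target as "-> <host> port <port>"
            for (i = 1; i <= NF; i++) if ($i == "->") { host = $(i+1); port = $(i+3) }
            if ((host ":" port) in open || ("*:" port) in open) s = "listening"
            else s = "NOT LISTENING"
            print host ":" port, s
        }'
}

# Report over the constructed samples.
echo "== NAT/rdr rules touching HTTPS =="
printf '%s\n' "$SAMPLE_NAT" | https_rules || echo "(none)"
echo "== filter rules touching HTTPS =="
printf '%s\n' "$SAMPLE_FILTER" | https_rules || echo "(none)"
echo "== rdr targets =="
rdr_target_status "$SAMPLE_NAT" "$SAMPLE_SOCKSTAT"
```

Two caveats when running this for real. First, pfSense loads GUI and package rules through pf anchors, so list them with `pfctl -sA` and dump each with `pfctl -a <anchor> -sr` / `-sn` as well as the main ruleset. Second, a block rule on 443 is obvious, but the stock Squid transparent-proxy rdr should only ever redirect port 80 to the proxy; any rdr for 443 that reports NOT LISTENING above is the "forwards to nowhere" case and should be deleted rather than "fixed", since, as doktornotor and kejianshi note, transparently intercepting HTTPS means a man-in-the-middle setup the original poster says they do not want.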
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.