Squid 3.3.4 package for pfsense with ssl filtering
-
Is this normal, or theres a way to overcome this? Thanks
Yes, to avoid these erros, play with squid cert options and include pfsense CA as a trusted CA on each browsers. This way you will not get any ssl error for https sites.
Services that use same ssl port(tor, ultrasurf) will always fail.
-
Thanks marcelloc. I've fixed the certificated error. also I re-enabled the transparent ssl and it helps :)
-
Hi, I have a question. I just visited a government agency website, its an organization that handles employers contribution. or employees contribution. Ive noticed that after accepting the certificate and continuing to website. The website did not respond and it says webpage not avalable. According to other forums ubuntu to be exact, theres a site that sometimes block this kind of interception, i mean we will not be availbe to continue that's why they added some code.
Can we adopt their code to our pfsense? I think their added it in squid.conf
-
Can we adopt their code to our pfsense? I think their added it in squid.conf
If you find what code is it, I can add to squid.conf.
-
Hi marcerlloc, check this pic that ive uploaded
-
Hi, marcelloc i successfully entered that website. But this website www.sss.gov.ph
prevents my network -
These pics shows stardard ssl squid configuration.
-
You mean it doesn't have something to do with the website? Maybe I mis configured. On the other hand, I've noticed something when connecting to facebook. It seems like the page is broken, I couldn't see the pictures and other posts. I've tried to disable my squid guard and let the squid3-dev handle the internet, but the outcome is the same. But when i tried not to proxy the internet, only using the direct firewall rules on lan, the page seems fixed. Is there a workaround on this?
-
Can you test on firefox with firebug extension enabled on network tab?
-
I don't have that firebug option in my firefox. By the way I also tried this on my other browser but still no luck
-
Also when I put the source ip, it bypassess the squidguard, and the website seems fixed also..
-
I'm thinking of Using Version 3.3.4, maybe I won't have that kind of issue on fb, is that possible?
-
I don't have that firebug option in my firefox.
It's a firefox extension/plugin. Just install it and enable.
-
Hi i just install the plugin but it doesn't fixed the issue, but i think the issue is came from ssl filtering, because when I disable the ssl filtering, and restart the pfsense. It returned to normal, and when I get back on using ssl filtering the site is broken again. Did I did something wrong? I set my ssl listening port to 3129, while my squid port is in 3128, both are set to LAN interface. Also i set my safe ports to 80, 443 and acl ports to 443 only.
Can you give me other config options? How can i used port 3128 on both squid port and ssl port man in the middle. can we do the tunneling?
-
Hi i just install the plugin but it doesn't fixed the issue.
This plugin is usefull to debug the problem, not to fix ssl issues.
Enable it, select net tab and access the site with ssl enabled.
This way you will see all connections and check what is going fine and whats is failing.
-
Ok I will try that in my work on tuesday. Today is holiday in my country. Nways last time I also noticed that disbling or unchecking the "Allow users on the interface" and providing network subnet on acl tab will cause the ssl filterng not to work. Automatically squidguard will stop.
I Also tried disabling squidguard, and tried to filter the secured site in proxy server alone by putting its domain name in blacklist field on acl tab, example: youtube.com, but it fails. Seems like ssl is not filtering because i can still go to the site.
Another thing can you please teach me how will I install squid dev package using shell? Because i want to edit squid.conf manually. What I wan't to do temporaryly while we are fixing this error is to disable ssl filtering by default and enable it only on sp
ecific website along with specific ip address. This way i can block the access to specific people only and let the other employees access it without errors. Sounds good idea i guess. Thanks in advance! -
you can install the package using this:
amd64
fetch http://files.pfsense.org/packages/amd64/8/All/squid-3.3.8-amd64.pbi pbi_add --no-checksig squid-3.3.8-amd64.pbiTo edit squid.conf file and keep it on xml backup, you can use filer package.
-
Is this normal, or theres a way to overcome this? Thanks
Yes, to avoid these erros, play with squid cert options and include pfsense CA as a trusted CA on each browsers. This way you will not get any ssl error for https sites.
Services that use same ssl port(tor, ultrasurf) will always fail.
I am trying to do this but keep getting cert errors on my test machine. Have I done it right? I created an internal cert authority on pfsense and exported the certificate then installed the certificate in to the trusted root ca store of the test machine.
edit: nevermind changing the certificate adapt setting seems to have resolved!
Does this mean I can now enforce google safesearch without forcing no ssl?
Also, what happens is there is a malicious man in the middle attack beyond pfsense?
-
Also, what happens if there is a malicious man in the middle attack beyond pfsense?
Certificate fails on client or server. It will depends on what certificate errors you configure to accept.
It it's configured to do not accept, you receive a squid error page
If It's configured to allow client decide, browser will complain about a "not trusted by CA" certificate error. -
That is excellent.
I too however would like not to intercept for certain domains, I am using transparent mode and entering domains in the whitelist had no effect, I think someone else mentioned this somewhere.
