Netgate Discussion Forum

[SOLVED] SquidGuard with HTTPS
Yann Richard

      Hello,

I am currently trying to set up a squid proxy with filter on pfSense. My objective is to allow access only to some URLs, for example google.fr.

With my configuration I can execute "wget google.fr" without any problem, but if I try to get this same URL in https (https://google.fr), I get "Gateway Time Out: Unable to establish SSL connection" from my proxy.
      In SquidGuard ACL, if I allow "all" I will be able to get my URL in https.

I have no idea what to do now; below is my configuration for the squid server and squid filter.

      # Do not edit manually !
      http_port 192.168.2.1:3128
      http_port 127.0.0.1:3128 transparent
      icp_port 0
      
      pid_filename /var/run/squid.pid
      cache_effective_user proxy
      cache_effective_group proxy
      error_directory /usr/pbi/squid-amd64/etc/squid/errors/English
      icon_directory /usr/pbi/squid-amd64/etc/squid/icons
      visible_hostname localhost
      cache_mgr admin@localhost
      access_log /var/squid/logs/access.log
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      logfile_rotate 0
      shutdown_lifetime 3 seconds
      # Allow local network(s) on interface(s)
      acl localnet src  192.168.2.0/255.255.255.248
      uri_whitespace strip
      
      cache_mem 8 MB
      maximum_object_size_in_memory 32 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      cache_dir ufs /var/squid/cache 100 16 256
      minimum_object_size 0 KB
      maximum_object_size 10 KB
      offline_mode off
      
      # No redirector configured
      
      # Setup some default acls
      acl all src 0.0.0.0/0.0.0.0
      acl localhost src 127.0.0.1/255.255.255.255
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535 
      acl sslports port 443 563  443
      acl manager proto cache_object
      acl purge method PURGE
      acl connect method CONNECT
      acl dynamic urlpath_regex cgi-bin \?
      acl allowed_subnets src 192.168.2.0/29 
      cache deny dynamic
      http_access allow manager localhost
      
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports
      
      # Always allow localhost connections
      http_access allow localhost
      
      request_body_max_size 0 KB
      reply_body_max_size 0 deny all
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100
      delay_access 1 allow all
      
      # Custom options
      url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf
      url_rewrite_bypass off
      url_rewrite_children 16 startup=8 idle=4 concurrency=0
      # Setup allowed acls
      # Allow local network(s) on interface(s)
      http_access allow allowed_subnets
      http_access allow localnet
      # Default block all to be sure
      http_access deny all
      
      
      # ============================================================
      # SquidGuard configuration file
      # This file generated automatically with SquidGuard configurator
      # (C)2006 Serg Dvoriancev
      # email: dv_serg@mail.ru
      # ============================================================
      
      logdir /var/squidGuard/log
      dbhome /var/db/squidGuard
      
      # 
      dest GOOGLE_GEOCODE {
      	urllist GOOGLE_GEOCODE/urls
      	log block.log
      }
      
      # 
      dest HECTRONICS {
      	urllist HECTRONICS/urls
      }
      
      # 
      rew safesearch {
      	s@(google..*/search?.*q=.*)@&safe=active@i
      	s@(google..*/images.*q=.*)@&safe=active@i
      	s@(google..*/groups.*q=.*)@&safe=active@i
      	s@(google..*/news.*q=.*)@&safe=active@i
      	s@(yandex..*/yandsearch?.*text=.*)@&fyandex=1@i
      	s@(search.yahoo..*/search.*p=.*)@&vm=r&v=1@i
      	s@(search.live..*/.*q=.*)@&adlt=strict@i
      	s@(search.msn..*/.*q=.*)@&adlt=strict@i
      	s@(.bing..*/.*q=.*)@&adlt=strict@i
      	log block.log
      }
      
      # 
      acl  {
      	# 
      	default  {
      		pass GOOGLE_GEOCODE HECTRONICS none
      		redirect http://192.168.0.4:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
      	}
      }
      
KOM

        squidGuard relies on squid.  How do you have squid configured?  Which version of pfSense & squid?  Are you running in explicit or transparent mode?  If transparent (boo!), are you intercepting SSL?

Yann Richard

Thanks for this response.

I am running squid v2.7.9 pkg v.4.3.6 and squidGuard v1.9.14.

Squid configuration is stated in my first post; other than that I did the minimum and didn't see any mention of SSL interception in the GUI.
I'm working in transparent mode, but it wouldn't be a problem at all to switch to non-transparent. (I already tested it to check if it wasn't the problem.)

Which piece of configuration would be useful?

KOM

            OK

            • Don't use squid2.  Use squid3.  Squid2 is ancient and broken for some things.

            • Don't use transparent mode.  Use explicit mode in conjunction with WPAD.  Make sure to block ports 80/443 on LAN so that the proxy use is enforced.

            • Make sure your clients are set to autodetect the proxy.  This has been the default in Windows for many years.  Android may have to be set manually.

Yann Richard

              Hey,

Thanks for the reply. In fact I downloaded the package from the pfSense GUI; I had no idea I could get a more up-to-date version (or how, but this can be fixed).

My clients are in fact Linux servers, my goal being access to some web services exposed on the web for my applications.

              Thanks,

Yann Richard

                OK, so I set squid3 up.

But still the same error: "unable to establish SSL connection".
I tried to enable SSL Interception as well, but I'm not sure it does what I want, no transparent proxy, no idea…

Yann Richard

Okay, problem solved:

the key was to declare the URLs in Domain List rather than URL List. It works now.

Thanks for your help!

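Why the Domain List works where the URL List did not, as an added example that is not part of the thread or of squidGuard's own code: Squid hands a URL rewriter one line per request, and for a CONNECT (HTTPS) request that line carries only "host:port" with no path, so a URL-list entry written as host/path never has a path to match. The model below is a simplified stand-in for squidGuard's matching (the allowlists, client address and request lines are constructed; the redirect URL is taken from the posted squidGuard.conf).

```python
# Added example: a minimal model of how a squidGuard-style allowlist sees
# plain-HTTP vs HTTPS requests coming from Squid's url_rewrite_program.
# Each redirector input line is "<url> <client>/<fqdn> <ident> <method>";
# for CONNECT the <url> is only "host:port", without scheme or path.
from urllib.parse import urlsplit

# Constructed allowlists mirroring the thread: the same destination as a
# URL-list entry (host/path) and as a domain-list entry (hostname only).
URLLIST = ["google.fr/"]
DOMAINLIST = ["google.fr"]
REDIRECT = "http://192.168.0.4:80/sgerror.php?url=403"  # from the posted squidGuard.conf

def parse_request(line):
    """Split a redirector input line into (host, port, path, method)."""
    url, _client, _ident, method = line.split()[:4]
    if method == "CONNECT":            # authority form "host:port": no path at all
        host, _, port = url.partition(":")
        return host.lower(), int(port or 443), None, method
    parts = urlsplit(url)
    return parts.hostname.lower(), parts.port or 80, parts.path or "/", method

def match_domainlist(host):
    """Domain-list semantics: the entry itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in DOMAINLIST)

def match_urllist(host, path):
    """URL-list semantics: prefix match on 'host/path'; impossible without a path."""
    if path is None:
        return False
    return any((host + path).startswith(u) for u in URLLIST)

def decide(line, use_domainlist):
    """Old-style redirector reply: '' lets the request pass, a URL redirects it."""
    host, _port, path, _method = parse_request(line)
    allowed = match_domainlist(host) if use_domainlist else match_urllist(host, path)
    return "" if allowed else REDIRECT

# Constructed sample lines for "wget google.fr" and "wget https://google.fr".
HTTP_LINE = "http://google.fr/ 192.168.2.5/- - GET"
HTTPS_LINE = "google.fr:443 192.168.2.5/- - CONNECT"

if __name__ == "__main__":
    for line in (HTTP_LINE, HTTPS_LINE):
        print(line.split()[-1], "urllist ->", decide(line, False) or "pass",
              "| domainlist ->", decide(line, True) or "pass")
```

Real squidGuard matching has more rules than this (expression lists, per-source ACLs, rewrite blocks), but the point it illustrates holds: an allowlist meant to cover HTTPS must match on the hostname, because the path is never visible to the filter for a CONNECT request.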
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.