Netgate Discussion Forum
    Pfsense Squid SSL Intercept Some sites have issues

    15 Posts 4 Posters 5.8k Views
qwaven

      @S.:

      Could you try it in another browser ?

Does anybody know if Internet Explorer uses certificate pinning for sites like facebook ?

      Thanks for the reply S. Kirschner. I should have mentioned that I had tried this in different browsers. I believe I get similar results using Firefox.

On YouTube, in place of where the advertisement is, I will see:

    This Connection is Untrusted
    ...etc...

      Cheers!

KOM

        I found squid in transparent mode far too much of a hassle with endless glitches.  Made it explicit and now I have no problems.

qwaven

          @doktornotor:

          1/ If you install EMET, IE will use certificate pinning for similar sites.

          Other browsers use pinning already for high risk domains:

          https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
          https://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-

          2/ Squid 3.4 branch does not handle SNI.

          3/ Finally, and most importantly - you are breaking HTTPS and replacing original certificates with MITM crap. If you have issues with that - do yourself and your users a favor and stop using similar misfeatures.

          Hi doktornotor,

Not totally clear on what this EMET is? Though since pinning seems to already be enabled in other browsers I don't think this will solve my issue?

3/ Yes, I am aware MITM is breaking SSL. However, how else can one filter HTTPS traffic?

          Cheers!

qwaven

            @KOM:

            I found squid in transparent mode far too much of a hassle with endless glitches.  Made it explicit and now I have no problems.

            Hey KOM,

I'm not using transparent mode. I'm entering the info into my browser's proxy settings in order to enable using the proxy server.

            Cheers!

KOM

              If you're not running transparent, why are you talking about certificates?  No certs required if you're running explicit.

qwaven

                @KOM:

                If you're not running transparent, why are you talking about certificates?  No certs required if you're running explicit.

                
                Select Certificate Authority to use when SSL interception is enabled.
                To create a CA on pfSense, go to System -> Cert Manager.
                Install the CA certificate as a Trusted Root CA on each computer you want to filter SSL on to avoid SSL error on each connection. 
                
                

                I was under the impression that I needed to intercept ssl in order to be able to filter sites that us it?

qwaven

                  Wow I feel a bit silly now. Seems to be working better now without the SSL stuff turned on. :)

                  Thanks!

However, is there any way of getting rid of these types of pages? Using YouTube again as an example...

                  See attached image.

                  I've already got the options:

                  
                  Clean Advertising	
                  Check this option to display a blank gif image instead of the default block page. With this option the user gets a cleaner webpage.
                  
                  and in my blacklist ads are set to deny
                  
                  

                  Cheers!

(attached image: youtube2.PNG)

KOM

                    No idea, perhaps your install is borked somehow by the configuration you chose.  You're making progress though.  Does it do this for all blocked ads?

qwaven

                      @KOM:

                      No idea, perhaps your install is borked somehow by the configuration you chose.  You're making progress though.  Does it do this for all blocked ads?

                      It appears so far, yes.

KOM

                        At least now it looks like a squidguard issue.  If you turn off all blocking, do the ads appear normally?  Post screens of your squidguard settings.

                        OK I just tried it and get the same result.  I can't immediately figure out how to prevent it.

qwaven

                          So I'm still baffled.

I've checked around online for various people's tutorials on installing SquidGuard 1.4. They all seem to imply there is a blank.gif image that is used. However when I check the actual package for 1.4 (from SquidGuard) it does not contain this.

I did find a blank.gif on a GitHub site for SquidGuard Adblock and was trying to get this working but nothing I do seems to work.

                          I mainly tried changing the redirection URL to point to the gif which I uploaded to my pfsense box. Still nothing.

                          Starting to think that the "error" I see is potentially not related to the adblock. It does say:

                          
                          Can't establish a connection to the server at ad.doubleclick.net.
                          
                          

                          Anyone have any thoughts? Suggestions?

                          Cheers!

qwaven
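The explicit-proxy point made earlier in the thread (no CA needed when the browser is configured to use the proxy) and the "Can't establish a connection to ad.doubleclick.net" behaviour above are illustrated by the following added example, which is not code from the thread, pfSense, Squid or squidGuard. It models how an explicit proxy can answer a plain-HTTP request versus a CONNECT request for a denied host; the deny set and the blank-gif redirect URL are constructed placeholders.

```python
import re
from typing import Iterable, Optional

# Constructed sample policy standing in for a squidGuard "ads" category set to deny.
DENY_DOMAINS = {"doubleclick.net"}
# Hypothetical redirect target, the kind of "Redirect URL" the thread talks about.
BLANK_GIF_URL = "http://pfsense.example.lan/blank.gif"

CONNECT_RE = re.compile(r"^CONNECT\s+([^\s:]+):(\d+)\s+HTTP/1\.[01]$")
PLAIN_RE = re.compile(r"^(?:GET|HEAD|POST)\s+http://([^/:\s]+)(?::\d+)?(?:/\S*)?\s+HTTP/1\.[01]$")


def host_is_denied(host: str, deny: Iterable[str]) -> bool:
    """True if host equals a denied domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in deny for i in range(len(labels)))


def handle_request(request_line: str, deny: Iterable[str] = DENY_DOMAINS) -> Optional[str]:
    """Return the status line an explicit proxy answers with, or None when it forwards.

    A plain-HTTP request exposes the full URL, so a blocked one can be answered with
    a redirect to a blank image.  A CONNECT request exposes only host:port: the proxy
    can open an opaque tunnel or refuse it, but it cannot put a gif inside the tunnel,
    because the client expects the origin's own TLS handshake there.  No CA is needed
    for any of this; only SSL interception requires one.
    """
    line = request_line.strip()
    m = CONNECT_RE.match(line)
    if m:
        host, port = m.group(1), int(m.group(2))
        if port != 443:                      # mirrors Squid's default SSL_ports rule
            return "HTTP/1.1 403 Forbidden"
        if host_is_denied(host, deny):       # browser reports "can't connect to host"
            return "HTTP/1.1 403 Forbidden"
        return "HTTP/1.1 200 Connection established"
    m = PLAIN_RE.match(line)
    if m:
        if host_is_denied(m.group(1), deny):
            return f"HTTP/1.1 302 Found\r\nLocation: {BLANK_GIF_URL}"
        return None                          # allowed: proxy fetches it from the origin
    return "HTTP/1.1 400 Bad Request"
```

The HTTPS ad request in the thread takes the CONNECT path, so the browser never receives a page or an image to render, only a refused tunnel.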

                            Anyone?

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.