Netgate Discussion Forum

    Yet another SquidGuard and HTTPS post…

    Cache/Proxy
    • C0RR0SIVE

      I know, it's been covered a dozen times, but I haven't exactly found a solution that satisfies me fully…  I also know I am running slightly outdated firmware, but, I have reasons, good ones at that.

      PFSense 2.1.5
      SquidGuard-Squid3
      squid3-dev

      I have successfully implemented a PAC file, made the proper DNS and DHCP entries to point to it, and all my browsers will pick it up and go with it!

      Now, the issue(s)...  It's not filtering HTTPS...?  Well, it SORT of is, a few links load on a white page...  I have Netflix on a blacklist, and it's blocked mostly, but it doesn't fully block it...

      I have also run into an issue, accessing this forum!  I get the following error in Chrome (and no connection in other browsers either), [ERR_TUNNEL_CONNECTION_FAILED].  For the time being, I have added an exception to the PAC file so that this website would direct connect, but it's not pretty, and I have had this tunnel error come up on a few other websites as well, though it seems to be rather… rare?

      The last issue, when SquidGuard DOES block a website, it's throwing a 404 error instead of the normal squidguard error page...

      Squid HTTP and HTTPS Transparent is OFF
      Browsers can successfully pull the WPAD files
      Squid Logs show HTTPS connections

      Here is my wpad file if anyone is interested.

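      function FindProxyForURL(url, host)
      {
        // Unqualified host names (no dots) are local: bypass the proxy
        if (isPlainHostName(host))
        {
          return "DIRECT";
        }

        // Hosts in 127.0.0.0/24 (this pattern and mask) bypass the proxy
        if (isInNet(host, "127.0.0.1", "255.255.255.0"))
        {
          return "DIRECT";
        }

        // FTP URLs and the forum exception connect directly
        if (url.substring(0, 4) == "ftp:" ||
            shExpMatch(url, "https://forum.pfsense.org/*"))
        {
          return "DIRECT";
        }

        // Everything else, HTTP and HTTPS alike, goes to Squid
        return "PROXY 192.168.1.2:3128";
      }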
      

      Also, please don't try to convince me to try 2.2.x out, I have had nothing but issues in every release version of it, serious enough that I gave up on it.  It does not play nice at all with my ESXi host, and the one time it "worked", SQUID was so slow even with trying all the fixes I could find here, that, I just deemed 2.2.x to be too unreliable.

      EDIT: Figured I would add, that I followed the MAJORITY of the guide located at http://irj972.co.uk/articles/pfSense-WPAD-PAC-configuration for setting wpad up, as it perplexed me greatly, not letter for letter, but enough that it wouldn't have caused this particular set of issues, as far as I can tell that is.

      ![pfsense 1.JPG](/public/imported_attachments/1/pfsense 1.JPG)
      ![pfsense 2.JPG](/public/imported_attachments/1/pfsense 2.JPG)

      • C0RR0SIVE

        Ok, figured I would update this post…  Had hoped someone would have chimed in by now though :(

        I have HTTPS filtering working fully, I didn't realize that SquidGuard couldn't really intercept the connection, but will instead just break the tunnel, hence why I do not get the error page.

        As for not accessing this forum, apparently when setting up my targets, I had accidentally selected Forum instead of Fortune Telling... LOL

        The only thing I have had trouble with since has been sgerror.php, since I followed that guide, and use HTTPS for webgui management, it seems I can't get the proper error page.  I attempted to copy the sgerror.php file over to the directory that is serving things, (I can serve an html file just fine!) but the browser just downloads the php file instead of generating a proper page with the block rule and such.

        So, does anyone have any tips, or hints on how to get sgerror.php to work after having followed that guide?

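The following is an added example, not code from the thread or from pfSense/SquidGuard. It runs the PAC function posted above against constructed URLs and shows the first request line an explicit proxy would receive, which is why a filter on the proxy sees only `host:port` for HTTPS and cannot hand the browser a block page inside the tunnel. The PAC helper stubs and `proxyRequestLine` are hypothetical, simplified stand-ins (real browsers resolve host names via DNS inside `isInNet`).

```javascript
// Added example: minimal stand-ins for the browser's PAC helpers (assumptions).
const isPlainHostName = (host) => !host.includes(".");
const isIPv4 = (s) => /^\d{1,3}(\.\d{1,3}){3}$/.test(s);
const toInt = (ip) => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
function isInNet(host, pattern, mask) {
  if (!isIPv4(host)) return false; // no DNS lookup in this offline sketch
  return ((toInt(host) & toInt(mask)) >>> 0) === ((toInt(pattern) & toInt(mask)) >>> 0);
}
function shExpMatch(str, glob) {
  // Escape regex metacharacters, then translate shell wildcards * and ?
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// The PAC function as posted in the thread.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (isInNet(host, "127.0.0.1", "255.255.255.0")) return "DIRECT";
  if (url.substring(0, 4) == "ftp:" ||
      shExpMatch(url, "https://forum.pfsense.org/*")) return "DIRECT";
  return "PROXY 192.168.1.2:3128";
}

// Hypothetical helper: the first request line the explicit proxy receives,
// or null when the PAC decision is DIRECT and the proxy never sees the request.
function proxyRequestLine(url) {
  const u = new URL(url);
  if (FindProxyForURL(url, u.hostname) === "DIRECT") return null;
  // HTTPS through an explicit proxy is an opaque tunnel: only host:port is visible.
  if (u.protocol === "https:") return `CONNECT ${u.hostname}:${u.port || 443} HTTP/1.1`;
  // Plain HTTP exposes the full URL, so a redirect to a block page can be rendered.
  return `GET ${u.href} HTTP/1.1`;
}

// Constructed sample URLs.
for (const url of [
  "http://www.netflix.com/browse",
  "https://www.netflix.com/browse",
  "https://forum.pfsense.org/index.php",
  "http://fileserver/share",
  "http://127.0.1.1/",
]) console.log(url, "->", proxyRequestLine(url));
```

The last sample shows that the posted pattern and mask cover only 127.0.0.0/24, so other loopback addresses are still sent to the proxy.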
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.