Https block sgerror only in transparent mode
- 
 Hello
 pfSense 2.6; Squid3; SquidGuard; blacklists enabled
 For testing the webConfigurator is running at http://IP:80

 Non Transparent / No SSL Bump:
 --> Everything works fine with correct wpad except showing sgerror for blocked https sites

 Transparent / No SSL Bump:
 --> Everything works fine setting up firewall IP as gateway address except showing sgerror for blocked https sites
 ----> after that I read that it is impossible to redirect https without ssl-bump so I configured https/ssl interception

 Non Transparent / With ssl bump:
 --> after some issues everything works fine except showing sgerror for blocked https sites

 Transparent / with ssl bump:
 --> everything works fine

 ----> So what am I missing here that Transparent Proxy setting and configuring Firewall IP as Gateway works fine but non transparent not?
 ----> sgerror.php is configured as ext url err page (tested with http and https on firewall and different server)
 Maybe I cannot run transparent and non transparent at the same interface but it works except showing sgerror redirect when configured proxy settings.

 I can see a difference in the log blocking facebook:
 Configured Gateway: https://www.facebook.com/ Request(Standard/Filter_Standard/-) - GET REDIRECT (successful display of sgerror)
 Configured Proxy: www.facebook.com:443 Request(Standard/Filter_Standard/-) - CONNECT REDIRECT (ssl_error_bad_cert_domain)

 If I remove facebook.com from Filter_Standard the site itself works fine without a ssl warning or error.
 There is no problem changing the actual setup like "Gateway for every Client" (transparent) to "automatic proxy search" (non-transparent) or "preconfigured proxy",
 but only if sgerror is displayed for every blocked connection.

 I'm getting very strange errors depending on using https webinterface or http or different ports:
 ssl error without any hints (browser)
 ssl_error_bad_cert_domain (browser)
 could not retrieve https://http/ (direct from squid)

 I mean where is the problem if squid can successfully block https connects and showing a cert issue ... why not showing sgerror.php?
 PS: Is it possible to make a list of IPs where ssl-bump is not used without using an additional interface?
- 
 Try to use "int error page" 
- 
 nearly the same result:
 http://facebook.com -> blocked with sgerror.php
 https://facebook.com -> ssl error "certificate was generated for other address" (translated error message)
 https://twitter.de -> allowed website works without error
- 
 > http://facebook.com -> blocked with sgerror.php
 Is your block page shown with http or https? I mean sgerror.php
- 
 after I solved that ssl error I get the following message from squid:
 could not retrieve hostname from: https://http/*
 so I think the page is delivered with http and the browser wants to open https://http://sgerror.php….
 I think you can set this up with the webConfigurator setting (System -> Advanced)
 if I change to https webConfigurator I get the same error with https://https/*

 I think the problem is located somewhere in how squid reads the request (from squid.log):
 transparent setting: only IP as gateway and nothing else: https://www.facebook.com
 configured as non transparent and setup with wpad or manual: www.facebook.com:443

 my next try will be a setup from scratch to prevent configuration problems because of massive testing
- 
 Let me know if you get this sorted. Sounds like a similar issue to what I'm having.
- 
 Ok…
 configured new pfSense in VM.
 everything stays the same. It is impossible to tell squid to redirect correctly.

 NON - Transparent with or without ssl - man in the middle:
 http://example.com blocked and redirect to sgerror.php
 https://example.com blocked but NO REDIRECT

 same setup only enabling the transparent setting:
 everything works

 I believe it's a bug. during my configurations there were so many bugs in reloading config or something like SquidGuard stops working after setting something completely different...
- 
 > https://example.com blocked but NO REDIRECT
 Can you open the block page with https itself? just type https://YOURIP/sgerror.php
 Check if you disallow numeric URLs, if yes - add your pfSense to exclusion.
- 
 Opening the blockpage itself depends on the webConfigurator http or https setting. Both work.
 it doesn't matter if I choose internal or external page.
 The only problem here is the default redirect of the blacklist advertisement filter that redirects to the IP with a domain cert error instead of the fqdn without error ;)
 (this could be managed with the webConfigurator setting)

 the very interesting thing is, that everything is working nicely in transparent mode (with ssl-bump) and gateway setting via dhcp. Everything except some strange cert errors because there is a lack of options for squid to correctly mimic the server cert…
 (for example if www.example.com loads js from www.cd.example.com -> squid is too dumb to generate a different cert for a different connection and so you get cert domain errors)
- 
 "Do not allow IP-Addresses in URL" doesn't matter… :(
- 
 End Workaround: I changed the squid error page to sgerror.php
 Better the users get a blocked message than proxy errors.. but … crap
- 
 According to Amos Jeffries, a squid developer/maintainer, it's a browser problem: http://www.squid-cache.org/mail-archive/squid-users/201202/0216.html 
- 
 Hi all.
 Is there any update on this case?
 I have exactly the same problem with a pfSense version 2.3.2.
 Thanks.
 Regards.
 Olivier.
- 
 Hi, Me too. Any advice? 
- 
 > End Workaround: I changed the squid error page to sgerror.php
 > Better the users get a blocked message than proxy errors.. but … crap
 Hi, How to change the squid error page to sgerror.php? Thanks.
- 
 I reported this issue as a bug in https://redmine.pfsense.org/issues/6777
 I hope that the programmers can help us; in my situation, this issue is present in pfSense 2.3.2
- 
 Resurrecting this thread… I'm having similar issues, more... even when the external error page is loaded, no CSS on that page is applied.
- 
 After some search, it's standard behavior in browsers. See this: https://bugzilla.mozilla.org/show_bug.cgi?id=479880
 So any page blocked by Squid(+SquidGuard) that is HTTPS will not display the error page, just the generic error message from the browser on a tunnel connection error.
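The difference the thread keeps circling around is visible in the squidGuard log lines quoted at the top (GET REDIRECT versus CONNECT REDIRECT). The following diagnostic is an added example, not code from the thread or from pfSense/Squid: it classifies such log lines and can send a raw CONNECT to an explicit proxy to show the non-2xx reply that a browser receives and then hides behind its own error page. Proxy host, port (3128 as an assumption) and target host are placeholders to replace with your own.

```python
import re
import socket

# squidGuard log lines as quoted in this thread:
#   <url> Request(<source>/<target>/-) - <METHOD> <ACTION>
LOG_RE = re.compile(
    r"^(?P<url>\S+)\s+Request\((?P<rule>[^)]*)\)\s+-\s+(?P<method>[A-Z]+)\s+(?P<action>[A-Z]+)"
)

def classify(line: str) -> dict:
    """Explain what the user will see for one squidGuard log line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised squidGuard log line: {line!r}")
    url, method, action = m["url"], m["method"], m["action"]
    if action != "REDIRECT":
        verdict = "allowed, page loads"
    elif method == "CONNECT":
        # Explicit (non-transparent) proxy: the browser asked for a TLS tunnel.
        # The 302 to sgerror.php is a non-2xx reply to CONNECT, which browsers
        # neither render nor follow, so the user only sees a tunnel/cert error.
        verdict = "blocked, sgerror.php NOT shown (non-2xx reply to CONNECT)"
    else:
        # Plain HTTP GET, or a bumped "GET https://..." in transparent mode:
        # squid sees an ordinary request, so the 302 is an ordinary redirect.
        verdict = "blocked, sgerror.php shown (302 on a GET is honoured)"
    return {"url": url, "method": method, "action": action, "verdict": verdict}

def interpret_connect_reply(raw: bytes) -> dict:
    """Parse a proxy's reply to CONNECT: only a 2xx status opens the tunnel."""
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split()
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return {"status_line": status_line, "status_code": code,
            "tunnel_opened": 200 <= code < 300}

def connect_probe(proxy_host: str, proxy_port: int, target: str,
                  timeout: float = 5.0) -> dict:
    """Send a raw CONNECT through an explicit proxy (assumed: your pfSense
    box on port 3128) and return the status the browser receives. Anything
    other than 2xx, e.g. squidGuard's 302, is what the browser hides."""
    req = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode()
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(req)
        reply = s.recv(4096)
    return interpret_connect_reply(reply)
```

Run `connect_probe("192.0.2.1", 3128, "www.example.com:443")` against your own proxy to see the exact status line squid returns for a blocked HTTPS host.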
- 
 any updates on this ? 
- 
 > any updates on this ?
 No because it is not a bug, it's working in the only way that it can with SSL/TLS.
