HTTPS block sgerror only in transparent mode
-
Try to use "int error page"
-
nearly the same result:
http://facebook.com -> blocked with sgerror.php
https://facebook.com -> SSL error "certificate was generated for other address" (translated error message)
https://twitter.de -> allowed website works without error
-
http://facebook.com -> blocked with sgerror.php
Is your block page shown with http or https? I mean sgerror.php
-
After I solved that SSL error I get the following message from squid:
could not retrieve hostname from: https://http/*
So I think the page is delivered with http and the browser wants to open https://http://sgerror.php…. I think you can set this up with the webconfigurator setting (System -> Advanced).
If I change to the https webconfigurator I get the same error with https://https/*
I think the problem is located somewhere in how squid reads the request (from squid.log):
transparent setting: only IP as gateway and nothing else: https://www.facebook.com
configured as non-transparent and set up with WPAD or manual: www.facebook.com:443
My next try will be a setup from scratch to prevent configuration problems because of massive testing.
-
Let me know if you get this sorted. Sounds like a similar issue to what i'm having.
-
Ok…
Configured a new pfSense in a VM.
Everything stays the same. It is impossible to tell squid to redirect correctly.
NON-transparent, with or without SSL man-in-the-middle:
http://example.com blocked and redirected to sgerror.php
https://example.com blocked but NO REDIRECT
Same setup, only enabling the transparent setting:
everything works
I believe it's a bug. During my configurations there were so many bugs in reloading config, or something like squidGuard stops working after setting something completely different...
-
https://example.com blocked but NO REDIRECT:
Can you open the block page with https itself? Just type https://YOURIP/sgerror.php
Check if you disallow numeric URLs, if yes - add your pfSense to exclusion.
-
Opening the block page itself depends on the webconfigurator http or https setting. Both work.
It doesn't matter if I choose the internal or external page.
The only problem here is the default redirect of the blacklist advertisement filter, which redirects to the IP with a domain cert error instead of the FQDN without error ;)
(this could be managed with the webconfigurator setting)
The very interesting thing is that everything is working nicely in transparent mode (with SSL-bump) and the gateway setting via DHCP. Everything except some strange cert errors, because there is a lack of options for squid to correctly mimic the server cert…
(for example, if www.example.com loads JS from www.cd.example.com -> squid is too dumb to generate a different cert for the different connection, and so you get cert domain errors)
-
"Do not allow IP-Addresses in URL" doesnt matter… :(
-
End Workaround: I changed squid error page to sgerror.php
Better the users get blocked message than proxy errors.. but … crap
-
According to Amos Jeffries, a squid developer/maintainer, it's a browser problem:
http://www.squid-cache.org/mail-archive/squid-users/201202/0216.html
-
Hi all.
Is there any update on this case ?
I have exactly the same problem with pfSense version 2.3.2.
Thanks.
Regards.
Olivier.
-
Hi, Me too.
Any advice?
-
End Workaround: I changed squid error page to sgerror.php
Better the users get blocked message than proxy errors.. but … crap
Hi,
How do I change the squid error page to sgerror.php?
Thanks.
-
I reported this issue as a bug in https://redmine.pfsense.org/issues/6777
I hope that the programmers can help us; in my situation this issue is present in pfSense 2.3.2.
-
Resurrecting this thread…
I'm having similar issues, more... even when the external error page is loaded, no CSS on that page is applied.
-
After some searching, it's standard behavior in browsers.
See this: https://bugzilla.mozilla.org/show_bug.cgi?id=479880
So any page blocked by Squid (+SquidGuard) that is HTTPS will not display the error page, just the generic error message from the browser on a tunnel connection error.
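The two squid.log shapes quoted earlier in the thread (a full https://www.facebook.com URL in transparent/ssl-bump mode versus www.facebook.com:443 with a CONNECT in non-transparent mode) and the browser behaviour described in this post can be tied together in a small classifier. The following is an added example, not code from the thread, pfSense or the Squid project: it parses constructed access.log lines in Squid's native format, identifies which requests Squid ever saw as a plain HTTP request (and could therefore answer with a 302 to sgerror.php) and which arrived as a CONNECT tunnel request (where any non-2xx answer is shown by the browser as a generic tunnel error, never as the block page). The sample lines, IPs and timestamps are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in Squid's native access.log format (not from the thread):
# timestamp elapsed client action/status size method url ident hierarchy/peer type
SAMPLE_LOG = """\
1487000000.123    245 192.168.1.10 TCP_MISS/302 512 GET http://facebook.com/ - HIER_NONE/- text/html
1487000001.456    120 192.168.1.10 TCP_DENIED/403 0 CONNECT www.facebook.com:443 - HIER_NONE/- -
1487000002.789     98 192.168.1.10 TCP_MISS/302 512 GET https://www.facebook.com/ - HIER_NONE/- text/html
1487000003.012    310 192.168.1.10 TCP_TUNNEL/200 0 CONNECT twitter.de:443 - HIER_DIRECT/104.244.42.1 -
"""

# Only the leading fixed-position fields are needed for the classification.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


@dataclass
class Verdict:
    method: str
    url: str
    mode: str          # "plain-http", "intercepted-https" or "connect-tunnel"
    redirectable: bool  # can Squid answer this request with a 302 to a block page?
    note: str


def classify(line: str) -> Verdict:
    """Decide whether a block-page redirect is even possible for one log line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised access.log line: {line!r}")
    method, url = m["method"], m["url"]

    if method == "CONNECT":
        # Non-transparent HTTPS: the browser asks for a tunnel to host:443.
        # A 302/403 here is a reply to CONNECT, which browsers render as a
        # tunnel/connection error rather than following the Location header.
        return Verdict(method, url, "connect-tunnel", False,
                       "browser shows its own tunnel error; redirect body is never rendered")
    if url.startswith("https://"):
        # Transparent interception with ssl-bump: Squid sees the decrypted GET and
        # can redirect, but the certificate it presents must match the requested
        # host or the browser raises a certificate warning instead.
        return Verdict(method, url, "intercepted-https", True,
                       "redirect works only with a matching bumped certificate")
    return Verdict(method, url, "plain-http", True, "ordinary 302 to the block page")


def classify_log(text: str) -> list[Verdict]:
    """Classify every non-empty line of an access.log excerpt."""
    return [classify(line) for line in text.splitlines() if line.strip()]


def count_unredirectable(text: str) -> int:
    """How many blocked-or-allowed requests could never show a block page."""
    return sum(1 for v in classify_log(text) if not v.redirectable)


if __name__ == "__main__":
    for v in classify_log(SAMPLE_LOG):
        print(f"{v.method:8} {v.url:32} {v.mode:18} redirectable={v.redirectable}  {v.note}")
```

Run over a real access.log, the count of CONNECT lines with a 403 or 302 status is a quick measure of how many users hit the generic browser error rather than sgerror.php, which is the case this thread ends with.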
-
any updates on this ?
-
any updates on this ?
No because it is not a bug, it's working in the only way that it can with SSL/TLS.