Netgate Discussion Forum

    Filtering HTTPS / SSL Traffic on pfSense 2.1 using Squid Proxy

    44 Posts 27 Posters 167.1k Views
    • NetVicious

      On 2.2.2-RELEASE (i386) with these package versions:

      • squid3 0.2.8
      • squidGuard 1.9.14
      • squidGuard-devel 1.5_1beta pkg v.1.5.6

      I get one error saying squid needs the module to bypass SSL:

      # squid -k check
      2015/05/22 14:15:33| FATAL: tproxy/intercept on https_port requires ssl-bump which is missing.
      FATAL: Bungled /usr/local/etc/squid/squid.conf line 7: https_port 127.0.0.1:3129 intercept
      Squid Cache (Version 3.4.10): Terminated abnormally.
      CPU Usage: 0.024 seconds = 0.018 user + 0.006 sys
      Maximum Resident Size: 36000 KB
      Page faults with physical i/o: 0

      It seems we need a new package from the pfSense developers.

      ..//\/ e t . \/ i c i o u s ..
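The FATAL line in the post above comes from a rule Squid applies to each `https_port` directive: one that uses `intercept` or `tproxy` must also carry the `ssl-bump` option. The check below is an added example, not part of the original post or of the pfSense package; the sample config is constructed around the one line quoted in the post, and the `cert=` path is a placeholder.

```python
# Added example: flag https_port lines that Squid would refuse to load with
# "tproxy/intercept on https_port requires ssl-bump which is missing".
INTERCEPT_FLAGS = {"intercept", "tproxy"}


def find_unbumped_https_ports(conf_text):
    """Return [(line_no, directive)] for every https_port that uses
    intercept/tproxy without the ssl-bump option."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        tokens = line.split()
        if tokens[0] != "https_port":
            continue
        options = set(tokens[2:])  # tokens[1] is the listen address
        if options & INTERCEPT_FLAGS and "ssl-bump" not in options:
            findings.append((line_no, line))
    return findings


# Constructed sample; only the https_port line is taken from the post.
BROKEN_CONF = """\
# constructed squid.conf excerpt
http_port 192.168.1.1:3128
http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept
"""

# Same excerpt with ssl-bump added. The cert= path is a placeholder.
FIXED_CONF = BROKEN_CONF.replace(
    "https_port 127.0.0.1:3129 intercept",
    "https_port 127.0.0.1:3129 intercept ssl-bump cert=/path/to/proxy-ca.pem",
)

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        hits = find_unbumped_https_ports(conf)
        print(name, "->", hits if hits else "no intercepting https_port without ssl-bump")
```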

      • NetVicious

        Hi! Any progress on the squid update to fix the HTTPS filtering problem we have on 2.2.2?

        ..//\/ e t . \/ i c i o u s ..

        • lockye

          I have everything set up and it is filtering HTTPS sites correctly, but I do have a couple of issues with using iPads/Androids on the network.

          I have installed the certificates but it seems that some of the apps do not like going through the man-in-the-middle filtering: the app store, banking apps and Facebook, to name a few.

          Is there a way to set up some sites to bypass the proxy filtering completely?

          • KOM

            > Is there a way to set up some sites to bypass the proxy filtering completely?

            The main Squid config page has this option:

            Bypass proxy for these destination IPs

            • lockye

              KOM

              I have tried using the bypass proxy with Apple's iTunes store address but for some reason I cannot get it to work for various apps.

              • nhgdesign

                I have about 70 workstations on the network.

                Installing a certificate in each and every browser would be a terrible idea for me.

                :o

                Using: Pfsense 2.2.4-RELEASE (amd64)

                • KOM

                  > Installing a certificate in each and every browser would be a terrible idea for me.

                  And everyone else, too.  That's why WPAD is, IMO, the preferred method.

                  • nhgdesign

                    How about using E2Guardian? Although I can't find it in the packages available, it's probably being ported sometime soon. I've read somewhere that it supports HTTPS filtering.

                    Using: Pfsense 2.2.4-RELEASE (amd64)

                    • KOM

                      I haven't paid it much attention as I don't need a heavy content filter, just a simple URL filter.  Others have likened it to a substitute for DansGuardian but I have no knowledge of that.

                      • sichent Banned

                        Updated the guide for pfSense 2.3 and web safety 4.4 - http://docs.diladele.com/tutorials/filtering_https_traffic_squid_pfsense/index.html

                        • alex_lebbrom

                          Question: can I filter HTTPS traffic, but not on all websites? For example, we could open bank websites but we couldn't open social networks?

                          Thanks,

                          Alexis Rondon

                          • sichent Banned

                            Hate to say it, but not in the pfSense version :( In pfSense, SSL filtering settings are managed by pfSense's Squid GUI. In the Linux version there are two modes - bump all or filter targeted. And it is also possible to bump by categories - i.e. never bump banks.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.