Netgate Discussion Forum
    Squid Proxy -> SSL Man-in-the-middle Filtering & SSL CA

    Category: Cache/Proxy. 23 Posts, 12 Posters, 23.2k Views
    m01maikler

      I have the same problem; any solution? I searched for information about it and have not found anything yet. I made a new installation with version 2.3.1 and updated pfSense to 2.3.1_1, and the problem continues. The error is present after installing SquidGuard.

      I have set up Squid in transparent mode with SSL filtering + Squidguard

      Please help

      dgr92

        I'm having the same issue. Explicit proxy with HTTPS. When a request is blocked, the certificate that is served has a common name of "http". I have tried tweaking settings, to no avail. Does anyone have any ideas?

        Squid Proxy Interfaces LAN for HTTP and HTTPS
        Resolve DNS IPv4 First ENABLED
        No transparent proxy
        SSL Filtering Completed with a local CA (able to generate certificates for allowed requests without error)
        Remote Cert Checks: Have tried both options, currently set to Accept remote server certificate with errors
        Certificate Adapt: All three properties enabled
        Antivirus: Disabled
        Authentication: Disabled

        KOM

          I'm having the same issue. Explicit proxy with HTTPS. When a request is blocked the certificate that is served

          Maybe I've been away from this for too long, but I thought you didn't need to worry about certificates and their related options when running in explicit mode. I run explicit and I don't worry about client certs everywhere, and filtering works fine with SquidGuard.

          pfsensier

            @KOM:

            I'm having the same issue. Explicit proxy with HTTPS. When a request is blocked the certificate that is served

            Maybe I've been away from this for too long, but I thought you didn't need to worry about certificates and their related options when running in explicit mode. I run explicit and I don't worry about client certs everywhere, and filtering works fine with SquidGuard.

            On which pfSense version is it running fine for you?

            AR15USR

              KOM,

              Would you say this is a good post to follow when setting this up?

              https://forum.pfsense.org/index.php?topic=112335.0


              2.6.0-RELEASE

              KOM

                On which pfSense version is it running fine for you?

                2.2.6. I'm still not comfortable with 2.3.x just yet.

                Would you say this is a good post to follow when setting this up?

                I have not gone through it but it looks ok from a quick read.

                aGeekhere

                  If you see any improvements let me know and I will update it.

                  Never Fear, A Geek is Here!

                  dgr92

                    In case anyone else runs into this issue, what solved it for me was editing a line towards the end of this file: /usr/local/etc/squid/squidGuard.conf

                    [Old/Didn't Work]
                    redirect http://10.0.0.1/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

                    [New/Did Work]
                    redirect 302:https://10.0.0.1/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

                    KOM
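A way to find and rewrite such redirect lines across a whole squidGuard.conf, as an added example written for node (it is not code from the thread or from the pfSense squidGuard package). The configuration text inside it is constructed for the demo: the dest and acl names are made up, and 10.0.0.1 is the pfSense LAN address from the post above. Remember that the pfSense package regenerates this file when the SquidGuard settings are applied, so a hand edit is a diagnostic, not a permanent fix.

```javascript
// Added example, not from the thread or the pfSense squidGuard package.
// Finds "redirect" lines that point at the sgerror.php page over plain http
// with no explicit status and rewrites them to the "302:https://" form that
// dgr92 reported as working. The config text below is constructed for the
// demo (dest/acl names are made up; 10.0.0.1 is the LAN address from the post).

const SAMPLE_SQUIDGUARD_CONF = `dbhome /var/db/squidGuard
logdir /var/squidGuard/log

dest blk_ads {
    domainlist blk_ads/domains
    redirect http://10.0.0.1/sgerror.php?url=blank&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
}

dest blk_malware {
    domainlist blk_malware/domains
    redirect 302:https://10.0.0.1/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
}

acl {
    default {
        pass !blk_ads !blk_malware all
        redirect http://10.0.0.1/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
}
`;

// Captures: leading whitespace + keyword, optional "NNN:" status, scheme, rest of URL.
const REDIRECT_RE = /^(\s*redirect\s+)(?:(\d{3}):)?(https?):\/\/(\S+)(\s*)$/;

// Examine one config line. Returns null for non-redirect lines, otherwise
// the original line, the proposed rewrite and the list of problems found.
function auditRedirect(line) {
  const m = REDIRECT_RE.exec(line);
  if (!m) return null;
  const [, prefix, status, scheme, rest, trailing] = m;
  const problems = [];
  if (!status) {
    // Squid's redirector interface treats a bare URL as a URL rewrite (Squid
    // fetches the error page itself); "302:URL" makes Squid send the client a
    // real redirect, which is what dgr92's working line does.
    problems.push("no explicit HTTP status (bare URL is a rewrite, not a redirect)");
  }
  if (scheme === "http") {
    problems.push("error page is plain http while the filtered connection is https");
  }
  return { original: line, fixed: `${prefix}302:https://${rest}${trailing}`, problems };
}

// Audit a whole config. Returns the rewritten text plus one finding per changed line.
function auditConfig(text) {
  const findings = [];
  const lines = text.split("\n").map((line, idx) => {
    const r = auditRedirect(line);
    if (!r || r.problems.length === 0) return line;
    findings.push({ lineNo: idx + 1, ...r });
    return r.fixed;
  });
  return { fixedText: lines.join("\n"), findings };
}

// Stand-alone run: print what would change in the sample config.
if (typeof require !== "undefined" && require.main === module) {
  const { findings } = auditConfig(SAMPLE_SQUIDGUARD_CONF);
  for (const f of findings) {
    console.log(`line ${f.lineNo}: ${f.problems.join("; ")}`);
    console.log(`  - ${f.original.trim()}`);
    console.log(`  + ${f.fixed.trim()}`);
  }
}
```

Run it with `node` against the sample, or read a real file into `auditConfig()`; lines that already carry `302:https://` are reported clean and left untouched.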

                      If you edit pfSense package .conf files manually, they will be overwritten on the next package upgrade.

                      pfsensier

                        None of the above suggestions worked for me.

                        Now I am getting an error web page where the browser recommends closing the page as it would be harmful, with no other option such as "Proceed anyway".

                        I guess that this version of the Squid server is not generating certificates for every website requested by users, which causes an unknown destination.

                        I am unable to explain my guess, but overall Man in the Middle didn't work.

                        KOM

                          I guess that this version of squid server is not generating certificates of every query website requested

                          That's not how it's supposed to work from what I understand. You generate your cert on pfSense and then install that cert on every client that will use the proxy. As you're now finding out, this method is a tremendous hassle. Do yourself a favour and turn off transparent mode & MitM SSL filtering. Configure WPAD to allow your clients to discover the proxy on their own. Clients like Android that can't do WPAD will have to be configured manually.

                          pfsensier
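A minimal proxy auto-configuration (PAC) file of the kind WPAD hands out, as an added example that is not from the thread or from pfSense. It assumes Squid is listening in explicit (non-transparent) mode on the pfSense LAN address 10.0.0.1 (the address in the redirect lines above) on Squid's default port 3128, that the LAN is 10.0.0.0/8, and that the local DNS domain is localdomain (pfSense's default); change those to fit. The small fallback helpers exist only so the file can be exercised under node; when a browser evaluates it, the code prefers the browser's own isPlainHostName/shExpMatch built-ins.

```javascript
// Added example, not from the thread or from pfSense. A PAC file for WPAD:
// serve it as http://wpad.<your-domain>/wpad.dat (and/or via DHCP option 252).
// Assumptions: explicit Squid on 10.0.0.1:3128 (3128 is Squid's default),
// LAN 10.0.0.0/8, local DNS domain "localdomain" (pfSense default).

var SQUID = "PROXY 10.0.0.1:3128";

// --- fallbacks for the PAC built-ins so this file also runs under node ---
function plainHost(host) {
  if (typeof isPlainHostName === "function") return isPlainHostName(host);
  return host.indexOf(".") === -1;
}

function globMatch(str, pattern) {
  if (typeof shExpMatch === "function") return shExpMatch(str, pattern);
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Dotted-quad to integer; null if `s` is not a literal IPv4 address.
function ipToInt(s) {
  var parts = s.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when `host` is a literal IPv4 address inside net/mask. Unlike the
// browser's isInNet() this never resolves names, so it cannot leak a DNS
// query for every URL the browser loads.
function literalIpInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Loopback, single-label intranet names, the firewall itself (where
  // SquidGuard's sgerror.php page is served) and LAN addresses go direct.
  if (host === "localhost" || host === "127.0.0.1" || plainHost(host)) return "DIRECT";
  if (host === "10.0.0.1" || globMatch(host, "*.localdomain")) return "DIRECT";
  if (literalIpInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";

  // This Squid listener only speaks HTTP/HTTPS; other schemes bypass it.
  if (!/^https?:/i.test(url)) return "DIRECT";

  // Deliberately no "; DIRECT" fallback: with one, a client that cannot
  // reach the proxy would silently bypass the filter. Pair this with a
  // firewall rule that blocks LAN -> WAN on 80/443 except from the proxy.
  return SQUID;
}
```

The omitted `; DIRECT` fallback is the security-relevant choice: a PAC file that falls back to a direct connection turns a proxy outage into an unfiltered network, so the filter should be enforced at the firewall as well as in the PAC.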

                            @KOM:

                            I guess that this version of squid server is not generating certificates of every query website requested

                            That's not how it's supposed to work from what I understand.  You generate your cert on pfSense and then install that cert on every client that will use the proxy.

                            Man in the Middle means pfSense will be in between LAN and WAN and will certify each website with the internally created certificate.

                            If this feature does not run as intended, then there is an issue, and turning it off to use WPAD is a workaround. What I am wondering is why it is running with those tutorials for previous pfSense versions.

                            KOM

                              I'm familiar with Man in the Middle. My comment was more about how it doesn't generate a shitload of certificates for every URL.

                              pfsensier

                                :D Finally, I could find the root cause of the whole suffering.

                                The post which Mr. Nachtfalke posted on June 04, 2016, 06:40:15 pm pushed me to try it at home.

                                Special settings:

                                1. I'm not sure whether required or not, I enabled and set up the DNS Resolver service to be used later during the setup of the Squid proxy server.
                                2. I'm not sure whether required or not, I inserted in the Squid proxy settings a bunch of DNS IPs such as 8.8.8.8;8.8.4.4;… ISP DNS IPs.

                                What settings made differences in the results:
                                3) I had the SquidGuard server already installed and running.
                                4) When I disabled the "Groups ACL" which I made to control web filtering over working hours, then Man in the Middle Succeeded !!!
                                5) When I enabled the "Groups ACL" which I made to control web filtering over working hours, then Man in the Middle FAILED !!!!!!!!

                                Conclusion:
                                "SquidGuard + Groups ACL" will negatively impact Man in the Middle in any pfSense version.
                                "SquidGuard + Common ACL" will work fine with Man in the Middle in any pfSense version.

                                I believe this needs to be escalated to the Squid forums to solve it.

                                I feel relieved ::).

                                P.S. Note: I've done all of the above after the new Squid package version was released (v0.4.18).

                                eshh2016

                                  @pfsensier: I just installed the Squid package. Common ACL alone causes this issue too. I am wondering if the issue has been solved yet.

                                  InsomniaNsk

                                    Still no solution?
                                    Maybe it makes sense to go back down to 2.2.6? Does it work fine there?

                                    gsusrafael

                                      Based on Bug #6496, neither Squid nor SquidGuard is filtering SSL in transparent mode:

                                      When we try to access any HTTPS website, we have a problem with the Issued To Common Name, as you can see in the attached screenshot. :'( :'( :'( :'(

                                      [Attachment: SSL Cert Error Issuer CN.png]

                                      rsaanon

                                        Env: pfSense v2.3.2 + Squid 3.5 branch

                                        Seven months later the problem has still not been addressed/resolved. None of the suggestions mentioned in the thread work.

                                        itsharsha24gmail.com

                                          Hi,

                                          I recently installed and played with Squid and SquidGuard on pfSense 2.3.2 (updated to 2.3.2_1). I ran into the same issue. I mean, whenever I enabled SquidGuard with Common ACL, the CN in the certificate issued by Squid was "http", which doesn't make any sense to me. I thought the problem was with the patch, so I installed pfSense 2.3.2 again and tried it; it worked fine. But the reason is not the patch. I had enabled "Do not allow IP-Addresses in URL", and this is causing the issue in my case. I just disabled this and tried, and it is working fine, but whenever I try to enable it I run into issues. It should be fixed if it is a real bug. If this works for anyone, please let me know and I will create this in the pfSense bug list.

                                          Thanks,
                                          Harry.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.