Netgate Discussion Forum
    Squid Proxy -> SSL Man-in-the-middle Filtering & SSL CA

    Cache/Proxy
    23 Posts 12 Posters 23.2k Views
    AR15USR

      KOM,

      Would you say this is a good post to follow when setting this up?

      https://forum.pfsense.org/index.php?topic=112335.0


      2.6.0-RELEASE

      KOM

        Which pfSense version are you running fine with?

        2.2.6.  I'm still not comfortable with 2.3.x just yet.

        Would you say this is a good post to follow when setting this up?

        I have not gone through it but it looks ok from a quick read.

        aGeekhere

          If you see any improvements let me know and I will update it.

          Never Fear, A Geek is Here!

          dgr92

            In case anyone else runs into this issue, what solved it for me was editing a line towards the end of this file: /usr/local/etc/squid/squidGuard.conf

            [Old/Didn't Work]
            redirect http://10.0.0.1/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

            [New/Did Work]
            redirect 302:https://10.0.0.1/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

            KOM

              If you edit pfSense package .conf files manually, they will be overwritten on the next package upgrade.

              pfsensier

                None of the above suggestions worked for me.

                Now I am getting an error web page where the browser recommends closing the page as it would be harmful, with no other option such as "Proceed anyway".

                I guess that this version of the Squid server is not generating certificates for every website requested by users, which causes an unknown destination.

                I am unable to explain my guess, but overall Man in the Middle didn't work.

                KOM

                  I guess that this version of squid server is not generating certificates of every query website requested

                  That's not how it's supposed to work from what I understand.  You generate your cert on pfSense and then install that cert on every client that will use the proxy.  As you're now finding out, this method is a tremendous hassle.  Do yourself a favour and turn off transparent mode & MitM SSL filtering.  Configure WPAD to allow your clients to discover the proxy on their own.  Clients like Android that can't do WPAD will have to be configured manually.

                  pfsensier

                    @KOM:

                    I guess that this version of squid server is not generating certificates of every query website requested

                    That's not how it's supposed to work from what I understand.  You generate your cert on pfSense and then install that cert on every client that will use the proxy.

                    Man in the Middle means pfSense will be in between LAN and WAN and will certify each website with the internal certificate it created.

                    If this feature does not run as intended, then there is an issue, and turning it off to use WPAD is a workaround. What I am wondering is why it is running with those tutorials for previous pfSense versions.

                      KOM

                      I'm familiar with Man in the Middle.  My comment was more about how it doesn't generate a shitload of certificates for every URL.

                        pfsensier

                        :D Finally, I could find the root cause of the whole suffering.

                        The post which Mr. Nachtfalke posted on June 04, 2016, 06:40:15 pm pushed me to try it at home.

                        Special settings:

                        1. I'm not sure whether it is required or not, but I enabled and set up the DNS Resolver service to be used later during the setup of the Squid proxy server.
                        2. I'm not sure whether it is required or not, but I inserted in the Squid proxy settings a bunch of DNS IPs such as 8.8.8.8;8.8.4.4;… ISP DNS IPs.

                        What settings made differences in the results:
                        3. I had the SquidGuard server already installed and running.
                        4. When I disabled the "Groups ACL" which I made to control web filtering over working hours, then Man in the Middle Succeeded !!!
                        5. When I enabled the "Groups ACL" which I made to control web filtering over working hours, then Man in the Middle FAILED !!!!!!!!

                        Conclusion:
                        "SquidGuard + Groups ACL" will negatively impact Man in the Middle in any pfSense version.
                        "SquidGuard + Common ACL" will work fine with Man in the Middle in any pfSense version.

                        I believe this needs to be escalated to the Squid forums to solve it.

                        I feel relieved  ::).

                        P.S. Note: I've done all of the above after the new Squid package version was released (v.0.4.18)

                          eshh2016

                          @pfsensier:

                          :D Finally, I could find the root cause of the whole suffering.

                          The post which Mr. Nachtfalke posted on June 04, 2016, 06:40:15 pm pushed me to try it at home.

                          Special settings:

                          1. I'm not sure whether it is required or not, but I enabled and set up the DNS Resolver service to be used later during the setup of the Squid proxy server.
                          2. I'm not sure whether it is required or not, but I inserted in the Squid proxy settings a bunch of DNS IPs such as 8.8.8.8;8.8.4.4;… ISP DNS IPs.

                          What settings made differences in the results:
                          3. I had the SquidGuard server already installed and running.
                          4. When I disabled the "Groups ACL" which I made to control web filtering over working hours, then Man in the Middle Succeeded !!!
                          5. When I enabled the "Groups ACL" which I made to control web filtering over working hours, then Man in the Middle FAILED !!!!!!!!

                          Conclusion:
                          "SquidGuard + Groups ACL" will negatively impact Man in the Middle in any pfSense version.
                          "SquidGuard + Common ACL" will work fine with Man in the Middle in any pfSense version.

                          I believe this needs to be escalated to the Squid forums to solve it.

                          I feel relieved  ::).

                          P.S. Note: I've done all of the above after the new Squid package version was released (v.0.4.18)

                          I just installed the squid package.  Common ACL alone causes this issue too.  I am wondering if the issue has been solved yet.

                            InsomniaNsk

                            Still no solution?
                            Maybe it makes sense to go down to 2.2.6? Does it work fine there?

                              gsusrafael

                              Based on Bug #6496,

                              neither Squid nor SquidGuard is filtering SSL in transparent mode:

                              When we try to access any HTTPS website, we have a problem with the Issued To Common Name, as you can see on the screenshot attached. :'( :'( :'( :'(

                              ![SSL Cert Error Issuer CN.png](/public/imported_attachments/1/SSL Cert Error Issuer CN.png)

                                rsaanon

                                Env: pfSense v2.3.2 + Squid 3.5 branch

                                Seven months later the problem has still not been addressed/resolved.  None of the suggestions mentioned in the thread work.

                                  itsharsha24gmail.com

                                  Hi,

                                  I recently installed and played with squid and squidGuard on pfSense 2.3.2 (updated with 2.3.2_1). I ran into the same issue. I mean, whenever I enabled squidGuard with Common ACL, the CN in the certificate issued by squid was "http", which doesn't make any sense to me. I thought the problem was with the patch, so I installed pfSense 2.3.2 again and tried it; it worked fine. But the reason is not the patch. I had enabled "Do not allow IP-Addresses in URL", and this is causing the issue in my case. I just disabled this and tried it; it is working fine, but whenever I try to enable this I run into issues. It should be fixed if it is a real bug. If this works for anyone, please let me know and I will create this in the pfSense bug list.

                                  Thanks,
                                  Harry.

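KOM's explanation (the CA generated on pfSense must be installed on every client, otherwise the browser shows the untrusted-certificate warning) and Harry's observation that the bumped certificate carried the CN "http" both come down to what the client actually sees on the TLS connection. The script below is an added example for this thread, not code from pfSense, Squid or any of the posters: it classifies a certificate in the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()` as direct, correctly intercepted, or intercepted with a name that does not match the requested host (the "http" symptom). The CA name `pfSense Squid CA`, the host names and the three sample certificate dictionaries are constructed assumptions; `fetch_peer_cert()` is the live counterpart and validates against the exported pfSense CA file when one is given, so the same failure the browser reports surfaces as `ssl.SSLCertVerificationError`.

```python
"""Classify what a client sees on a TLS connection that may pass through a
Squid SSL-bump (man-in-the-middle) proxy.

Added example for this thread; not pfSense, Squid or SquidGuard code.
Works on the dictionary shape returned by ssl.SSLSocket.getpeercert().
The CA name and all sample certificates below are constructed assumptions.
"""
import socket
import ssl

# Assumed name of the CA created on pfSense and installed on the clients.
EXPECTED_PROXY_CA = "pfSense Squid CA"


def _cn(name):
    """Return the commonName from a getpeercert() subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _hostname_matches(pattern, hostname):
    """Exact match, or a single-label wildcard such as *.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def classify_peer_cert(cert, hostname, proxy_ca_cn=EXPECTED_PROXY_CA):
    """Return one of:
       'direct'            - issuer is not the proxy CA; no interception seen
       'intercepted'       - proxy CA issued a cert whose name matches the host
       'intercepted-badcn' - proxy CA issued a cert, but no name matches the
                             host (the "CN is http" symptom in the thread)
    """
    issuer_cn = _cn(cert.get("issuer", ()))
    if issuer_cn != proxy_ca_cn:
        return "direct"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    subject_cn = _cn(cert.get("subject", ()))
    if subject_cn:
        names.append(subject_cn)
    if any(_hostname_matches(n, hostname) for n in names):
        return "intercepted"
    return "intercepted-badcn"


def fetch_peer_cert(hostname, port=443, cafile=None):
    """Connect and return the peer certificate dict, validated against
    `cafile` (the CA exported from pfSense) or the system trust store when
    cafile is None. An untrusted chain raises ssl.SSLCertVerificationError,
    which is what the browser warning in this thread corresponds to."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format (not captured from a real proxy).
DIRECT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Some Public CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
BUMPED_OK_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", EXPECTED_PROXY_CA),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
BUMPED_BAD_CERT = {  # the shape Harry described: issued by the proxy, CN "http"
    "subject": ((("commonName", "http"),),),
    "issuer": ((("commonName", EXPECTED_PROXY_CA),),),
}

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT_CERT), ("bumped-ok", BUMPED_OK_CERT),
                        ("bumped-bad", BUMPED_BAD_CERT)):
        print(label, "->", classify_peer_cert(cert, "www.example.com"))
```

Run it on a proxied client with `fetch_peer_cert("www.example.com", cafile="/path/to/exported-pfsense-ca.pem")` (path is a placeholder): a result of `intercepted-badcn` reproduces the thread's symptom without guessing from the browser dialog, while a verification error means the proxy CA is not the one the client trusts.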
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.