Netgate Discussion Forum
    SSL Filtering blocks some windows apps (Dropbox, Anydesk and etc.)

    Category: Cache/Proxy · 12 Posts · 4 Posters · 7.1k Views
    emammadov:

      I am using Squid proxy inside pfSense and added dropbox.com, but it didn't work.

      [screenshot attached: squid.jpg]

      Elvin

    pfsensation:

        This is an annoying security feature, as mentioned before, called Certificate Pinning. It's there to stop MITM attacks like the one you are doing. I have a similar configuration to yours, but I've had to set up bypasses via Squid for apps which use Certificate Pinning to make them work.

    emammadov:

          Thank you very much for your help. I changed SSL/MITM Mode to Splice All. It works now. But Splice All says "Content filtering (such as Antivirus) will not be available for SSL sites." Then keeping ClamAV Antivirus turned on doesn't make sense?

          Elvin

    sichent (Banned):

            Revert the Splice All setting (it actually means no HTTPS filtering) and try adding .dropbox.com (note the leading dot!!) to the SSL filter exclusions.

    emammadov:

              Actually, I tested HTTPS sites with Splice All, and it worked.
              I reverted from Splice All to Splice Whitelist, Bump Otherwise and added .dropbox.com in Bypass Proxy for These Destination IPs under Transparent Proxy Settings. When saving the settings, it gives an error: "Bypass proxy for these destination IPs' entry '.dropbox.com' is not a valid IP address, hostname, or alias."

              Elvin

    doktornotor (Banned):

                That is not the place. The place is ACLs - Whitelist.

    emammadov:
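For readers who want to see what "Splice Whitelist, Bump Otherwise" with a whitelist entry amounts to in raw Squid terms (the mode sichent and doktornotor are steering towards above), here is an added example of the equivalent squid.conf directives. This is not the configuration the pfSense package generates and not something any poster in this thread provided; the listening ports, the CA certificate path and the ACL names (pinned_hosts, step1) are assumptions chosen for illustration.

```squid
# Transparent-proxy listeners. ssl-bump on the HTTPS port lets Squid look at
# TLS sessions; the CA path is an assumption (pfSense stores its own copy).
http_port  3129 intercept
https_port 3130 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/usr/local/etc/squid/ca.pem
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M 4MB

# Step 1: peek at the ClientHello to learn the requested server name (SNI)
# without terminating TLS. In intercept mode the destination is only an IP
# until this step, so a domain-based ACL cannot match before it.
acl step1 at_step SslBump1
ssl_bump peek step1

# Hosts whose clients pin certificates: pass the TLS session through untouched
# ("splice"), so the client sees the real certificate and pinning succeeds.
# The leading dot matches the domain and every subdomain under it, which is
# the same convention the whitelist ACL in the thread uses.
acl pinned_hosts ssl::server_name .dropbox.com
ssl_bump splice pinned_hosts

# Everything else is bumped: Squid terminates TLS with a certificate signed by
# its CA, so ClamAV and URL filtering can see the decrypted content.
ssl_bump bump all

# For comparison, "Splice All" in the pfSense UI collapses to this single rule:
# no TLS is ever terminated, so no HTTPS content reaches ClamAV or any filter.
#ssl_bump splice all
```

Two checks worth doing before concluding a whitelist entry "didn't work": confirm in Squid's access.log which server names are actually being bumped, because a pinned client often talks to more than one hostname and every one of them has to be spliced; and confirm the client is sending SNI at all, since ssl::server_name has nothing to match on otherwise. The trade-off is the one the UI warning states: each spliced host is invisible to ClamAV, so the whitelist should stay as short as the pinned applications allow.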

                  Thanks, I will try it. But what about my router using DHCP relay? Then I have to add the certificate on each mobile phone too?

                  Elvin

    pfsensation:

                    @emammadov:

                    Thanks, I will try it. But what about my router using DHCP relay? Then I have to add the certificate on each mobile phone too?

                    Don't use the router for DHCP. Use pfSense as the DHCP server, so you can configure WPAD (so devices can auto-discover your proxy); there are guides already on how to do that. Export the CA certificate from pfSense and install it on all your mobile devices. If you have Android devices, note that there are extra steps involved. Android doesn't support WPAD or any auto discovery by default, so you'll have to set that up manually. On iOS devices, just set the proxy to automatic and it should pick it up from WPAD.

                    Also, are you using SquidGuard to do the filtering? For mobile devices... you'll find a lovely surprise of apps not working due to certificate pinning. I've been through all this myself and have set up bypasses for most of them.

    emammadov:

                      Sorry, I mean the Wi-Fi router, which is using DHCP relay to pfSense. Actually, it becomes annoying to import the CA certificate on each PC and mobile device.
                      I added .dropbox.com to ACLs - Whitelist in Squid Proxy, but it didn't work either. It only works with Splice All. For example: I created a group of some HTTPS websites and denied them in Squid Proxy, and then tested; it worked okay, it shows that it is forbidden by the administrator. Also Dropbox and some other apps in Windows started working. I think it means SSL filtering works well for HTTP and HTTPS websites.
                      But Splice All says "Content filtering (such as Antivirus) will not be available for SSL sites." Then keeping ClamAV Antivirus turned on doesn't make sense?

                      Elvin

    doktornotor (Banned):

                        @emammadov:

                        Then keeping ClamAV Antivirus turned on doesn't make sense?

                        "Content filtering (such as Antivirus) will not be available for SSL sites"

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.