Netgate Discussion Forum

The following error was encountered while trying to retrieve https://http/*

Cache/Proxy
  • M
    mzmrk
    last edited by Aug 13, 2017, 12:26 PM Aug 13, 2017, 12:21 PM

    I am getting this error:
    ERROR

    The requested URL could not be retrieved

    The following error was encountered while trying to retrieve the URL: https://http/*

    Unable to determine IP address from host name http

    The DNS server returned:

    Name Error: The domain name does not exist.
    This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.

    Your cache administrator is admin@localhost.

    SquidGuard is broken for https out of the box. You need to configure Common ACL -> Target Rules List -> Default access [all] to Allow, then save. Then click Apply in the General settings tab.

    My best bet is that Default access has no block page configured for some reason. If anyone knows how to get Default access to deny working please let me know.

    Here is my working SquidGuard configuration step by step tested on pfSense 2.3.4-RELEASE-p1 (amd64):

    1. Download any blacklist - www.shallalist.de for example.

    - General Settings -> Blacklist options -> check to enable blacklist
      - Put in Blacklist URL: http://www.shallalist.de/Downloads/shallalist.tar.gz
      - Hit save.
      - Go to Blacklist tab.
      - Hit download (Black list url is already there)
      - Wait for it to finish downloading.

    2. You need to configure your blacklist default to Allow state (the default state, which is Deny all, is what causes the https://http/* error)

    - Go to Common ACL Tab
      - Hit plus button on Target Rules List
      - Scroll down to Default access [all], set access to allow
      - Set other categories that you want to be blocked to deny.
      - Hit save at the bottom of the page.
      - Go to General settings Tab.
      - Click Apply at the top of the page so your settings will be applied from the Common ACL Tab.

    Check if https sites load properly now.
    Remember to clear the cache from before playing with pfsense from your browser, or it will show you the old state of web filtering.

    I wrote this post so long for future googlers, in case they ever encounter this error that I wasted way too much time on.

    The real question is how to set Default access [all] to deny without getting the https://http/* error for all https URLs?
    • L
      loboferoz
      last edited by Nov 27, 2017, 4:47 AM

      Nope, this does not work, tested several times on pfsense 2.4.2

      • R
        rmr85
        last edited by Dec 6, 2017, 4:50 PM

        I'm having the same problem here on pfSense 2.4.2 (amd64) Transparent Proxy HTTP/HTTPS + Squidguard.
        If I disable Squidguard all works well.

        Any help?

        • I
          Impatient
          last edited by Dec 6, 2017, 5:30 PM

          It is not supposed to work with Default access [all] to deny.

          • V
            Voxnod
            last edited by Nov 1, 2018, 4:10 AM

            It worked for me. PfSense 2.4.4 (amd64) Squid + Squidguard.

              • B
                bluegrass-168
                last edited by Jan 6, 2020, 9:48 AM

                I have the same error with Default access [all] set to allow already.

                Does anyone know the solution and can help? Please.

                • C
                  cavaco
                  last edited by May 23, 2020, 10:20 PM

                  This is happening to me... Squid with SquidGuard active, and the Common ACL with the settings described in the first post, but it's not working... Did you guys get it working?

                  • C
                    coffeelover
                    last edited by Jul 29, 2020, 1:11 PM

                    You have to append

                    url_rewrite_access deny CONNECT
                    url_rewrite_access allow all

                    to your squid custom options to make the redirect page work in SSL MITM mode.

                    • S
                      sonerzin @coffeelover
                      last edited by Jul 30, 2020, 8:31 AM

                      @coffeelover said in The following error was encountered while trying to retrieve https://http/*:

                      You have to append

                      url_rewrite_access deny CONNECT
                      url_rewrite_access allow all

                      to your squid custom options to make the redirect page work in SSL MITM mode.

                      Where exactly do you put those options? Custom Options (Before Auth) / Custom Options (After Auth) / Custom Options (SSL/MITM)?

                      SSL/MITM Mode: Splice All, Splice Whitelist, bump otherwise or Custom?

                      Thanks!

                      • C
                        coffeelover
                        last edited by Jul 30, 2020, 2:15 PM

                        I put these in "Custom options (before auth)"

                        And for complete filtering (URLs instead of domains) of SSL-Traffic via squidguard you have to set the mode to "Splice whitelist, bump otherwise".

                        Splice: Do not break the SSL Connection
                        Bump: Break the SSL Connection (Proxy CA on Clients needed)

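An added example, not part of any post in this thread: a POSIX shell check that reads squid.conf text and reports whether a CONNECT request would still be handed to the URL rewriter (SquidGuard), given the `url_rewrite_access` lines discussed above. It assumes Squid's top-to-bottom, first-match rule evaluation and understands only the ACL names `CONNECT` and `all`; the function name and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Prints one word for a CONNECT request,
# reading squid.conf text on stdin:
#   rewritten - CONNECT is handed to the URL rewriter (SquidGuard)
#   skipped   - CONNECT bypasses the rewriter (what the posted lines achieve)
#   unknown   - the outcome depends on an ACL this script cannot evaluate
# Assumption: ACLs on one line are ANDed, and the first matching line decides.
connect_rewrite_verdict() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        $1 != "url_rewrite_access" { next }
        {
            rules++
            state = "match"
            for (i = 3; i <= NF; i++) {
                if ($i == "CONNECT" || $i == "all") continue
                if ($i == "!CONNECT" || $i == "!all") { state = "miss"; break }
                state = "unknown"               # some other ACL name
            }
            if (state == "miss") next           # rule cannot match CONNECT
            hit = 1
            if (state == "unknown") print "unknown"
            else print ($2 == "allow" ? "rewritten" : "skipped")
            exit
        }
        END {
            # No url_rewrite_access lines at all: Squid sends every request
            # to the rewriter. Lines present but none matched: not decided here.
            if (!hit) print (rules ? "unknown" : "rewritten")
        }
    '
}

# Constructed sample configs (not taken from any real system).
fixed_conf='url_rewrite_access deny CONNECT
url_rewrite_access allow all'
swapped_conf='url_rewrite_access allow all
url_rewrite_access deny CONNECT'

printf 'as posted: %s\n' "$(printf '%s\n' "$fixed_conf"   | connect_rewrite_verdict)"
printf 'swapped:   %s\n' "$(printf '%s\n' "$swapped_conf" | connect_rewrite_verdict)"
```

The swapped order shows why the two lines must be appended in the order given: with `allow all` first, the `deny CONNECT` line is never reached.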
                        • D
                          Dacosta
                          last edited by Dec 2, 2020, 1:48 AM

                          Hi Coffee Lover,

                          I got this error after I added the lines as you suggested:

                          Fastly error: unknown domain: yahoo.com. Please check that this domain has been added to a service.

                          Details: cache-sin18030-SIN

                          Please help.

                          • M
                            Michele Trotta @coffeelover
                            last edited by Jul 22, 2021, 9:39 AM

                            @coffeelover Thanks I have solved it

                            • J
                              jpattard
                              last edited by Aug 26, 2021, 6:30 AM

                              I cannot make this work with the latest version of pfSense. Anything else I should check?

                              • R
                                robirf
                                last edited by Sep 4, 2021, 2:13 PM

                                I have the same problem. When I'm not using SSL interception, the page shown is in the picture below.
                                login-to-view

                                But when I activate SSL interception, the page shown is below.
                                So I've tried to add the lines that you mentioned before, but that did not solve it for me.

                                login-to-view

                                • N
                                  nilux17 @robirf
                                  last edited by Sep 24, 2021, 11:32 AM

                                  same issue

                                  • A
                                    aGeekhere
                                    last edited by aGeekhere Sep 25, 2021, 2:11 AM Sep 25, 2021, 2:11 AM

                                    Try
                                    https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3

                                    WPAD as your main setup
                                    and transparent proxy to catch the rest.

                                    Never Fear, A Geek is Here!

                                    • N
                                      nilux17 @aGeekhere
                                      last edited by nilux17 Sep 28, 2021, 8:16 AM Sep 28, 2021, 8:13 AM

                                      Thx,
                                      actually, I've already set up a WPAD, but I put a "return direct".
                                      Changing it to a "return proxy ..." seems to do the trick.

                                      I didn't investigate "more than that", but a Windows 10 laptop, even with a proxy configuration, tries to connect on 443 for a lot of things.
                                      Android apps too...

                                      • A
                                        aGeekhere @nilux17
                                        last edited by Sep 28, 2021, 8:28 AM

                                        @nilux17 In Internet properties lan settings
                                        Is Automatically detect settings checked?

                                        Sounds like you are going through the transparent proxy rather than the WPAD

                                        Never Fear, A Geek is Here!

                                        • N
                                          nilux17 @aGeekhere
                                          last edited by Sep 28, 2021, 10:22 AM

                                          @ageekhere
                                          Yep, of course!

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.