Squid Proxy -> SSL Man-in-the-middle Filtering & SSL CA



  • Env: pfSense: v2.3.1, Squid: v0.4.16_2
    Client Env: Win10 w/ latest Chrome & Firefox browser

    In trying to configure the "SSL Man in the Middle Filtering", I did the following configuration:

    1. Created a CA (Test CA): Specified all textfield entries + Kept all the default entries:
    
           Descriptive Name:
           O=My Company
           emailAddress=xxx@yyy.com
           CN=common-name-internal-ca
    
    2. Specified this Test CA in the "Man in the Middle Filtering" section for the CA
    3. Installed this CA as the Trusted Root Auth.
    4. Enabled SSL Filtering.
      –-------------------------------------------------
      NOTE: I've attached ALL IMAGES.  Please see before reading further.
      On the Windows client machine, when I view the Test CA Cert, it shows: "Issued to: http" which is incorrect.  When creating the CA, I never specified the "issue to" field.
      On both browsers, I get errors:
          Chrome:  ERR_CERT_COMMON_NAME_INVALID

    Finally, the Squid reports ERROR: Unable to determine IP address from host name "http" (which is the value of the issued-to in the certificate that was never specified).








  • I am facing same exact issue on the same pfsense version 2.3.1 update 1



  • No problem here, with squid and same pfsense version.

    Can you set the "Certificate adapt" options in squid? Select all three.



  • Hi,

    for curiosity I got the same problem today, too. But I could solve/workaround it.

    So what happened:

    Everything worked fine first
    I added "Target categories" containing regular expressions to these target categories
    I set these categories to "deny" on the "Common ACL" and clicked "Save" - everything still OK
    I clicked on "Save" on Squidguard "General Settings" and the Error appeared.
    I set the categories back to "–-" on "Common ACL" and clicked save and then "Save" again on the "General Settings" tab of SquidGuard. Everything working again.

    So I don't know what exactly happened that caused the problem, but it looks like it has something to do with the squidguard filters.

    PS:
    I wanted to add very long regular expression lists to one "Target category" but it caused pfsense to crash and restore the old config file. I had to tighten the regular expression list to get it to "work". At the end I had 10 target categories instead of one - but as I explained above - I could not use it because of the certificate error.

    Kind regards!



  • I have the same problem, any solution? I searched for information about it and have not found anything yet. I made a new installation with version 2.3.1 and updated to pfsense 2.3.1_1, and the same problem continues. The error is present after installing squidguard.

    I have set up Squid in transparent mode with SSL filtering + Squidguard

    Please help



  • I'm having the same issue. Explicit proxy with HTTPS. When a request is blocked the certificate that is served has a common name of "http". I have tried tweaking settings to no luck. Does anyone have any ideas?

    Squid Proxy Interfaces LAN for HTTP and HTTPS
    Resolve DNS IPv4 First ENABLED
    No transparent proxy
    SSL Filtering Completed with a local CA (able to generate certificates for allowed requests without error)
    Remote Cert Checks: Have tried both options, currently set to Accept remote server certificate with errors
    Certificate Adapt: All three properties enabled
    Antivirus: Disabled
    Authentication: Disabled



  • I'm having the same issue. Explicit proxy with HTTPS. When a request is blocked the certificate that is served

    Maybe I've been away from this for too long, but I thought you didn't need to worry about certificates and their related options when running in explicit mode.  I run explicit and I don't worry about client certs everywhere, and filtering works fine with squidguard.



  • @KOM:

    I'm having the same issue. Explicit proxy with HTTPS. When a request is blocked the certificate that is served

    Maybe I've been away from this for too long, but I thought you didn't need to worry about certificates and their related options when running in explicit mode.  I run explicit and I don't worry about client certs everywhere, and filtering works fine with squidguard.

    On which pfsense version are you running fine with?



  • KOM,

    Would you say this is a good post to follow when setting this up?

    https://forum.pfsense.org/index.php?topic=112335.0



  • On which pfsense version are you running fine with?

    2.2.6.  I'm still not comfortable with 2.3.x just yet.

    Would you say this is a good post to follow when setting this up?

    I have not gone through it but it looks ok from a quick read.



  • If you see any improvements let me know and I will update it.



  • In case anyone else runs into this issue, what solved it for me was editing a line towards the end of this file: /usr/local/etc/squid/squidGuard.conf

    [Old/Didn't Work]
    redirect http://10.0.0.1/sgerror.php?url=403 &a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

    [New/Did Work]
    redirect 302:https://10.0.0.1/sgerror.php?url=403 &a=%a&n=%n&i=%i&s=%s&t=%t&u=%u



  • If you edit pfSense package .conf files manually, they will be overwritten on the next package upgrade.
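Added example, not part of any post in this thread: a small check, based on the workaround in the post above, that flags squidGuard `redirect` directives that are not in the `302:https://` form (that post changed both the prefix and the scheme, so either difference is reported). Because manual edits are overwritten on package upgrades, it can be rerun afterwards; the sample config, its block names and the function name are constructed for illustration.

```python
import re

# Constructed sample in squidGuard.conf layout; names and addresses are made up.
SAMPLE_CONF = """\
dest blk_regex {
    expressionlist blk_regex/expressions
    redirect http://10.0.0.1/sgerror.php?url=blocked
}

acl {
    default {
        pass !blk_regex all
        # redirect http://10.0.0.1/commented-out
        redirect 302:https://10.0.0.1/sgerror.php?url=403
    }
}
"""

REDIRECT = re.compile(r"^redirect\s+(\S+)")


def audit_redirects(conf_text):
    """Return (line_no, block, target, problems) for each redirect that
    differs from the '302:https://' form reported to work in the thread."""
    findings, blocks = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments
        if line.endswith("{"):
            blocks.append(line[:-1].strip())   # entering a named block
            continue
        if line == "}":
            if blocks:
                blocks.pop()                   # leaving the innermost block
            continue
        m = REDIRECT.match(line)
        if not m:
            continue
        target, problems = m.group(1), []
        has_prefix = target.startswith("302:")
        if not has_prefix:
            problems.append("no 302: status prefix")
        url = target[4:] if has_prefix else target
        if not url.lower().startswith("https://"):
            problems.append("error page URL is not https")
        if problems:
            findings.append((line_no, "/".join(blocks), target, problems))
    return findings
```

Calling `audit_redirects(open("/usr/local/etc/squid/squidGuard.conf").read())` on the firewall lists each directive to review, with its line number and enclosing block.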



  • None of above suggestions worked for me.

    Now I am getting an error webpage where the browser recommends closing the page as it would be harmful, with no other option such as (Proceed anyway).

    I guess that this version of squid server is not generating certificates of every query website requested by users which cause unknown destination.

    I am unable to explain my guess but overall Man in the Middle didn't work.



  • I guess that this version of squid server is not generating certificates of every query website requested

    That's not how it's supposed to work from what I understand.  You generate your cert on pfSense and then install that cert on every client that will use the proxy.  As you're now finding out, this method is a tremendous hassle.  Do yourself a favour and turn off transparent mode & MitM SSL filtering.  Configure WPAD to allow your clients to discover the proxy on their own.  Clients like Android that can't do WPAD will have to be configured manually.



  • @KOM:

    I guess that this version of squid server is not generating certificates of every query website requested

    That's not how it's supposed to work from what I understand.  You generate your cert on pfSense and then install that cert on every client that will use the proxy.

    Man in the Middle means pfsense will be in between LAN and WAN and will certify each website the internal certificate created.

    If this feature does not run as intended to be, then there is an issue and turn it off to use WPAD is a workaround. What I am wondering of why it is running with those tutorials of previous pfsense versions.



  • I'm familiar with Man in the Middle.  My comment was more about how it doesn't generate a shitload of certificates for every URL.



  • :D Finally, I could find the cause root for the whole suffering.

    The post which Mr. Nachtfalke posted in June 04, 2016, 06:40:15 pm pushed me to try it at home.

    Special settings:

    1. I'm not sure whether required or not, I enabled and set up (DNS Resolver) service to be used later during the setup of Squid proxy server.
    2. I'm not sure whether required or not, I inserted in the Squid proxy settings a bunch of DNS IPs such as 8.8.8.8;8.8.4.4;… ISP DNS IPs.

    What settings made differences in the results:

    1. I had SquidGuard server already installed and running.
    2. When I disabled the "Groups ACL" which I made to control webfiltering over working hours, then Man in the Middle Succeeded !!!
    3. When I enabled the "Groups ACL" which I made to control webfiltering over working hours, then Man in the Middle FAILED !!!!!!!!

    Conclusion:
    "SquidGuard + Groups ACL" will negatively impact Man in the Middle in any pfSense version.
    "SquidGuard + Common ACL" will work fine with Man in the Middle in any pfSense version.

    I believe this needs to be escalated to Squid forums to solve it.

    I feel relieved  ::).

    P.S. Note: I've done all of the above after the new Squid version released out (v.0.4.18)



  • @pfsensier:

    I just installed squid package.  Common ACL alone causes this issue too.  I am wondering if the issue has been solved yet.



  • Still no solution?
    Maybe it makes sense to go down to 2.2.6? Does it work fine there?



  • Based on the Bug #6496,

    Neither Squid nor SquidGuard is filtering SSL in transparent mode:

    When we try to access any HTTPS website, we have a problem with the Issued To Common Name as you can see on the screenshot attached. :'( :'( :'( :'(

    ![SSL Cert Error Issuer CN.png](/public/imported_attachments/1/SSL Cert Error Issuer CN.png)



  • Env: pfSense v2.3.2 + Squid 3.5 branch

    Seven months later the problem has still not been addressed/resolved.  None of the suggestions mentioned in the thread work.



  • Hi,

    I recently installed and played with squid and squidGuard on pfsense 2.3.2 (updated with 2.3.2_1). I ran into the same issue. I mean, whenever I enabled squidGuard with common ACL, the CN in the certificate issued by squid is "http", which doesn't make any sense to me. I thought the problem was with the patch, so I installed pfsense 2.3.2 again and tried; it worked fine. But the reason is not the patch. I enabled "Do not allow IP-Addresses in URL"; this is causing the issue in my case. I just disabled this and tried, and it is working fine, but whenever I try to enable this I run into issues. But it should be fixed if it is a real bug. If this works for anyone, please let me know and I will create this in the pfsense bugs list.

    Thanks,
    Harry.