Squid Proxy -> SSL Man-in-the-middle Filtering & SSL CA

rsaanon · May 21, 2016, 11:04 PM

Env: pfSense: v2.3.1, Squid: v0.4.16_2
Client Env: Win10 w/ latest Chrome & Firefox browser

In trying to configure the "SSL Man in the Middle Filtering", I did the following configuration:

Created a CA (Test CA): Specified all textfield entries + Kept all the default entries:


       Descriptive Name:
       O=My Company
       emailAddress=xxx@yyy.com
       CN=common-name-internal-ca

Specified this Test CA in the "Man in the Middle Filtering" section for the CA
Install this CA as the Trusted Root Auth.
Enabled SSL Filtering.
–-------------------------------------------------
NOTE: I've attached ALL IMAGES. Please see before reading further.
On the windows client machine, when I view the Test CA Cert, it shows: "Issued to: http" which is incorrect. When creating the CA, I never specified the "issue to" field
On both browers, I get errors:
Chrome: ERR_CERT_COMMON_NAME_INVALID

Finally, the Squid reports ERROR: Unable to determine IP address from host name "http" (which is the value of the issued-to in the certificate that was never specified).

pfsensier · Jun 4, 2016, 6:40 PM

I am facing same exact issue on the same pfsense version 2.3.1 update 1

Nachtfalke · Jun 4, 2016, 7:51 PM

No problem here, with squid and same pfsense version.

Can you set the "Certificate adapt" options in squid? Select all three.

Nachtfalke · Jun 4, 2016, 11:40 PM

Hi,

for curiosity I got the same problem today, too. But I could solve/woraround it.

So what happened:

Everything worked fine first
I added an Target categories" containing regular expressions to these target categories
I set these categories to "deny" on the "Common ACL" and clicked "Save" - everything still OK
I clicked on "Save" on Squidguard "General Settings" and the Error appeared.
I set the catehories back to "–-" on "Common ACL" and clicked save and the "Save" again on "General Settings" tab of SquidGuard. Everything working again.

So I don't know what exactly happened what caused the problem but it looks like it hase something to do with the squidguard filters.

PS:
I wanted to add very long regular expression lists to one "Target categorie" but it caused pfsense to crash and restore the old config file. I hat to tighten the regular expression list to get it "work". At the end I had 10 target categories instead of one - but as I explained above - I could not use it because of the certificate error.

Kind regards!

m01maikler · Jun 8, 2016, 3:19 PM

I have the same problem, any solution? I searched for information about it and not found anything yet. I made a new installation with version 2.3.1 and updated pfsense 2.3.1_1 and continuing the same problem. the error is present after installing the squidguard.

I have set up Squid in transparent mode with SSL filtering + Squidguard

Please help

dgr92 · Jun 13, 2016, 7:43 PM

I'm having the same issue. Explicit proxy with HTTPS. When a request is blocked the certificate that is served has a common name of "http". I have tried tweaking settings to no luck. Does anyone have any ideas?

Squid Proxy Interfaces LAN for HTTP and HTTPS
Resolve DNS IPv4 First ENABLED
No transparent proxy
SSL Filtering Completed with a local CA (able to generate certificates for allowed requests without error)
Remote Cert Checks: Have tried both options, currently set to Accept remote server certificate with errors
Certificate Adapt: All three properties enabled
Antivirus: Disabled
Authentication: Disabled

KOM · Jun 13, 2016, 8:24 PM

I'm having the same issue. Explicit proxy with HTTPS. When a request is blocked the certificate that is served

Maybe I've been away from this for too long, but I thought you didn't need to worry about certificates and their related options when running in explicit mode. I run explicit and I don't worry about client certs everywhere, and filtering works fine with squidguard.

pfsensier · Jun 13, 2016, 9:32 PM

@KOM:

I'm having the same issue. Explicit proxy with HTTPS. When a request is blocked the certificate that is served

Maybe I've been away from this for too long, but I thought you didn't need to worry about certificates and their related options when running in explicit mode. I run explicit and I don't worry about client certs everywhere, and filtering works fine with squidguard.

On which pfsense version are you running fine with?

AR15USR · Jun 13, 2016, 9:50 PM

KOM,

Would you say this is a good post to follow when setting this up?

https://forum.pfsense.org/index.php?topic=112335.0

KOM · Jun 14, 2016, 12:51 PM

On which pfsense version are you running fine with?

2.2.6. I'm still not comfortable with 2.3.x just yet.

Would you say this is a good post to follow when setting this up?

I have not gone through it but it looks ok from a quick read.

aGeekhere · Jun 14, 2016, 12:58 PM

If you see any improvements let me know and I will update it.

dgr92 · Jun 15, 2016, 3:24 AM

In case anyone else runs into this issue, what solved it for me was editing a line towards the end of this file: /usr/local/etc/squid/squidGuard.conf

[Old/Didn't Work]
redirect http://10.0.0.1/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

[New/Did Work]
redirect 302:https://10.0.0.1/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

KOM · Jun 15, 2016, 1:27 PM

If you edit pfSense package .conf files manually, they will be overwritten on the next package upgrade.

pfsensier · Jun 15, 2016, 7:03 PM

None of above suggestions worked for me.

Now I am getting error webpage that browser recommend to close the page as it would be harmful and no other option such as (Proceed anyway).

I guess that this version of squid server is not generating certificates of every query website requested by users which cause unknown destination.

I am unable to explain my guess but overall Man in the Middle didn't work.

KOM · Jun 15, 2016, 7:45 PM

I guess that this version of squid server is not generating certificates of every query website requested

That's not how it's supposed to work from what I understand. You generate your cert on pfSense and then install that cert on every client that will use the proxy. As you're now finding out, this method is a tremendous hassle. Do yourself a favour and turn off transparent mode & MitM SSL filtering. Configure WPAD to allow your clients to discover the proxy on their own. Clients like Android that cant do WPAD will have to be configured manually.

pfsensier · Jun 15, 2016, 9:23 PM

@KOM:

I guess that this version of squid server is not generating certificates of every query website requested

That's not how it's supposed to work from what I understand. You generate your cert on pfSense and then install that cert on every client that will use the proxy.

Man in the Middle means pfsense will be in between LAN and WAN and will certify each website the internal certificate created.

If this feature does not run as intended to be, then there is an issue and turn it off to use WPAD is a workaround. What I am wondering of why it is running with those tutorials of previous pfsense versions.

KOM · Jun 16, 2016, 1:05 PM

I'm familiar with Man in the Middle. My comment was more about how it doesn't generate a shitload of certificates for every URL.

pfsensier · Jun 18, 2016, 2:16 AM

:D Finally, I could find the cause root for the whole suffering.

The post which Mr. Nachtfalke posted in June 04, 2016, 06:40:15 pm pushed me to try it at home.

Special settings:

I'm not sure whether required or not, I enabled and set up (DNS Resolver) service to be used later during the setup of Squid proxy server.
I'm not sure whether required or not, I inserted in the Squid proxy settings a punch of DNS IPs such as 8.8.8.8;8.8.4.4;… ISP DNS IPs.

What settings made differences in the results:
3) I had SquidGuard server already installed and running.
4) When I disabled the "Groups ACL" which I made to control webfiltering over working hours, then Man in the Middle Succeeded !!!
5) When I enabled the "Groups ACL" which I made to control webfiltering over working hours, then Man in the Middle FAILED !!!!!!!!

Conclusion:
"SquidGuard + Groups ACL" will negatively impact Man in the Middle in any pfSense version.
"SquidGuard + Common ACL" will work fine with Man in the Middle in any pfSense version.

I believe this need to be escalated to Squid forums to solve it.

I feel relieved ::).

P.S. Note: I've done all of the above after the new Squid version released out (v.0.4.18)

eshh2016 · Nov 13, 2016, 3:46 AM

@pfsensier:

:D Finally, I could find the cause root for the whole suffering.

The post which Mr. Nachtfalke posted in June 04, 2016, 06:40:15 pm pushed me to try it at home.

Special settings:

I'm not sure whether required or not, I enabled and set up (DNS Resolver) service to be used later during the setup of Squid proxy server.

I'm not sure whether required or not, I inserted in the Squid proxy settings a punch of DNS IPs such as 8.8.8.8;8.8.4.4;… ISP DNS IPs.

What settings made differences in the results:
3) I had SquidGuard server already installed and running.
4) When I disabled the "Groups ACL" which I made to control webfiltering over working hours, then Man in the Middle Succeeded !!!
5) When I enabled the "Groups ACL" which I made to control webfiltering over working hours, then Man in the Middle FAILED !!!!!!!!

Conclusion:
"SquidGuard + Groups ACL" will negatively impact Man in the Middle in any pfSense version.
"SquidGuard + Common ACL" will work fine with Man in the Middle in any pfSense version.

I believe this need to be escalated to Squid forums to solve it.

I feel relieved ::).

P.S. Note: I've done all of the above after the new Squid version released out (v.0.4.18)

I just installed squid package. Common ACL alone causes this issue too. I am wondering if the issue has been solved yet.

InsomniaNsk · Nov 22, 2016, 2:13 PM

Still no solution?
Maybe it makes sense to go down on 2.2.6? Is there it works fine?