Netgate Discussion Forum

Squid Proxy -> SSL Man-in-the-middle Filtering & SSL CA

Category: Cache/Proxy
rsaanon (last edited May 21, 2016, 11:04 PM):

Env: pfSense v2.3.1, Squid v0.4.16_2
Client Env: Win10 w/ latest Chrome & Firefox browsers

In trying to configure the "SSL Man in the Middle Filtering", I did the following configuration:

1. Created a CA (Test CA): specified all text field entries and kept all the default entries:

       Descriptive Name:
       O=My Company
       emailAddress=xxx@yyy.com
       CN=common-name-internal-ca

2. Specified this Test CA in the "Man in the Middle Filtering" section for the CA.
3. Installed this CA as the Trusted Root Auth.
4. Enabled SSL Filtering.

--------------------------------------------------
NOTE: I've attached ALL IMAGES. Please see before reading further.
On the Windows client machine, when I view the Test CA cert, it shows "Issued to: http", which is incorrect. When creating the CA, I never specified the "issued to" field.
On both browsers, I get errors:
    Chrome: ERR_CERT_COMMON_NAME_INVALID

Finally, Squid reports ERROR: Unable to determine IP address from host name "http" (which is the value of the issued-to in the certificate that was never specified).

(Attached images: pfcapture6.jpg, pfcapture7.jpg, pfcapture8.jpg)
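The checks a practitioner would want to run at this point, as an added example that is not code from the post or from pfSense: rebuild the CA subject rsaanon describes with plain openssl, confirm which field a certificate viewer reports as "Issued to" (the subject CN), and then separate the CA you installed from the certificate Squid actually serves for a site, because a subject CN of "http" on a per-site certificate is a different problem from a CA with a wrong CN. Assumptions: openssl is on PATH; the directory, file names and the host name are illustrative.

```shell
#!/bin/sh
# Added example; not code from the original post or from pfSense.
# Reproduces the CA subject from the post with openssl and shows the checks
# that tell the installed CA apart from the certificate Squid serves.
# Assumptions: openssl on PATH; paths and the host name are illustrative.
set -eu

# Create a self-signed test CA with the same subject fields as in the post.
make_test_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/O=My Company/emailAddress=xxx@yyy.com/CN=common-name-internal-ca" \
        >/dev/null 2>&1
}

# Subject CN of a PEM certificate: this is what a Windows certificate viewer
# shows as "Issued to". For the CA it must be the CN you typed, never "http".
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Issuer CN, i.e. which CA signed the certificate. For a per-site certificate
# generated by Squid this should be your CA's CN.
cert_issuer_cn() {
    openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# "ok" if the certificate in $2 chains to the CA in $1, otherwise "fail".
chains_to_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Save the certificate a client behind the proxy actually receives for a site
# (needs network, so it is not exercised here). Run from a LAN client: with SSL
# bumping working, cert_issuer_cn on the output is your CA's CN and cert_cn is
# the site name; a subject CN of "http" is the symptom described in the post.
fetch_served_cert() {
    host="$1"; out="$2"
    printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -out "$out"
}
```

Usage: `make_test_ca /tmp/testca; cert_cn /tmp/testca/ca.crt` prints the CN from the subject; then, from a client, `fetch_served_cert www.example.com /tmp/site.crt; cert_issuer_cn /tmp/site.crt; chains_to_ca /tmp/testca/ca.crt /tmp/site.crt` shows whether the served certificate was minted by your CA and what name it carries.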
pfsensier (last edited Jun 4, 2016, 6:40 PM):

I am facing the same exact issue on the same pfSense version, 2.3.1 update 1.
Nachtfalke (last edited Jun 4, 2016, 7:51 PM):

No problem here, with Squid and the same pfSense version.

Can you set the "Certificate adapt" options in Squid? Select all three.
Nachtfalke (last edited Jun 4, 2016, 11:40 PM):

Hi,

out of curiosity I got the same problem today, too. But I could solve/work around it.

So what happened:

1. Everything worked fine at first.
2. I added a "Target category" containing regular expressions.
3. I set this category to "deny" on the "Common ACL" and clicked "Save" - everything still OK.
4. I clicked "Save" on the SquidGuard "General Settings" and the error appeared.
5. I set the categories back to "---" on "Common ACL", clicked "Save", and then "Save" again on the "General Settings" tab of SquidGuard. Everything working again.

So I don't know exactly what caused the problem, but it looks like it has something to do with the SquidGuard filters.

PS:
I wanted to add very long regular expression lists to one "Target category", but it caused pfSense to crash and restore the old config file. I had to tighten the regular expression list to get it to "work". In the end I had 10 target categories instead of one, but as I explained above, I could not use them because of the certificate error.

Kind regards!
m01maikler (last edited Jun 8, 2016, 3:19 PM):

I have the same problem, any solution? I searched for information about it and have not found anything yet. I made a new installation with version 2.3.1 and updated pfSense to 2.3.1_1, and the same problem continues. The error is present after installing SquidGuard.

I have set up Squid in transparent mode with SSL filtering + SquidGuard.

Please help.
dgr92 (last edited Jun 13, 2016, 7:43 PM):

I'm having the same issue. Explicit proxy with HTTPS. When a request is blocked, the certificate that is served has a common name of "http". I have tried tweaking settings with no luck. Does anyone have any ideas?

Squid Proxy Interfaces: LAN for HTTP and HTTPS
Resolve DNS IPv4 First: ENABLED
No transparent proxy
SSL Filtering: completed with a local CA (able to generate certificates for allowed requests without error)
Remote Cert Checks: have tried both options, currently set to "Accept remote server certificate with errors"
Certificate Adapt: all three properties enabled
Antivirus: Disabled
Authentication: Disabled
KOM (last edited Jun 13, 2016, 8:24 PM):

> I'm having the same issue. Explicit proxy with HTTPS. When a request is blocked the certificate that is served

Maybe I've been away from this for too long, but I thought you didn't need to worry about certificates and their related options when running in explicit mode. I run explicit and I don't worry about client certs everywhere, and filtering works fine with SquidGuard.
pfsensier (last edited Jun 13, 2016, 9:32 PM):

@KOM:

> I'm having the same issue. Explicit proxy with HTTPS. When a request is blocked the certificate that is served
>
> Maybe I've been away from this for too long, but I thought you didn't need to worry about certificates and their related options when running in explicit mode. I run explicit and I don't worry about client certs everywhere, and filtering works fine with SquidGuard.

On which pfSense version are you running fine with?
AR15USR (last edited Jun 13, 2016, 9:50 PM):

KOM,

Would you say this is a good post to follow when setting this up?

https://forum.pfsense.org/index.php?topic=112335.0

2.6.0-RELEASE
KOM (last edited Jun 14, 2016, 12:51 PM):

> On which pfSense version are you running fine with?

2.2.6. I'm still not comfortable with 2.3.x just yet.

> Would you say this is a good post to follow when setting this up?

I have not gone through it but it looks OK from a quick read.
aGeekhere (last edited Jun 14, 2016, 12:58 PM):

If you see any improvements let me know and I will update it.

Never Fear, A Geek is Here!
dgr92 (last edited Jun 15, 2016, 3:24 AM):

In case anyone else runs into this issue, what solved it for me was editing a line towards the end of this file: /usr/local/etc/squid/squidGuard.conf

[Old/Didn't Work]
    redirect http://10.0.0.1/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

[New/Did Work]
    redirect 302:https://10.0.0.1/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
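An added example (not code from the post or from the pfSense SquidGuard package) that turns dgr92's fix into a check: it scans the `redirect` directives of a squidGuard.conf for the two traits of the working line, a `302:` prefix (so Squid answers the client with an HTTP redirect to the block page instead of fetching the block page itself inside the bumped session) and an https:// target, and can emit a corrected copy. The sample configuration is constructed to resemble the two lines in the post; the path of the real file is the one dgr92 names. Note KOM's caveat in the next post: the package regenerates this file, so the lasting change belongs in the SquidGuard GUI, and the `fix_redirects` function here only prints a corrected copy for review.

```shell
#!/bin/sh
# Added example; not from the post or the pfSense SquidGuard package.
# Audits 'redirect' directives in a squidGuard.conf for a "30x:" prefix
# and an https:// target, the two traits of the line that worked for dgr92.
# SAMPLE_CONF is constructed for this example; the real file on pfSense is
# /usr/local/etc/squid/squidGuard.conf.
set -eu

SAMPLE_CONF="$(cat <<'EOF'
dest blk_BL_adv {
    domainlist blk_BL_adv/domains
    redirect http://10.0.0.1/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
}
acl {
    default {
        pass !blk_BL_adv all
        redirect 302:https://10.0.0.1/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
}
EOF
)"

# Print "LINE<TAB>VERDICT<TAB>TARGET" for every redirect directive in file $1.
audit_redirects() {
    awk '
      /^[[:space:]]*redirect[[:space:]]+/ {
        target = $2
        verdict = "ok"
        if (target !~ /^30[1237]:/)                verdict = "rewrite-mode (no 30x: prefix)"
        else if (target !~ /^30[1237]:https:\/\//) verdict = "30x to plain http"
        printf "%d\t%s\t%s\n", NR, verdict, target
      }' "$1"
}

# Number of redirect lines that are not "ok"; 0 means the file is clean.
count_bad_redirects() {
    audit_redirects "$1" | awk -F'\t' '$2 != "ok"' | wc -l | tr -d ' '
}

# Print file $1 with rewrite-mode http:// redirects changed to 302:https://
# (stdout only; the file on disk is left alone because the package rewrites it).
fix_redirects() {
    sed -E 's#^([[:space:]]*redirect[[:space:]]+)http://#\1302:https://#' "$1"
}

# Stand-alone run against the constructed sample.
main() {
    f="$(mktemp)"
    printf '%s\n' "$SAMPLE_CONF" > "$f"
    audit_redirects "$f"
    echo "bad redirects: $(count_bad_redirects "$f")"
    echo "--- corrected copy ---"
    fix_redirects "$f"
    rm -f "$f"
}
main
```

Against the sample, the `dest` block's redirect is reported as rewrite-mode and the `acl` default's as ok; to audit the live file run `audit_redirects /usr/local/etc/squid/squidGuard.conf` on the firewall.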
KOM (last edited Jun 15, 2016, 1:27 PM):

If you edit pfSense package .conf files manually, they will be overwritten on the next package upgrade.
pfsensier (last edited Jun 15, 2016, 7:03 PM):

None of the above suggestions worked for me.

Now I am getting an error web page where the browser recommends closing the page as it would be harmful, with no other option such as "Proceed anyway".

I guess that this version of the Squid server is not generating certificates for every website requested by users, which causes an unknown destination.

I am unable to explain my guess, but overall Man in the Middle didn't work.
KOM (last edited Jun 15, 2016, 7:45 PM):

> I guess that this version of squid server is not generating certificates of every query website requested

That's not how it's supposed to work from what I understand. You generate your cert on pfSense and then install that cert on every client that will use the proxy. As you're now finding out, this method is a tremendous hassle. Do yourself a favour and turn off transparent mode & MitM SSL filtering. Configure WPAD to allow your clients to discover the proxy on their own. Clients like Android that can't do WPAD will have to be configured manually.
pfsensier (last edited Jun 15, 2016, 9:23 PM):

@KOM:

> I guess that this version of squid server is not generating certificates of every query website requested
>
> That's not how it's supposed to work from what I understand. You generate your cert on pfSense and then install that cert on every client that will use the proxy.

Man in the Middle means pfSense will be in between LAN and WAN and will certify each website with the internal certificate created.

If this feature does not run as intended, then there is an issue, and turning it off to use WPAD is a workaround. What I am wondering is why it is running with those tutorials for previous pfSense versions.
KOM (last edited Jun 16, 2016, 1:05 PM):

I'm familiar with Man in the Middle. My comment was more about how it doesn't generate a shitload of certificates for every URL.
pfsensier (posted Jun 18, 2016, 1:01 AM, last edited Jun 18, 2016, 2:16 AM):

:D Finally, I could find the root cause for the whole suffering.

The post which Mr. Nachtfalke posted on June 04, 2016, 06:40:15 pm pushed me to try it at home.

Special settings:

1. I'm not sure whether required or not, but I enabled and set up the DNS Resolver service to be used later during the setup of the Squid proxy server.
2. I'm not sure whether required or not, but I inserted in the Squid proxy settings a bunch of DNS IPs such as 8.8.8.8;8.8.4.4;... ISP DNS IPs.

What settings made differences in the results:

3. I had the SquidGuard server already installed and running.
4. When I disabled the "Groups ACL" which I made to control web filtering over working hours, then Man in the Middle SUCCEEDED!!!
5. When I enabled the "Groups ACL" which I made to control web filtering over working hours, then Man in the Middle FAILED!!!!!!!!

Conclusion:
"SquidGuard + Groups ACL" will negatively impact Man in the Middle in any pfSense version.
"SquidGuard + Common ACL" will work fine with Man in the Middle in any pfSense version.

I believe this needs to be escalated to the Squid forums to solve it.

I feel relieved ::).

P.S. Note: I've done all of the above after the new Squid version was released (v0.4.18).
eshh2016 (last edited Nov 13, 2016, 3:46 AM):

@pfsensier:

> :D Finally, I could find the root cause for the whole suffering.
>
> The post which Mr. Nachtfalke posted on June 04, 2016, 06:40:15 pm pushed me to try it at home.
>
> Special settings:
>
> 1. I'm not sure whether required or not, but I enabled and set up the DNS Resolver service to be used later during the setup of the Squid proxy server.
> 2. I'm not sure whether required or not, but I inserted in the Squid proxy settings a bunch of DNS IPs such as 8.8.8.8;8.8.4.4;... ISP DNS IPs.
>
> What settings made differences in the results:
>
> 3. I had the SquidGuard server already installed and running.
> 4. When I disabled the "Groups ACL" which I made to control web filtering over working hours, then Man in the Middle SUCCEEDED!!!
> 5. When I enabled the "Groups ACL" which I made to control web filtering over working hours, then Man in the Middle FAILED!!!!!!!!
>
> Conclusion:
> "SquidGuard + Groups ACL" will negatively impact Man in the Middle in any pfSense version.
> "SquidGuard + Common ACL" will work fine with Man in the Middle in any pfSense version.
>
> I believe this needs to be escalated to the Squid forums to solve it.
>
> I feel relieved ::).
>
> P.S. Note: I've done all of the above after the new Squid version was released (v0.4.18).

I just installed the Squid package. Common ACL alone causes this issue too. I am wondering if the issue has been solved yet.
InsomniaNsk (last edited Nov 22, 2016, 2:13 PM):

Still no solution?
Maybe it makes sense to go back to 2.2.6? Does it work fine there?
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.