• Hello, I am a newbie at pfSense. I have installed Squid with HTTPS/SSL Filtering enabled and it is running successfully. I can access some HTTPS sites, but when I tried to enable squidGuard, I can't access any sites even though it is HTTP only.

  • No need to shout  :D

    Did you enable the default Target ACL?  I think it's set to deny by default.  That's just a wild guess since you didn't provide any configuration details or screenshots about what you have done.

  • I'm sorry for making my subject all caps.

    Yes, I did allow the default access to all and I also created a dummy ACL for the auto-restart bug.
    I tried reinstalling squidGuard a couple of times but still got the same results.
    I attached a screenshot of what my browser is displaying whenever I am trying to access a site after I have enabled squidGuard.

  • This is a different issue than what you originally posted.  This is a MitM certificate warning from your browser.  This tells me that you don't have transparent mode configured properly, or you haven't imported your pfSense cert into your client.

  • Actually, Squid Proxy is working successfully in Transparent Mode with Man in the Middle Filtering enabled. I have installed the certificate already to the client computers and I can already filter HTTPS. What I mean is that when I enabled squidGuard, I can't access any sites. The screenshot that I have provided was the result of enabling squidGuard.

  • Read the text of the error in your browser.  You can access the site just fine.  Your browser is complaining about the site's certificate, which leads me to believe you don't have the proxy properly configured.  Does it do this for all HTTPS sites or just this one?

  • It gives the same error on all the sites that I am trying to access, not just HTTPS. I just can't figure out why that is happening when squidGuard is enabled.
    There's no problem when Squid is the only one running. The SSL certificate that I created is already fine with just Squid.
    I just want squidGuard to be successfully running so I can use a blacklist to filter websites.

  • Absolutely not a squidGuard issue. If you just want to filter, including SSL sites, without a certificate warning, add this to the custom config: ";http_port 8080;". Then use port 8080 as your proxy, including for HTTPS; that will work with squidGuard also, without a cert warning.

  • Isn't it much easier just to configure WPAD?

  • Thanks for the replies guys.

    I think I really messed up the configurations of Squid and squidGuard after I reinstalled squidGuard several times, because now I can't access any site if I stop Squid.

  • @killmasta93:

    Isn't it much easier just to configure WPAD?

    No it's not  ;)

    Why?  because WPAD, which I'm strongly pushing for, only solves the proxy discovery aspect, if I can say so.
    Meaning you're no longer working in transparent mode, that's it (and this is already a lot BTW  ;D)

    However, transparent vs. explicit proxy is different from SSL-bump enabled or not (even if often associated here).
    The point is that if you don't enable SSL-bump (MITM), then squidGuard will not be able to look at the content of HTTPS based sites. You can filter based on URL (FQDN) but not based on content, therefore not look for viruses, e.g.
    And this is true in explicit or transparent mode.

    Reason why WPAD doesn't help but this is not a reason to not deploy it  8)
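
An added example, not part of the thread and not squidGuard's own code: it shows what a URL filter behind an explicit proxy can match on when SSL-bump is off. For HTTPS the proxy only receives a `CONNECT host:port` line, so host-based blacklist entries still apply but path-based ones cannot. The function names, blacklist entries and request lines are constructed for illustration.

```python
from urllib.parse import urlsplit

def filter_view(request_line):
    """Return the fields a URL filter can see for one proxy request line."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        # HTTPS without SSL-bump: the target is only "host:port"; the path,
        # headers and body travel inside the encrypted tunnel.
        host, _, port = target.rpartition(":")
        return {"host": host.lower(), "port": int(port), "path": None}
    parts = urlsplit(target)  # plain HTTP: the proxy receives the full URL
    return {"host": parts.hostname, "port": parts.port or 80,
            "path": parts.path or "/"}

def is_blocked(view, blocked_hosts, blocked_urls):
    """Apply host-level and host+path-level blacklist entries to a view."""
    host = view["host"]
    if any(host == d or host.endswith("." + d) for d in blocked_hosts):
        return True
    if view["path"] is None:
        return False  # path-based entries cannot be evaluated for a tunnel
    return any(host == h and view["path"].startswith(p)
               for h, p in blocked_urls)

# Constructed sample data (hypothetical blacklist and request lines).
BLOCKED_HOSTS = {"ads.example"}
BLOCKED_URLS = {("files.example", "/malware/")}
SAMPLE_REQUESTS = [
    "GET http://files.example/malware/a.exe HTTP/1.1",  # path entry matches
    "CONNECT files.example:443 HTTP/1.1",               # same site, path hidden
    "CONNECT cdn.ads.example:443 HTTP/1.1",             # host entry still matches
    "GET http://files.example/docs/ HTTP/1.1",          # allowed path
]

def evaluate(requests=SAMPLE_REQUESTS):
    """Return (request_line, blocked) pairs for the sample requests."""
    return [(r, is_blocked(filter_view(r), BLOCKED_HOSTS, BLOCKED_URLS))
            for r in requests]

if __name__ == "__main__":
    for line, blocked in evaluate():
        print("BLOCK" if blocked else "ALLOW", line)
```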

  • True true, but some sites don't really play nice with MITM, I have had a few issues with some times using WPAD, I can't even imagine the headache with MITM

  • @killmasta93:

    True true, but some sites don't really play nice with MITM, I have had a few issues with some times using WPAD, I can't even imagine the headache with MITM

    MITM and WPAD are definitely different stories.
    You may have one or the other or both or none  ;D

    Issues with WPAD depending on site? I can't imagine what kind of issue, even thinking about fairly complex proxy.pac (because issue would be proxy.pac rather than WPAD if any)

    This said, MITM…. well  :-X  for sure if content filter or antivirus at proxy level is mandatory, it does help but I won't comment further  :-X :-X :-\
