Netgate Discussion Forum

    Squid makes false certificates on some pages

    Cache/Proxy
    10 Posts 2 Posters 1.4k Views
    • Rau

      Hello everybody,
      I use pfSense 2.3.2-p1 with Squid 0.4.23_1. I have activated SSL filtering, because I want to prevent downloads and lock web sites.

      Now to my problem:
      In most cases everything runs as it should: on HTTPS pages I get valid certificates from PFSENSECA -> website. In some cases, however, the whole thing does not work, because instead of PFSENSECA -> website, an IP address is issued with an expired date. As an example I took https://emby.media

      See pictures
      Without Squid

      With Squid

      I think it is a settings problem on my side, but I could not yet determine which one it is.

      Hope you can help me.

      Thanks and regards

      • Rau

        I have just found out that if I disable transparent proxy and make the proxy settings manually, it runs perfectly.
        But this is not a good solution for me.

        • KOM

          Using squid in explicit mode along with WPAD is almost as seamless as transparent mode.

          • Rau

            Thanks for the answer.
            I have now switched to WPAD and switched off the SSL filtering. It works quite well so far, but on locked websites I now get an HTTP 404 instead of my custom page. Can I do something about it?

            Thanks and regards

            • Rau

              I just noticed that I cannot block downloads in this configuration. Is that right?

              • KOM

                > but on locked websites I now get an HTTP 404 instead of my custom page. Can I do something about it?

                I don't understand what you mean here.

                > I just noticed that I cannot block downloads in this configuration. Is that right?

                You can with squidguard. Squid by itself is just a cache.

                • Rau

                  Hi,
                  I used Squidguard. I have a rule under Target Categories with the content "(.\ /..(Exe|msi))" under Regular Expression. If I have SSL filtering enabled, downloads are blocked; now, with WPAD, I disabled SSL filtering and the rule does not work anymore.

                  In Squidguard, I have the redirect mode "ext url err page (enter URL)" with Redirect Info "http://domain/blocked.php?Clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u". The clients then get a custom error page displayed.
                  If SSL filtering is deactivated, it only shows "Make sure the web address … is correct".

                  Regards

                  • KOM

                    Ah OK. This is normal behaviour with HTTPS, squidguard and explicit proxy, I believe.

                    • Rau

                      Is there a way to change that? Or is there a way to get the transparency mode running properly?

                      Regards

                      • KOM

                        I don't know for sure, but I do know that transparent mode is more trouble than it's worth.

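The behaviour discussed in the thread (a file-extension rule that stops matching once SSL filtering is turned off behind an explicit proxy) can be reproduced with a small model of what the URL filter is handed in each case. This is an added example, not part of the original posts and not squidGuard's own code; the regular expression is an assumed stand-in for the garbled one quoted above, and the host names and helper functions are hypothetical.

```python
import re

# Assumed stand-in for the rule quoted in the thread (the page's copy is
# garbled): match URLs whose path ends in .exe or .msi.
BLOCK_DOWNLOADS = re.compile(
    r"^\w+://[^/]+/[^?#]*\.(exe|msi)($|[?#])", re.IGNORECASE
)

def url_seen_by_filter(method, target, ssl_filtering):
    """Return the URL string the filter is handed for one client request.

    Simplified model: through an explicit proxy an HTTPS fetch arrives as
    'CONNECT host:443'. Unless SSL filtering decrypts the tunnel, host:port
    is all the proxy, and therefore the filter, ever sees.
    """
    if method == "CONNECT":
        host_port, inner_path = target
        if ssl_filtering:
            host = host_port.rsplit(":", 1)[0]
            return f"https://{host}{inner_path}"
        return host_port
    return target

def is_blocked(url):
    return BLOCK_DOWNLOADS.search(url) is not None

# Constructed sample requests; downloads.example is a placeholder host.
SAMPLES = [
    ("plain HTTP", "GET", "http://downloads.example/tools/setup.exe", False),
    ("HTTPS, SSL filtering on", "CONNECT",
     ("downloads.example:443", "/tools/setup.exe"), True),
    ("HTTPS, SSL filtering off", "CONNECT",
     ("downloads.example:443", "/tools/setup.exe"), False),
]

def evaluate(samples=SAMPLES):
    """Map each sample label to (url the filter sees, rule matched?)."""
    results = {}
    for label, method, target, ssl_filtering in samples:
        seen = url_seen_by_filter(method, target, ssl_filtering)
        results[label] = (seen, is_blocked(seen))
    return results

if __name__ == "__main__":
    for label, (seen, blocked) in evaluate().items():
        print(f"{label:26} sees {seen!r:46} blocked={blocked}")
```

In the third case only the host name is left to filter on, and browsers do not render a proxy's redirect reply to CONNECT, which is consistent with the generic browser error described in the thread instead of the custom block page.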
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.