Squid makes false certificates on some pages



  • Hello everybody,
    I use pfSense 2.3.2-p1 with Squid 0.4.23_1. I have activated SSL filtering, because I want to prevent downloads and lock web sites.

    Now to my problem:
    In most cases everything runs as it should: on HTTPS pages I get valid certificates from PFSENSECA -> website. In some cases, however, the whole thing does not work, because instead of PFSENSECA -> website, an IP ADDRESS is issued with an expired date. As an example I took https://emby.media

    See pictures
    Without Squid

    With Squid

    I think it is a settings problem on my side, but I could not yet determine which one.

    Hope you can help me.

    Thanks and regards



  • I have just found out that if I disable transparent proxy and make the proxy settings manually, it runs perfectly.
    But this is not a good solution for me.



  • Using squid in explicit mode along with WPAD is almost as seamless as transparent mode.



  • Thanks for the answer.
    I have now switched to WPAD and switched off the SSL filtering. It works quite well so far, but on locked websites I now get an HTTP 404 instead of my custom page. Can I do something about it?

    Thanks and regards



  • I just noticed that I cannot block downloads in this configuration. Is that right?



  • but on locked websites I now get an HTTP 404 instead of my custom page. Can I do something about it?

    I don't understand what you mean here.

    I just noticed that I cannot block downloads in this configuration. Is that right?

    You can with squidguard. Squid by itself is just a cache.



  • Hi,
    I used Squidguard. I have a rule under Target Categories with the content "(.\ /..(Exe|msi))" under Regular Expression. If I have enabled SSL filtering, downloads are blocked. Now with WPAD I disable the SSL filtering and the rule does not work anymore.

    In Squidguard, I have the redirect mode "ext url err page (enter URL)" and the Redirect Info "http://domain/blocked.php?Clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u". The clients then get a custom error page displayed.
    If SSL filtering is deactivated, it only shows "Make sure the web address … is correct".

    Regards



  • Ah OK. This is normal behaviour with HTTPS, squidguard and explicit proxy I believe.
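
Added example, not part of any post in this thread: a small model of what a URL filter behind an explicit proxy is shown for plain HTTP versus HTTPS without SSL filtering, which is why a domain rule still fires on a CONNECT request while a file-extension rule cannot. The extension regex, the blocked-domain list and the host names are hypothetical stand-ins (the rule quoted in the post is garbled), and the request lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumptions for illustration: the post's own expression is garbled, so this
# extension rule and the blocked-domain list are hypothetical stand-ins.
BLOCKED_EXT = re.compile(r"\.(exe|msi)(\?.*)?$", re.IGNORECASE)
BLOCKED_DOMAINS = {"blocked.example.test"}


def visible_to_filter(request_line: str) -> tuple[str, str]:
    """Return (host, url) as an explicit proxy reads them from the request line.

    Plain HTTP: the browser sends the absolute URL, path included.
    HTTPS without interception: the browser sends CONNECT host:port and the
    path stays inside the TLS tunnel, so host:port is all the filter gets.
    """
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed CONNECT target: {target!r}")
        return host.lower(), target
    parts = urlsplit(target)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not a proxy-form request: {request_line!r}")
    return parts.hostname.lower(), target


def decide(request_line: str) -> str:
    """Apply the domain list first, then the extension rule."""
    host, url = visible_to_filter(request_line)
    if host in BLOCKED_DOMAINS:
        return "block:domain"
    if BLOCKED_EXT.search(url):
        return "block:extension"
    return "allow"


# Constructed request lines, as a browser sends them to an explicit proxy.
SAMPLES = [
    "GET http://downloads.example.test/tools/setup.exe HTTP/1.1",
    "CONNECT downloads.example.test:443 HTTP/1.1",  # https://.../setup.exe
    "CONNECT blocked.example.test:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{decide(line):16} <- {line}")
```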



  • Is there a way to change that? Or is there a way to get the transparency mode running properly?

    Regards



  • I don't know for sure, but I do know that transparent mode is more trouble than it's worth.