Is squid unpredictably broken?
thexds last edited by
We have a small corporate network. We have a domain, and our server runs VMware ESXi 6.0.0 (Build 3620759), and hosts Windows Server 2016 and pfSense 2.3.2_1. pfSense is (or at least it should be) our proxy server/firewall/gateway. pfSense has 1.5 GB of RAM assigned, and 16 GB of storage. The Windows VM serves Active Directory, DNS, DHCP and WIDS, so for simplicity, it MUST keep those services running to avoid a very cumbersome configuration.
So I got this very annoying issue where I can't enable SSL/HTTPS filtering on squid because it tells me that ssl-bump is missing, or it generates corrupted certificates.
I've reinstalled pfSense several times by now, started fresh with the latest stable version, tested it on another virtual machine, and got some mixed results.
Take into consideration that I did create a certificate authority, I did install it on every machine, I did upgrade pfSense to the latest version, I did check the logs for some abnormalities and found that ssl-bump is missing, and I don't know why it should be. I mean, I just freshly installed everything, from pfSense itself to Open-VM-Tools (because VMware), then squid and squidGuard... nothing else. And if that ssl-bump thing is a dependency for squid, why shouldn't it be installed?
So, I got squid and squidGuard installed, set up everything (except the SSL filtering) and it works. Then I wanted to enable SSL Filtering...
First I got it briefly working fine, then I got certificate errors where it showed that the domain was invalid, and after examining the certificate, this was the common name: https://http/*
Then, after a reinstall of the whole system, squid just refused to start. When I tried to start it from the console, I got a message saying that ssl-bump was missing. Yes, I even wiped the disk to make sure it contained absolutely nothing before doing the reinstall.
Right now, I have left the SSL filtering disabled, and everything works fine. Of course, it doesn't filter HTTPS sites. If I try to enable it, squid either stops or just doesn't even try to filter HTTPS/SSL. It doesn't matter if I use Transparent proxy or manually configure it to test it, it just doesn't work. And I'm telling you, I've rebuilt the whole pfSense box several times by now. Probably 10 or more. I'm sick of it.
Anyway, I can't use WPAD, if you were to suggest that. Our DHCP and DNS server is a Windows Server 2016 machine that doesn't like being touched too much. I tried it anyway and it didn't work. The clients never got the proxy settings. I followed like 4 how-tos about setting up WPAD, and none of them worked (and yes, I did the gpupdate /force on every single computer in our domain, and yes, I created several copies of the wpad.dat file with all the different names, yes, I did set up option 252 on the DHCP server, yes, I did create a wpad.domain.com entry on my DNS server, and yes, I made sure that every web browser was configured to detect proxy settings, yes, the file was freely accessible, and yes, I rebooted everything several times).
At this point, I have run memtest86+, prime95 and HDAT5, and removed any unnecessary hardware from the server, just to rule out a hardware issue. Still, is there some kind of weird intermittent issue with ESXi that I'm not aware of?
My only option right now is to actually spend money on a Fortigate. Those are expensive. We don't need them and can't afford them.
--EDIT: I also looked for a way to install that ssl-bump thing. It is not a package, so it must be a library of some sort, but I can't seem to find it... there's no reference to it anywhere. Google itself doesn't know what that is, nor does DuckDuckGo or Yahoo, never mind Bing...
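As an added example (not code from the post, and not shipped by pfSense or Squid), here is a wpad.dat that implements the WPAD deployment described in the post: the script the clients fetch from http://wpad.<dns-suffix>/wpad.dat (DNS method) or from the URL handed out in DHCP option 252. The proxy address 192.168.1.1:3128 (pfSense's default LAN address and Squid's default port), the LAN subnet 192.168.1.0/24 and the DNS suffix corp.example.com are assumptions for the example; the helpers are written out in plain ES3-style JavaScript instead of relying on the PAC built-ins so the same file behaves identically in a browser, in the Windows WinHTTP PAC engine, and in a Node test harness.

```javascript
// wpad.dat -- Proxy Auto-Configuration (PAC) script. Added example, not from the post.
// Assumed values (change to match your network):
//   pfSense LAN address 192.168.1.1, Squid listening on 3128,
//   LAN subnet 192.168.1.0/24, AD DNS suffix corp.example.com.
// Serve it with Content-Type: application/x-ns-proxy-autoconfig.
var PROXY = "PROXY 192.168.1.1:3128";
var INTERNAL_SUFFIX = "corp.example.com";
var LAN_NET = "192.168.1.0";
var LAN_MASK = "255.255.255.0";

// Parse a dotted quad into an integer; -1 if the string is not a valid IPv4 address.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var octet = parseInt(parts[i], 10);
    if (isNaN(octet) || octet < 0 || octet > 255 || String(octet) !== parts[i]) return -1;
    n = n * 256 + octet;
  }
  return n;
}

function isDottedQuad(host) {
  return ipToInt(host) >= 0;
}

// True when ip lies inside net/mask. Bitwise ops are 32-bit signed in JS, so the
// results are forced back to unsigned with >>> 0 before comparing.
function inSubnet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a < 0 || b < 0 || m < 0) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

function endsWith(s, suffix) {
  return s.length >= suffix.length && s.substr(s.length - suffix.length) === suffix;
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Unqualified names (no dot, includes "localhost") are intranet hosts: go direct.
  if (host.indexOf(".") === -1) return "DIRECT";

  // 2. Anything in our own AD DNS zone goes direct (DCs, file servers, the wpad host).
  if (host === INTERNAL_SUFFIX || endsWith(host, "." + INTERNAL_SUFFIX)) return "DIRECT";

  // 3. Literal IPs on the LAN or loopback go direct. This also keeps the proxy's own
  //    address (pfSense GUI, the wpad.dat fetch itself) from being looped through Squid.
  if (isDottedQuad(host) &&
      (inSubnet(host, LAN_NET, LAN_MASK) || inSubnet(host, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }

  // 4. Everything else, HTTP and HTTPS alike, goes through Squid. Deliberately no
  //    "; DIRECT" fallback: a content filter that fails open when Squid is down is
  //    not a filter, and a user who can stop the proxy could otherwise bypass it.
  return PROXY;
}
```

Two checks worth making before blaming the clients: fetch the file from a domain workstation with the exact URL the DHCP 252 option hands out (and with http://wpad.corp.example.com/wpad.dat for the DNS method) and confirm the web server returns it with the application/x-ns-proxy-autoconfig MIME type; and confirm the wpad host itself resolves to a DIRECT destination in the script, since a PAC file that sends its own fetch through the proxy can never be loaded.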