Netgate Discussion Forum
    Ssl filtering seems impossible

    Category: Cache/Proxy
    15 Posts, 3 Posters, 2.0k Views

    nvdstruis

    Hi,

    Struggling with filtering ssl. Been searching and trying solutions from all over the web, nothing helped.
    I have squid and squidguard installed. Transparent mode doesn't work at all, so I do not use that. I have http and https filtering turned on in the squid settings, intercepting both http and https on port 3128. Squid works fine with regular http traffic, blocking various stuff like porn and ads (from the squidguard blacklists).
    I created a CA and exported the certificate to file, then imported it in the windows trusted root certificate authorities. I still can't do a regular google search (which defaults over ssl) or anything else involving ssl, like online banking.
    Attached a screenshot.

    Can this be done at all???
    [screenshot: Untitled.png]

    nvdstruis

    Some screenshots

    [screenshots: Untitled.png, Untitled1.png]

    nvdstruis

    Btw, I have also tested with Avast scanner turned off. That doesn't seem to be the culprit.

    KOM

    Transparent mode is a pain in the ass. Explicit mode is best, and you don't need to screw around with certificates at all. I suspect your config is a borked mishmash of transparent and explicit settings. For example, in explicit mode, you do not need to worry about SSL MitM Filtering, so uncheck all of that stuff. From there, either set your proxy in your OS manually or configure WPAD for auto-discover of the proxy.

    nvdstruis

    @KOM:

    Transparent mode is a pain in the ass. Explicit mode is best, and you don't need to screw around with certificates at all. I suspect your config is a borked mishmash of transparent and explicit settings. For example, in explicit mode, you do not need to worry about SSL MitM Filtering, so uncheck all of that stuff. From there, either set your proxy in your OS manually or configure WPAD for auto-discover of the proxy.

    Hi KOM,

    Thx for your answer.
    The checkbox at "Transparent HTTP Proxy" is unchecked, "Enable SSL filtering" is checked, and I set the proxy explicitly in Firefox.
    Is that what you mean with "explicit"? What could possibly be wrong otherwise?

    Thx

    KOM

    Uncheck Enable SSL filtering as well. Explicit means your PC is either told where the proxy is, or it can find it itself. With transparent mode, your PC is never ever aware that it's being proxied.

    nvdstruis

    Well, for some reason it still doesn't work.
    I expect to be able to block e.g. https://www.google.com. As this URL is in the target rules of [blk_BL_searchengines], which is set to DENY, that should work, right?
    I unchecked "Enable SSL filtering" and rebooted pfsense. I configured Firefox to use the same proxy on port 3128 for all protocols. I verified that some pages with ads have their ads now blocked, so the proxy IS working for http. Now firefox states "Unable to connect"... when searching on https://www.google.com  >:(

    nvdstruis

    @KOM:

    Uncheck Enable SSL filtering as well. Explicit means your PC is either told where the proxy is, or it can find it itself. With transparent mode, your PC is never ever aware that it's being proxied.

    Right... now my PC knows where the proxy is (I told it). But because SSL filtering is turned off, it doesn't accept ssl connections...

    KOM

    It's working. That's what you get with a blocked HTTPS connection. Can I assume other HTTPS sites work just fine?

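    The two KOM replies above (explicit mode needs no certificates; a blocked HTTPS site just shows as a failed connection) describe the CONNECT mechanism without spelling it out. The script below is an added illustration, not code from this thread, from Squid or from SquidGuard: it runs a toy explicit proxy on localhost that only understands CONNECT and refuses tunnels to a constructed deny list, and a probe that does what Firefox does first for every https:// URL in explicit mode. The category name blk_BL_searchengines is taken from the thread; the domains in it, the handler and the probe function are assumptions for this example.

```python
"""Explicit-proxy HTTPS: why a blocked site shows up as "Unable to connect".

In explicit mode the browser never speaks TLS to the proxy. It sends an HTTP
CONNECT request naming host:port; the proxy either answers
"200 Connection established" (and from then on relays opaque TLS bytes) or
refuses the tunnel (Squid with SquidGuard answers 403). The refusal happens
before any TLS handshake, so the proxy needs no CA certificate and the
browser can only show a generic connection failure.

Added example with a toy proxy and a constructed blocklist; not Squid code.
"""
import socket
import socketserver
import threading

# Constructed stand-in for a SquidGuard destination category set to DENY.
# The category name mirrors the thread; the member domains are assumed.
BLOCKED_DOMAINS = {
    "blk_BL_searchengines": {"google.com", "bing.com"},
}


def is_blocked(host: str) -> bool:
    """True if host or any parent domain is in a denied category
    (SquidGuard domain lists match subdomains, so www.google.com hits google.com)."""
    host = host.lower().rstrip(".")
    for domains in BLOCKED_DOMAINS.values():
        for d in domains:
            if host == d or host.endswith("." + d):
                return True
    return False


class ToyProxyHandler(socketserver.StreamRequestHandler):
    """Minimal explicit proxy that only understands CONNECT."""

    def handle(self):
        request_line = self.rfile.readline().decode("latin-1").strip()
        # Consume the request headers up to the blank line; we ignore them.
        while self.rfile.readline() not in (b"\r\n", b"\n", b""):
            pass
        parts = request_line.split()
        if len(parts) != 3 or parts[0] != "CONNECT":
            self.wfile.write(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
            return
        host, _, _port = parts[1].rpartition(":")
        if is_blocked(host):
            # Tunnel refused: no TLS bytes have been exchanged at this point.
            self.wfile.write(b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n")
            return
        # A real proxy would now connect to host:port and relay bytes both ways.
        self.wfile.write(b"HTTP/1.1 200 Connection established\r\n\r\n")


class ToyProxy(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_proxy() -> ToyProxy:
    """Start the toy proxy on 127.0.0.1 with an OS-chosen port (assumed helper)."""
    server = ToyProxy(("127.0.0.1", 0), ToyProxyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_connect(proxy_host: str, proxy_port: int, target: str, port: int = 443) -> int:
    """Send CONNECT target:port through the proxy and return the HTTP status code.
    This is the first thing a browser does for an https:// URL in explicit mode."""
    with socket.create_connection((proxy_host, proxy_port), timeout=5) as s:
        req = f"CONNECT {target}:{port} HTTP/1.1\r\nHost: {target}:{port}\r\n\r\n"
        s.sendall(req.encode("ascii"))
        status_line = s.makefile("rb").readline().decode("latin-1")
    # status_line looks like "HTTP/1.1 403 Forbidden\r\n"
    return int(status_line.split()[1])


if __name__ == "__main__":
    proxy = start_proxy()
    host, port = proxy.server_address
    for target in ("www.google.com", "www.example.com"):
        print(f"{target}: CONNECT -> {probe_connect(host, port, target)}")
    proxy.shutdown()
```

    Against a real pfSense box the same check is `curl -v -x http://<proxy>:3128 https://www.google.com`: a 403 on the CONNECT line means SquidGuard denied the tunnel, which Firefox reports as "Unable to connect", and the deny should also show up in the SquidGuard log. Because the proxy only ever sees the hostname in the CONNECT line, explicit mode can block by domain but cannot filter URL paths inside HTTPS; that is the case that needs SSL MitM filtering and a CA trusted by the browser.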
    nvdstruis

    You're kidding me... ;)

    nvdstruis

    No it doesn't, and I have no clue

    nvdstruis

    Not sure, need more testing. Give me 5 minutes

    nvdstruis

    OMG, it IS working...
    Sorry I was rude.
    Still need to let this sink in.

    Thanks again

    KOM

    No problem. Services - Squidguard also has a Log tab where you can see it blocking stuff.

    sichent

    You seem to be using Firefox to test HTTPS filtering; please note FF does not use the system certificate storage as you indicated in your screenshot. You need to add the trusted root certificate to FF's own storage. See https://docs.diladele.com/administrator_guide_4_8/https_filtering/install_certificates/win_ff.html

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.