Netgate Discussion Forum

SquidGuard "Block Page" served via IP Address and HTTPS

  • D
    dataweasel
    last edited by Dec 24, 2016, 7:35 PM

    Hello all:

    I just installed pfSense (2.1.5-RELEASE - amd64) with Squid3 (3.1.20 pkg 2.1.4) and SquidGuard (1.4_4 pkg v1.9.16).  I had to use an older version because I could not get Squid to correctly allow web traffic with the latest release of pfSense.  I'm okay with that.

    I've got everything running, categories selected, and SquidGuard is blocking pages that it should, etc.  I've set up a local "CA" and am distributing the CA Cert to all my client machines and devices.  The only issue that I have is:

    When SquidGuard blocks a page, the server in the URL is the IP Address of my firewall, but the page is also served via HTTPS.

    https://192.168.62.1/sgerror.php?url=403%20&a=192.168.62.100&n=&i=&s=default&t=blk_BL_porn&u=http://www.a_porn_site.com/
    

    When this hits the browser I get a certificate error.  I'd like to either change the Server from IP to FQDN or change the page being sent via HTTPS.  Either way I should stop getting the error.  I've looked at all the configuration in the GUI and some of the files on the filesystem but I don't see a clear way to do either.

    Any push in the right direction would be appreciated.

    Thanks.

    -Joe

    • D
      dataweasel
      last edited by Dec 24, 2016, 8:30 PM

      Additional Info:

      When I look in /usr/local/etc/squidGuard/squidGuard.conf I can see that the "redirect" field for the default ACL is HTTP and not HTTPS:

      acl  {
              #
              default  {
                      pass !in-addr !blk_BL_anonvpn !blk_BL_costtraps !blk_BL_dating !blk_BL_fortunetelling !blk_BL_gamble !blk_BL_porn !blk_BL_redirector !blk_BL_sex_lingerie !blk_BL_spyware !blk_BL_warez all
                      redirect http://192.168.20.1:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
                      rewrite safesearch
                      log block.log
              }
      }
      
      

      When I change the "Redirect Info" on the Common ACL page the changes are reflected in here.  However, it appears that the connection is being forced to HTTPS even if the URL is configured as HTTP.

      • A
        aeleus
        last edited by Apr 7, 2017, 7:08 PM

        I have a similar issue.

        Everything was working as expected using HTTP.

        I recently switched the webConfigurator (System/Advanced/Admin Access) from HTTP to HTTPS.

        Now, that redirects everything to HTTPS - including SquidGuard redirects that are set to HTTP.

        From squidGuard.conf:

        default  {
        pass Internal Allowed !in-addr !Blocked none
        redirect 301:http://proxy.mydomain.net/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
        log block.log
        }

        That would be fine except that I have this in squidGuard.conf:

        dest blk_BL_adv {
        domainlist blk_BL_adv/domains
        urllist blk_BL_adv/urls
        redirect http://10.0.0.1:80/sgerror.php?url=blank_img&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
        log block.log
        }

        That gives me certificate errors when it redirects to https://10.0.0.1/….

        I don't know why that's the only entry - aside from the default and explicit ACL's that I set - that has a redirect.

        Any thoughts on how to change it?

        • D
          doktornotor Banned
          last edited by Apr 14, 2017, 8:28 AM

          There is no way to change it; when using the FQDN, HTTPS will get forced via HSTS as soon as you've switched the webGUI to HTTPS.

          https://redmine.pfsense.org/issues/6650

          • J
            jimp Rebel Alliance Developer Netgate
            last edited by Apr 20, 2017, 7:44 PM

            Set the redirect to Ext URL Found and enter the full URL using the hostname, including the parameters you want to pass.

            For example, this works fine:

            https://host.example.com/sgerror.php?url=403&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
            

            • R
              remzej
              last edited by Apr 21, 2017, 9:06 AM

              @aeleus:

              I have a similar issue.

              Everything was working as expected using HTTP.

              I recently switched the webConfigurator (System/Advanced/Admin Access) from HTTP to HTTPS.

              Now, that redirects everything to HTTPS - including SquidGuard redirects that are set to HTTP.

              From squidGuard.conf:

              default  {
              pass Internal Allowed !in-addr !Blocked none
              redirect 301:http://proxy.mydomain.net/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
              log block.log
              }

              That would be fine except that I have this in squidGuard.conf:

              dest blk_BL_adv {
              domainlist blk_BL_adv/domains
              urllist blk_BL_adv/urls
              redirect http://10.0.0.1:80/sgerror.php?url=blank_img&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
              log block.log
              }

              That gives me certificate errors when it redirects to https://10.0.0.1/….

              I don't know why that's the only entry - aside from the default and explicit ACL's that I set - that has a redirect.

              Any thoughts on how to change it?

              To get rid of the certificate errors for sgerror, you need to create a certificate for your server. Specify the alternative names for your server, like the FQDN and IP address of the server.
