[SOLVED] Can't get Squid HTTPS/SSL Interception to work with Android devices
-
I've set up HTTPS/SSL interception with Squid following this guide: https://turbofuture.com/internet/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense.
I successfully installed the certificates on my Windows machines. But, for my Android devices (Nexus 6, 6P, 7 (2013) and 9) I can install the certificate, but when I disconnect from my Wi-Fi and try to reconnect they can't get onto the internet. I've installed the certificates by exporting from pfSense and then going to Security and importing the certificate.
Is there something else I'm supposed to do? Or, does the problem lie with my Unifi APs? My windows laptop works ok connected to the APs, so I don't think this is the problem. For now, I've added the IPs of the android devices to the Bypass settings, but I'd really like to get HTTPS working. Otherwise, I need to decide whether to live with just HTTP or go without the proxy on the Android devices.
Thanks in advance for any help.
-
Hmm, "they can't get onto the internet" is not a useful problem description. This works just fine with "Splice all" without any certificates being required; if you really need MITM and have trouble with certificates, you'd be better off moving to some Android forum for advice.
-
Hmm, "they can't get onto the internet" is not a useful problem description. This works just fine with "Splice all" without any certificates being required; if you really need MITM and have trouble with certificates, you'd be better off moving to some Android forum for advice.
Sorry, I meant the wi-fi indicator shows as 'Connected, no internet'
Splice all did the trick - thanks. I'm new to pfSense - can I check what Splice all does please. I've done some searching but I'm still not clear - does it mean that all HTTPS traffic goes via the proxy, unless it's in the ACL blacklist?
-
It's described in the GUI, click the blue "i" next to SSL/MITM Mode.
As for 'Connected, no internet', that's definitely an Android issue in how it checks for connectivity, probably using some pre-defined servers.
-
It's described in the GUI, click the blue "i" next to SSL/MITM Mode.
As for 'Connected, no internet', that's definitely an Android issue in how it checks for connectivity, probably using some pre-defined servers.
I read the 'i' before I posted but it wasn't clear at first, but I've deduced that splicing is where the traffic goes via the filter and bumping is where it doesn't (but not blocked).
I think you're right about 'Connected, no internet'. I used to work for a public wi-fi provider and Android does heartbeat checks to see if there's actually a live connection to a set of certain servers before connecting, e.g. to see whether to switch from mobile data. I bet this was messing up Squid, but splice all has done the trick and not needing to install certificates is brilliant.
Thanks for the help
-
@DZMM:
I read the 'i' before I posted but it wasn't clear at first, but I've deduced that splicing is where the traffic goes via the filter and bumping is where it doesn't (but not blocked).
When you click the Squid Wiki link there, you'll get a more detailed description.
-
@DZMM:
I read the 'i' before I posted but it wasn't clear at first, but I've deduced that splicing is where the traffic goes via the filter and bumping is where it doesn't (but not blocked).
When you click the Squid Wiki link there, you'll get a more detailed description.
I wasn't quite TL;DR, but I'd been to the Wiki page before; I persevered this time and the definition of Splice was a long way down the page ;-)
Become a TCP tunnel without decoding the connection. The client and the server exchange data as if there is no proxy in between.
Understand now - caches, but doesn't decode, so it can't do any filtering. This works for me as I'm in a home environment and I don't want visitors to start wondering if I'm watching their internet usage.
Thanks again for the help
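The two SSL/MITM modes discussed in this thread, written out as squid.conf directives so the difference is concrete. This is an added illustration, not configuration from the thread, the linked guide or the pfSense Squid package; the port, certificate paths, ACL names and bypass addresses are placeholders.

```conf
# Added example: "Splice all" versus "Bump" as raw squid.conf directives.
# Not taken from the thread or the pfSense package; paths, port and
# addresses below are illustrative placeholders.

# Intercept port for HTTPS. The CA certificate/key is only exercised when a
# connection is bumped; with splice-all it is never presented to clients.
https_port 3129 intercept ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/serverkey.pem
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M 4MB

# Clients that must never be intercepted (the "Bypass" workaround used for
# the Android devices in the thread). Placeholder addresses.
acl bypass_src src 192.168.1.50 192.168.1.51

# Step 1 of SslBump: read the client's TLS ClientHello (SNI, destination IP)
# without decrypting anything.
acl step1 at_step SslBump1

# "Splice all": peek at the SNI, then become a plain TCP tunnel. The client
# and server exchange data as if there were no proxy, so no CA has to be
# installed on clients and Android's connectivity probes pass unchanged.
# Destination-based ACLs (domain blacklists) still work on the SNI; the
# content itself cannot be inspected or filtered.
ssl_bump peek step1
ssl_bump splice all

# "Bump" alternative (replace the two lines above with these): Squid
# terminates TLS and re-encrypts, so every client must trust the Squid CA.
# Bypassed clients are still spliced so they keep working without the CA.
# ssl_bump peek step1
# ssl_bump splice bypass_src
# ssl_bump bump all
```

In pfSense the package writes these directives for you from the "SSL/MITM Mode" and "Bypass" fields; the point of spelling them out is that splice mode decides on SNI alone, which is why it needs no certificate on the clients and why content filtering is not possible under it.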
-
You are welcome.