    [SOLVED] Can't get Squid HTTPS/SSL Interception to work with Android devices

    • B
      Binson_Buzz last edited by

      I've set up HTTPS/SSL interception with Squid following this guide: https://turbofuture.com/internet/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense.

      I successfully installed the certificates on my Windows machines.  But, for my Android devices (Nexus 6, 6P, 7 (2013) and 9) I can install the certificate, but when I disconnect from my Wi-Fi and try to reconnect they can't get onto the internet.  I've installed the certificates by exporting from pfSense and then going to Security and importing the certificate.

      Is there something else I'm supposed to do?  Or, does the problem lie with my Unifi APs?  My Windows laptop works ok connected to the APs, so I don't think this is the problem.  For now, I've added the IPs of the Android devices to the Bypass settings, but I'd really like to get HTTPS working.  Otherwise, I need to decide whether to live with just HTTP or go without the proxy on the Android devices.

      Thanks in advance for any help.

      • D
        doktornotor Banned last edited by

        Hmm, "they can't get onto the internet" is not a useful problem description. This works just fine with "Splice all" without any certificates being required, if you really need MITM and have trouble with certificates, you'd be better off moving to some Android forum for advice.

        • B
          Binson_Buzz last edited by

          @doktornotor:

          Hmm, "they can't get onto the internet" is not a useful problem description. This works just fine with "Splice all" without any certificates being required, if you really need MITM and have trouble with certificates, you'd be better off moving to some Android forum for advice.

          Sorry, I meant the wi-fi indicator shows as 'Connected, no internet'

          Splice all did the trick - thanks.  I'm new to pfSense - can I check what Splice all does please.  I've done some searching but I'm still not clear - does it mean that all HTTPS traffic goes via the proxy, unless it's in the ACL blacklist?

          • D
            doktornotor Banned last edited by

            It's described in the GUI, click the blue "i" next to SSL/MITM Mode.

            As for 'Connected, no internet', that's definitely an Android issue in how it checks for connectivity, probably using some pre-defined servers.

            • B
              Binson_Buzz last edited by

              @doktornotor:

              It's described in the GUI, click the blue "i" next to SSL/MITM Mode.

              As for 'Connected, no internet', that's definitely an Android issue in how it checks for connectivity, probably using some pre-defined servers.

              I read the 'i' before I posted but it wasn't clear at first, but I've deduced that splicing is where the traffic goes via the filter and bumping is where it doesn't (but not blocked).

              I think you're right about 'Connected, no internet'.  I used to work for a public wi-fi provider and Android does heartbeat checks to see if there's actually a live connection to a set of certain servers before connecting, e.g. to see whether to switch from mobile data - I bet this was messing up Squid. But splice all has done the trick and not needing to install certificates is brilliant.

              Thanks for the help

              • D
                doktornotor Banned last edited by

                @DZMM:

                I read the 'i' before I posted but it wasn't clear at first, but I've deduced that splicing is where the traffic goes via the filter and bumping is where it doesn't (but not blocked).

                When you click the Squid Wiki link there, you'll get a more detailed description.

                • B
                  Binson_Buzz last edited by

                  @doktornotor:

                  @DZMM:

                  I read the 'i' before I posted but it wasn't clear at first, but I've deduced that splicing is where the traffic goes via the filter and bumping is where it doesn't (but not blocked).

                  When you click the Squid Wiki link there, you'll get a more detailed description.

                  I wasn't quite TL;DR, but I'd been to the Wiki page before but I persevered this time and the definition of Splice was a long way down the page ;-)

                  Become a TCP tunnel without decoding the connection. The client and the server exchange data as if there is no proxy in between.

                  Understand now - caches, but doesn't decode so can't do any filtering.  This works for me as I'm in a home environment and I don't want visitors to start wondering if I'm watching their internet usage.

                  Thanks again for the help

                  • D
                    doktornotor Banned last edited by

                    You are welcome.

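What the "Splice all" and bump (MITM) modes discussed in this thread correspond to in squid.conf terms, as an added example that is not part of the original posts and is not the configuration pfSense generates. It assumes Squid 3.5 or later (peek-and-splice); the domain name and log path are placeholders.

```conf
# Added example. Placeholder values: .pinned.example, /path/to/tls-mode.log

# --- Variant A: splice everything --------------------------------------
# Step 1 of the TLS handshake: read the ClientHello (including SNI)
# without modifying anything.
acl step1 at_step SslBump1
ssl_bump peek step1
# Turn every connection into a plain TCP tunnel. The client completes the
# handshake with the origin server and sees the origin's real certificate,
# so no proxy CA has to be installed on any device.
ssl_bump splice all

# --- Variant B: bump, with splice exceptions ----------------------------
# Use INSTEAD of variant A, never together with it. Bumped connections are
# re-signed by the proxy CA, so every client must trust that CA; a client
# or app that does not will fail the handshake for bumped sites.
#
# acl step1 at_step SslBump1
# acl no_bump ssl::server_name .pinned.example
# ssl_bump peek step1
# ssl_bump splice no_bump
# ssl_bump bump all

# --- Check which decision was applied per connection --------------------
# Logs client address, the ssl_bump action taken, the SNI seen at step 1
# and the HTTP status returned to the client.
logformat tlsmode %ts.%03tu %>a %ssl::bump_mode %ssl::>sni %>Hs
access_log stdio:/path/to/tls-mode.log tlsmode
```

With variant A active, the log should show `splice` for HTTPS connections from the Android devices, and a certificate inspection on the device should show the origin site's issuer rather than the proxy CA.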