Netgate Discussion Forum
Splice all: web (http+https) filtering

vielfede

Hello,
since the new 0.4.37 Squid package, things seem to be a little bit better with Squid in transparent mode.
First of all I want to clarify my configuration and its purpose:

• Transparent HTTP+HTTPS proxy => Squid package

• Web filtering (HTTP+HTTPS) => Splice All mode + SquidGuard package

I managed to get it working on all my network clients.
Sometimes some clients lose HTTPS connectivity for some sites (e.g. https://www.google.it). No way to understand why.

A big issue is that Windows Updates on W10 clients do not work, even if that client is able to browse via the proxy flawlessly: it's as if there were no HTTPS connectivity.
I think it could be due to the way the HTTPS request is made by the Windows Update service... as if there were no way of peeking into it, as with a splice mode request (http://marek.helion.pl/install/squid.html).
As I cannot find any "guide" on Splice All mode for web filtering, if I manage to solve the issues above I'd like to create a specific post in the documentation section.
Thanks to all for help.

techbee

Could you share your configuration and how you made it work?

pfsensation

@vielfede:

Windows 10 doesn't like its update traffic being messed with. You need to exclude Squid from touching it. Microsoft have really hardened security. You can do that by going to the ACL tab if I remember correctly.

bbassotti

http://wiki.squid-cache.org/SquidFaq/WindowsUpdate#Squid_with_SSL-Bump_and_Windows_Updates

vielfede

@techbee:

First of all, sorry to answer late, but I was on vacation.
Second, thanks to bbassotti for his help, found on the Italian forum here (https://forum.pfsense.org/index.php?topic=124163.msg690099#msg690099).

Third, although HTTPS works 95% of the time, I have to state there are still some problems:

• Sometimes on some clients some HTTPS sites do not seem to work, whereas those sites work on other PCs. No way to understand why.

• Redirect links (e.g. Google Shopping results)

• Sometimes some PCs have problems with some browsers, e.g. Edge.

I tested it in a production environment with 20 PCs.

Configuration: Squid 0.4.37 package - Transparent mode
- Squid General Settings
Enable Squid Proxy: checked
Keep Settings/Data: checked
Proxy Interface(s): LAN
Proxy Port: 3128
ICP Port: (empty)
Allow Users on Interface: checked
Resolve DNS IPv4 First: checked
Disable ICMP: UNchecked
Use Alternate DNS Servers for the Proxy Server: empty

- Transparent Proxy Settings
Transparent HTTP Proxy: checked
Transparent Proxy Interface(s): LAN

- SSL Man In the Middle Filtering
SSL/MITM Mode: Splice All
SSL Intercept Interface(s): LAN
SSL Proxy Port: (empty)
SSL Proxy Compatibility Mode: Modern
DHParams Key Size: 2048 (default)
CA: CA_TEST (you might need to create a new one)
SSL Certificate Daemon Children: 50
Remote Cert Checks: Accept remote server certificate with errors
Certificate Adapt: Sets the "Not After" (setValidAfter) + Sets the "Not Before" (setValidBefore)

SquidGuard conf: no changes with respect to the "regular/usual" (HTTP) conf.

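A small triage script, added here as an example and not code from the thread or from the pfSense/Squid projects, for the "browses fine but cannot update / no way to understand why" symptom above: it parses Squid's access.log (assumed to be in the native "squid" logformat), counts per CONNECT destination how many spliced tunnels carried data versus died with status 000, and flags destinations logged as a bare IP:port, which means the ClientHello carried no SNI and a hostname-based ACL exclusion can never match that flow. The sample log lines are constructed.

```python
import re
from collections import defaultdict

# Squid native access.log layout (logformat "squid"), whitespace separated:
# timestamp elapsed client action/status bytes method url user hierarchy/peer mime
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)
# A CONNECT target logged as bare IP:port means the ClientHello carried no SNI.
IP_PORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")

# Constructed sample lines (not from the thread): two spliced tunnels that carried
# data, two that died before any byte flowed, and one plain HTTP request.
SAMPLE_LOG = """\
1513434283.101     45 192.168.1.10 TCP_TUNNEL/200 3985 CONNECT www.google.it:443 - ORIGINAL_DST/216.58.205.67 -
1513434284.220     12 192.168.1.10 NONE/000 0 CONNECT 13.107.4.50:443 - HIER_NONE/- -
1513434285.330     33 192.168.1.11 TCP_TUNNEL/200 51200 CONNECT download.windowsupdate.com:443 - ORIGINAL_DST/13.107.4.50 -
1513434286.440      9 192.168.1.10 NONE/000 0 CONNECT fe2cr.update.microsoft.com:443 - HIER_NONE/- -
1513434287.550     20 192.168.1.12 TCP_MISS/200 2048 GET http://www.example.com/index.html - ORIGINAL_DST/93.184.216.34 text/html
"""

def parse_line(line):
    """Fields of one access.log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def tunnel_report(log_text):
    """Per CONNECT destination: tunnels that carried data ('ok'), tunnels that ended
    with status 000 / zero bytes ('failed'), and whether the target had no SNI."""
    report = defaultdict(lambda: {"ok": 0, "failed": 0, "no_sni": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "CONNECT":
            continue  # plain HTTP and unparsable lines are not tunnels
        entry = report[rec["url"]]
        entry["no_sni"] = bool(IP_PORT_RE.match(rec["url"]))
        if rec["status"] == "000" or int(rec["bytes"]) == 0:
            entry["failed"] += 1
        else:
            entry["ok"] += 1
    return dict(report)

def suspicious_destinations(log_text):
    """Destinations where no tunnel ever carried data: where to look first when a
    client browses fine but cannot update. Bare IP:port entries need an IP bypass."""
    rep = tunnel_report(log_text)
    return sorted(d for d, e in rep.items() if e["ok"] == 0 and e["failed"] > 0)
```

Run `suspicious_destinations` over the real access.log and compare the result with the ACL/bypass list: a destination that only ever appears as an IP:port has to be excluded by address, not by hostname.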
aGeekhere

What I did is use WPAD as default (all devices are set to auto-configure proxy), then I used transparent proxy with MITM splice all to catch everything that cannot use the proxy (blocking ports 80 and 443).

I have no issues with Windows updates with this setup and all my devices can connect to the proxy.


vielfede

@aGeekHere:

Thanks Geek... I know your conf (WPAD+transparent) works flawlessly (I tested it).
Nevertheless it's quite disappointing to have to use WPAD if I already use transparent.
Moreover bbassotti stated he was able to get it working without WPAD.
