Splice all: web (http+https) filtering



  • Hello,
    since the new 0.4.37 squid package, things seem to be a lil'bit better with squid in transparent mode.
    First of all I want to clarify my configuration and its purpose:

    • Transparent http+https proxy => Squid package

    • Web filtering (http+https) => Splice all mode + Squidguard package

    I managed to get it working on all my network clients.
    Sometimes some clients lose the https connectivity for some sites (e.g. https://www.google.it). No way to understand why.

    A big issue is that Windows updates on W10 clients do not work, even if that client is able to browse via proxy flawlessly: it's like there were no https connectivity.
    I think it could be due to the way the https request is made by the winupdate service... as if there were no way of peeking in it... as splice mode requests (http://marek.helion.pl/install/squid.html).
    As I do not find any "guide" on Splice all mode for web filtering, if I could manage to solve the issues above I'd like to create a specific post in the documentation section.
    Thanks to all for help.



  • Could you share your configuration and how you made it work?



  • @vielfede:

    Hello,
    since the new 0.4.37 squid package, things seem to be a lil'bit better with squid in transparent mode.
    First of all I want to clarify my configuration and its purpose:

    • Transparent http+https proxy => Squid package

    • Web filtering (http+https) => Splice all mode + Squidguard package

    I managed to get it working on all my network clients.
    Sometimes some clients lose the https connectivity for some sites (e.g. https://www.google.it). No way to understand why.

    A big issue is that Windows updates on W10 clients do not work, even if that client is able to browse via proxy flawlessly: it's like there were no https connectivity.
    I think it could be due to the way the https request is made by the winupdate service... as if there were no way of peeking in it... as splice mode requests (http://marek.helion.pl/install/squid.html).
    As I do not find any "guide" on Splice all mode for web filtering, if I could manage to solve the issues above I'd like to create a specific post in the documentation section.
    Thanks to all for help.

    Windows 10 doesn't like its update traffic being messed with. You need to exclude squid from touching it. Microsoft have really hardened security. You can do that by going to the ACL tab if I remember correctly.





  • @techbee:

    Could you share your configuration and how you made it work?

    First of all, sorry for answering late, but I was on vacation.
    Second, thanks to bbassotti for his help, found on the Italian forum here (https://forum.pfsense.org/index.php?topic=124163.msg690099#msg690099)

    Third, although https works 95% of the time, I have to state there are still some problems:

    • Sometimes on some clients some https sites do not seem to work, whereas those sites work on other PCs. No way to understand why.

    • Redirect links (e.g. google shopping results)

    • Sometimes some PCs have problems with some browsers, e.g. Edge

    I tested it in a production environment with 20 PCs.

    Configuration Squid 0.4.37 package - Transparent mode
    - Squid General Settings
    Enable Squid Proxy: checked
    Keep Settings/Data: checked
    Proxy Interface(s): LAN
    Proxy Port: 3128
    ICP Port: <empty>
    Allow Users on Interface: checked
    Resolve DNS IPv4 First: checked
    Disable ICMP: UNchecked
    Use Alternate DNS Servers for the Proxy Server: empty

    - Transparent Proxy Settings
    Transparent HTTP Proxy: checked
    Transparent Proxy Interface(s): LAN

    - SSL Man In the Middle Filtering
    SSL/MITM Mode: Splice All
    SSL Intercept Interface(s): LAN
    SSL Proxy Port: <empty>
    SSL Proxy Compatibility Mode: Modern
    DHParams Key Size: 2048 (default)
    CA: CA_TEST (you might need to create a new one)
    SSL Certificate Daemon Children: 50
    Remote Cert Checks: Accept remote server certificate with errors
    Certificate Adapt: Sets the "Not After" (setValidAfter) + Sets the "Not Before" (setValidBefore)

    Squidguard conf: no changes with respect to the "regular/usual" (http) conf



  • What I did is use a WPAD as default (all devices are set to auto configure proxy), then I used transparent proxy with mitm splice all to catch everything that cannot use the proxy (blocking port 80 and 443).

    I have no issues with windows updates with this setup and all my devices can connect to the proxy.



  • @aGeekHere:

    What I did is use a WPAD as default (all devices are set to auto configure proxy), then I used transparent proxy with mitm splice all to catch everything that cannot use the proxy (blocking port 80 and 443).

    I have no issues with windows updates with this setup and all my devices can connect to the proxy.

    Thanks Geek… I know your conf (WPAD+transparent) works flawlessly (I tested it).
    Nevertheless it's quite disappointing to have to use WPAD if I already use transparent.
    Moreover, bbassotti stated he was able to get it to work without WPAD.

