    Pfsense + Squid HTTPS Transparent

    Cache/Proxy
macmagic:

Hi all,

I am new to PFSense - have been playing around with it on my home network a bit to get a better feel for it and hopefully use in production in the future.

Probably the millionth post about MITM HTTPS, but most other posts assume that pfsense is your firewall….

I have been struggling with Squid and transparent proxy for SSL. Transparent proxy works fine on HTTP, but as soon as I enable HTTPS the service won't start, with this error:

```
Bungled /usr/local/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept
```

I am using ACME certificates and have successfully created the certificates needed for my domains.

This is how I have my network configured:

Unifi Security Gateway - Router, DHCP, Firewall, VLAN
PFSense - Firewall off entirely, WAN and LAN interface bridged, DNS Forwarder, DHCP Relay

DHCP: Gateway and DNS server set to PFSense box.

Can anyone shed some light on why this won't work?
macmagic:

Anyone?
Tantamount:

@macmagic:

> I have been struggling with Squid and transparent proxy for SSL. Transparent proxy works fine on HTTP, but as soon as I enable HTTPS the service won't start, with this error:
>
> ```
> Bungled /usr/local/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept
> ```

Looking at my squid.conf file with Enable SSL filtering, I'm seeing a lot more content after the word "intercept."

```
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
```

Are you using the GUI to configure squid?
ivancba:

I have some problems in the lab.

Squid.conf transparent with self-signed cert. Service is running:

```
http_port 192.168.254.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE

icp_port 0
digest_generation off
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language es
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 5
sslproxy_capath /usr/local/share/certs/
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_adapt setCommonName all
```

Squid.conf transparent with ACME cert. Service stopped:

```
http_port 192.168.254.1:3128
http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept
icp_port 0
digest_generation off
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language es
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
```
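Tantamount's observation (the GUI-generated `https_port` line carries `ssl-bump`, `generate-host-certificates` and `cert=` options after `intercept`) and ivancba's two configs (the running one has those options plus `sslcrtd_program`; the stopped one has a bare `https_port ... intercept`) describe a difference that can be checked mechanically before restarting the service. The script below is an added example, not code from this thread, from pfSense or from the Squid project: it lints the `http_port`/`https_port` lines of a squid.conf text for exactly the pieces this thread turns on. The two embedded configs are constructed from the lines posted above (trimmed to the relevant directives), and the function names `parse_ports` and `lint_squid_conf` are my own.

```python
"""Lint squid.conf listener lines for the ssl-bump pieces a transparent HTTPS proxy needs."""

# Constructed sample 1: the "service stopped" shape from the thread (bare intercept).
SAMPLE_BROKEN = """\
http_port 192.168.254.1:3128
http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept
icp_port 0
"""

# Constructed sample 2: the "service running" shape (ssl-bump options + sslcrtd helper).
SAMPLE_WORKING = """\
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 5
"""


def _directive_lines(conf):
    """Yield (directive, args) for every non-empty, non-comment line."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def parse_ports(conf):
    """Return (directive, listen_address, option_list) for each http_port/https_port line."""
    ports = []
    for directive, args in _directive_lines(conf):
        if directive in ("http_port", "https_port") and args:
            ports.append((directive, args[0], args[1:]))
    return ports


def lint_squid_conf(conf):
    """Return a list of findings (strings). An empty list means nothing obviously missing."""
    findings = []
    present = {directive for directive, _ in _directive_lines(conf)}

    for directive, addr, opts in parse_ports(conf):
        flags = {o for o in opts if "=" not in o}            # e.g. intercept, ssl-bump
        kv = dict(o.split("=", 1) for o in opts if "=" in o)  # e.g. cert=/path

        # The failing line in the thread: https_port ... intercept with nothing after it.
        if directive == "https_port" and "intercept" in flags and "ssl-bump" not in flags:
            findings.append(
                f"{directive} {addr}: 'intercept' without 'ssl-bump' and a cert= option "
                "(this is the shape Squid reported as 'Bungled')"
            )

        if "ssl-bump" in flags:
            # Squid must be able to sign per-host certificates; cert= must be a CA it controls.
            if "cert" not in kv:
                findings.append(f"{directive} {addr}: ssl-bump set but no cert= option")
            if kv.get("generate-host-certificates") == "on" and "sslcrtd_program" not in present:
                findings.append(
                    f"{directive} {addr}: generate-host-certificates=on but no sslcrtd_program directive"
                )
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", SAMPLE_BROKEN), ("working", SAMPLE_WORKING)):
        result = lint_squid_conf(conf)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against a real file with `lint_squid_conf(open("/usr/local/etc/squid/squid.conf").read())`. The linter only reads the text; it does not check that the file behind `cert=` is actually a CA certificate, which is the separate point doktornotor raises below about ACME-issued (leaf) certificates.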
doktornotor:

You CANNOT use ACME cert!!! You need your own cert. authority!!!