Correct setup of Squid SSL filtering? Confirming GUI steps done correctly



  • (I posted this in the general area first by accident – seems more fitting for it to be here)

    From what I'm gathering from reading some other posts, there are lots of questions here that stem from the MITM/HTTPS filtering part of the Squid package.  I'm in the middle (no pun intended) of setting this up for the first time, and am of course having some issues.  Before I get too deep in tech-ing the issues, I'd just like to make sure I'm doing things right from a pfSense/Squid perspective.  What I've done:

    (I'm on pfSense 2.3.4-RELEASE-p1, the latest as of this writing.)

    1. Created a new self-signed CA under System -> Cert Manager

    I'm wanting the filtering to be transparent, so under Services -> Squid Proxy Server I:

    1. Enabled Squid ("Check to enable the Squid proxy")
    2. Enabled Transparent HTTP Proxy ("Enable transparent mode to forward all requests for destination port 80 to the proxy server.")
    3. Enabled HTTPS/SSL Interception ("Enable SSL filtering")
    4. Selected my newly-created CA in the "CA" dropdown in the SSL configuration section

    All other settings than those above were left at default.  After making sure all of that started and was enabled properly, I went back to System -> Cert Manager and:

    1. Clicked on the "multipoint star" icon next to my cert so as to "Export CA"

    I then took the resulting .CRT file that is saved, went to the browser I'm trying to access the internet on that is behind the pfSense firewall, and

    1. added that .CRT file to the "Trusted Root Certification Authorities" of said browser.

    Now, by my current understanding of what the setup should look and behave like, I should now be able to browse to an HTTPS site on that browser through the pfSense firewall without any certificate errors, and if I were to check the contents of the cert on the browser on the HTTPS site I would see reference not to the original cert but to the cert that I had created.

    Am I accurately understanding the setup and doing things right so far? Any clarification would be appreciated. Right now the setup is NOT working, I still get certificate errors, but I'm hoping it's just a fundamental misunderstanding of one of the above pieces of the process that can be corrected with a little new knowledge.
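One way to test the expectation in the post from the command line rather than by clicking through the browser's certificate viewer. This is an added example, not code from the original post or from the pfSense/Squid packages. It is run on a client behind the firewall, trusts only the exported CA file, and reports whether the certificate presented for an HTTPS host was issued by that CA (interception active) or whether verification fails (either the client's traffic is not being intercepted or the wrong CA was exported). The host name, the CA file path and the CA common name are assumptions to be replaced with your own values.

```python
"""Check whether HTTPS connections from this client are being intercepted by
Squid and re-signed with the CA exported from pfSense.  Added example; the
host, CA path and CA common name below are placeholders."""
import socket
import ssl
import sys


def common_name(rdn_sequence):
    """Extract the commonName from a subject/issuer in ssl.getpeercert() format.

    getpeercert() returns names as a tuple of RDNs, each RDN being a tuple of
    (attribute, value) pairs.
    """
    for rdn in rdn_sequence:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def issuer_common_name(cert):
    return common_name(cert.get("issuer", ()))


def subject_common_name(cert):
    return common_name(cert.get("subject", ()))


def classify(cert, expected_ca_cn):
    """Decide what a presented certificate says about the proxy.

    A forged certificate from Squid keeps the origin's name in the subject but
    carries the interception CA in the issuer, which is what the post expects
    to see in the browser's certificate viewer.
    """
    if issuer_common_name(cert) == expected_ca_cn:
        return "intercepted"
    return "not-intercepted"


def probe(host, ca_file, expected_ca_cn, port=443, timeout=5.0):
    """Connect directly to host:443 (the proxy is transparent, so no proxy
    settings are needed on the client) trusting ONLY the exported CA.

    Because create_default_context() skips the system trust store when a
    cafile is given, the handshake only succeeds if the certificate chains to
    the exported CA.  A verification failure therefore means either that this
    client's traffic is not reaching the interceptor or that the CA file does
    not match the CA selected in the Squid SSL settings.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"status": "verify-failed", "detail": str(exc)}
    return {
        "status": classify(cert, expected_ca_cn),
        "issuer": issuer_common_name(cert),
        "subject": subject_common_name(cert),
    }


def explain(result):
    """Map a probe result to the next thing to check."""
    status = result["status"]
    if status == "intercepted":
        return "Squid is re-signing this connection with the expected CA."
    if status == "not-intercepted":
        return ("Handshake verified but the issuer is %r, not the expected CA; "
                "compare the exported file with the CA chosen in Squid."
                % result.get("issuer"))
    return ("Certificate did not chain to the exported CA: traffic from this "
            "client is not being intercepted, or the wrong CA was exported. "
            "Detail: " + result.get("detail", ""))


if __name__ == "__main__":
    # Placeholder values; supply your own host, exported CA path and CA name.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    ca_file = sys.argv[2] if len(sys.argv) > 2 else "pfsense-squid-ca.crt"
    expected_cn = sys.argv[3] if len(sys.argv) > 3 else "SquidCA"
    outcome = probe(host, ca_file, expected_cn)
    print(outcome)
    print(explain(outcome))
```

Run it as `python3 check_bump.py example.com pfsense-squid-ca.crt SquidCA` from the machine whose browser shows the certificate errors. If it reports `verify-failed` even for a plain HTTPS site, the problem is upstream of the browser trust store, which narrows the search to the interception rules on pfSense rather than to the CA import step.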