Having problems with Squid SSL Filtering, only in transparent mode



  • I'm on a fresh pfSense 2.3.4 installation that I updated to 2.3.4-RELEASE-p1 via the pfSense interface.

    I also posted here:
    https://forum.pfsense.org/index.php?topic=134364.0
    trying to make sure I was setting things up correctly with squid, and after a couple of weeks of trying things on my own since I've yet to receive a response, I've been able to narrow some things down.

    So, as previously stated, I want to use squid to proxy traffic, and if I enable squid and point a client to the pfSense box with squid's port as the proxy (port 3128), all seems to be working well.  I'd also like to proxy HTTPS connections, so I enabled that in pfSense, added the appropriate cert to the client, and added the HTTPS proxy (same port, 3128) to the client browser.  That also works like a champ.  BUT, as soon as I enable transparent mode (which is my ultimate configuration goal), remove any browser proxy settings, and try again, the HTTPS part of the proxy breaks (HTTP still works fine).  I start getting cert errors, errors about the COMMON_NAME being invalid, etc.  Stuff that I'm NOT getting when I manually point to squid/pfSense as the proxy when running it in non-transparent mode.

    What could be causing this?  It doesn't seem to be a configuration issue on the client because the imported CA and HTTPS filtering works just fine when I've set the client to use the squid/pfSense proxy manually.  It's only when I try to do it transparently.

    I did notice that in transparent mode squid runs on two ports, 3128 and 3129, but in non-transparent mode it seems to only run on port 3128 (while servicing both HTTP and HTTPS requests, if I have the SSL Filtering enabled).  Just extra info, but I didn't know if that was normal behavior: two ports for transparent and one port for non-transparent?

    Does anyone have any thoughts?  I've read several other threads regarding transparent mode being problematic but none of them seem to come to a conclusion that is applicable to me (ie, I'm not running anything custom, "Bypass Proxy for These Destination IPs" is already blank, etc).



  • Any thoughts on my question(s) above, anyone??

    I have noticed after continuing to look into the issue that, when in transparent mode, the HTTPS portion of squid is not running on the LAN interface like the HTTP portion does, see the below output from sockstat:

    squid    squid      56445 26 tcp4  192.168.0.60:3128      :
    squid    squid      56445 27 tcp4  127.0.0.1:3128        :
    squid    squid      56445 28 tcp4  127.0.0.1:3129        :

    Is this normal, or does this mean something's not starting correctly with squid?  FWIW, "LAN" is selected in the "SSL Intercept Interface(s)" section.



  • OK, if I examine the squid config file between transparent and non-transparent modes, the only difference between the two files is the addition of these two lines in the "transparent" version of the config file:

    http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE

    https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE

    I did some more searching and did find the system logs, and I don't see anything about port 3129 being problematic or anything about any of the squid ports being blocked or problematic.

    So, the only difference in the configs is these two localhost ports running when squid is in transparent mode.  Why would that impact the functionality of squid??  Something must be stopping communication to port 3129 since that is the one associated with SSL.  Can somebody please provide a suggestion or some insight?
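The two extra `intercept` listeners above are bound to 127.0.0.1 on purpose: in transparent mode the pfSense squid package relies on pf `rdr` rules to redirect LAN traffic for ports 80 and 443 to 127.0.0.1:3128 and 127.0.0.1:3129, so a loopback-only 3129 listener is not by itself a defect. What has to be checked is whether a redirect rule for port 443 exists and points at an address:port squid actually has open. The script below is an added example (not from the thread or the pfSense package) that runs that check offline over constructed `sockstat -4l` and `pfctl -sn` output; the LAN address 192.168.0.60 and the ports come from the posts above, while the interface name `em1` and the exact `rdr` rule text are assumptions. On a live box you would feed it the real command output instead of the samples.

```shell
#!/bin/sh
# Constructed sample in the shape of `sockstat -4l` on pfSense (assumption: the
# header and the listener lines mirror the thread's output; foreign address *:*).
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
squid    squid      56445 26 tcp4   192.168.0.60:3128     *:*
squid    squid      56445 27 tcp4   127.0.0.1:3128        *:*
squid    squid      56445 28 tcp4   127.0.0.1:3129        *:*'

# Constructed sample in the shape of `pfctl -sn` (NAT/rdr rules). Interface name
# em1 and the rule wording are assumptions, not copied from a live firewall.
PFCTL_SAMPLE='rdr on em1 inet proto tcp from any to ! (em1) port = 80 -> 127.0.0.1 port 3128
rdr on em1 inet proto tcp from any to ! (em1) port = 443 -> 127.0.0.1 port 3129'

# listener_addrs PORT: print every local address squid has bound on PORT.
# Field 6 of sockstat is "addr:port"; the header is skipped via $1=="squid".
listener_addrs() {
  printf '%s\n' "$SOCKSTAT_SAMPLE" |
    awk -v p="$1" '$1=="squid" && $6 ~ (":" p "$") { sub(":" p "$", "", $6); print $6 }'
}

# rdr_target CLIENTPORT: print "addr port" that rdr sends CLIENTPORT to, or
# nothing if no rdr rule matches that destination port.
rdr_target() {
  printf '%s\n' "$PFCTL_SAMPLE" |
    awk -v p="$1" '$1=="rdr" {
      for (i = 1; i <= NF; i++)
        if ($i=="port" && $(i+1)=="=" && $(i+2)==p) { print $(NF-2), $NF; exit }
    }'
}

# check_redirect CLIENTPORT: confirm the redirect exists and lands on an open
# squid listener. Prints "ok addr:port" on success, otherwise the reason.
check_redirect() {
  target=$(rdr_target "$1")
  if [ -z "$target" ]; then
    echo "no rdr rule for port $1"
    return 1
  fi
  addr=${target% *}
  port=${target#* }
  if listener_addrs "$port" | grep -qx "$addr"; then
    echo "ok $addr:$port"
  else
    echo "rdr sends port $1 to $addr:$port but squid is not listening there"
    return 1
  fi
}

# Usage: both redirects should report ok; a port with no rule reports why not.
check_redirect 80
check_redirect 443
check_redirect 8080 || true
```

If the 443 redirect checks out on the firewall but clients still see COMMON_NAME errors, the remaining place to look is the client side: `openssl s_client -connect host:443 -servername host` from a LAN machine should show an issuer equal to the CA you imported; any other issuer means the connection is not passing through the bump at all.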



  • If you use SquidGuard, disable the option: "Do not allow IP-Addresses in URL"



  • @Jarek358, appreciate the suggestion, but I am not using squidguard in this case.



  • I've now tried upgrading pfSense to the 2.4.0 RC, and the same problem still persists.

    Anybody else have any suggestions or information??



  • @DDDSSS:

    Anybody else have any suggestions or information??

    I have completely the same issue.
    HTTP and HTTPS filtering works flawlessly in non-transparent mode. But if I enable transparent mode, HTTPS filtering stops working with errors.
    And I have this issue on three separate pfSense instances. All three updated to the 2.4.1-RELEASE version of pfSense.
    So, I may assume that for some reason HTTPS filtering is not working in transparent mode in pfSense.



    @DDDSSS:

    OK, if I examine the squid config file between transparent and non-transparent modes, the only difference between the two files is the addition of these two lines in the "transparent" version of the config file:

    That is actually NOT correct. Transparent == you do NOT configure the clients. And here's the code that does the job:

    https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L2056



  • @doktornotor, I'm confused by your response based on what you quoted.  The part that I posted about the differences between the two files was just a diff between the two config files when transparent was on and then when it was off.  But you're right, you don't have to configure clients for a proxy in transparent mode, but you DO have to give the clients an SSL cert if you're doing HTTPS filtering.  I guess I'm just not sure what you were saying is "NOT correct" in your post, based on what you quoted.

    @dizazter, and anyone else who ends up reading this, I tried a few different firewall distros when I couldn't get pfSense to work consistently with its HTTPS filtering functionality, and found that the Smoothwall Express distro with this mod:

    https://community.smoothwall.org/forum/viewtopic.php?f=118&t=40697

    ... works very well out-of-the-box.  So, hopefully that can help someone else, and hopefully whatever's causing the HTTPS filtering to work inconsistently with pfSense gets sorted out, because I do like pfSense's interface and feature set!



  • @DDDSSS:

    and hopefully whatever's causing the HTTPS filtering to work inconsistently with PFsense gets sorted out

    Not gonna happen. It seems that nobody at pfSense cares about Squid HTTPS filtering in transparent mode with the Splice-All setting.
    I've read a lot of topics here, and the most common answer is: do not use HTTPS filtering in transparent mode, it's not designed for that, blah-blah-blah.
    Despite it working flawlessly on other distros.

