Netgate Discussion Forum

    SSL filtering

    Cache/Proxy
      alear

      Hello,

      I configured man in the middle ssl filtering as follows:

      ssl mode: splice all
      interface: 2 internal networks
      default port
      ssl compatibility: modern
      DHT: 2048
      remote check: accept
      adapt: not before

      This config was working perfectly. Now, all of a sudden, I have two websites, google and facebook, that cannot be accessed. I get the "cannot connect securely" error, which is what is received when squidguard blocks an https page. I checked the squidguard logs and there are no blocks logged for these two sites. I have tested other https sites and they work perfectly. I tested other sites in blocked categories and they are blocked, and I receive the "cannot connect securely" error as I should. I tested the exact same setup on another box and I am not having any issues: everything I set to block gets blocked, and all other https sites, including google and facebook, are accessible without issue. What am I missing?

      Other info:

      I do have an internal webserver that requires ports 80-82 to be forwarded. I disabled those rules, but it did not resolve the issue. Port 443 is not forwarded. I have 3 VPN servers configured in pfsense, but all with unique ports configured. If I disable ssl filtering, then everything works properly, but https sites (ex: https.porn.xxx) do not get blocked anymore.

      Thanks in advance.

        sichent

        Seems like this, from your description: https://docs.diladele.com/faq/squid/chrome_ssl_filter/dns_does_not_exist.html (it is not SG, but it does not matter; the error is shown only for the squid denied page, right?)

          alear

          I don't believe that's it. I'm getting "cannot connect securely", which is what I should get using splice all. I'm blocking the porn category. All http sites are blocked without issue. If I visit https xvideos.com I get "cannot connect securely" and the SG logs show the block. Now, I'm not blocking google or facebook, but when visiting those sites I get either "cannot connect securely" or a TLS error in IE. In Chrome I can connect to google fine but get "cannot connect securely" for Facebook. I checked the SG logs and no blocks are recorded. This was working well at first, but now it is not. It only seems to be these two sites.

          I have tried an ACL list to allow them, but that did not work either. I know I'm missing something simple, but I just can't put my finger on it.

          ![What I should be getting.png](/public/imported_attachments/1/What I should be getting.png)
          ![What I am getting (incorrect).png](/public/imported_attachments/1/What I am getting (incorrect).png)
          ![What I am getting (incorrect) also.png](/public/imported_attachments/1/What I am getting (incorrect) also.png)

            alear

            I have resolved the issue. I set the DHCP Server to use the interface as the DNS Server. I then applied the same server addresses into squid's "use alternate DNS servers".

            IP addresses vary depending on your network scope.

            ex: LAN=192.168.1.1 use this as the DNS server applied to DHCP clients. Configure in DHCP Server>Servers>DNS Servers.

            Then enter the same DNS server(s) IP in Squid Proxy Server>General>Use Alternate DNS Servers for the Proxy Server.

            HTTPS filtering should work flawlessly using Splice All, and block only the sites set in the Squidguard rules.
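            The fix above points both the DHCP clients and the proxy at the same resolver. The mechanism behind that is worth seeing in code: in splice-all mode, Squid peeks at the TLS ClientHello to read the server name (SNI), resolves that name itself, and for intercepted connections compares the client's original destination address with its own DNS answer before splicing (Squid logs a failure of this check as host forgery in cache.log). A site served from many rotating CDN addresses can pass that check only when client and proxy see the same DNS view, which is consistent with the symptom in this thread, though the thread itself does not diagnose it. The following is an added illustration written for this thread, not the poster's configuration and not Squid's own code: a minimal SNI parser, a constructed ClientHello, and the destination check run once with mismatched resolvers and once with a shared resolver. All hostnames and addresses are constructed (documentation ranges), and the resolver maps stand in for the two DNS servers; nothing is looked up on the network.

```python
import struct

def parse_sni(client_hello: bytes):
    """Return the server_name from a TLS ClientHello record, or None.

    This is the 'peek' step an intercepting proxy performs before it
    decides whether to splice or to deny the connection."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(client_hello) < 5 or client_hello[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", client_hello[3:5])[0]
    hs = client_hello[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    p = 4
    p += 2 + 32                         # client_version, random
    p += 1 + hs[p]                      # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
    p += 1 + hs[p]                      # compression_methods
    if p + 2 > len(hs):
        return None                     # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        edata = hs[p:p + elen]
        p += elen
        if etype == 0x0000:             # server_name extension
            q = 2                       # skip ServerNameList length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                name = edata[q:q + nlen]
                q += nlen
                if ntype == 0:          # host_name
                    return name.decode("ascii")
    return None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello carrying one SNI entry."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)              # client_version, random (zeroed)
            + b"\x00"                            # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01" # one cipher suite
            + b"\x01\x00"                        # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def verify_intercepted_destination(client_dst_ip: str, client_hello: bytes, resolve):
    """Decide what an intercepting proxy does with a peeked connection.

    'splice'   : client's destination matches the proxy's own DNS answer
    'mismatch' : destination is not among the proxy's answers (host forgery
                 check fails, so the connection is refused, not spliced)
    'no-sni'   : nothing to check against"""
    sni = parse_sni(client_hello)
    if sni is None:
        return ("no-sni", None)
    if client_dst_ip in resolve(sni):
        return ("splice", sni)
    return ("mismatch", sni)


def demo():
    # Constructed scenario: the client already resolved the name via one
    # DNS server and connected to 192.0.2.10; the proxy resolves it again.
    hello = build_client_hello("cdn.example.net")
    client_dst = "192.0.2.10"
    # Resolver the proxy used before the fix (different view of a CDN name).
    proxy_only_view = {"cdn.example.net": {"198.51.100.7", "198.51.100.8"}}
    # Shared resolver after the fix: clients and proxy see the same answers.
    shared_view = {"cdn.example.net": {"192.0.2.10", "192.0.2.11"}}
    before = verify_intercepted_destination(client_dst, hello,
                                            lambda h: proxy_only_view.get(h, set()))
    after = verify_intercepted_destination(client_dst, hello,
                                           lambda h: shared_view.get(h, set()))
    return before, after


if __name__ == "__main__":
    print(demo())
```

            The "before" case is the one that shows up as a generic browser TLS error with nothing in the squidguard log: the proxy refuses the connection on its own, before any URL filter is consulted. When diagnosing this on a real box, compare the answers the client DNS server and the proxy's DNS server give for the affected names, and look in Squid's cache.log rather than the squidguard log.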

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.