Squid SSL Filtering - Webconfigurator Lockout?



  • I am running Squid on pfSense 2.4.1 in transparent mode in conjunction with WPAD. I've been able to verify that both DHCP and DNS WPAD entries are working and would eventually like to switch to non-transparent mode. I am trying to turn on the SSL filtering option ("Splice Whitelist, Bump Otherwise"); currently it is set to "Splice All". I have a CA created and exported the certificate to my PC. I already went ahead and imported the CRT file into my Windows 10 client and manually imported it into Firefox. I am keeping an eye on Squid (tail -f /var/squid/logs/access.log) and can see that it's generating output for HTTP and HTTPS sites using the settings shown in the attachments. I am not getting any sort of browser warnings or errors when surfing the net. The problem comes when I attempt to get back in to manage the firewall using the webconfigurator.

    Normally when there is a certificate mismatch it would be Firefox pitching a fit, which can be circumvented temporarily with an exception. If I set the SSL filtering mode from "Splice All" to "Splice Whitelist, Bump Otherwise" I will get locked out of the webconfigurator by Squid (I can tell it's Squid because the error page is the one defined in the Squid options). There's no opportunity to add an exception. I'm extremely new to pfSense, so all I've been able to do when this occurs is to use option 15 from the console and roll the configuration back.

    I've tried switching the webconfigurator to use a cert that was signed by the CA I set up within pfSense, but no luck. I also tried specifying alternate names (first screenshot), but Firefox still isn't happy with it. The blacked-out info is what I think is the FQDN of my pfSense box (web login > System Information > "Name"). I'm really at a loss here and any help is appreciated.

    Thanks in advance
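The mode the post switches to, "Splice Whitelist, Bump Otherwise", makes one decision per TLS connection: if the destination host matches an entry in the whitelist the connection is spliced (passed through untouched), otherwise it is bumped (terminated by Squid and re-signed with the CA created in pfSense). The script below is an added illustration of that decision and is not Squid's or the pfSense package's code; it models Squid's dstdomain matching (a leading dot matches the domain and all subdomains, no dot means an exact match) and uses constructed whitelist entries and hostnames. Its `uncovered_hosts` helper is an assumed convenience for listing hosts an administrator must reach unbumped (such as the firewall's own FQDN) that the whitelist does not cover.

```python
"""Added example: model of Squid's "Splice Whitelist, Bump Otherwise"
decision as configured by the pfSense Squid package.  Not the project's
own code.  Whitelist entries and hostnames are constructed samples."""

from typing import Iterable, List


def dstdomain_matches(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics.

    ".example.com" matches example.com and every subdomain of it;
    "example.com" (no leading dot) matches only that exact host.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.strip().lower().rstrip(".")
    host = host.strip().lower().rstrip(".")
    if not pattern:
        return False
    if pattern.startswith("."):
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern


def ssl_bump_action(host: str, whitelist: Iterable[str]) -> str:
    """Return "splice" when the host is whitelisted, else "bump".

    A spliced connection reaches the origin server directly, so the browser
    sees the origin's own certificate.  A bumped connection is terminated by
    Squid and the browser sees a certificate minted under Squid's CA.
    """
    for entry in whitelist:
        if dstdomain_matches(entry, host):
            return "splice"
    return "bump"


def uncovered_hosts(required: Iterable[str], whitelist: Iterable[str]) -> List[str]:
    """Hosts from `required` that the whitelist would NOT splice.

    Useful as a pre-flight check before enabling the mode: any host listed
    here (for example the firewall's own FQDN) will be bumped, not spliced.
    """
    wl = list(whitelist)
    return [h for h in required if ssl_bump_action(h, wl) == "bump"]


if __name__ == "__main__":
    # Constructed whitelist: a whole domain tree plus one exact host.
    whitelist = [".example.com", "intranet.local"]

    # Constructed hostnames; "firewall.home.arpa" stands in for the pfSense
    # box's FQDN from the post (hypothetical value).
    for host in ["www.example.com", "example.com", "notexample.com",
                 "intranet.local", "sub.intranet.local", "firewall.home.arpa"]:
        print(f"{host:22s} -> {ssl_bump_action(host, whitelist)}")

    missing = uncovered_hosts(["firewall.home.arpa"], whitelist)
    print("hosts that would be bumped:", missing)
```

Running it shows that a hostname absent from the whitelist is bumped even when the rest of the domain is whitelisted, and that an exact entry like `intranet.local` does not cover `sub.intranet.local`; the check in `uncovered_hosts` is the one to run against the firewall's FQDN before switching modes.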

  • Would it be possible for someone to move this into the Packages > Cache/Proxy section of the forums - I should have looked around more before I posted it here. Sorry.
