Partial Website Load
-
This question may be answered already and I was unable to find it, if so please send me the link to the solution. Thanks.
I have been able to access <http://swsheets.com> without issues until this last update of pfSense v2.4.2-RELEASE (amd64). The site only partially loads in all browsers. I get the text and not the background layout and some of the graphics after the homepage. I confirmed the issue on Chrome, IE, and Firefox on my PC. Same on another PC inside my network. I loaded the site on my phone on the network, the same. When I load it on my phone off my network, it loads normally. This leads me to believe the issue is with pfSense. Not sure what information you might need regarding my network layout or settings on pfSense.
Network Layout
Internet Router/Modem -> pfSense -> all systems in my network
The Internet Router/Modem is set to DMZ to the pfSense router.
Thanks for any help.
-
Are you using proxy in pfsense, are you using IPS?
What are you doing for dns - forwarder or resolver? Are you using pfblocker? Normally when a page does load its layout or images can be related to dns not being able to resolve where the css or image laid out.
I would suggest you use a browser tool to show you what specific part of the page, like the css or whatever is the background, etc.
-
I have confirmed with the site owner that it uses CSS and Javascript. Most CSS and Javascript is hosted on swsheets.com itself, but some CSS is loaded from googleapis.com and some JS from maxcdn.com.
-
Attached is an image using Google Chrome's info. Errors are listed below.
Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 14. The default protections will be applied.
welcome:1 This page includes a password or credit card input in a non-secure context. A warning has been added to the URL bar. For more information, see https://goo.gl/zmWq3m.
VM242:34278 Refused to connect to 'https://cr-input.mxpnl.net/data?_channel_id=&_partner_id=39571&_sub_id=0000&_app_version=1.0.23&_app=cs-dca' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
I hooked up a laptop to bypass my router and connect directly to my internet modem and the page comes up without issues.
Proxy I have squid and squidGuard. I have turned it off and still the same, these were both on before the last pfSense update.
I do not believe I'm using IPS.
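The two console messages quoted in the post above can be reproduced offline. The following is an added example, not part of the original thread: it shows that the X-XSS-Protection value is the same setting joined twice by a comma (which is how a browser combines a header that appears twice in a response), and how a `connect-src` check falls back to `default-src 'self'`. The page URL and the reduced source matching (no ports, paths, nonces or hashes) are assumptions.

```javascript
// Added example: simplified CSP source matching (no ports, paths, nonces or hashes).
// Fetch directives that fall back to default-src when not set explicitly.
const FALLBACK = new Set(["connect-src", "script-src", "style-src", "img-src", "font-src"]);

// Split a combined header value ("a, a") into the individual values that were sent.
function splitHeaderValues(value) {
  return value.split(",").map((v) => v.trim()).filter((v) => v.length > 0);
}

// True when the header carries more than one value and all of them are identical.
function isDuplicatedHeader(value) {
  const parts = splitHeaderValues(value);
  return parts.length > 1 && new Set(parts).size === 1;
}

// Parse "default-src 'self'; img-src https:" into Map(directive -> [sources]).
function parseCsp(policy) {
  const directives = new Map();
  for (const chunk of policy.split(";")) {
    const [name, ...sources] = chunk.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first wins
  }
  return directives;
}

// Decide whether `wanted` (e.g. "connect-src") permits targetUrl on pageUrl.
function cspAllows(policy, wanted, pageUrl, targetUrl) {
  const directives = parseCsp(policy);
  let used = null; // null means no directive restricts this request type
  if (directives.has(wanted)) used = wanted;
  else if (FALLBACK.has(wanted) && directives.has("default-src")) used = "default-src";
  if (used === null) return { allowed: true, directive: null };
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const allowed = directives.get(used).some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return target.origin === page.origin;
    if (src.endsWith(":")) return target.protocol === src.toLowerCase(); // scheme source
    const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0];
    return host.startsWith("*.") ? target.hostname.endsWith(host.slice(1)) : target.hostname === host;
  });
  return { allowed, directive: used };
}

// Values copied from the console messages above; the page URL is an assumption.
const XSS_HEADER = "1; mode=block, 1; mode=block";
const verdict = cspAllows("default-src 'self'", "connect-src",
  "http://swsheets.com/", "https://cr-input.mxpnl.net/data");
console.log(isDuplicatedHeader(XSS_HEADER), verdict);
```

Comparing the raw response headers with and without the proxy in the path shows at which hop a doubled header or a policy like this first appears.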
-
I have disabled DNS Forwarder in the DNS Server Settings under General Setup.
pfblocker - no I do not have it installed
-
Well looks like that js was blocked.. So yeah that could cause you some issues with displaying the page.. That looks to be browser itself blocking it because it violates some security policy.
-
I would agree with you if it didn't occur on every browser, but does not happen on the same browser outside of my network.
-
Well I am on that page through pfsense 2.4.2 and using chrome and don't even see what you're having error with even loaded..
I would validate you can resolve that domain
;; QUESTION SECTION:
;cr-input.mxpnl.net. IN A
;; ANSWER SECTION:
cr-input.mxpnl.net. 3569 IN A 52.21.163.24
cr-input.mxpnl.net. 3569 IN A 34.200.204.208
cr-input.mxpnl.net. 3569 IN A 34.193.92.154
cr-input.mxpnl.net. 3569 IN A 34.200.94.45
;; Query time: 1 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Thu Dec 14 14:24:38 Central Standard Time 2017
;; MSG SIZE rcvd: 111
"Proxy I have squid and squidGuard."
You sure you have those disabled?? Try just not using the proxy straight through pfsense not using transparent proxy or implicit proxy, etc.
-
With the proxy confirmed off and the Chrome extensions disabled, the site works. Cache was cleared and confirmed a couple of times.
With the proxy confirmed off and the Chrome extensions enabled, the site works. Cache was cleared and confirmed a couple of times.
With the proxy confirmed on and the Chrome extensions enabled, the site does not work. Cache was cleared and confirmed a couple of times. So the issue appears to be related to the proxy.
On the Proxy Filter (Package / Proxy filter SquidGuard: Common Access Control List (ACL) / Common ACL) I have the following:
own personal Whitelist - whitelist
-- only thing on it is the swsheets.com which is on the domain list
[blk_BL_adv] - deny
[blk_BL_spyware] - deny
[blk_BL_tracker] - deny
The list is downloaded from <http://www.shallalist.de/downloads/shallalist.tar.gz>.
Even with them set to allow the denied ones, the site still will not work correctly. Thoughts?
-
After following this setup for the proxy it appears the issue is related to the Transparent HTTP Proxy being enabled. Disabled the site works, enabled it doesn't work correctly. My workaround is simply adding the site to the Bypass Proxy for These Destination IPs and it is working.
PFSense Series #2 - How to setup SQUID & SquidGuard
https://www.youtube.com/watch?v=OrB2i2btceI
Any thoughts on why or what settings might be affecting this not working through the proxy?
-
With the proxy confirmed off and the Chrome extensions disabled, the site works. Cache was cleared and confirmed a couple of times.
With the proxy confirmed off and the Chrome extensions enabled, the site works. Cache was cleared and confirmed a couple of times.
With the proxy confirmed on and the Chrome extensions enabled, the site does not work. Cache was cleared and confirmed a couple of times. So the issue appears to be related to the proxy.
On the Proxy Filter (Package / Proxy filter SquidGuard: Common Access Control List (ACL) / Common ACL) I have the following:
own personal Whitelist - whitelist
-- only thing on it is the swsheets.com which is on the domain list
[blk_BL_adv] - deny
[blk_BL_spyware] - deny
[blk_BL_tracker] - deny
The list is downloaded from <http://www.shallalist.de/downloads/shallalist.tar.gz>.
Even with them set to allow the denied ones, the site still will not work correctly. Thoughts?
Surely based on the following post you can correlate what's missing from the whitelist?
I have confirmed with the site owner that it uses CSS and Javascript. Most CSS and Javascript is hosted on swsheets.com itself, but some CSS is loaded from googleapis.com and some JS from maxcdn.com.
I'd add the following to the whitelist maybe?
googleapis.com
maxcdn.com
Just a suggestion, I'm new here so don't know if this will fix your issue, but it sounds logical.
Regards,
MATT (infiniti25)