Netgate Discussion Forum
    We are trying to work with squid proxy/squidGuard but the whitelist doesn't work

    Cache/Proxy
    4 Posts 2 Posters 3.9k Views
    albtech:

      Hello
      We are new to pfSense. We have just installed and added the Squid, squidGuard and Lightsquid packages.
      I have configured them as the manual says, but the problem is that there are a lot of websites that the LAN side can access even though I have set Deny on all categories of the blacklist. Actually, traffic on ports 80/443 TCP has been blocked and everything is ok. We have set up the configuration for the proxy server and squidGuard, configured the blacklists with http://www.shallalist.de/Downloads/shallalist.tar.gz and set up a whitelist with the domains the company allows access to, but we can't access them; they stay loading all the time. I have added the whitelist under Target Categories and configured it as Whitelist in the Common ACL. Can you help us to solve this issue please?
      Thank you in advance

      zacha:

        Did you set up SSL bumping? Most websites nowadays use TLS, and squid cannot see/filter the URL/domain name when TLS is used (when you look into the log you only see "CONNECT $IP-ADDRESS"). You COULD set up filtering based on the SNI information sent by the client/the certificate sent by the server (ACL based on ssl::server_name or the server certificate name), but that cannot be done using squidGuard, as squidGuard does URL rewriting and never sees a URL in this case. squidGuard/blacklists are only useful in conjunction with SSL bumping.

        You COULD instead use an ACL and match the SNI against the domain blacklist if you want to avoid bumping. But you could never filter against the URL.

        http://www.squid-cache.org/Doc/config/acl/

        Example using peek and afterwards splice (bumping not utilized, SSL/TLS filtering only based on domain name):

        # domain lists reused from the squidGuard blacklist directories (one domain per line)
        acl forbidden_ads ssl::server_name -i "/var/db/squidGuard/blk_BL_adv/domains"
        acl forbidden_porn ssl::server_name -i "/var/db/squidGuard/blk_BL_porn/domains"
        # step1: read the client's ClientHello (SNI) without bumping
        ssl_bump peek step1
        # step2: relay the ClientHello and read the server's certificate
        ssl_bump peek step2
        # close the tunnel when the server name matches one of the lists
        ssl_bump terminate forbidden_ads
        ssl_bump terminate forbidden_porn
        # otherwise pass the encrypted session through untouched
        ssl_bump splice all

        This is not a tested config, but from what I reckon it should be possible to deploy it like this. No idea if this results in acceptable performance though.

          albtech:

          UPDATE
          I have created a CA and activated HTTPS/SSL Interception with this configuration:
          SSL/MITM Mode: Splice All
          SSL Intercept Interface(s): LAN
          SSL Proxy Port: 3129
          SSL Proxy Compatibility Mode: Modern
          DHParams Key Size: 2048
          CA: CA Filter (the certificate that I have created)

          Other fields are default.

          At this point everything is ok, the blacklist is blocked and the whitelist works, but after some minutes some of the whitelist goes black, for example gmail.com. I have added it as gmail.com / mail.google.com both in Target Categories as a whitelist and in Squid Proxy as a whitelist in the ACL.

          • I have exported the certificate and installed it on a Windows computer.

            zacha:

            If you use splice all it does not bump at all. Which CA do you see on your client? Every host should turn up as signed by your CA if bumping is applied. The whitelist/blacklist of squid does NOT apply to SSL at all. As I wrote before in another thread, Splice Whitelist is defective too.

            If possible, post the resulting squid.conf here and a screenshot of what goes wrong. Press F12 in your browser to see the 'security' details. Or try with openssl s_client -connect to see the certificate and SSL details.

            SSL bump is not for the faint hearted though. A lot of problems on the horizon: HPKP, TLS 1.3, missing intermediate certificates, incompatible ciphers etc. etc., to mention some. Some experience with TLS is required, I would say.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.