Squid SSL Splice - intermittent errors



  • Hey, just set up a new PFSense deployment using Squid and Squidguard for web filtering. Squid is set for transparent proxying for both HTTP and HTTPS. SSL is set to Splice All so that we don't have to deploy a cert to clients.

    This seems to work for the most part but we've had issues with some stuff - mainly Outlook w/Office365 and Amazon S3 experiencing intermittent connectivity. Also some web pages will fail to load in a browser with an SSL Protocol Error - refreshing enough times normally gets it to load.

    Disabling Squidguard has no effect, but turning off SSL in Squid itself fixes it all, so I can be pretty sure that's where the problem lies.

    I've found this article which describes exactly the issues:

    https://doc.pfsense.org/index.php/Squid_Troubleshooting

    We use AD for DNS in a pretty standard setup, with Google DNS set as forwarders. I have tried using the PFSense DNS Resolver as a forwarder in AD DNS, but that doesn't help. I have also tried setting PFSense's DNS to our AD DNS and then setting the client DNS server to the PFSense box (only), but the issue still persists.

    I've managed to find a reasonable number of blog posts about similar issues but no concrete solution. Has anyone else come across this?



  • Use a WPAD (http and https) for the main layer

    Then use the transparent proxy with SSL Splice All to catch the rest (the rest being any program that cannot have its proxy value set).

    https://forum.pfsense.org/index.php?topic=112335.0

    Been using this method without any connection issues.
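    For readers who want to see what the "WPAD for the main layer" half of this layout looks like, here is an added example of a PAC script for that design. It is constructed for this thread and is not the poster's file or anything generated by pfSense. Assumed values: the pfSense LAN address 192.168.1.1 with Squid on its default port 3128, and an internal AD zone called corp.example that should never be sent through the proxy. Browsers supply the standard helpers (isPlainHostName, dnsDomainIs, shExpMatch); small versions are defined here only so the file also runs under Node for testing.

```javascript
// Added example: wpad.dat for the "explicit proxy first, transparent splice as
// backstop" layout. Constructed for this thread; not from the post or pfSense.
// Assumptions: proxy at 192.168.1.1:3128 (pfSense LAN side, Squid default port)
// and an internal AD zone corp.example that bypasses the proxy.
const PROXY = "PROXY 192.168.1.1:3128";
const INTERNAL_DOMAIN = ".corp.example";

// Minimal versions of the standard PAC helpers so this file runs under Node.
// Browsers provide their own implementations with the same behaviour.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, pattern) {
  // Shell-style glob: escape regex metacharacters, then map * and ?.
  const re = "^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Parse a dotted-quad literal; null if host is not an IPv4 literal.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// RFC 1918 test on literal addresses only. Deliberately no dnsResolve()/isInNet()
// here: a DNS lookup inside the PAC would stall every connection the browser
// opens if the resolver is slow, which is the last thing this thread needs.
function isPrivateIPv4(host) {
  const o = parseIPv4(host);
  if (!o) return false;
  return o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Local, internal and private-address traffic never goes to Squid.
  if (isPlainHostName(host) || host === "localhost" ||
      dnsDomainIs(host, INTERNAL_DOMAIN) || isPrivateIPv4(host)) {
    return "DIRECT";
  }

  // Both HTTP and HTTPS go to the explicit proxy. The DIRECT fallback means
  // that if Squid's explicit port is down the client still gets out, and
  // because the transparent Splice All intercept is the backstop, that
  // traffic is still filtered rather than leaving the network unproxied.
  if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*")) {
    return PROXY + "; DIRECT";
  }

  // Anything else (ftp:, ws: and so on) is not the proxy's job.
  return "DIRECT";
}

// Lets a Node test import the functions; a browser's PAC sandbox ignores this.
if (typeof module !== "undefined") {
  module.exports = { FindProxyForURL, isPrivateIPv4, shExpMatch };
}
```

    Serve the file as http://wpad.<your AD domain>/wpad.dat with the Content-Type application/x-ns-proxy-autoconfig, and publish it via DHCP option 252 and/or a "wpad" host record in the AD zone so that domain clients pick it up without any per-machine configuration. Because any host that can answer for the "wpad" name or hand out DHCP on the LAN can redirect every browser on it, keep that name reserved in your own DNS and treat rogue DHCP on the client VLANs as a real risk.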



  • @ageekhere
    In this case, do I keep the Proxy settings transparent with Splice All enabled?