https filter with https://http:/*

  • I am running squid and squidguard for http and https filtering and I am receiving the following error on browser.

    The following error was encountered while trying to retrieve the URL: https://http/*
    Unable to determine IP address from host name http.

    What is causing this ?


  • I have seen the cause of https://http:/* error in browser as shown in the attachment. In the SquidGuard, when I tick check the "Do not allow IP-Addresses in URL" for a particular group, that will make that error but when I untick that option, there is no error. IS THIS A BUG in version 2.4.3-RELEASE-p1 ?

    It affects both GROUP ACL and COMMON ACL

  • I have exactly the same problem but it appears regardless of how i checked "Do not allow IP-Addresses in URL" and all the ACLs have "Allow alll" athe the end. The firewall is in transparent mode and squid has the bridge ip and i am using it with SSL MITM with certificate. Everything else is working as expected.
    Is there a solution of this?
    Thank you.

  • Hey! Anyone found the solution? :/

  • I have the same issue. It's not clear if WPAD file is required for browsers to work properly. Ideally if you have pushed the CA certificate to all devices you really don't want to build a wpad setup for transparent mode. Otherwise transparent mode is really pointless these days with almost every website using SSL.

    I hope it's possible to use transparent mode for HTTP & HTTPS. Push CA certificate to all computers and good to go.

  • I found this and haven't been able to test yet.

    SquidGuard is broken for https out of the box. You need configure Common ACL Target Rules List Default access [all] to Allow, save. Then click Apply in General settings tab.

    My best bet is that Default access has no block page configured for some reason. If anyone knows how to get Default access to deny working please let me know.

    Here is my working SquidGuard configuration step by step tested on pfSense 2.3.4-RELEASE-p1 (amd64):

    1. Download any blacklist - shallalist. for example.

    General Settings -> Blacklist options -> check to enable blacklist
    Put in Blacklist URL: shalla list
    Go to Blacklist tab.
    Hit download (Black list url is already there)
    Wait for it to finish downloading.
    2. You need to configure your blacklist default to Allow state (The default state which is Deny all is what causes https://http/* error)

    Go to Common ACL Tab
    Hit plus button on Target Rules List
    Scroll down to Default access [all], set access to allow
    Set other categories that you want to be blocked to deny.
    Hit save at the bottom of the page.
    Go to General settings Tab.
    Click Apply at to Top of the page so your settings will be applied from Common ACL Tab.
    Check if https sites load properly now.

    Remember to clear cache from before playing with pfsense from your browser or it will show you old state of web filtering.

Log in to reply