Netgate Discussion Forum

    Encrypted browser-Squid connection

    General pfSense Questions
    5 Posts 3 Posters 1.5k Views
    evilside:

      Hi

      Do you know if the communication between Squid Proxy server and browser is encrypted?

      Can anyone sniff the proxy authentication passwords?

      Thanks

      tim.mcmanus:

        Here is a good starting point for you: https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection

        evilside:

          Thanks, very useful. I have activated the option "https_port 192.168.0.1:3129" in the Squid configuration, but I get this error:

          /pkg_edit.php: The command '/usr/local/sbin/squid -k reconfigure -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was 'FATAL: No valid signing SSL certificate configured for HTTPS_port 192.168.0.1:3129 Squid Cache (Version 3.5.27): Terminated abnormally.

          How can I configure a certificate? The GUI shows an option to select a certificate, but it is for "SSL Man In the Middle Filtering", which I don't use.

          My pfSense WebConfigurator has a Let's Encrypt certificate; I hope to use the same certificate.

          evilside:

            I found the solution.

            First I downloaded and modified this script to export the Let's Encrypt certificate from the config.xml file:

            #!/bin/sh
            # Export one certificate and its private key from the pfSense
            # configuration (config.xml) as a single PEM file on stdout, for
            # Squid's "https_port ... cert=" option. The output contains the
            # private key, so redirect it only into a file that root (and the
            # Squid service account, if it needs it) can read.
            set -eu
            XMLLINT=/usr/local/bin/xmllint
            # pfSense stores <crt> and <prv> base64-encoded. python2 was the
            # decoder available on the pfSense release used here; on releases
            # without python2 use "/usr/local/bin/python3 -m base64 -d".
            BASE64_DECODE='/usr/local/bin/python2 -m base64 -d'
            PFSENSE_CONF=/cf/conf/config.xml

            # Select the <cert> whose <descr> equals $1 and print its decoded
            # private key.
            extract_private_key() {
                    local RAW XPATH
                    XPATH="/pfsense/cert[descr[normalize-space(.) = '$1']]/prv/text()"
                    RAW=$("$XMLLINT" --xpath "$XPATH" "$PFSENSE_CONF")
                    printf '%s\n' "$(printf '%s' "$RAW" | $BASE64_DECODE)"
            }
            # Same lookup, but for the certificate itself.
            extract_certificate() {
                    local RAW XPATH
                    XPATH="/pfsense/cert[descr[normalize-space(.) = '$1']]/crt/text()"
                    RAW=$("$XMLLINT" --xpath "$XPATH" "$PFSENSE_CONF")
                    printf '%s\n' "$(printf '%s' "$RAW" | $BASE64_DECODE)"
            }
            # Key first, then certificate: Squid accepts both in one cert= file.
            combine_pem() {
                    local PRIVATE_KEY CERTIFICATE
                    PRIVATE_KEY=$(extract_private_key "$1")
                    CERTIFICATE=$(extract_certificate "$1")
                    printf '%s\n%s\n' "$PRIVATE_KEY" "$CERTIFICATE"
            }
            main() {
                    local PFSENSE_CERT_NAME
                    if [ "$#" -ne 1 ]; then
                            printf "Not enough arguments.\nUsage:\n\t%s\n" \
                                    "$0 certificate_name" >&2
                            exit 1
                    fi
                    PFSENSE_CERT_NAME="$1"

                    # Progress message goes to stderr so it does not end up
                    # inside the PEM file when stdout is redirected.
                    echo "Extracting cert+key from pfSense" >&2
                    combine_pem "$PFSENSE_CERT_NAME"
            }
            main "$@"
            

            Afterwards, I added the script as a cron job:

            30 	3 	* 	* 	* 	root 	/root/pemExtract pfsense.mycompany.com > /usr/local/etc/squid/cert.pem
            

            Finally, I added this parameter to the Squid advanced options:

            https_port 192.168.0.1:3129 cert=/usr/local/etc/squid/cert.pem
            

            Firefox and Chrome work perfectly, but Internet Explorer is not compatible with a secure proxy. I modified my wpad.dat proxy file to detect IE:

            function FindProxyForURL(url, host)
            {
                    // Plaintext proxy (LAN only) and TLS-wrapped proxy.
                    // "HTTPS host:port" is understood by Chrome and Firefox but not by IE.
                    var httpProxy = "PROXY pfsense.mycompany.com:3128";
                    var httpsProxy = "HTTPS pfsense.mycompany.com:3129";
                    // PAC scripts run in a sandbox without a DOM, so "document" and
                    // "window" are normally undefined; the typeof guards keep the
                    // lookups from throwing a ReferenceError, which would abort the
                    // whole PAC evaluation.
                    // Internet Explorer 6-11: JScript conditional compilation turns
                    // "/*@cc_on!@*/false" into "!false" only in IE; every other
                    // engine sees the comment and evaluates "false".
                    var isIE = /*@cc_on!@*/false
                            || (typeof document !== "undefined" && !!document.documentMode);
                    // Edge 20+
                    var isEdge = !isIE && typeof window !== "undefined" && !!window.StyleMedia;
                    // Local and browser-internal destinations bypass the proxy.
                    // isInNet() resolves hostnames via DNS before comparing.
                    if (
                        url.substring(0, 7) == "chrome:"
                    ||  url.substring(0, 6) == "about:"
                    ||  shExpMatch(host, "localhost")
                    ||  isInNet(host, "192.168.0.0", "255.255.255.0")
                    ||  isInNet(host, "127.0.0.0", "255.0.0.0")
                    ||  shExpMatch(host, "192.168.0.*")
                    ||  shExpMatch(host, "127.*")
                    ||  isPlainHostName(host)
                    ) {
                        return "DIRECT";
                    }
                    if (
                        url.substring(0, 5) == "http:"
                    ||  url.substring(0, 6) == "https:"
                    ||  url.substring(0, 4) == "ftp:"
                    ) {
                        if (isIE || isEdge) {
                            // IE/Edge cannot speak TLS to a proxy: fall back to the
                            // plaintext port, which is only reachable from the LAN.
                            return httpProxy;
                        }
                        return httpsProxy;
                    }
                    return httpsProxy;
            }
            

            Now the proxy is safe to use over the Internet, but I opened only port 3129 on WAN. This means IE only works on the local network, but I don't care; almost nobody uses that browser.

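The nightly cron job in the post above rewrites cert.pem every day but never tells Squid to re-read it, and the `>` redirect creates the file with whatever mode cron's umask yields, even though it holds the private key. The following is an added example (my own code, not evilside's pemExtract script and not part of pfSense or Squid) of the same export done from Python, which is available on pfSense. It assumes config.xml keeps certificates as `/pfsense/cert/{descr,crt,prv}` with base64-encoded PEM in `<crt>` and `<prv>` (pfSense's storage format), that the destination path and the `squid -k reconfigure` invocation are those used in the thread, and that the hypothetical `write_sample_config()` builds a constructed config with placeholder PEM bodies rather than real key material.

```python
#!/usr/local/bin/python3
"""Export a pfSense certificate + key from config.xml into a Squid cert= file,
writing it 0600, and only asking Squid to reconfigure when it changed."""
import base64
import os
import subprocess
import sys
import tempfile
import xml.etree.ElementTree as ET

PFSENSE_CONF = "/cf/conf/config.xml"                 # assumed pfSense paths
SQUID_BIN = "/usr/local/sbin/squid"
SQUID_CONF = "/usr/local/etc/squid/squid.conf"


def extract_pem(conf_path, descr):
    """Return (key_pem, cert_pem) for the <cert> whose <descr> equals descr."""
    root = ET.parse(conf_path).getroot()
    for cert in root.findall("cert"):                # same nodes as /pfsense/cert[...]
        if cert.findtext("descr", default="").strip() != descr:
            continue
        key = base64.b64decode(cert.findtext("prv", default="")).decode("ascii")
        crt = base64.b64decode(cert.findtext("crt", default="")).decode("ascii")
        return key, crt
    raise KeyError("no certificate named %r in %s" % (descr, conf_path))


def combine_pem(key, crt):
    """Key first, then certificate, as the thread's script does. pfSense keeps
    CA/intermediate certificates under <ca>, not in <crt>; if the issuing chain
    is not already inside <crt>, it has to be appended here as well."""
    return key.rstrip("\n") + "\n" + crt.rstrip("\n") + "\n"


def install_pem(pem, dest, mode=0o600):
    """Atomically write pem to dest with a restrictive mode.

    Returns True when dest changed (Squid needs a reload) and False when it
    already held identical content. The file contains the private key, so it
    is created 0600 through mkstemp; if Squid cannot read it, chown it to the
    Squid service account rather than loosening the mode."""
    try:
        with open(dest, "r") as f:
            if f.read() == pem:
                return False
    except FileNotFoundError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".", prefix=".cert.")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(fd, mode)
            f.write(pem)
        os.replace(tmp, dest)                        # rename is atomic on one filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


def reload_squid(squid_bin=SQUID_BIN, squid_conf=SQUID_CONF):
    """Make the running Squid re-read squid.conf, and with it the new cert file."""
    subprocess.run([squid_bin, "-k", "reconfigure", "-f", squid_conf], check=True)


def export_and_install(conf_path, descr, dest):
    """Whole cron-job flow; True when cert.pem was (re)written."""
    key, crt = extract_pem(conf_path, descr)
    return install_pem(combine_pem(key, crt), dest)


def write_sample_config(path):
    """Constructed config.xml with placeholder PEM bodies (not real keys)."""
    key = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END PRIVATE KEY-----\n"
    crt = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CERT\n-----END CERTIFICATE-----\n"

    def b64(s):
        return base64.b64encode(s.encode("ascii")).decode("ascii")

    with open(path, "w") as f:
        f.write("<pfsense><cert><descr>pfsense.mycompany.com</descr>"
                "<crt>%s</crt><prv>%s</prv></cert></pfsense>" % (b64(crt), b64(key)))
    return key, crt


def demo():
    """Run the flow twice against the constructed config and report what happened."""
    d = tempfile.mkdtemp()
    conf, dest = os.path.join(d, "config.xml"), os.path.join(d, "cert.pem")
    key, crt = write_sample_config(conf)
    first = export_and_install(conf, "pfsense.mycompany.com", dest)
    second = export_and_install(conf, "pfsense.mycompany.com", dest)
    with open(dest) as f:
        content = f.read()
    return {"first_run_changed": first,              # True: written, reload Squid
            "second_run_changed": second,            # False: identical, no reload
            "mode": oct(os.stat(dest).st_mode & 0o777),
            "content": content,
            "expected": combine_pem(key, crt)}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s certificate_descr /usr/local/etc/squid/cert.pem" % sys.argv[0])
    if export_and_install(PFSENSE_CONF, sys.argv[1], sys.argv[2]):
        reload_squid()
```

Run from cron as root with the certificate's pfSense description and the destination path; because the script only reconfigures Squid on a real change, a daily schedule is harmless while a Let's Encrypt renewal is picked up the next night without a manual restart.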
            stephenw10 (Netgate Administrator) @evilside:

              @evilside said in Encrypted browser-Squid connection:

              but I don't care, almost nobody use that browser.

              😆

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.