Netflix issues with Squid transparent proxy
-
Hello all,
I've been setting up my home network with pfSense and have been dabbling with squid and squidguard to filter out sites I don't want my kids to view. I followed the guide linked here https://openschoolsolutions.org/pfsense-web-filter-filter-https-squidguard/ to filter http traffic without having to install a certificate on each client. For the most part it seems to work well for its intended purpose, but I just noticed that it stops my Netflix streams after about 15 mins. The Netflix error is T1-H1-W80072EFD, which Netflix indicates means it's detecting a VPN or proxy. When I disable SSL filtering the issue does not occur. I've tried adding Netflix to whitelists but the problem still persists. I've searched all over the internet for a solution but haven't found one that works. Is anyone familiar with this issue and have a fix?
-
Services - Squid Proxy Server - General - Headers Handling, Language and Other Customizations
Have you set X-Forwarded Header Mode to Delete?
Have you checked Disable VIA Header?
Have you checked Suppress Squid Version?
-
KOM,
Thanks for the suggestion. I tried the setting you suggested; however, the issue still persists. Any other ideas?
-
Not really. I don't use squid at home, and in the office I only use it as a base for squidguard. No caching.
When it fails, look in squid's access.log to see if something weird happened. If you are also only using squid for URL filtering with squidguard, perhaps you might get better results with pfBlockerNG.
-
Try setting X-Forwarded Header Mode to Transparent.
If that doesn't work I would suggest using explicit proxy or no proxy at all.
-
@kom
Realtime logs show entries TAG_NONE/409 for www.netflix.com:443. I tried whitelisting the domain name and did an nslookup and put all the resolved IP addresses for www.netflix.com in the whitelist also. However, I'm still getting those TAG_NONE/409 entries. Since I have my HTPCs and streaming devices separated in their own VLAN, I just disabled HTTPS for that VLAN interface for the time being. That keeps the wife and kids happy while I tinker around and find a permanent solution.
-
btw I would strongly recommend against running in transparent mode. Too many issues and hassles with https sites. IMO it's much better to run explicit and use WPAD to let devices autodiscover the proxy on their own.
https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
I looked around for your problem and found these:
https://www.linuxquestions.org/questions/linux-server-73/tag_none-409-connect-squid-3-5-20-a-4175620518/
http://squid-web-proxy-cache.1019090.n4.nabble.com/Intermittent-409-Error-to-google-com-td4683329.html
-
@kom I'll take your advice and try the WPAD setup when I have some time later this week. Are there any caveats to the WPAD method? Will this work across all devices (PC, Apple, Android, etc)? I just want a solution where I don't need to install a certificate or make any configuration changes on the client to get it working.
-
I don't believe that Android, or at least older Android versions, supports WPAD. For the wifi connection, you would have to configure the proxy details manually. Make sure you block TCP 80 and 443 on LAN to prevent people from going around the proxy (if that matters to you).
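-
Added example, not part of any post in this thread: a small Python script for the access.log check suggested above, counting TAG_NONE/409 entries per client and destination so you can see which devices and hosts are still affected after a whitelist change. It assumes Squid's default native log format; the function name, sample lines and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Squid's default native access.log layout (assumed here):
# time elapsed client result/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>-?\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s"
)


def find_conflicts(lines, result="TAG_NONE", status="409"):
    """Count (client, destination) pairs logged with the given result/status."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or a custom logformat this regex does not cover
        if m["result"] == result and m["status"] == status:
            hits[(m["client"], m["url"])] += 1
    return hits


# Constructed sample lines (not taken from the poster's system).
SAMPLE_LOG = """\
1518811201.412    212 192.168.30.15 TCP_TUNNEL/200 5321 CONNECT www.example.com:443 - ORIGINAL_DST/203.0.113.10 -
1518811234.120      0 192.168.30.15 TAG_NONE/409 4108 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1518811240.877      0 192.168.30.16 TAG_NONE/409 4108 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1518811251.034     48 192.168.30.20 TCP_MISS/200 1290 GET http://www.example.org/ - ORIGINAL_DST/203.0.113.20 text/html
1518811299.560      0 192.168.30.15 TAG_NONE/409 4108 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    # Most frequent offenders first: count, client address, destination.
    for (client, dest), n in find_conflicts(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {client:15s}  {dest}")
```

To run it against a live log, pass an open file object for the access.log instead of `SAMPLE_LOG`.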