    Squid HTTPS Interception not working?

      tomstephens89:

      Hi all, trying to get HTTP MiTM working in squid package 0.4.44_7 on pfSense 2.4.4.

      I have the CA set up, the CA cert in the clients, and SSL filtering checked, bound to my inside interface on port 3129. However, when clients are configured to point to 172.16.1.254:3129 for the HTTPS proxy and 172.16.1.254 for the HTTP proxy, they cannot get to any site, HTTP or HTTPS.

      Without SSL filtering enabled, I have got HTTP working via squid. What gives here?

        tomstephens89:

        Ok, I have resolved this.

        I was pointing my clients to port 3129 for HTTPS and 3128 for HTTP. Turns out Squid itself listens on 3128 and redirects HTTPS to 3129. Therefore all clients must point to the main port, by default 3128.

        Not documented anywhere. Nice one.

          Gertjan @tomstephens89:

          @tomstephens89 said in Squid HTTPS Interception not working?:

          Not documented anywhere. Nice one.

          Squid port usage

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            tomstephens89 @Gertjan:

            @gertjan

            Show me the document that says squid will not answer HTTPS connections on 3129, but needs to receive them on 3128?

            As I have said, pointing clients at 3129 does nothing.

              Gertjan:

              For HTTPS, port 3129 could be used, I guess. Example: https://www.microlinux.fr/squid-https-centos-7/ (Squid version 3.5).
              True, the official doc is hard to read.


                tomstephens89 @Gertjan:

                @gertjan said in Squid HTTPS Interception not working?:

                For HTTPS, port 3129 could be used, I guess. Example: https://www.microlinux.fr/squid-https-centos-7/ (Squid version 3.5).
                True, the official doc is hard to read.

                Well, in order to get this working, I have the SSL interception running on port 3129 and the main proxy on 3128.

                Pointing clients at 3129 for HTTPS results in no connectivity. However, upon just telling clients to use 3128 for HTTP and HTTPS, I can see the HTTPS man-in-the-middle working and the certificates being issued by my CA as expected.

                This suggests that pfSense+Squid is doing some sort of redirection internally to 3129 for HTTPS, or the separate port setting for HTTPS does nothing, and it just listens on 3128 full stop.

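The last post settles the question empirically: clients must use the main proxy port (3128) for HTTPS, and interception is confirmed by the certificates being issued by the local CA. The script below is an added example, not code from the thread, pfSense or the Squid project, that turns that manual observation into a repeatable check a client-side operator can run: it opens a CONNECT tunnel through the proxy, completes the TLS handshake with a trust store containing only the interception CA, and reports whether the served certificate chains to it. The proxy address and port are the ones from the thread; the CA file path and the target host are placeholders.

```python
import socket
import ssl

# Constructed values for this example. The proxy address and port are the ones
# from the thread (clients use 3128 for HTTP and HTTPS); the CA file and target
# host are placeholders: export the CA from pfSense as PEM and pick any site.
PROXY_HOST = "172.16.1.254"
PROXY_PORT = 3128
TARGET_HOST = "example.com"
INTERCEPT_CA_FILE = "/path/to/squid-intercept-ca.pem"  # placeholder path


def build_connect_request(host: str, port: int = 443) -> bytes:
    """Build the HTTP CONNECT request an explicit-proxy client sends to open a TLS tunnel."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_status(raw: bytes) -> int:
    """Return the status code from the proxy's reply, e.g. 200 for 'Connection established'."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ")
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def summarize(status: int, verified_by_intercept_ca: bool) -> str:
    """Turn the two observations into a one-word verdict for the operator."""
    if status != 200:
        return "no-tunnel"        # proxy refused CONNECT (ACL or wrong port): nothing to inspect
    if verified_by_intercept_ca:
        return "intercepted"      # leaf cert chains to our CA, so Squid bumped the session
    return "not-intercepted"      # tunnelled end to end; the cert came from the site's real CA


def _read_headers(sock: socket.socket) -> bytes:
    """Read until the blank line that ends the proxy's header block."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(proxy_host: str, proxy_port: int, target_host: str, ca_file: str) -> str:
    """Tunnel to target_host through the proxy and check whether the served chain
    verifies against ONLY the interception CA. A context built from a cafile trusts
    nothing else, so a successful handshake means that CA issued the certificate."""
    try:
        raw = socket.create_connection((proxy_host, proxy_port), timeout=10)
    except OSError:
        return "unreachable"      # nothing listening, as clients saw when pointed at 3129
    with raw:
        raw.sendall(build_connect_request(target_host))
        status = parse_connect_status(_read_headers(raw))
        if status != 200:
            return summarize(status, False)
        ctx = ssl.create_default_context(cafile=ca_file)  # trusts only the interception CA
        try:
            with ctx.wrap_socket(raw, server_hostname=target_host):
                return summarize(status, True)
        except ssl.SSLCertVerificationError:
            return summarize(status, False)


if __name__ == "__main__":
    print(probe(PROXY_HOST, PROXY_PORT, TARGET_HOST, INTERCEPT_CA_FILE))
```

Run it once against 3128 and once against 3129: the thread's behaviour shows up as "intercepted" for the main port and "unreachable" for the SSL port. A "not-intercepted" result with a working tunnel means Squid passed the session through without bumping, which is worth checking after any change to the SSL filtering ACLs, since clients with the CA installed will not notice the difference.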
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.