Squid HTTPS Interception not working?
-
Hi all, trying to get HTTP MiTM working in squid package 0.4.44_7 on pfSense 2.4.4.
I have the CA set up, CA cert in the clients, and SSL filtering checked, bound to my inside interface on port 3129; however, when clients are configured to point to 172.16.1.254:3129 for HTTPS proxy and 172.16.1.254 for HTTP proxy, they cannot get to any site, HTTP or HTTPS.
Without SSL filtering enabled, I have got HTTP working via squid. What gives here?
-
Ok, I have resolved this.
I was pointing my clients to port 3129 for HTTPS and 3128 for HTTP. Turns out Squid itself listens on 3128 and redirects HTTPS to 3129. Therefore all clients must point to the main port, by default 3128.
Not documented anywhere. Nice one.
-
@tomstephens89 said in Squid HTTPS Interception not working?:
Not documented anywhere. Nice one.
-
Show me the document that says squid will not answer HTTPS connections on 3129, but needs to receive them on 3128?
As I have said, pointing clients at 3129 does nothing.
-
For HTTPS, port 3129 could be used, I guess. Example: https://www.microlinux.fr/squid-https-centos-7/ (Squid version 3.5).
True, the official doc is hard to read.
-
@gertjan said in Squid HTTPS Interception not working?:
For https port 3129 could be used I guess - example : https://www.microlinux.fr/squid-https-centos-7/ (Squid version 3.5).
True, the official doc is hard to read.
-
Well, in order to get this working, I have the SSL interception running on port 3129 and the main proxy on 3128.
Pointing clients at 3129 for HTTPS results in no connectivity. However, upon just telling clients to use 3128 for HTTP and HTTPS, I can see HTTPS man-in-the-middle working and the certificates are being issued by my CA as expected.
This suggests that pfSense+Squid is doing some sort of redirection internally to 3129 for HTTPS, or the separate port setting for HTTPS does nothing, and it just listens on 3128 full stop.
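The behaviour described in this thread (3128 works for both HTTP and HTTPS, 3129 answers nothing when a client is pointed at it as a proxy) matches the difference between an explicit `http_port` with `ssl-bump` and an `https_port` in `intercept` mode. The fragment below is an illustrative squid.conf written for this thread, not the file the pfSense package generates; the address 172.16.1.254, the certificate and helper paths, and the ACL name are assumptions. It shows why an explicitly configured client must use 3128: the 3129 listener only accepts raw TLS that the firewall has redirected to it with a NAT rule and has no idea what to do with a proxy-style `CONNECT` request.

```conf
# Illustrative squid.conf fragment (assumed layout, not pfSense's generated file).
# Explicit (forward) proxy port. Browser/OS proxy settings point here for
# BOTH http:// and https:// URLs: HTTPS arrives as "CONNECT host:443" and is
# bumped (MITM'd) on this same port, so no second client-facing port is needed.
http_port 172.16.1.254:3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/usr/local/etc/squid/serverkey.pem

# Transparent HTTPS port. "intercept" means Squid expects a plain TLS
# ClientHello that a firewall rdr/NAT rule redirected here for port 443.
# It does not speak the explicit proxy protocol, so a client configured to
# use 172.16.1.254:3129 as its HTTPS proxy gets no usable response at all.
https_port 172.16.1.254:3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/usr/local/etc/squid/serverkey.pem

# Peek at the ClientHello to learn the SNI, then bump the rest of the session.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Helper that mints per-site leaf certificates signed by the local CA
# (this is the Squid 4 helper name; paths are assumed).
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB
sslcrtd_children 5
```

To confirm which mode each port is actually in on the box, `squid -k parse` validates the generated configuration and `sockstat -4l | grep squid` (FreeBSD, which pfSense runs on) lists the listening sockets; the `intercept` keyword on the 3129 line is what makes explicit proxying to that port fail, not a hidden redirect from 3128. Because the bump port terminates TLS with certificates issued by the CA you installed on the clients, any client that lacks that CA, or any application that pins its certificate, will see certificate errors on 3128 rather than silently passing through.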