Netgate Discussion Forum

Pfsense with squid and SquidGuard won't allow HTTPS traffic through?

DHCP and DNS
  • helpdeskaleer, last edited Sep 12, 2019, 2:54 PM

    About 2 or 3 years ago I set up a pfSense server to prevent one of my family members from accessing Facebook too much; they requested it.
    It worked well, and they were allowed to access Facebook for a specific hour a day.
    Situations changed and they moved around, and now I've dug the old pfSense box back out again, only to find Squid barking error messages at the user when something with an SSL certificate doesn't match up, or the server on the other end isn't crazy about what we're doing over here.
    I've installed the self-signed certificate we generated from the CA (which is still valid), and although I can still load / block sites that are HTTP, I seem to be having many different issues with the HTTPS ones.

    If I'm not mistaken, in the past few years TLS 1.3 came out, and at the time I set this pfSense box up, I believe TLS 1.2 was the top bar for this sort of thing.

    The error messages seem to be rather varied. I'll also gladly delve into the log files if anyone needs me to check them in there, be they for Squid, SquidGuard, or something somehow firewall related.

    I also found a recent (2019) thread that states that I should go about this by checking "ignore internal cert validation" (but it looks like this may be for a reverse proxy server and not a web content blocker proxy filter), but I don't know where to find that in the settings (and the settings in pfSense are quite numerous). I was, however, able to find the CA and Certificate settings as well as those for Squid and SquidGuard.
    It also appears I am running pfSense 2.3.1 Community Edition (I think they may be on 2.5 now) and FreeBSD 10.3-RELEASE-p3 (they're probably on 11 by now).

    • KOM, last edited Sep 12, 2019, 2:58 PM

      Upgrade to the current build before you waste any time trying to debug problems with an older build. 2.4.4-p3 is current for x64 hardware. 2.3.5 is current for x86, but you should try to get away from 32-bit if that's what you have.

      I might also suggest that you run squid in explicit mode instead of transparent so you don't have to goof around with certificates. Your users can either set the proxy manually or you can easily configure WPAD so clients can find it on their own.

      • johnpoz, LAYER 8 Global Moderator, last edited Sep 13, 2019, 3:15 AM
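      KOM's suggestion above (explicit mode plus WPAD) avoids the certificate problem because, with an explicit proxy, the browser sends HTTPS requests as a CONNECT tunnel that names the destination host, so Squid and SquidGuard can allow or block by hostname without decrypting the traffic or presenting any certificate to the client. The piece clients need for "find it on their own" is a proxy auto-config (PAC) file, conventionally served as wpad.dat. The one below is an added example, not code from the thread or from the pfSense project; the LAN address 192.168.1.1, the subnet 192.168.1.0/24 and the Squid port 3128 (Squid's default explicit port) are assumptions for illustration.

```javascript
// wpad.dat (proxy auto-config) for an explicit Squid proxy on pfSense.
// Added example, not from the forum thread or the pfSense project.
// Assumptions (constructed for this example): the pfSense LAN address is
// 192.168.1.1, Squid listens on its default explicit port 3128, and the
// LAN subnet is 192.168.1.0/24. Written in the ES3-style JavaScript that
// every PAC-capable browser accepts (no arrow functions, no let/const).

var PROXY_HOST = "192.168.1.1";
var PROXY_PORT = 3128;
var LAN_PREFIX = /^192\.168\.1\.(\d{1,3})$/;

// Hosts that must never be proxied: loopback and the firewall's own web GUI.
var DIRECT_HOSTS = ["localhost", "127.0.0.1", PROXY_HOST];

// True when the destination is on the local network: a bare hostname
// with no dots (e.g. "printer") or an address inside the LAN subnet.
function isLocalDestination(host) {
  if (host.indexOf(".") === -1) return true;
  var m = LAN_PREFIX.exec(host);
  return m !== null && Number(m[1]) <= 255;
}

// The entry point every PAC-capable client calls once per request.
// Returns "DIRECT" for local traffic and the proxy for everything else,
// HTTP and HTTPS alike. There is deliberately no "; DIRECT" fallback after
// the proxy entry: with a fallback, a client silently bypasses the filter
// whenever the proxy is unreachable, which defeats a content filter.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (DIRECT_HOSTS.indexOf(host) !== -1) return "DIRECT";
  if (isLocalDestination(host)) return "DIRECT";
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

      Serve the file with the MIME type application/x-ns-proxy-autoconfig; clients that have auto-detection enabled look for it at http://wpad.<their DNS domain>/wpad.dat (so a "wpad" host record in the DNS resolver is enough), or at whatever URL DHCP option 252 hands them. Because the filtering decision is now made on the destination name in the CONNECT request, the CA certificate the original poster installed on the clients is no longer involved at all.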

        @helpdeskaleer said in Pfsense with squid and SquidGuard won't allow HTTPS traffic through?:

        3 years ago I setup a pfsense serve
        I am running Pfsense 2.3.1

        2.3.1 Released 2016-05-18

        Checks out ;)

        So you installed pfSense for someone 3 years ago, and then just forgot about it.. never updated anything on it.. Great <rolleyes>

        The good thing is it seems it ran for that long without any need of intervention.. The bad part is you're running a firewall that is 3 years old.. Yes, update to current.. That would exclude 32-bit hardware, since the whole 2.3 line was EOL over a year ago.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • helpdeskaleer @johnpoz, last edited Sep 15, 2019, 7:36 PM

          @johnpoz Oh, it's not that bad; it wasn't on the network's edge; it was only being used to limit a child's time and access on the Internet.

          • helpdeskaleer @KOM, last edited Sep 15, 2019, 7:39 PM

            @KOM I'd rather use certificates; that's what I was doing before.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.