WebSocket issue with pfsense squid guard

msaeed · Oct 29, 2019, 5:42 PM

We have Pfsense version:
2.4.4-RELEASE-p3 (amd64)
FreeBSD 11.2-RELEASE-p10
We installed Squid proxy server and squid guard in order to filter some websites like (ex:facebook)
Which is a “https” website so we enabled the SSL filter and create our self-signed CA and installed in all client’s machines and everything is working fine
The problem is:
All WebSocket “wss://…” or “ws://…” connections failed
Which make a problem with many websites use the WebSocket for example (WhatsApp)
Error ex:
Request URL: wss://web.whatsapp.com/ws
Request Method: GET
Status Code: 400 Bad Request

i read that squid v 4 solved the issue how can i install it manually as also i hread that no plan to add it to the available packages as it is still beta version

or is there other simple solution for https web filter rather than squid

KOM · Oct 29, 2019, 6:13 PM

I just tried WebSockets from behind squid and it works fine for me. Go here and try their test:

https://www.websocket.org/echo.html

msaeed · Oct 30, 2019, 8:16 AM

Hi KOM,

Thanks for your reply

Actually it doesn't work when enable ssl filter which is mandatory to filter https websites try open https://web.whatsapp.com/ in PC the qr code will not work and also the google drive cannot sync as it also uses the websocket

gamebaiv8 · Oct 30, 2019, 10:52 AM

This post is deleted!

KOM · Oct 30, 2019, 2:38 PM

Sorry, I forgot to mention that I use squid in explicit mode, not transparent mode.

You don't need SSL intercept to filter URLs. Configure WPAD so your clients can find the proxy on their own, and then you don't need transparent mode, you don't need to install certs everywhere, and you can still filter HTTPS URLs.

msaeed · Nov 3, 2019, 2:57 PM

would you tell me how i can do that without certificate and i can block only facebook in specific time and with source ip address exception
i accept any solution which deliver that

KOM · Nov 3, 2019, 8:35 PM

Click the WPAD link above and start reading. You can use either squidguard or pfBlockerNG to block Facebook.

msaeed · Nov 5, 2019, 9:34 AM

This is not a solution i can filter out using dns but it miss usability as i can not put acl and user exception time based filter the issue is not with the facebook itself it is an example https website as other websites will be blocked based on department and time