Netgate Discussion Forum

WebSocket issue with pfsense squid guard

Cache/Proxy
8 Posts 3 Posters 3.4k Views
  • M
    msaeed
    last edited by Oct 29, 2019, 5:42 PM

    We have pfSense version:
    2.4.4-RELEASE-p3 (amd64)
    FreeBSD 11.2-RELEASE-p10
    We installed the Squid proxy server and squidGuard in order to filter some websites (e.g. Facebook),
    which is an “https” website, so we enabled the SSL filter, created our self-signed CA and installed it on all client machines, and everything is working fine.
    The problem is:
    All WebSocket “wss://…” or “ws://…” connections failed,
    which causes a problem with the many websites that use WebSocket, for example WhatsApp.
    Error example:
    Request URL: wss://web.whatsapp.com/ws
    Request Method: GET
    Status Code: 400 Bad Request

    I read that Squid v4 solved the issue. How can I install it manually? I also heard that there is no plan to add it to the available packages, as it is still a beta version.

    Or is there another simple solution for HTTPS web filtering other than Squid?

    • K
      KOM
      last edited by Oct 29, 2019, 6:13 PM

      I just tried WebSockets from behind squid and it works fine for me. Go here and try their test:

      https://www.websocket.org/echo.html

      • M
        msaeed
        last edited by Oct 30, 2019, 8:16 AM

        Hi KOM,

        Thanks for your reply

        Actually, it doesn't work when the SSL filter is enabled, which is mandatory to filter https websites. Try opening https://web.whatsapp.com/ on a PC: the QR code will not work, and Google Drive also cannot sync, as it also uses WebSocket.

        • G
          gamebaiv8 Banned
          last edited by Oct 30, 2019, 10:52 AM

          This post is deleted!
          • K
            KOM
            last edited by Oct 30, 2019, 2:38 PM

            Sorry, I forgot to mention that I use squid in explicit mode, not transparent mode.

            You don't need SSL intercept to filter URLs. Configure WPAD so your clients can find the proxy on their own, and then you don't need transparent mode, you don't need to install certs everywhere, and you can still filter HTTPS URLs.

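Added example, not part of the thread and not KOM's configuration: a minimal `wpad.dat` (PAC file) of the kind WPAD hands to clients so they use squid as an explicit proxy. The proxy address `192.168.1.1:3128` and the LAN `192.168.1.0/24` are assumptions, and the checks are written in plain JavaScript rather than with the PAC helper functions so the same file can be exercised outside a browser.

```javascript
// wpad.dat / proxy.pac (added example; every address below is an assumption).
// Assumed: squid listens on 192.168.1.1:3128 and the LAN is 192.168.1.0/24.
var PROXY = "PROXY 192.168.1.1:3128";

// True when host is an IPv4 literal inside the assumed LAN 192.168.1.0/24.
function isLanLiteral(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  return m[1] === "192" && m[2] === "168" && m[3] === "1" && Number(m[4]) <= 255;
}

// True for unqualified names such as "pfsense" or "localhost".
// IPv6 literals contain ":" and must not be mistaken for local names.
function isUnqualifiedName(host) {
  return host.indexOf(".") === -1 && host.indexOf(":") === -1;
}

// Entry point the browser calls for every request, including ws:// and wss://.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isUnqualifiedName(host) || host === "127.0.0.1") return "DIRECT";
  if (isLanLiteral(host)) return "DIRECT";
  // Everything else goes to the proxy. There is deliberately no
  // "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of silently bypassing the filter.
  return PROXY;
}
```

A PAC file only advertises the proxy, so the filter is enforceable only when the firewall also blocks direct outbound web traffic from the clients. With an explicit proxy, squid receives HTTPS requests as `CONNECT host:port` and can match on the host name without intercepting TLS.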
            • M
              msaeed
              last edited by Nov 3, 2019, 2:57 PM

              Would you tell me how I can do that without a certificate, so that I can block only Facebook at a specific time and with a source IP address exception?
              I accept any solution which delivers that.

              • K
                KOM
                last edited by Nov 3, 2019, 8:35 PM

                Click the WPAD link above and start reading. You can use either squidguard or pfBlockerNG to block Facebook.

                • M
                  msaeed
                  last edited by Nov 5, 2019, 9:34 AM

                  This is not a solution. I can filter using DNS, but it lacks usability, as I cannot put an ACL and a time-based filter with user exceptions. The issue is not with Facebook itself; it is an example HTTPS website, as other websites will be blocked based on department and time.
