Netgate Discussion Forum

    how to let https traffic through http proxy ?

    • A
      aincvy
      last edited by aincvy

      I have 3 VMs.

      • 192.168.200.1 - pfSense ( with 3 nics, 1 wan, 2 lan (Lan, OthersRoute) )
      • 192.168.200.33 - debian ( using clash as http proxy server.)
      • 192.168.200.32 - centos (client machine)

      Other Info.

      • clash on debian, HTTP proxy listening port: 7890.
      • I started the Squid service on my pfSense and checked the Transparent HTTP Proxy option.
      • I added 2 custom options to Squid:
        • cache_peer 192.168.200.33 parent 7890 0 no-query
        • never_direct allow all

      Commands run on centos (client machine):

      curl -x 192.168.200.33:7890 -v https://www.google.com, it works fine.

      curl -x 192.168.200.1:3128 -v https://www.google.com, it works fine.

      curl http://www.google.com, it works fine.

      curl https://www.google.com, it times out.

      My Question.

      How can I have HTTPS requests transparently proxied to 192.168.200.1:3128/192.168.200.33:7890?
      Just like curl -x 192.168.200.1:3128.

      More Info

      Enable SSL filtering

      I tried checking the Enable SSL filtering option.

      1. I created a cert in System / Cert. Manager
      2. SSL/MITM Mode: Splice All
      3. SquidGuard target rules: all
      4. It doesn't work.

      Port Forward

      1. Generated rule: rdr on em1 proto tcp from 192.168.200.0/24 to any port 443 -> 192.168.200.1 port 3128
      2. Generated rule: rdr on em2 proto tcp from 192.168.200.0/24 to 192.168.200.0/24 port 443 -> 192.168.200.1 port 3128
      3. One Port Forward rule, but 2 generated rules
      4. command: curl -v http://www.baidu.com
      5. It throws NSS error -5938 (PR_END_OF_FILE_ERROR) on the centos machine.

      Thank you for reading. 😄

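The two cases in the post differ in the first bytes the client sends: `curl -x 192.168.200.1:3128` opens with an HTTP `CONNECT` request, while plain `curl https://...` opens with a TLS ClientHello, and an `rdr` rule only changes where those bytes are delivered. The Python sketch below is an added example (not aincvy's code and not part of Squid or pfSense) that classifies both first flights and reads the SNI host name a ClientHello carries in clear text. The function names and the sample bytes are constructed for illustration.

```python
import struct

def build_client_hello(host):
    """Constructed sample: a minimal TLS ClientHello record with an SNI extension."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name            # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                # server_name_list
    exts = struct.pack("!HH", 0, len(sni)) + sni               # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32)                            # version, random
            # empty session_id, one cipher suite, null compression
            + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_from_client_hello(data):
    """Return the SNI host name from a ClientHello, or None if absent or truncated."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32                                     # headers, version, random
        p += 1 + data[p]                                       # session_id
        p += 2 + int.from_bytes(data[p:p + 2], "big")          # cipher_suites
        p += 1 + data[p]                                       # compression_methods
        end = p + 2 + int.from_bytes(data[p:p + 2], "big")     # end of extensions
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", data[p:p + 4])
            if ext_type == 0:
                n = int.from_bytes(data[p + 7:p + 9], "big")
                name = data[p + 9:p + 9 + n]
                return name.decode("ascii") if n and len(name) == n else None
            p += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def first_flight(data):
    """Classify the first bytes a listener sees on a new TCP connection."""
    if data.startswith(b"CONNECT "):
        return ("http-connect", data.split(b" ")[1].decode("ascii"))
    if data[:1] == b"\x16":
        return ("tls-client-hello", sni_from_client_hello(data))
    return ("other", None)

# Constructed first flights for the two curl invocations in the post.
VIA_PROXY = b"CONNECT www.google.com:443 HTTP/1.1\r\nHost: www.google.com:443\r\n\r\n"
REDIRECTED = build_client_hello("www.google.com")
print(first_flight(VIA_PROXY), first_flight(REDIRECTED))
```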
      • S
        srlek
        last edited by

        dunno why you need clash, but for proxying https you need squid-guard on pfsense

        • A
          aincvy @srlek
          last edited by

          @srlek Hi, srlek
          Thank you for your reply.

          > dunno why you need clash

          Because I am in China, the gov blocks a lot of websites.

          > but for proxying https you need squid-guard on pfsense

          I have installed the squid-guard package and set target rules=all, and it doesn't work.

          Maybe I need more knowledge about routing. 😂 😂 😂

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.