Netgate Discussion Forum

Squid HTTPS Transparent proxy with Splice All + SquidGuard Blacklist (No client certificate): Cannot send snapchat messages. No block messages seen in SquidGuard log.

Cache/Proxy
11 Posts 6 Posters 1.4k Views
    sultanofswing
    last edited by Sep 25, 2020, 12:48 AM

    I had to whitelist my son's iPhone because he cannot send Snapchat messages with the above config.

    However, I don't see any blocked messages in the SquidGuard logs (I tried with my own iPhone too).

    How do I check what is blocking Snapchat, and whether there are any specific domains/IPs that I need to add to the whitelist?

      bole5
      last edited by Aug 10, 2023, 11:33 AM

      I am experiencing the same problems. Some applications such as TikTok or Snapchat simply do not work with Squid+SquidGuard where Squid is set up to Splice All.

      Does anyone have any advice on how to troubleshoot/fix this issue?

        michmoor LAYER 8 Rebel Alliance
        last edited by Aug 10, 2023, 12:15 PM

        The issue is that you are working with Squid in transparent mode. It's known to cause lots of problems. It's best to be avoided.
        For the best/optimal use case it's best to load a certificate on the client device and perform full MITM.
        That's of course unrealistic on mobile devices, so you are left with either running an explicit proxy or no proxy.
        The best advice is to not use Squid at all tbh.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

          bole5 @michmoor
          last edited by Aug 10, 2023, 12:47 PM

          @michmoor Thank you very much for the advice. Pity that Squid/SquidGuard cannot be used in transparent mode. I hope the Netgate guys would make it easier for parents to effectively block malicious sites... Even with explicit proxy settings on client mobile devices, some websites and services (i.e. Snapchat) simply refuse to work.

            michmoor LAYER 8 Rebel Alliance @bole5
            last edited by Aug 10, 2023, 12:57 PM

            @bole5 The problem isn't something that Netgate can solve. Squid is just an extremely poor tool to use in 2023 to do any type of control. Domain blocking is effective and highly recommended. pfBlocker can be used in this case.

            To your Snapchat issue: it's probable that the application is calling out to multiple domains which may use cert pinning or other methods to prevent proxies. So you will be in a constant battle of whitelisting domains.
            Avoid Squid at all cost.


              aGeekhere @bole5
              last edited by aGeekhere Aug 10, 2023, 11:36 PM

              @bole5 Configure the phone to use the proxy instead of relying on the transparent proxy. You can either do it manually for each device or you can use a WPAD to auto-configure devices to use the proxy.
              So to summarize:
              1. Set the device to use the proxy either manually or using a WPAD (if you want you can use the unofficial WPAD package https://github.com/marcelloc/Unofficial-pfSense-packages).
              2. Still have the transparent proxy enabled to proxy traffic that cannot be configured to use the proxy.
              3. If you are using MITM, only decrypt (bump) sites which you need to, or else a lot of things break.

              Never Fear, A Geek is Here!

                michmoor LAYER 8 Rebel Alliance @aGeekhere
                last edited by Aug 11, 2023, 3:14 AM

                @aGeekhere Guaranteed he is running into NONE/409 errors in the Squid log. That really comes about when using it as a transparent proxy.

                It's really not worth the headache. "Juice not worth the squeeze"


                  periko @bole5
                  last edited by Aug 12, 2023, 3:05 PM
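To answer the original "how do I check what is blocking it" question from Squid's own access.log rather than from SquidGuard's, here is an added Python example (not code from any poster or from the Squid project). It groups native-format log lines by destination host and counts NONE/409 host-verification rejections, TCP_DENIED ACL blocks and successful splices, so the hosts an app actually fails on can be listed before deciding to bypass them or set them to splice-only; the sample log lines, addresses and hostnames are constructed.

```python
import re
from collections import defaultdict

# Squid native log format: time elapsed client code/status bytes method url user hierarchy type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)"
)

def dest_host(url):
    """CONNECT lines log host:port, plain requests a full URL; drop scheme, port and path."""
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host  # bracketed IPv6 literals not handled

def summarise(lines):
    """Return {host: {"ok", "denied", "none_409"}}. NONE/409 is Squid's host-verification
    rejection of an intercepted connection (SNI/Host vs. destination IP mismatch), TCP_DENIED
    an ACL block such as a SquidGuard rule, 2xx a successful splice or fetch."""
    stats = defaultdict(lambda: {"ok": 0, "denied": 0, "none_409": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate rotated or partial lines instead of aborting the run
        entry = stats[dest_host(m["url"])]
        if m["code"] == "NONE" and m["status"] == "409":
            entry["none_409"] += 1
        elif m["code"] == "TCP_DENIED":
            entry["denied"] += 1
        elif m["status"].startswith("2"):
            entry["ok"] += 1
    return dict(stats)

def suspects(stats):
    """Hosts with any failure, most failures first: candidates to bypass or set to splice-only."""
    bad = [(h, s) for h, s in stats.items() if s["none_409"] or s["denied"]]
    return sorted(bad, key=lambda hs: -(hs[1]["none_409"] + hs[1]["denied"]))

# Constructed sample (RFC 5737 addresses, .test names), not a real capture.
SAMPLE_LOG = """\
1691700000.101 23 192.168.20.11 TCP_TUNNEL/200 5120 CONNECT app.example-chat.test:443 - HIER_DIRECT/203.0.113.10 -
1691700000.205 0 192.168.20.11 NONE/409 3800 CONNECT 203.0.113.44:443 - HIER_NONE/- text/html
1691700000.318 0 192.168.20.11 NONE/409 3800 CONNECT 203.0.113.44:443 - HIER_NONE/- text/html
1691700000.401 1 192.168.20.11 TCP_DENIED/403 3900 CONNECT cdn.example-chat.test:443 - HIER_NONE/- text/html
"""
if __name__ == "__main__":
    for host, s in suspects(summarise(SAMPLE_LOG.splitlines())):
        print(f"{host:28} ok={s['ok']} denied={s['denied']} none_409={s['none_409']}")
```

On pfSense, feed it the real file with `summarise(open("/var/squid/logs/access.log"))` (path assumed); a destination that shows up only as a bare IP with NONE/409 is one the client reached without a usable SNI, which a domain-based whitelist cannot match.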

                  @bole5 bypass those domains...

                  Need pfSense support in Mexico?
                  www.bajaopensolutions.com
                  https://www.facebook.com/BajaOpenSolutions
                  Want to learn pfSense? Visit my YouTube channel:
                  https://www.youtube.com/c/PedroMorenoBOS

                    JonathanLee @periko
                    last edited by JonathanLee Aug 13, 2023, 9:17 PM (posted Aug 13, 2023, 4:58 AM)

                    @sultanofswing What ports are needed for that application? You may need to add that as an approved port for Squid too, not just in the ACL lists.

                    Screenshot 2023-08-13 at 12.47.05 PM.png

                    Screenshot 2023-08-13 at 12.46.35 PM.png (Custom)

                    Have you tried Custom and setting Snapchat to splice only?

                    Screenshot 2023-08-13 at 12.40.42 PM.png (SSL Intercept set to Custom)

                    Screenshot 2023-08-13 at 12.42.02 PM.png (Example with a regex expression, with Office set to splice only)

                    I personally would set Snapchat to splice and leave it alone.

                    Make sure to upvote

                      bole5
                      last edited by Aug 13, 2023, 5:17 PM

                      Thank you all for the advice!

                      More info about my system:

                      • Running on the latest version of pfSense+ with the latest version of Squid+SquidGuard.
                      • I have a separate VLAN for Kids where Squid is being used. The WPAD file is served by nginx and the children's devices are set up to auto-discover proxies.
                      • Squid setup: Proxy interface = KIDS, Transparent Proxy = OFF, SSL/MITM mode = Splice All
                      • In the Squid ACLs I whitelisted the offending domains (should not be needed, but I was desperate).

                      I then monitored the traffic from my daughter's phone with Wireshark. When the proxy is not used everything works fine. When the proxy is used I can see some connections in the Real Time tab, but also some TLS connections (TCP port 443) are bypassing the proxy.
                      Even when I allow this traffic that bypasses the proxy, the application still does not work correctly, i.e. you can see other people's posts but cannot post yourself.

                        periko @JonathanLee
                        last edited by Aug 13, 2023, 9:10 PM

                        @JonathanLee This post is not mine :-).

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.