Problems with Squid In Pfsense hacking website content


  • Hi,

    I cannot find any info on this. I have Squid and Squid Guard running on Pfsense 2.4.4.

    I have it set to not proxy certain form web sites that I need to visit. It will work for a time, and the web page forms will display properly, but then something happens and it "hacks the web site up" and they stop displaying correctly or give errors and such.

    If I STOP Squid, and go open the sites again, they display correctly with no errors. If I turn Squid back on, they will work properly anywhere from 1 day to maybe a week and then all of a sudden, they are broken again.

    I think the sites have embedded content or references from other web sites (most sites do these days) and Squid is preventing them from loading everything they need to properly function or something like this. It's odd.

    But why would it work for a time with no issues?

    I use MITM for ease of use and have tried everything I can think of to allow these sites, but they continue to break.

    Any ideas on how to get around this?

    How can I bypass SQUID altogether for just CERTAIN WEB SITES' URLs? (I can't do it via IP as they appear dynamic)

    Thanks,

    MP



  • @mrpush1 said in Problems with Squid In Pfsense hacking website content:

    I have it set to not proxy certain form web sites that I need to visit. It will work for a time, and the web page forms will display properly, but then something happens and it "hacks the web site up" and they stop displaying correctly or give errors and such.
    If I STOP Squid, and go open the sites again, they display correctly with no errors. If I turn Squid back on, they will work properly anywhere from 1 day to maybe a week and then all of a sudden, they are broken again.
    I think the sites have embedded content or references from other web sites (most sites do these days) and Squid is preventing them from loading everything they need to properly function or something like this. It's odd.

    Seems like a content caching issue.

    Try to disable caching:
    [screenshot omitted]


  • @viktor_g

    Hi, I do not have that option listed under Squid General Settings. ???

    Squid 0.4.44_8
    Squid Guard 1.16.18_1

    What versions are you running?

    Thanks,


  • @viktor_g

    Hi, I updated both Squid and Squidguard to latest and shut off Caching. Still get hacked sites. It's something wrong with Squid. If I shut off squidGuard and refresh sites, they do not fix themselves. If I shut off Squid and refresh, they fix themselves.

    With Squid back on, they will break again, could be 10 minutes, could be a week!

    It's maddening.

    Any other ideas?

    Thx,

    MP


  • @mrpushner part of the problem is sites can use something called pinning/stapling so they can detect MITM interceptions like yours. As more and more sites do this, trying to intercept and decrypt web sites is going to become more and more difficult. The best way IMO is to put the content control on the endpoints, then you do not have to worry about MITM issues.


  • @hescominsoon

    Hi, so content control on the endpoints, so like apps or AV solutions installed on clients that offer content control. Do you use any or recommend any of these?

    Seems like taking content control away from a firewall/router/server and putting it on the endpoints is going in the wrong direction to me.

    What I'm experiencing cannot be happening on, say, higher end Firewall products like Barracudas and such, can it?

    How do they avoid "Pinning/Stapling" issues with certain web sites?

    I still think this is a SQUID/Squidguard glitch as even if I add these websites in the "bypass proxy" settings lists, then in theory they should not ever be seen by Squid and not get hacked, but they still do!

    If I simply stop squid or squidguard and refresh, the sites load perfectly again.

    MP


  • @mrpushner When your site is broken, go to Squid -> Real Time -> String filter -> input the URL domain you have trouble with.
    If you see things like below, we may be in the same boat.

    [screenshot omitted]
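As an added example (not posted by anyone in this thread), a small Python script that does offline what the Real Time "String filter" does in the GUI: it parses Squid native-format access.log lines, keeps the ones for a domain, and lists the requests that came back with an error status, which is the evidence to look for when a site only breaks with the proxy on. The sample log lines, hosts and addresses are constructed for illustration and are assumptions, not captured from any poster's setup.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (not from the thread):
# time elapsed client code/status bytes method url user hier/peer type
SAMPLE_LOG = """\
1605382068.100    120 192.168.1.50 TCP_TUNNEL/200 3456 CONNECT forms.example.com:443 - HIER_DIRECT/203.0.113.10 -
1605382068.123     45 192.168.1.50 TCP_MISS/200 1234 GET https://forms.example.com/app.js - HIER_DIRECT/203.0.113.10 application/javascript
1605382069.001     12 192.168.1.50 TCP_MISS/200 2211 GET https://cdn.example.net/widget.js - HIER_DIRECT/203.0.113.20 application/javascript
1605382071.450      0 192.168.1.50 TCP_DENIED/403 3921 GET https://cdn.example.net/fonts.css - HIER_NONE/- text/html
1605382072.800      3 192.168.1.50 NONE/409 0 CONNECT api.example.org:443 - HIER_NONE/- -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

def host_of(method, url):
    # CONNECT entries carry host:port; everything else carries a full URL
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""

def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["host"] = host_of(entry["method"], entry["url"])
            entries.append(entry)
    return entries

def summarize(entries, needle):
    """Keep entries whose host contains `needle`, tally Squid code/status per
    host, and list the requests a browser would see as a failed subresource
    (status 4xx/5xx, e.g. the TCP_DENIED/403 and NONE/409 lines above)."""
    per_host = defaultdict(Counter)
    problems = []
    for e in entries:
        if needle not in e["host"]:
            continue
        per_host[e["host"]][f"{e['code']}/{e['status']}"] += 1
        if int(e["status"]) >= 400:
            problems.append((e["host"], e["method"], e["code"], e["status"]))
    return dict(per_host), problems
```

Run it against a real access.log (or the GUI's exported lines) with the broken site's domain as `needle`; third-party hosts that show up with 4xx/5xx while the main site returns 200 are the embedded resources the proxy is blocking or failing to bump.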