Bypass MITM for specific domains
Edit/Update
Looking in a different direction, I read https://docs.netgate.com/pfsense/en/latest/troubleshooting/squid.html as it mentions the 409 status error. The https://www.everyonesinvited.uk/ site is now working. Hopefully this is a fix; otherwise I will have to continue looking for a solution. If anyone has any insight, that would be awesome!
Original post
Hi,
I have a pfSense that I use for filtering WiFi for kids. This has been fine 99% of the time, but I have encountered an issue with unfiltering "https://www.everyonesinvited.uk/". It seems the site itself is accessible, but its resources (styles, images, etc.) are hosted by Squarespace.
TL;DR: Can I add a domain to an allowlist that will bypass the MITM in 'Splice all' mode?
Long version:
I have SSL filtering enabled; it is in 'Splice all' mode. I can't realistically install the CA cert on the devices that connect to this network.
It seems that Squarespace's servers are inaccessible when MITM is active. In the log I can see HTTP status 409. Turning off MITM makes the site work without issue.
Looking in SquidGuard, I cannot see anything being blocked. I have added Squarespace to the Common ACL just in case; no change.
The example I have been testing (the Everyone's Invited logo), https://static1.squarespace.com/static/5f22a93a4ca3bd10e8148771/t/5f22f877da9fd71149586bc5/1617739703822/?format=1500w should redirect to https://images.squarespace-cdn.com/content/5f22a93a4ca3bd10e8148771/1596127351681-7XDTFNHB9TRBHNV28HTE/Artboard+3%402x.png?content-type=image%2Fpng ; with MITM enabled, I just get an SSL protocol error and no redirect.
Is there a way to exclude squarespace from MITM?
Have I misunderstood how 'Splice all' vs 'Splice whitelist, bump otherwise' works? With that mode enabled, do you need the CA installed?
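The 409 the poster sees in the Squid log is the status Squid returns when its host verification for intercepted (transparent) connections fails: the IP the client actually connected to must be one of the addresses that the proxy's own resolver returns for the name the client asked for (the Host header, or the SNI read from a peeked TLS ClientHello). CDN hostnames such as Squarespace's hand out different addresses from different resolvers, so a client using its ISP's DNS and a firewall using its own resolver will disagree, and the connection is refused; the client only sees a TLS/"SSL protocol error" because the refusal happens before any HTTP response it can render. The model below is an added illustration written for this thread, not Squid's or pfSense's code, and all addresses and DNS answers in it are constructed. It simplifies Squid's real check (which also caches DNS answers) to the one rule that explains the symptom.

```python
"""
Model of the host-verification check Squid applies to intercepted connections.
Illustration only (not Squid's code): the destination IP of an intercepted
connection must be among the addresses the PROXY's resolver returns for the
requested name (Host header, or SNI on a peeked TLS hello). A mismatch is
refused with HTTP 409 Conflict.
"""
from dataclasses import dataclass


@dataclass
class Resolver:
    """Stand-in for a DNS server: holds the answer set it would return per name."""
    label: str
    answers: dict

    def resolve(self, name):
        return set(self.answers.get(name.lower().rstrip("."), ()))


def verify_intercepted(dst_ip, name, proxy_resolver):
    """Decide one intercepted connection the way the modelled check does.

    Returns (verdict, reason): "splice" when dst_ip is an address the proxy's
    resolver returns for name, otherwise "409".
    """
    proxy_ips = proxy_resolver.resolve(name)
    if not proxy_ips:
        return "409", f"{name} does not resolve via {proxy_resolver.label}"
    if dst_ip in proxy_ips:
        return "splice", f"{dst_ip} is among {sorted(proxy_ips)}"
    return "409", (f"client connected to {dst_ip} but {proxy_resolver.label} "
                   f"resolves {name} to {sorted(proxy_ips)}")


# Constructed example data: documentation-range addresses, not real DNS records.
CDN_NAME = "static1.squarespace.com"      # a CDN name with resolver-dependent answers
STATIC_NAME = "www.everyonesinvited.uk"   # a name every resolver answers the same way
ISP_DNS = Resolver("ISP resolver",
                   {CDN_NAME: ["198.51.100.10", "198.51.100.11"],
                    STATIC_NAME: ["192.0.2.5"]})
FW_DNS = Resolver("firewall resolver",
                  {CDN_NAME: ["203.0.113.20", "203.0.113.21"],
                   STATIC_NAME: ["192.0.2.5"]})


def simulate(client_resolver, proxy_resolver, name):
    """The client resolves name with ITS resolver and connects to the first
    answer; the firewall intercepts and runs verify_intercepted() with the
    proxy's resolver."""
    client_ips = sorted(client_resolver.resolve(name))
    if not client_ips:
        return "nxdomain", "client could not resolve the name"
    return verify_intercepted(client_ips[0], name, proxy_resolver)


def main():
    cases = [
        ("CDN name, client on ISP DNS, proxy on firewall DNS", ISP_DNS, FW_DNS, CDN_NAME),
        ("CDN name, client and proxy both on firewall DNS", FW_DNS, FW_DNS, CDN_NAME),
        ("non-CDN name, client and proxy on different DNS", ISP_DNS, FW_DNS, STATIC_NAME),
    ]
    for title, client, proxy, name in cases:
        verdict, why = simulate(client, proxy, name)
        print(f"{title}: {verdict} ({why})")


if __name__ == "__main__":
    main()
```

Two practical consequences follow from the modelled rule. First, the check is applied to every intercepted connection whether the TLS session is later spliced or bumped, so putting Squarespace on a splice allowlist does not by itself avoid it; what removes the disagreement is having the clients and the firewall use the same resolver (the firewall's DNS Resolver handed out via DHCP is the usual pfSense arrangement, and is the direction the Netgate troubleshooting page the poster found points in). Second, the "Splice all" mode only peeks at the ClientHello and passes the TLS session through unmodified, which is why it works without the CA on the clients; the CA is only needed for connections that are bumped.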