FIXED!!!! SquidGuard Redirect Page for Error Codes Issues with HTTPS/SSL Interception
-
Hello fellow Netgate Community Members, can you please help?
I have the SquidGuard redirect page working for spliced devices (see photo). However, on devices that are certificated it will not work. I use port 8080 for the firewall's GUI.
Custom options used (with SSL/MITM):
acl splice_only src 192.168.1.18 #Xbox
acl splice_only src 192.168.1.11 #Amazon Fire
acl splice_only src 192.168.1.8 #Tasha Apple
acl splice_only src 192.168.1.7 #Jon Android
acl splice_only src 192.168.1.15 #Tasha HP
acl splice_only src 192.168.1.16 #iPad
acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/url.nobump"
ssl_bump peek step1
ssl_bump splice splice_only
ssl_bump splice NoSSLIntercept
ssl_bump stare step2
ssl_bump bump step3
Notice I can access the SquidGuard error page here on the Android smartphone (see enlarged photo; hotjar is blocked by SquidGuard). I can access the error page directly from a certificated device (see attached).
Direct URL used to access the error PHP:
https://192.168.1.1:8080/sgerror.php?url=403%20Blocked%20by%20Mom%20and%20Dad&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
However, when I attempt to access the SquidGuard test blocked URL hotjar on a certificated device I get the following error code (see attached).
I have attempted to add the GUI port into Squid as a safe port; same issue.
Per the following pages:
https://forum.netgate.com/topic/119092/the-following-error-was-encountered-while-trying-to-retrieve-https-http/14
https://forum.netgate.com/topic/154743/how-to-configure-squidguard-for-https/7
They state you have to append
url_rewrite_access deny CONNECT
url_rewrite_access allow all
to your Squid custom options to make the redirect page work in SSL MITM mode.
Custom options (before auth)
I guess it blocked redirects with HTTPS SSL Intercept enabled. However, all this does for me is change the error from https://https/* to https://192.168.1.1:8080/sgerror.php? and it still has an error.
Every once in a while it works on the certificated device. However, it always works for the spliced devices like the Android phone.
I never thought much about getting this fixed until the android error page started working again.
I use the following ACLs (see photo).
I use the WPAD host override (see photo).
I also use option 252 and option 42 for the DHCP server (see photo).
I can access the URL in each option 252 listed and download the wpad.pac, wpad.da and wpad.dat directly from the web browsers.
Why does the SquidGuard error page cause issues with the iPad and iMac? It works sometimes and other times it gives an error.
-
(I have SquidGuard set to the int error page.)
Notice the redirect URL; I can access this manually with no issues.
-
On my android phone Firefox and Edge show the error URL correctly.
-
FIX:
Use EXT URL MOVE and set it to your internal URL.
(Error page working now with WPAD, on SSL-intercepted certificated devices and on SSL-spliced devices.)
-
FIX:
Set the redirect to Google.com; that way it cannot give an error message, it just takes you back to the search page.
Or you could use the office website if needed.
I did not think it would work but it does.
-
@JonathanLee Keep in mind this type of redirect could be "gaslighting" and cause "crazy making situations" if it just keeps going to Google. I would recommend using an official "this website is blocked" page that afterwards redirects back to a company page, and not just Google. This provides clarity and transparency.
-
That action is just echoing back the input to the user but as it passes through a query string and so on, the contents are not evaluated, only printed. It ends up encoded in a way that doesn't make it possible to execute anything. I tossed a bunch of different inputs at it (various PHP commands, exec commands, javascript tags, and so on) and thus far have been unable to produce anything other than benign output. Not even rendered HTML, just URL encoded strings.
It could maybe use an extra layer of encoding for safety but it doesn't appear to be critical unless it's something browser-specific that I've been unable to trigger.
Also, in the future, this is NOT the place or method to report suspected security issues. Please report them responsibly as detailed on https://www.netgate.com/security and do not discuss them publicly.
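To illustrate the point above about the block page only printing what passes through the query string, here is an added Python model (not pfSense's sgerror.php): the redirect template is the one quoted in this thread, while the placeholder-filling, the parsing and the HTML-escaped rendering are this example's own and the request values are constructed.

```python
import re
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Block page and redirect template as quoted in the thread.
BLOCK_PAGE = "https://192.168.1.1:8080/sgerror.php"
TEMPLATE = (BLOCK_PAGE + "?url=403%20Blocked%20by%20Mom%20and%20Dad"
            "&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u")

# squidGuard placeholders: %a client address, %n client hostname,
# %i user ident, %s source group, %t target group, %u blocked URL.
PLACEHOLDER = re.compile(r"%[anistu]")


def build_redirect(template, a, n, i, s, t, u):
    """Fill the placeholders in one pass, percent-encoding every value
    (safe="" so '/', ':', '?' and '&' inside the blocked URL cannot split
    the query string). Encoding here is this example's own choice, not a
    claim about how squidGuard itself performs the substitution."""
    values = {"%a": a, "%n": n, "%i": i, "%s": s, "%t": t, "%u": u}
    return PLACEHOLDER.sub(lambda m: quote(values[m.group()], safe=""), template)


def parse_block_request(redirect_url):
    """What an sgerror-style block page receives: the decoded query values."""
    qs = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    return {key: vals[0] for key, vals in qs.items()}


def render_block_page(params):
    """Echo the request back as a page. Every value is HTML-escaped, so
    markup inside a blocked URL is displayed as text, never interpreted."""
    rows = "".join(
        f"<tr><td>{escape(k)}</td><td>{escape(v, quote=True)}</td></tr>"
        for k, v in sorted(params.items())
    )
    title = escape(params.get("url", "Blocked"), quote=True)
    return f"<html><body><h1>{title}</h1><table>{rows}</table></body></html>"


if __name__ == "__main__":
    # Constructed request: a blocked URL carrying markup and its own query.
    url = build_redirect(TEMPLATE, "192.168.1.7", "-", "-", "lan",
                         "blk_BL_ads", "https://hotjar.com/<b>x</b>?a=1&b=2")
    print(render_block_page(parse_block_request(url)))
```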
-
@jimp thanks for looking into this. I will use that URL for future items. I did not know about that other URL until today.