Netgate Discussion Forum

    FIXED!!!! SquidGuard Redirect Page for Error Codes Issues with HTTPS/SSL Interception

    Cache/Proxy
    redirect squid squidguard mitm
    • JonathanLee (last edited by JonathanLee)

      Hello fellow Netgate Community Members, can you please help?

      I have the SquidGuard redirect page working for spliced devices (see photo). However, on devices that are certificated it will not work. I use port 8080 for the firewall's GUI.

      Screenshot 2023-08-18 at 2.21.59 PM.png
      (Custom Options with SSL/MITM)

      Custom Option Used:

      acl splice_only src 192.168.1.18 #Xbox
      acl splice_only src 192.168.1.11 #Amazon Fire
      acl splice_only src 192.168.1.8 #Tasha Apple
      acl splice_only src 192.168.1.7 #Jon Android
      acl splice_only src 192.168.1.15 #Tasha HP
      acl splice_only src 192.168.1.16 #iPad
      acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/url.nobump"
      ssl_bump peek step1
      ssl_bump splice splice_only
      ssl_bump splice NoSSLIntercept
      ssl_bump stare step2
      ssl_bump bump step3

      Notice I can access the SquidGuard error page here on the Android smartphone (see enlarged photo).
      Screenshot_20230816-174226.png (hotjar is blocked by SquidGuard)

      I can access the error page directly from a certificated device (see attached).
      Screenshot 2023-08-18 at 2.30.54 PM.png

      Direct URL used to access Error PHP

      https://192.168.1.1:8080/sgerror.php?url=403%20Blocked%20by%20Mom%20and%20Dad&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

      However, when I attempt to access the SquidGuard test-blocked URL (hotjar) on a certificated device, I get the following error code (see attached).

      Screenshot 2023-08-18 at 2.19.22 PM.png

      I have attempted to add the GUI port into Squid as a safe port; same issue.

      Per the following pages:
      https://forum.netgate.com/topic/119092/the-following-error-was-encountered-while-trying-to-retrieve-https-http/14
      https://forum.netgate.com/topic/154743/how-to-configure-squidguard-for-https/7

      They state:

      You have to append

      url_rewrite_access deny CONNECT
      url_rewrite_access allow all

      to your squid custom options to make the redirect page work in SSL MITM mode.

      Custom options (before auth)

      I guess it blocked redirects with HTTPS SSL Intercept enabled. However, all this does for me is change the error from https://https/* to https://192.168.1.1:8080/sgerror.php? and it still has an error.

      Every once in a while it works on the certificated device. However, it always works for the spliced devices like the Android phone.

      I never thought much about getting this fixed until the Android error page started working again.

      I use the following ACLs (see photo)
      Screenshot 2023-08-18 at 2.37.40 PM.png

      I use the WPAD Host Override (see photo)
      Screenshot 2023-08-18 at 2.38.23 PM.png

      I also use option 252 and option 42 for DHCP server (see photo)
      Screenshot 2023-08-18 at 2.40.24 PM.png
      I can access the URL listed in each option 252 and download wpad.pac, wpad.da and wpad.dat directly from the web browsers.

      Why does the SquidGuard error page cause issues with the iPad and iMac? It works sometimes and other times it gives an error.

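      The custom options above mix per-device splice ACLs, SSL bump steps and (per the linked topics) the two url_rewrite_access lines that keep CONNECT tunnels away from the squidGuard redirector. The following linter is an added example, not code from this thread, pfSense or the squid project; it parses a custom-options block of that shape and flags the three mistakes the thread circles around: an unparseable src address, an ssl_bump rule that shadows every rule after it (squid evaluates ssl_bump lines first-match, so a rule with the ACL `all` makes later splice rules unreachable), and a missing or misordered `url_rewrite_access deny CONNECT`. The sample block is a constructed copy of the poster's options with the url_rewrite_access lines deliberately left off.

```python
"""Lint a squid "Custom Options" block of the kind posted in this thread.

Added example (not from the thread or from pfSense/squid).  Assumptions:
  * comments start at '#' and run to end of line, as in the posted block
  * squid evaluates ssl_bump lines in order, first match wins, so a rule
    whose only ACL is `all` shadows everything after it
  * `url_rewrite_access deny CONNECT` must come before `allow all`, or the
    deny is never reached and CONNECT requests still hit the redirector
"""
import ipaddress

# Constructed copy of the poster's options, WITHOUT the two
# url_rewrite_access lines the linked topics say must be appended.
OPTIONS_FROM_THREAD = """\
acl splice_only src 192.168.1.18 #Xbox
acl splice_only src 192.168.1.11 #Amazon Fire
acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/url.nobump"
ssl_bump peek step1
ssl_bump splice splice_only
ssl_bump splice NoSSLIntercept
ssl_bump stare step2
ssl_bump bump step3
"""

# The fix quoted from the linked topics.
URL_REWRITE_FIX = """\
url_rewrite_access deny CONNECT
url_rewrite_access allow all
"""


def parse_options(text):
    """Split the block into token lists, dropping blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(line.split())
    return rules


def lint(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    rules = parse_options(text)

    # 1. Every `acl <name> src <addr...>` entry must be a valid address or network.
    for tokens in rules:
        if len(tokens) >= 4 and tokens[0] == "acl" and tokens[2] == "src":
            for addr in tokens[3:]:
                try:
                    ipaddress.ip_network(addr, strict=False)
                except ValueError:
                    findings.append(f"acl {tokens[1]}: '{addr}' is not a valid address")

    # 2. First-match semantics: an ssl_bump rule gated only by `all` makes
    #    every later ssl_bump rule (e.g. a splice for a device) unreachable.
    bump_rules = [t[1:] for t in rules if t[0] == "ssl_bump" and len(t) >= 2]
    for i, rule in enumerate(bump_rules):
        if rule[1:] == ["all"]:
            for later in bump_rules[i + 1:]:
                findings.append(
                    f"ssl_bump: '{' '.join(later)}' follows '{' '.join(rule)}' and can never match"
                )
            break

    # 3. CONNECT requests must be kept away from the redirector, and the deny
    #    must precede the catch-all allow.
    rewrite = [t[1:] for t in rules if t[0] == "url_rewrite_access"]
    deny_connect, allow_all = ["deny", "CONNECT"], ["allow", "all"]
    if deny_connect not in rewrite:
        findings.append(
            "url_rewrite_access: missing 'deny CONNECT' (needed for the redirect page in MITM mode)"
        )
    elif allow_all in rewrite and rewrite.index(allow_all) < rewrite.index(deny_connect):
        findings.append("url_rewrite_access: 'allow all' precedes 'deny CONNECT', so the deny is never reached")
    return findings


if __name__ == "__main__":
    for label, block in (("as posted", OPTIONS_FROM_THREAD),
                         ("with fix", OPTIONS_FROM_THREAD + URL_REWRITE_FIX)):
        print(f"[{label}] {lint(block) or 'no findings'}")
```

      Run as a script it reports the missing `deny CONNECT` for the block as posted and nothing for the block with the two lines appended; the check is purely lexical, so it says nothing about whether the ACL file referenced by `ssl::server_name_regex` exists on the firewall.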
      • JonathanLee

        Screenshot 2023-08-18 at 2.44.45 PM.png

        (I have Squidguard set to int error page)

        Screenshot 2023-08-18 at 2.45.53 PM.png

        Notice the redirect URL; I can access this manually with no issues.

        • JonathanLee

          On my android phone Firefox and Edge show the error URL correctly.

          • JonathanLee

            FIX:

            Use EXT URL MOVE and set it to your internal URL.

            Screenshot 2023-08-18 at 3.08.12 PM.png

            Screenshot 2023-08-18 at 3.08.27 PM.png
            (Error page working now with WPAD, on SSL-intercepted certificated devices and on SSL-spliced devices.)

              • JonathanLee

                FIX:

                Set the redirect to Google.com; that way it cannot give an error message, it just takes you back to the search page.

                Or you could use the office website if needed.

                Screenshot 2023-08-18 at 4.34.26 PM.png

                I did not think it would work but it does.

                • JonathanLee (replying to @JonathanLee)

                  @JonathanLee Keep in mind this type of redirect could be "gaslighting" and cause "crazy-making situations" if it just keeps going to Google. I would recommend using an official "this website is blocked" page and afterwards redirecting back to a company page, not just Google. This provides clarity and transparency.

                  • jimp (Rebel Alliance Developer, Netgate)

                    That action is just echoing back the input to the user, but as it passes through a query string and so on, the contents are not evaluated, only printed. It ends up encoded in a way that doesn't make it possible to execute anything. I tossed a bunch of different inputs at it (various PHP commands, exec commands, JavaScript tags, and so on) and thus far have been unable to produce anything other than benign output. Not even rendered HTML, just URL-encoded strings.

                    It could maybe use an extra layer of encoding for safety, but it doesn't appear to be critical unless it's something browser-specific that I've been unable to trigger.

                    Also in the future, this is NOT the place or method to report suspected security issues. Please report them responsibly as detailed on https://www.netgate.com/security and do not discuss them publicly.

                    • JonathanLee (replying to @jimp)

                      @jimp thanks for looking into this. I will use that URL for future items. I did not know about that other URL until today.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.