Squid 3.3.4 package for pfsense with ssl filtering

ipis

Hi i just install the plugin but it doesn't fixed the issue, but i think the issue is came from ssl filtering, because when I disable the ssl filtering, and restart the pfsense. It returned to normal, and when I get back on using ssl filtering the site is broken again. Did I did something wrong? I set my ssl listening port to 3129, while my squid port is in 3128, both are set to LAN interface. Also i set my safe ports to 80, 443 and acl ports to 443 only.

Can you give me other config options? How can i used port 3128 on both squid port and ssl port man in the middle. can we do the tunneling?

marcelloc

@ipis:

Hi i just install the plugin but it doesn't fixed the issue.

This plugin is usefull to debug  the problem, not to fix ssl issues.

Enable it, select net tab and access the site with ssl enabled.

This way you will see all connections and check what is going fine and whats is failing.

ipis

Ok I will try that in my work on tuesday. Today is holiday in my country. Nways last time I also noticed that disbling or unchecking the "Allow users on the interface" and providing network subnet on acl tab will cause the ssl filterng not to work. Automatically squidguard will stop.

I Also tried disabling squidguard, and tried to filter the secured site in proxy server alone by putting its domain name in blacklist field on acl tab, example: youtube.com, but it fails. Seems like ssl is not filtering because i can still go to the site.

Another thing can you please teach me how will I install squid dev package using shell? Because i want to edit squid.conf manually. What I wan't to do temporaryly while we are fixing this error is to disable ssl filtering by default and enable it only on sp
ecific website along with specific ip address. This way i can block the access to specific people only and let the other employees access it without errors. Sounds good idea i guess. Thanks in advance!

marcelloc

you can install the package using this:

amd64

fetch http://files.pfsense.org/packages/amd64/8/All/squid-3.3.8-amd64.pbi
pbi_add --no-checksig squid-3.3.8-amd64.pbi

To edit squid.conf file and keep it on xml backup, you can use filer package.

bilbo

@marcelloc:

@ipis:

Is this normal, or theres a way to overcome this? Thanks

Yes, to avoid these erros, play with squid cert options and include pfsense CA as a trusted CA on each browsers. This way you will not get any ssl error for https sites.

Services that use same ssl port(tor, ultrasurf) will always fail.

I am trying to do this but keep getting cert errors on my test machine. Have I done it right? I created an internal cert authority on pfsense and exported the certificate then installed the certificate in to the trusted root ca store of the test machine.

edit: nevermind changing the certificate adapt setting seems to have resolved!

Does this mean I can now enforce google safesearch without forcing no ssl?

Also, what happens is there is a malicious man in the middle attack beyond pfsense?

marcelloc

@bilbo:

Also, what happens if there is a malicious man in the middle attack beyond pfsense?

Certificate fails on client or server. It will depends on what certificate errors you configure to accept.

It it's configured to do not accept, you receive a squid error page
If It's configured to allow client decide, browser will complain about a "not trusted by CA" certificate error.

bilbo

That is excellent.

I too however would like not to intercept for certain domains, I am using transparent mode and entering domains in the whitelist had no effect, I think someone else mentioned this somewhere.

ipis

Hi marcelloc, kindly see attached file, I hope this is what we are looking for

exograpix

Any alternate link or mirror . below mentioned link is dead

amd64
http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

i386
http://e-sac.siteseguro.ws/pfsense/8/All/ldd/

Thanks for any info. require them urgently

Nachtfalke

@exograpix:

Any alternate link or mirror . below mentioned link is dead

amd64
http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

i386
http://e-sac.siteseguro.ws/pfsense/8/All/ldd/

Thanks for any info. require them urgently

Anything is up and working with the links above.

marcelloc

@ipis:

Hi marcelloc, kindly see attached file, I hope this is what we are looking for

did you tried to whitelist the aborted sites( in red)?

ipis

Yes i've tried. Its the akamai.net. Putting it to whitelist won't work, but if I try to put that address to source ip, the page is fixed again, but doing so will also bypass the block rule for all clients

exograpix

The links are working thanks for the help.

Nachtfalke

Hi,

today I installed a test machine with pfsense 2.1 and squid3-dev + squidguard-squid3.
I added the files marcelloc posted in several threads here and squid seems to start without any issues.

My questions:
1.) I first installed squid3-dev and the squidguard-squid3. Will this contain the latest squid-3.3.8 version? Or does squidguard-squid3 uses older squid3 version?

2.) On squid3-dev GUI I only see OPT1, OPT2, …. interfaces and not the names I assigned them in GUI. I know that squid2 shows the "correct" names. Is this a bug or a feature in squid3-dev?  ;)

ipis

Hi marcelloc. How can i allow mobile apps to work, because most of the doctors in our organization is using facebook apps. also yahoo messenger. while our offices are not allowed to use what i mentioned. Thanks

marcelloc

@ipis:

Hi marcelloc. How can i allow mobile apps to work, because most of the doctors in our organization is using facebook apps. also yahoo messenger. while our offices are not allowed to use what i mentioned. Thanks

What you get on squid logs?

Did you tried to install pfsense ca certificate on your mobiles?

stanthewizard

Hello

Can you help on a big issue.

I have (in a lab):
Exchange 2013
Remote Desktop Gateway

The external FQDN is: toto.com

I have multiple web servers and mapping working correctly

The exchange server is working correctly

The SSL cert is self signed:
imported in pfsense
on exchange
on TS Gateway

I'm unable to connect to the gateway … sort of timedout.

If the gateway is directly redirected (80/443 nat to the correct IP) ... IT WORKS
If the gateway is accessed through reverse proxy ... DON'T WORKS

Any idea ?
It's driving me mad

Thanks

stanthewizard

I found the SOLUTION

Create a web servers
IP of the TSG
https
named rdc_443

mapping
group name rdc_443
group description (url of the gateway)
peers rdc_443
URIs (this is the tricky part)
^https://yoururlgateway/rpcwithcert/rpcproxy.dll.$
^https://yoururlgateway/rpc/rpcproxy.dll.$

DONE

keyser

@StantheWizard

I think you and I discussed this Terminal Services Gateway Issue before since I wanted that to work as well.

Are you saying it works now with the Squid 3.3.8-Dev package? (Using your additional instructions)?

Can you upgrade from the Squid 3.1.20 package to the 3.3.8-dev, or do I need to recreate all the settings from square one again?

-Keyser

marcelloc

@keyser:

Can you upgrade from the Squid 3.1.20 package to the 3.3.8-dev, or do I need to recreate all the settings from square one again?

Do not forget to check -dev dependences before upgrading.

Most options are the same but I suggest you to check all tabs after upgrading it.