Squid 3.3.4 package for pfsense with ssl filtering

ccarreraalza

I have a question.
I'm using squid 3.3.8-devel, well, when I go to facebook page shows me the warning I give exception and shows me confirm the facebook page but incompletely, as well as also the paypal page, and this because it is within the site of faccebook or https paypal there are other pages that are to be displayed, but they all come with an X.

as could validate the certificate on them to the web page or paypal facebook full display?

thanks

Google translator, sorry not mastered the English perfectly

totalimpact

Any tips to getting this working with dansguardian?

downloaded all the libs, installed Dans and then squid-dev, checked the boxes under squid to enable transparent mode and https MITM, installed Dans, and selected the same CA/Cert on pf.

Can see pages getting proxy'd, but no filtering is happening.

Mozart

Is it possible to update the Squid3-dev package so that I can add a couple of options to the reverse proxy part? I want to disable certain unsafe protocols like sslv2. Here is an example of the line in the config file that I updated:
https_port 172.28.252.101:443 accel cert=/usr/pbi/squid-amd64/etc/squid/52038c08be9a9.crt key=/usr/pbi/squid-amd64/etc/squid/52038c08be9a9.key defaultsite=some.site.com vhost options=NO_SSLv2:NO_TLSv1 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

I would like it if there would be an option in the GUI to do this. My workaround at the moment is editing the /usr/local/pkg/squid_reverse.inc file on line 85. I added the options there so they will stay in place in case I make an update to the reverse proxy.

exograpix

Any news or timeline or alternative  of antivirus package compatible with squid -dev version.

Thanks

leojoe

amd64
http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

i386
http://e-sac.siteseguro.ws/pfsense/8/All/ldd/

Hello All, Have tried to open the link above but displays forbidden? Anyone can check whats going on. Cannot start the Squid3 - dev for missing libraries.

Nachtfalke

@leojoe:

amd64
http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

i386
http://e-sac.siteseguro.ws/pfsense/8/All/ldd/

Hello All, Have tried to open the link above but displays forbidden? Anyone can check whats going on. Cannot start the Squid3 - dev for missing libraries.

I don't have any problems with these links. Try another browser or clear your browser's cache.

leojoe

@Nachtfalke:

@leojoe:

amd64
http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

i386
http://e-sac.siteseguro.ws/pfsense/8/All/ldd/

Hello All, Have tried to open the link above but displays forbidden? Anyone can check whats going on. Cannot start the Squid3 - dev for missing libraries.

I don't have any problems with these links. Try another browser or clear your browser's cache.

yeah it's working now.

ZGruk

I'm having a really weird issue with squid. I've got squid and dansguardian, and I added local authentication to squid.
I defined 3 users in the squid GUI, one named admin, and two others.
The "admin" user works as intended. It blocks access unless I log in, and once I do, it works fine. None of the other users work.
When I try to log in with them, it acts like they don't exist or I put the wrong password in. I thought maybe it was linked somehow to the pfSense user "admin" but

A) the squid admin password is different from the pfSense password and
B) adding a pfSense user with one of the other names doesn't help.

Any idea what could be causing this?

Separately, do we know if SSL man-in-the-middle works with dansguardian? Older posts suggest that it doesn't, but I wondered if it had been fixed more recently.

wheelz

I'm seeing some SSL disconnects which are very similar to this bug:  http://bugs.squid-cache.org/show_bug.cgi?id=3659.  However this was supposed to have been resolved some time ago and changing the read_timeout does not fix it.  Any ideas?

ZGruk

Update to add: I tried adding an "administrator" and an "admin2" account. "administrator" works, "admin2" doesn't. Very strange. Perhaps I should try "administrador" (spanish) or "administrateur" (french) next  :P

jomcy

hi,
i tried to install squid 3.3.5 followed  your document and all went smooth. but not showing in package list. please help me install it.
i just want transparent proxy for dynamic caching nothing more. can you please suggest me a stable proxy version for cache YouTube and other video sites
jomcy

duanes

Has anyone tried to use the "Time" setting to change squidguard filtering on this version of squid?

I don't know if this is a squid or a squidguard error, but the filters NEVER switch from On-Time to Off-Time and vice-versa…. ie, the "recalc trigger time" event never happens.

This has been a bug for YEARS, but I cannot seem to get any of the code developers interested in looking at the problem.  They all point to a client caching problem, but that is definitely not the case.  Squidguard log shows the redirect every time.

:(
Thanks for listening.

See:
https://forum.pfsense.org/index.php?topic=72251
https://forum.pfsense.org/index.php?topic=59671
https://forum.pfsense.org/index.php/topic,43352.0.html    (nearly 7000 views!)

erwintwr

Hi guys

I am having a problem using transparent SSL man in the middle, and skype. Skype client connects, but it doesnt seem to complete the process, as no contants come online.

I currently managed  to get transparent Squid3 Dev and Squidguard 3 working with SSL Man in the middle configured with a CA cert generated by the pfsense box - it works beaufitully, especially since this allows squidguard to apply access rules to HTTPS sites, which previously required cumbersome DNS work arounds.)

If i bypass the source IP on the proxy, skype works, and also if i switch off SSL man in the middle it works as well, which both has obvious drawbacks.

Can somebody maybe point me in the right direction as to what could cause this issue? (or what to do to resolve this)
I have not changed any filter rules or added any  NAT on the firewall side ( thus it is stock)

If there is a way to bypass skype traffic from the squid proxy, we can look at that as well

some entries from the squid log is generated below :

1393247653.671    680 192.168.2.11 TCP_MISS/200 394 GET http://conn.skype.com/ - HIER_DIRECT/91.190.216.81 text/html
1393247654.337    640 192.168.2.11 TCP_MISS/200 515 GET http://ui.skype.com/ui/0/6.3.60.105./en/getlatestversion? - HIER_DIRECT/157.56.114.104 text/html
1393247654.403      0 192.168.2.11 NONE/400 3535 CNT 1CON185 - HIER_NONE/- text/html
1393247654.640    700 192.168.2.11 TCP_MISS/200 1290 GET http://api.skype.com/users/adriaan.klopper/profile/avatar - HIER_DIRECT/91.190.216.7 image/jpeg
1393247654.914    259 192.168.2.11 TCP_MISS/200 1290 GET http://api.skype.com/users/alfred.modiba/profile/avatar - HIER_DIRECT/91.190.216.7 image/jpeg
1393247655.256    317 192.168.2.11 TCP_MISS/200 3338 GET http://api.skype.com/users/annelize.smit3/profile/avatar - HIER_DIRECT/91.190.216.7 image/jpeg
1393247655.391      0 192.168.2.11 NONE/400 3535 CNT 2CON185 - HIER_NONE/- text/html
1393247655.522    256 192.168.2.11 TCP_MISS/200 1290 GET http://api.skype.com/users/live:bernardi222/profile/avatar - HIER_DIRECT/91.190.216.7 image/jpeg
1393247663.465      0 192.168.2.11 NONE/400 3535 CNT 3CON185 - HIER_NONE/- text/html
1393247686.127      0 192.168.2.11 NONE_ABORTED/000 0 GET https://forum.pfsense.org/Themes/flagrantly202/images/bbc/bbc_hoverbg.gif - HIER_NONE/- -
1393247710.685      0 192.168.2.11 NONE/400 3535 CNT 4CON185 - HIER_NONE/- text/html

any ideas welcome

thank you guys!

serialdie

@duanes:

Has anyone tried to use the "Time" setting to change squidguard filtering on this version of squid?

I don't know if this is a squid or a squidguard error, but the filters NEVER switch from On-Time to Off-Time and vice-versa…. ie, the "recalc trigger time" event never happens.

This has been a bug for YEARS, but I cannot seem to get any of the code developers interested in looking at the problem.  They all point to a client caching problem, but that is definitely not the case.  Squidguard log shows the redirect every time.

:(
Thanks for listening.

See:
https://forum.pfsense.org/index.php?topic=72251
https://forum.pfsense.org/index.php?topic=59671
https://forum.pfsense.org/index.php/topic,43352.0.html    (nearly 7000 views!)

I feel your pain.
My work around this was to create a cronjob to HUP squid each off time.

usabug

I have the same issue . I cannot find a way to allow skype to work .
I use trasparent proxy for 80/443 with mitm. if someone knows a way hot to get it work please share it with us !!!

marcelloc

@erwintwr:

some entries from the squid log is generated below :

Create a host alias on pfsense and add

api.skype.com
conn.skype.com
ui.skype.com

Then put this alias on squid "Bypass proxy for these destination IPs" transparent option
Field description says
Do not proxy traffic going to these destination IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]

If you are not using transparent proxy, a custom acl to keep .skype.com out of ssl interception may work.
http://www.squid-cache.org/Doc/config/ssl_bump/

postduif

I've got Squid with transparent SSL working, but sadly not for sites like gmail.com (mail.google.com works). A HSTS failure prevents chrome for opening the site. Is there any bypass for HSTS?

periko

I had setup ssl-bump and could navigate to different sites, gmail, google, facebook, paypal and even more, all of them use https.

The trick for me was to give my ca to each browser, on iexplore import the ca to the root, firefox was more detail because he ask u what rights u want to apply to the ca.

Just 1 failure with my bank site which I still cannot access with ssl-bump enable, but the browser doesn't give to much details of the issue.

The 2nd issue I found was with ebay, went I wanted to pay I receive this error:

The following error was encountered while trying to retrieve the URL: ://checkout.payments.ebay.com:443

Failed to establish a secure connection to site-ip

The system returned:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa 10/CN=VeriSign Class 3 Secure Server CA - G3

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

What I did was to clear certs folders, empty index.txt, size folder value to 0, latter remove my ca from the browsers, create a new one and start over.

I could pay on ebay, the only issue I have is with my bank now, I will try to add the option that skip some sites from ssl-bump.

I still nervous if I can send this to production.

marcelloc

@periko:

I still nervous if I can send this to production.

with ssl interception you will always need a lot of tests.

I'm having some issues with some sites too, the workaround is to do not intercept sites I know or trust.

I'm still waiting squid 3.4 in freebsd ports. Since it's there, I'll update squid3-dev.

gzartman

I've been working to get ssl bumping working on windows 7 & 8 clients, but I continue to get SSL Certificate errors.

I'm running latest PFsense 2.1, and installed squid3-dev from the repo.

I created a CA in the certificate manager, then clicked on SSL Man in the middle filter in the Proxy Server panel.  I'm running squid as a transparent proxy, so input port 443 in the port number field.  I then select my CA create in the CA field.

I'm not sure if I need to select any of the options in Remote Cert checks and Certificate adapt fields, so I'm just accepting defaults (i.e., selecting none).

I then download the CA on my windows machines and install them as Trusted Root CAs using the certmgr.msc windows application.  When I browse to google.com in both firefox and chrome, I get certificate errors.

Am I missing a setting in the SSL man in the middle panel or some other setting?

Thanks,

greg