Squid 3.3.4 package for pfsense with ssl filtering
-
hi,
i tried to install squid 3.3.5 followed your document and all went smooth. but not showing in package list. please help me install it.
i just want transparent proxy for dynamic caching nothing more. can you please suggest me a stable proxy version for cache YouTube and other video sites
jomcy -
Has anyone tried to use the "Time" setting to change squidguard filtering on this version of squid?
I don't know if this is a squid or a squidguard error, but the filters NEVER switch from On-Time to Off-Time and vice-versa…. ie, the "recalc trigger time" event never happens.
This has been a bug for YEARS, but I cannot seem to get any of the code developers interested in looking at the problem. They all point to a client caching problem, but that is definitely not the case. Squidguard log shows the redirect every time.
:(
Thanks for listening.See:
https://forum.pfsense.org/index.php?topic=72251
https://forum.pfsense.org/index.php?topic=59671
https://forum.pfsense.org/index.php/topic,43352.0.html (nearly 7000 views!) - 19 days later
-
Hi guys
I am having a problem using transparent SSL man in the middle, and skype. Skype client connects, but it doesnt seem to complete the process, as no contants come online.
I currently managed to get transparent Squid3 Dev and Squidguard 3 working with SSL Man in the middle configured with a CA cert generated by the pfsense box - it works beaufitully, especially since this allows squidguard to apply access rules to HTTPS sites, which previously required cumbersome DNS work arounds.)
If i bypass the source IP on the proxy, skype works, and also if i switch off SSL man in the middle it works as well, which both has obvious drawbacks.
Can somebody maybe point me in the right direction as to what could cause this issue? (or what to do to resolve this)
I have not changed any filter rules or added any NAT on the firewall side ( thus it is stock)If there is a way to bypass skype traffic from the squid proxy, we can look at that as well
some entries from the squid log is generated below :
1393247653.671 680 192.168.2.11 TCP_MISS/200 394 GET http://conn.skype.com/ - HIER_DIRECT/91.190.216.81 text/html
1393247654.337 640 192.168.2.11 TCP_MISS/200 515 GET http://ui.skype.com/ui/0/6.3.60.105./en/getlatestversion? - HIER_DIRECT/157.56.114.104 text/html
1393247654.403 0 192.168.2.11 NONE/400 3535 CNT 1CON185 - HIER_NONE/- text/html
1393247654.640 700 192.168.2.11 TCP_MISS/200 1290 GET http://api.skype.com/users/adriaan.klopper/profile/avatar - HIER_DIRECT/91.190.216.7 image/jpeg
1393247654.914 259 192.168.2.11 TCP_MISS/200 1290 GET http://api.skype.com/users/alfred.modiba/profile/avatar - HIER_DIRECT/91.190.216.7 image/jpeg
1393247655.256 317 192.168.2.11 TCP_MISS/200 3338 GET http://api.skype.com/users/annelize.smit3/profile/avatar - HIER_DIRECT/91.190.216.7 image/jpeg
1393247655.391 0 192.168.2.11 NONE/400 3535 CNT 2CON185 - HIER_NONE/- text/html
1393247655.522 256 192.168.2.11 TCP_MISS/200 1290 GET http://api.skype.com/users/live:bernardi222/profile/avatar - HIER_DIRECT/91.190.216.7 image/jpeg
1393247663.465 0 192.168.2.11 NONE/400 3535 CNT 3CON185 - HIER_NONE/- text/html
1393247686.127 0 192.168.2.11 NONE_ABORTED/000 0 GET https://forum.pfsense.org/Themes/flagrantly202/images/bbc/bbc_hoverbg.gif - HIER_NONE/- -
1393247710.685 0 192.168.2.11 NONE/400 3535 CNT 4CON185 - HIER_NONE/- text/htmlany ideas welcome
thank you guys!
- 9 days later
-
Has anyone tried to use the "Time" setting to change squidguard filtering on this version of squid?
I don't know if this is a squid or a squidguard error, but the filters NEVER switch from On-Time to Off-Time and vice-versa…. ie, the "recalc trigger time" event never happens.
This has been a bug for YEARS, but I cannot seem to get any of the code developers interested in looking at the problem. They all point to a client caching problem, but that is definitely not the case. Squidguard log shows the redirect every time.
:(
Thanks for listening.See:
https://forum.pfsense.org/index.php?topic=72251
https://forum.pfsense.org/index.php?topic=59671
https://forum.pfsense.org/index.php/topic,43352.0.html (nearly 7000 views!)I feel your pain.
My work around this was to create a cronjob to HUP squid each off time. - 15 days later
-
I have the same issue . I cannot find a way to allow skype to work .
I use trasparent proxy for 80/443 with mitm. if someone knows a way hot to get it work please share it with us !!! -
some entries from the squid log is generated below :
Create a host alias on pfsense and add
api.skype.com conn.skype.com ui.skype.com
Then put this alias on squid "Bypass proxy for these destination IPs" transparent option
Field description says
Do not proxy traffic going to these destination IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]If you are not using transparent proxy, a custom acl to keep .skype.com out of ssl interception may work.
http://www.squid-cache.org/Doc/config/ssl_bump/ -
I've got Squid with transparent SSL working, but sadly not for sites like gmail.com (mail.google.com works). A HSTS failure prevents chrome for opening the site. Is there any bypass for HSTS?
-
I had setup ssl-bump and could navigate to different sites, gmail, google, facebook, paypal and even more, all of them use https.
The trick for me was to give my ca to each browser, on iexplore import the ca to the root, firefox was more detail because he ask u what rights u want to apply to the ca.
Just 1 failure with my bank site which I still cannot access with ssl-bump enable, but the browser doesn't give to much details of the issue.
The 2nd issue I found was with ebay, went I wanted to pay I receive this error:
The following error was encountered while trying to retrieve the URL: ://checkout.payments.ebay.com:443
Failed to establish a secure connection to site-ip
The system returned:
(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa 10/CN=VeriSign Class 3 Secure Server CA - G3This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
What I did was to clear certs folders, empty index.txt, size folder value to 0, latter remove my ca from the browsers, create a new one and start over.
I could pay on ebay, the only issue I have is with my bank now, I will try to add the option that skip some sites from ssl-bump.
I still nervous if I can send this to production.
-
I still nervous if I can send this to production.
with ssl interception you will always need a lot of tests.
I'm having some issues with some sites too, the workaround is to do not intercept sites I know or trust.
I'm still waiting squid 3.4 in freebsd ports. Since it's there, I'll update squid3-dev.
-
I've been working to get ssl bumping working on windows 7 & 8 clients, but I continue to get SSL Certificate errors.
I'm running latest PFsense 2.1, and installed squid3-dev from the repo.
I created a CA in the certificate manager, then clicked on SSL Man in the middle filter in the Proxy Server panel. I'm running squid as a transparent proxy, so input port 443 in the port number field. I then select my CA create in the CA field.
I'm not sure if I need to select any of the options in Remote Cert checks and Certificate adapt fields, so I'm just accepting defaults (i.e., selecting none).
I then download the CA on my windows machines and install them as Trusted Root CAs using the certmgr.msc windows application. When I browse to google.com in both firefox and chrome, I get certificate errors.
Am I missing a setting in the SSL man in the middle panel or some other setting?
Thanks,
greg
-
Don't know if this helps, but if u run ccleaner to clear cache in all your browsers before testing, does this helps?
-
Squid ssl filtering not working, it used to work 3 days back, but now certificate error are popping all over. please suggest.
-
You have to import pfsense-ca crt on firefox too, internet explorer and chrome uses certmgr.msc imported cert.
I'm testing it a lot without any cert issues on any sites.
-
Hi,
I have loaded ca certificate in trusted root certificate and webconfigurator certificate in personal (through certmgr.msc). but still shows certificate error in internet explorer. please suggest what to do.
-
In spite of all my effort still certificate error as soon as I enable ssl filtering , help guys.
-
I have loaded ca certificate in trusted root certificate and webconfigurator certificate in personal (through certmgr.msc). but still shows certificate error in internet explorer. please suggest what to do.
the only place you need is trusted root certificate on ie and firefox.
Sure it works.
screenshot the certificate you get when firefox rejects.
-
I have loaded ca certificate in trusted root certificate and webconfigurator certificate in personal (through certmgr.msc). but still shows certificate error in internet explorer. please suggest what to do.
the only place you need is trusted root certificate on ie and firefox.
Sure it works.
screenshot the certificate you get when firefox rejects.
It doesn't work any longer since I've updated to pfSense 2.1.1
It worked on 2.1 -
Thats my problem too , I have tried all combination but doesn't work, it used to work earlier quite smoothly, but somehow it stopped working now.
I request to sort this issue out asap to help the community and existing installs.
-
It doesn't work any longer since I've updated to pfSense 2.1.1
It worked on 2.1Need to see which system things changed with the upgrade.
Verify the "orphan" libraries for squid3-dev and what about OpenSSL?
OpenSSL does not like country codes longer than two letters, so remove entries that are not actually country codes
https://doc.pfsense.org/index.php/2.1.1_New_Features_and_Changes
-
I have used the standard process as pfsense 2.1 (now even in previous version ssl certificate error is popping)
I installed pfsense.
Created the internal CA.
Created the server certificate (tried client too)
Import CA certificate through certmgr.msc in trusted root
Import other certificate in personal
copied missing files for squid.
Installed squid-dev from packages.
Configured squid as before with ssl filter and certificate and boom even microsoft default certificate error.
-
It doesn't work any longer since I've updated to pfSense 2.1.1
It worked on 2.1Need to see which system things changed with the upgrade.
Verify the "orphan" libraries for squid3-dev and what about OpenSSL?
OpenSSL does not like country codes longer than two letters, so remove entries that are not actually country codes
https://doc.pfsense.org/index.php/2.1.1_New_Features_and_Changes
Checked, and the orphan libraries are on the system. Countrycode is 2 letters.
Squid http filtering works fine, only the https part results in certificate errors. -
https is the problem and it is major concern now.
-
pfSense 2.1 (not upgraded to 2.1.1)
squid3-dev upgraded from 3.3.10 pkg 2.2.1 to 3.3.10 pkg 2.2.2Bug for interception
Last lines of squid.conf generated by 2.2.1
# Custom options always_direct allow all ssl_bump server-first all # Setup allowed acls # Allow local network(s) on interface(s) http_access allow localnet # Default block all to be sure http_access deny allsrc
Last lines of squid.conf generated by 2.2.2
# Custom options before auth # Setup allowed acls # Allow local network(s) on interface(s) http_access allow localnet # Default block all to be sure http_access deny allsrc
Workaround until next version
Put at Custom ACLS (Before_Auth) box the lines
always_direct allow all
ssl_bump server-first allCustom ACLS (After_Auth)
In addition to this, the box Custom ACLS (After_Auth) does nothing.
Rotate Cron duplicated
The upgrade also duplicates the rotate cron. You can see it if you have Cron package installed
0 0 * * * root /bin/rm /var/squid/cache/swap.state; /usr/pbi/squid-i386/sbin/squid -k rotate -f /usr/pbi/squid-i386/etc/squid/squid.conf 0 0 * * * root /usr/pbi/squid-i386/sbin/squid -k rotate -f /usr/pbi/squid-i386/etc/squid/squid.conf
Delete the old cron containing rm swap.state and look up the new option Proxy server: Cache management: Clear cache on log rotate
Discussion about the new option, https://forum.pfsense.org/index.php?topic=74453.msg407287#msg407287
More about squid duplicated cron, https://forum.pfsense.org/index.php?topic=74633.0
-
Thanks for all the support, worked like a charm, much relieved now, I am not blaming developer doing very good job, but this bug wasted almost two days of working time.
Again my appreciations , you are a life saver.
If you can, please explain cron thing in details.
-
Thanks for your good words!
If you can, please explain cron thing in details.
https://forum.pfsense.org/index.php?topic=74453.msg407820#msg407820
-
I just created an account to say thank you. I've wasted all my afternoon after the upgrade, trying to guess why ssl bumping stopped to work at our school, but tomorrow everything (included the filter for the students) will be able to continue as expected.
-
Thanks for your good words!
Also, at school, www.bellera.cat :) :) :) :)
-
ssl_bump acls were inside auth loop. I'm fixing it right now.
-
Hi,
Thanks for update regarding squid fixing, please look into icap issue too, somehow not able to successfully run squid after clam update.
Thanks in advance
-
Hi,
Thanks for update regarding squid fixing, please look into icap issue too, somehow not able to successfully run squid after clam update.
Thanks in advance
This is still under devel. Current feedback says that's only working on i386 version.
-
where can i set below parameter permanently.
always_direct allow all
ssl_bump server-first allThanks in advance
-
With squid-devel pf 2.1 multi-WAN loadbalancing doesn't work. Failover works because default WAN gets switched.
More specifically, the floating rule-based setup that used to work for pfsense 2.0.x doesn't work any more. Squid only sends through default WAN, whatever that is at any point.
Marcello, can you please shed light on this? Whether this is squid-side issue or any nuance of 2.1.x?
Also, will it be possible to do loadbalancing with transparent SSL proxy?
-
Another question: does delay pooling-based traffic management work with transparent SSL proxy'ing?
- 13 days later
-
Hi everyone. I hope you all are having a good night. I'm a newbie with pfsense. For the life of me, I can't even the the squid3 dev package to work at all. It won't work in transparent mode or anything, but the non dev squid3 works like a champ. Any thoughts on where to start to looking?
I'm currently running
pfsense 2.1.2
(works)squid3 3.1.20 pkg 2.0.6 works
(doesn't seem to work at all) 3.3.10 pkg 2.2.2Thanks
-
did you followed some squid posts to get it working?
check missing libs?
ipv6 enabled?
netstat -an to see if squid port is closed or listening… -
Bug at squid3-dev 3.3.10 pkg 2.2.2
http://forum.pfsense.org/index.php?topic=62256.msg407762#msg407762 -
Steps for SSL interception. In Spanish, please use translate.google.com
https://forum.pfsense.org/index.php?topic=73007.msg402349#msg402349 -
Hello!
Anyone know how to make the built-in antivirus work? c-icap keeps crashing with error signal 11 whenever I enable the AV functions. Or, is there any way to make squid not use c-icap and just use clamav, just like Dansguardian?
Thanks!
-
Hello!
Anyone know how to make the built-in antivirus work? c-icap keeps crashing with error signal 11 whenever I enable the AV functions. Or, is there any way to make squid not use c-icap and just use clamav, just like Dansguardian?
Thanks!
You can try old havp or test your squid in i386 pfsense version.
-
i tried installing squid 3.3.10 dev in 2.1.3v i386
no issues found yet
squid starts after configuration.
looks like the missing lib before where now incorporated in the new version