SquidGuard + SSL certificate for error page served over HTTPS



  • I have pfSense 2.0.3 installed, with squid3 3.1.20 pkg 2.0.6 and squidGuard 1.4_4 pkg v.1.9.5 installed.  I also have a DynDNS domain (domain.org) with an appropriate SSL certificate, and have a split-DNS setup so internal requests to domain.org get directed to the internal pfSense address (192.168.0.1).  All of it is working perfectly, except the squidGuard error page when accessing a forbidden website shows the internal address in the URL, not the domain.org address.  Since the SSL certificate is keyed off the domain name, having 192.168.0.1 in the URL generates a browser SSL warning.  Not a major problem, but I don't want my users to deal with an invalid SSL certificate, and I definitely don't want to muck about with installing a new certificate authority on all of their machines.

    To be sure, the following URL generates an SSL warning, a red 'x' over the lock icon in Chrome (because the IP address doesn't match the FQDN on the certificate):

    https://192.168.0.1/sgerror.php?url=403%20&a=192.168.0.254&n=workstation.home&i=&s=default&t=blk_blacklists_porn&u=http://hustler.com/
    

    If I rewrite the URL in my browser, exchanging 192.168.0.1 for domain.org, I get the same result except this time there's no SSL warning (a green lock icon in Chrome):

    https://domain.org/sgerror.php?url=403%20&a=192.168.0.254&n=workstation.home&i=&s=default&t=blk_blacklists_porn&u=http://hustler.com/
    

    I've tried many combinations to get this working, to no avail.  I think the most straightforward thing would be to edit squidGuard.conf directly, and change this:

    acl  {
    	# 
    	default  {
    		pass !in-addr !blk_blacklists_ads !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_mail blk_blacklists_redirector all
    		redirect http://192.168.0.1/sgerror.php?url=blank&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    		rewrite safesearch
    		log block.log
    	}
    }
    

    To this:

    acl  {
    	# 
    	default  {
    		pass !in-addr !blk_blacklists_ads !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_mail blk_blacklists_redirector all
    		redirect https://domain.org/sgerror.php?url=blank&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    		rewrite safesearch
    		log block.log
    	}
    }
    

    But when I press "Apply" in the squidGuard configuration this appears to be overwritten, and I can't seem to figure out how to reload squidGuard with the new information.  If I try to set an external error page with https://domain.org/sgerror.php?url=blank&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u as the URL, it seems to work, but I get a blank page with nothing telling the user what happened.  Whatever else I set, it gives either the 192.168.0.1 address anyway, or generates a squid error (92, Protocol Error, saying squid was unable to negotiate a secure page).
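    As an added illustration (not code from this thread or from pfSense), a small Python checker and rewriter for the `redirect` line in the squidGuard.conf acl block quoted above: it flags a redirect host that is an IP literal or does not match the certificate's FQDN (the cause of the browser warning) and rewrites the target to https://<fqdn>/... while keeping squidGuard's %a/%n/%i/%s/%t/%u placeholders. The conf text and the name domain.org are constructed from the question; since pfSense regenerates squidGuard.conf on Apply, the check function is the reusable part.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a shortened copy of the acl block from the question,
# with the redirect still pointing at the pfSense LAN address.
SQUIDGUARD_CONF = """acl  {
	#
	default  {
		pass !in-addr !blk_blacklists_porn all
		redirect http://192.168.0.1/sgerror.php?url=blank&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
		rewrite safesearch
		log block.log
	}
}
"""

# One squidGuard "redirect <url>" line; group 2 is the URL itself.
REDIRECT_RE = re.compile(r"^([ \t]*redirect[ \t]+)(\S+)(.*)$", re.MULTILINE)


def redirect_targets(conf):
    """Return every redirect URL found in squidGuard.conf text."""
    return [m.group(2) for m in REDIRECT_RE.finditer(conf)]


def check_redirect(url, cert_name):
    """List the reasons a browser would warn on this error-page URL.
    cert_name is the FQDN on the web server's certificate (assumed input)."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is %s, error page is not served over TLS" % parts.scheme)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)  # raises ValueError if not an IP literal
        problems.append("host %s is an IP literal, certificate is for %s" % (host, cert_name))
    except ValueError:
        if host.lower() != cert_name.lower():
            problems.append("host %s does not match certificate name %s" % (host, cert_name))
    return problems


def rewrite_redirects(conf, cert_name):
    """Point every redirect at https://<cert_name>/..., preserving the path and
    the query string, whose %-placeholders squidGuard fills in at block time."""
    def fix(m):
        parts = urlsplit(m.group(2))
        new_url = "https://%s%s" % (cert_name, parts.path)
        if parts.query:
            new_url += "?" + parts.query
        return m.group(1) + new_url + m.group(3)
    return REDIRECT_RE.sub(fix, conf)
```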



  • Hi,

    If you modify anything in the .conf files, it will be overwritten.
    You need to change this in the following two files:

    /usr/local/pkg/squidguard.inc
    /usr/local/pkg/squidguard_configuration.inc
    

    Further, I had some problems in the past getting the sgerror.php page displayed correctly when I had the pfSense webGUI running on HTTPS.
    So probably the best thing would be to first change the .inc files, and/or then try without the pfSense webGUI on HTTPS, i.e. revert, for testing, back to HTTP.