SquidGuard + SSL certificate for error page served over HTTPS
-
I have pfSense 2.0.3 installed, with squid3 3.1.20 pkg 2.0.6 and squidGuard 1.4_4 pkg v.1.9.5 installed. I also have a DynDNS domain (domain.org) with an appropriate SSL certificate, and have a split-DNS setup so internal requests to domain.org get directed to the internal pfSense address (192.168.0.1). All of it is working perfectly, except the squidGuard error page when accessing a forbidden website shows the internal address in the URL, not the domain.org address. Since the SSL certificate is keyed off the domain name, having 192.168.0.1 in the URL generates a browser SSL warning. Not a major problem, but I don't want my users to deal with an invalid SSL certificate, and I definitely don't want to muck about with installing a new certificate authority on all of their machines.
To be sure, the following URL generates an SSL warning, a red 'x' over the lock icon in chrome (because the IP address doesn't match the FQDN on the certificate):
https://192.168.0.1/sgerror.php?url=403%20&a=192.168.0.254&n=workstation.home&i=&s=default&t=blk_blacklists_porn&u=http://hustler.com/
If I rewrite the URL in my browser, exchanging 192.168.0.1 for domain.org, I get the same result except this time there's no SSL warning (a green lock icon in chrome):
https://domain.org/sgerror.php?url=403%20&a=192.168.0.254&n=workstation.home&i=&s=default&t=blk_blacklists_porn&u=http://hustler.com/
I've tried many combinations to get this working, to no avail. I think the most straightforward thing would be to edit squidGuard.conf directly, and change this:
acl {
  default {
    pass !in-addr !blk_blacklists_ads !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_mail blk_blacklists_redirector all
    redirect http://192.168.0.1/sgerror.php?url=blank&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    rewrite safesearch
    log block.log
  }
}
To this:
acl {
  default {
    pass !in-addr !blk_blacklists_ads !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_mail blk_blacklists_redirector all
    redirect https://domain.org/sgerror.php?url=blank&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    rewrite safesearch
    log block.log
  }
}
But when I press "Apply" in the squidGuard configuration this appears to be overwritten, and I can't seem to figure out how to reload squidGuard with the new information. If I try to set an external error page with https://domain.org/sgerror.php?url=blank&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u as the URL, it seems to work, but I get a blank page with nothing telling the user what happened. Whatever else I set, it gives either the 192.168.0.1 address anyway, or generates a squid error (92, Protocol Error, saying squid was unable to negotiate a secure page).
-
Hi,
If you modify anything in the .conf files, it will be overwritten.
You need to change this in the following two files: /usr/local/pkg/squidguard.inc and /usr/local/pkg/squidguard_configuration.inc
Further, I had some problems in the past getting the sgerror.php page displayed correctly when I had the pfSense webGUI running on HTTPS.
So probably the best approach would be to first change the .inc file and/or then try without the pfSense webGUI on HTTPS, reverting, for testing, back to HTTP.
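The change the question proposes (pointing squidGuard's redirect at https://domain.org instead of http://192.168.0.1 so the browser sees a hostname that matches the certificate) can be applied and checked mechanically. The following is an added example, not code from the pfSense package or from either poster: it scans a squidGuard.conf fragment for redirect lines, reports any target a browser would reject (plain http, an IP literal, or a hostname not on the certificate), and rewrites them to the FQDN while keeping the sgerror.php path and its %a/%n/%i/%s/%t/%u placeholders. The sample configuration is constructed from the acl block in the question; the certificate name set and the function names are assumptions for the example.

```python
"""Check and rewrite squidGuard redirect targets so the block page is served
from the FQDN on the SSL certificate rather than the LAN IP.

Added example; not part of the pfSense squidGuard package or the forum posts.
"""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a trimmed copy of the generated acl block from the
# question, with the redirect still pointing at the internal address.
SAMPLE_CONF = """acl {
  default {
    pass !in-addr !blk_blacklists_porn all
    redirect http://192.168.0.1/sgerror.php?url=blank&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    rewrite safesearch
    log block.log
  }
}
"""

# Matches a "redirect <url>" directive at the start of a line (leading
# whitespace kept in group 1 so the rewrite preserves indentation).
REDIRECT_RE = re.compile(r"^([ \t]*redirect[ \t]+)(\S+)", re.MULTILINE)


def is_ip_literal(host):
    """True for 192.168.0.1-style (or IPv6) hosts, which never match a cert name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def redirect_problems(conf, cert_names):
    """Return (url, reason) pairs for redirect targets that would trigger a
    browser warning. cert_names is the set of DNS names on the certificate
    (an assumption for the example; in the question it is {"domain.org"})."""
    problems = []
    for match in REDIRECT_RE.finditer(conf):
        url = match.group(2)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "https":
            problems.append((url, "not https"))
        elif is_ip_literal(host):
            problems.append((url, "IP literal does not match certificate name"))
        elif host not in cert_names:
            problems.append((url, "host not on certificate"))
    return problems


def rewrite_redirects(conf, fqdn):
    """Point every redirect directive at https://<fqdn>, keeping the path and
    the query string (the %a/%n/... placeholders squidGuard fills in)."""
    def fix(match):
        parts = urlsplit(match.group(2))
        fixed = urlunsplit(("https", fqdn, parts.path, parts.query, parts.fragment))
        return match.group(1) + fixed
    return REDIRECT_RE.sub(fix, conf)


if __name__ == "__main__":
    cert = {"domain.org"}
    for url, why in redirect_problems(SAMPLE_CONF, cert):
        print(f"bad redirect target: {url} ({why})")
    print(rewrite_redirects(SAMPLE_CONF, "domain.org"))
```

Run it over the real generated file only as a check: as the answer notes, anything written to squidGuard.conf directly is regenerated on "Apply", so a permanent change has to go into the package's .inc files. The check is still useful afterwards to confirm the regenerated redirect line carries the FQDN and the https scheme.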