    SquidGuard + SSL certificate for error page served over HTTPS

    pfSense Packages
ectospasm:

      I have pfSense 2.0.3 installed, with squid3 3.1.20 pkg 2.0.6 and squidGuard 1.4_4 pkg v.1.9.5 installed.  I also have a DynDNS domain (domain.org) with an appropriate SSL certificate, and have a split-DNS setup so internal requests to domain.org get directed to the internal pfSense address (192.168.0.1).  All of it is working perfectly, except the squidGuard error page when accessing a forbidden website shows the internal address in the URL, not the domain.org address.  Since the SSL certificate is keyed off the domain name, having 192.168.0.1 in the URL generates a browser SSL warning.  Not a major problem, but I don't want my users to deal with an invalid SSL certificate, and I definitely don't want to muck about with installing a new certificate authority on all of their machines.

To be sure, the following URL generates an SSL warning, a red 'x' over the lock icon in Chrome (because the IP address doesn't match the FQDN on the certificate):

      https://192.168.0.1/sgerror.php?url=403%20&a=192.168.0.254&n=workstation.home&i=&s=default&t=blk_blacklists_porn&u=http://hustler.com/
      

If I rewrite the URL in my browser, exchanging 192.168.0.1 for domain.org, I get the same result except this time there's no SSL warning (a green lock icon in Chrome):

      https://domain.org/sgerror.php?url=403%20&a=192.168.0.254&n=workstation.home&i=&s=default&t=blk_blacklists_porn&u=http://hustler.com/
      

      I've tried many combinations to get this working, to no avail.  I think the most straightforward thing would be to edit squidGuard.conf directly, and change this:

      acl  {
      	# 
      	default  {
      		pass !in-addr !blk_blacklists_ads !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_mail blk_blacklists_redirector all
      		redirect http://192.168.0.1/sgerror.php?url=blank&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
      		rewrite safesearch
      		log block.log
      	}
      }
      

      To this:

      acl  {
      	# 
      	default  {
      		pass !in-addr !blk_blacklists_ads !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_mail blk_blacklists_redirector all
      		redirect https://domain.org/sgerror.php?url=blank&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
      		rewrite safesearch
      		log block.log
      	}
      }
      

      But when I press "Apply" in the squidGuard configuration this appears to be overwritten, and I can't seem to figure out how to reload squidGuard with the new information.  If I try to set an external error page with https://domain.org/sgerror.php?url=blank&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u as the URL, it seems to work, but I get a blank page with nothing telling the user what happened.  Whatever else I set, it gives either the 192.168.0.1 address anyway, or generates a squid error (92, Protocol Error, saying squid was unable to negotiate a secure page).

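The root of the warning described above is that the `redirect` target is an IP literal, which a certificate issued for a DNS name never covers. The following script is an added example (not code from the post, pfSense or squidGuard) that audits every `redirect` directive in a squidGuard.conf text and classifies its target against the names the webGUI certificate is valid for. The config fragment and the certificate names (`CERT_NAMES`) are constructed for the example; an IP-literal target is flagged even for `http://`, because the post shows the `http://192.168.0.1` redirect ending up served as `https://192.168.0.1`.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample squidGuard.conf fragment, modelled on the one quoted in the post.
SAMPLE_CONF = """\
acl {
	default {
		pass !in-addr !blk_blacklists_porn all
		redirect http://192.168.0.1/sgerror.php?url=blank&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
		rewrite safesearch
		log block.log
	}
	kids {
		redirect 302:https://domain.org/sgerror.php?url=blank&a=%a&u=%u
	}
	guests {
		redirect https://proxy.example.net/blocked.html
	}
}
"""

# Hypothetical set of names the webGUI certificate is valid for (CN plus SANs).
CERT_NAMES = ["domain.org", "*.domain.org"]

# squidGuard accepts an optional "30x:" status prefix in front of the redirect URL.
REDIRECT_RE = re.compile(r"^\s*redirect\s+(?:30[1-7]:)?(\S+)", re.MULTILINE)


def redirect_urls(conf_text):
    """Return the URL of every `redirect` directive in a squidGuard.conf text."""
    return REDIRECT_RE.findall(conf_text)


def is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(host, cert_names):
    """Match a DNS name against certificate names; '*' covers exactly one left-most label."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]                      # "*.domain.org" -> ".domain.org"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == name:
            return True
    return False


def classify_redirect(url, cert_names):
    """Return one of: 'ip-literal', 'ok', 'mismatch', 'http'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if is_ip_literal(host):
        # A name-only certificate never matches an IP in the URL, so the browser warns.
        # Flagged for http:// too: the post shows that redirect being served as https://.
        return "ip-literal"
    if parts.scheme != "https":
        return "http"          # no TLS on the error page, so no certificate check at all
    return "ok" if name_matches(host, cert_names) else "mismatch"


def audit_conf(conf_text, cert_names):
    """Classify every redirect in the config; returns [(url, status), ...]."""
    return [(url, classify_redirect(url, cert_names)) for url in redirect_urls(conf_text)]


if __name__ == "__main__":
    for url, status in audit_conf(SAMPLE_CONF, CERT_NAMES):
        print(f"{status:10s} {url}")
```

Run it against the generated `/usr/local/etc/squid/squidGuard.conf` (or whatever path your install writes) after pressing "Apply": any `ip-literal` or `mismatch` line is a redirect that will produce exactly the browser warning shown in the post, whatever the GUI form fields say.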
Nachtfalke:

        Hi,

        if you modify anything on .conf files it will be overwritten.
        You need to change this in the following two files:

        /usr/local/pkg/squidguard.inc
        /usr/local/pkg/squidguard_configuration.inc
        

        Further I had some problems in the past to get the sgerror.php page displayed correctly if I have the pfsense webGUI running on https.
So probably best would be to first change the .inc file and/or then try without pfSense webGUI on HTTPS but revert - for testing - back to http.
