Netgate Discussion Forum

PfSense, Squid, and HTTPS

10 Posts 4 Posters 4.4k Views
  • U
    unmode
    last edited by Aug 14, 2013, 11:16 AM

    Hi all,

    I'm sure this is a noob question, so please bear with.

    I've installed pfSense with Squid and pointed it to an upstream proxy cache.

    LAN > pfSense > Upstream Proxy > Internet

    I've also enabled transparent proxy.

    HTTP traffic works fine, I can access websites as normal, but I'm having a problem with HTTPS sites.

    HTTPS can't be transparently proxied, of course, but even if I configure the browser manually with the proxy server details I can't access HTTPS sites.

    I've also tried by disabling transparent proxy, which doesn't work either.

    HTTPS works fine if I remove pfSense from the equation.

    Basically I need a way to get HTTPS traffic through pfSense.

    Can anyone help?

    Thanks in advance.

    • U
      unmode
      last edited by Aug 16, 2013, 7:20 AM

      Nobody?

      • D
        doktornotor Banned
        last edited by Aug 16, 2013, 8:04 AM

        http://forum.pfsense.org/index.php/topic,62256.0.html

        • S
          stephenw10 Netgate Administrator
          last edited by Aug 16, 2013, 9:57 AM

          Odd because usually HTTPS traffic simply bypasses Squid unless you block it deliberately.

          Steve

          • K
            kejianshi
            last edited by Aug 16, 2013, 11:08 AM

            HTTPS is being blocked in rules somewhere, either deliberately or not. There is probably a block rule somewhere or a NAT rule that forwards to nowhere. I've seen rules like that set up in an attempt to filter HTTPS. Maybe you copied one of their rules from an example somewhere without realizing it.

            • U
              unmode
              last edited by Aug 19, 2013, 7:36 AM

              Thanks for the advice. Can you recommend how an HTTPS rule would ideally be set up?

              • K
                kejianshi
                last edited by Aug 19, 2013, 7:45 AM

                I have no idea personally. The idea that someone could successfully proxy (not SOCKS5 proxy) HTTPS sounds a lot like Man-in-the-Middle stuff to me. Basically, by default Squid doesn't touch HTTPS, just HTTP.

                I suggest you go through your NAT and Firewall rules and look for any reference to port 443/HTTPS that shouldn't be there.

                • D
                  doktornotor Banned
                  last edited by Aug 19, 2013, 7:50 AM

                  @unmode:

                  Thanks for the advice. Can you recommend how an HTTPS rule would ideally be set up?

                  Please, read the entire thread already referenced once above: http://forum.pfsense.org/index.php/topic,62256.0.html (And I'd personally just recommend to NOT do this at all.)

                  • U
                    unmode
                    last edited by Aug 19, 2013, 10:08 AM

                    Thanks. In theory though you could just pass the HTTPS traffic through the firewall rather than proxying it.

                    Thanks for the continuing replies doktornotor, but as stated in my original post I'm not trying to proxy HTTPS traffic, just let it pass through the firewall.

                    • K
                      kejianshi
                      last edited by Aug 19, 2013, 2:20 PM

                      I suggest you go through your NAT and Firewall rules and look for any reference to port 443/HTTPS that shouldn't be there.

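The check kejianshi suggests (look through NAT and firewall rules for anything touching port 443) can be done against the pf rule dump rather than by clicking through the GUI. The script below is an added example, not from the thread or from pfSense; on a pfSense box the input would be the concatenated output of `pfctl -sn` (NAT) and `pfctl -sr` (filter), but here SAMPLE_RULES is a constructed dump so it runs offline.

```shell
#!/bin/sh
# Audit a pf rule dump for rules that touch TCP 443 and flag the two
# patterns from the thread: a redirect (rdr) of 443 into the local Squid,
# which only speaks plain HTTP and so breaks TLS, and an outright block.
# SAMPLE_RULES is constructed for this example, not taken from a real box.

SAMPLE_RULES='rdr on em1 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 3128
rdr on em1 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 3128
block drop in quick on em1 inet proto tcp from any to any port = 443
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any port = 443 flags S/SA keep state
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state'

# Print every rule that references port 443. pf may print the port as the
# number 443 or as the service name https depending on output mode, so
# match both spellings.
https_rules() {
    printf '%s\n' "$1" | grep -E 'port = (443|https)'
}

# Classify each 443 rule. A pass rule is what a correctly configured box
# should show; rdr and block rules are the ones to review.
audit_https_rules() {
    https_rules "$1" | while IFS= read -r rule; do
        case "$rule" in
            rdr*)   printf 'SUSPECT redirect: %s\n' "$rule" ;;
            block*) printf 'SUSPECT block: %s\n' "$rule" ;;
            pass*)  printf 'ok pass: %s\n' "$rule" ;;
            *)      printf 'review: %s\n' "$rule" ;;
        esac
    done
}

# Number of suspect rules; non-zero means the ruleset is intercepting or
# dropping HTTPS instead of passing it through the firewall.
count_suspect() {
    audit_https_rules "$1" | grep -c '^SUSPECT'
}
```

On a real pfSense install, replace SAMPLE_RULES with `$(pfctl -sn; pfctl -sr)` and read the SUSPECT lines; the sample dump above yields two.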