PfSense, Squid, and HTTPS

unmode · Aug 14, 2013, 11:16 AM

Hi all,

I'm sure this is a noob question, so please bear with.

I've installed pfSense with Squid and pointed it to an upstream proxy cache.

LAN > pfSense > Upstream Proxy > Internet

I've also enabled transparent proxy.

HTTP traffic works fine, I can access websites as normal, but I'm having a problem with HTTPS sites.

HTTPS can't be transparently proxied, of course, but even if I configure the browser manually with the proxy server details I can't access HTTPS sites.

I've also tried by disabling transparent proxy, which doesn't work either.

HTTPS works fine if I remove pfSense from the equation.

Basically I need a way to get HTTPS traffic through pfSense.

Can anyone help?

Thanks in advance.

unmode · Aug 16, 2013, 7:20 AM

Nobody?

doktornotor · Aug 16, 2013, 8:04 AM

http://forum.pfsense.org/index.php/topic,62256.0.html

stephenw10 · Aug 16, 2013, 9:57 AM

Odd because usually HTTPS traffic simply bypasses Squid unless you block it deliberately.

Steve

kejianshi · Aug 16, 2013, 11:08 AM

HTTPS is being blocked in rules somewhere either deliberately or not. There is probably a block rule somewhere or a NAT rule that forwards to nowhere. I've seen rules like that set up in attempt to filter HTTPS. Maybe you copied one of their rules in an example somewhere not realizing it.

unmode · Aug 19, 2013, 7:36 AM

Thanks for the advice. Can you recommend how an HTTPS rule would ideally be set up?

kejianshi · Aug 19, 2013, 7:45 AM

I have no idea personally. The idea that someone could successfully proxy (not socks5 proxy) HTTPS sounds alot like Man-In-The-Middle stuff too me. Basically, by default squid doesn't touch HTTPS. Just HTTP.

I suggest you go through your NAT and Firewall rules and look for any reference to port 443/HTTPS that shouldn't be there.

doktornotor · Aug 19, 2013, 7:50 AM

@unmode:

Thanks for the advice. Can you recommend how an HTTPS rule would ideally be set up?

Please, read the entire thread already referenced once above: http://forum.pfsense.org/index.php/topic,62256.0.html (And I'd personally just recommend to NOT do this at all.)

unmode · Aug 19, 2013, 10:08 AM

Thanks. In theory though you could just pass the HTTPS traffic through the firewall rather than proxying it.

Thanks for the continuing replies doktornotor, but as stated in my original post I'm not trying to proxy HTTPS traffic, just let it pass through the firewall.

kejianshi · Aug 19, 2013, 2:20 PM

I suggest you go through your NAT and Firewall rules and look for any reference to port 443/HTTPS that shouldn't be there.