Strange Client Behaviour
-
Hi,
I have a pfSense server with transparent proxy and captive portal enabled. The server is called pfSense.lan.
I created a DNS Host Override entry for internet.lan and pointed it towards our upstream proxy.
With different OS's I get different behavior.
On each of the devices I have manually entered the upstream proxy settings so they should be ignoring the local proxy.
Windows - Everything works fine
I access the captive portal fine using pfsense.lan:8000
HTTP works fine
HTTPS works fine
iOS
I access the captive portal fine using pfsense.lan:8000
HTTP works fine
HTTPS doesn't work – If I enter the IP of the upstream proxy rather than internet.lan HTTPS does work.
Android
I can't access the captive portal using pfsense.lan:8000 but can using the IP
HTTP works fine
HTTPS works fine
To me it looks as though iOS isn't resolving the proxy address but is resolving the pfsense.lan address, and it is using the local transparent proxy rather than redirecting through the firewall to the upstream proxy cache.
Android is getting through to the upstream proxy fine but isn't resolving the pfsense.lan name locally - the opposite to iOS.
Can anyone point me in the right direction?
Thanks in advance for any help.
-
Please, do NOT multipost.
-
Apologies, I tried to delete the previous one to move it to a more relevant forum but you don't allow it.
-
My personal opinion - You are shooting yourself in the foot.
Squid does a lot, but it doesn't and shouldn't handle HTTPS very well. I suggest you make yourself a SOCKS5 proxy if location shifting is what you are after and are determined to use a proxy.
Then you can enter the proxy settings into all of your devices. Better than that even, get yourself a VPN. It will handle HTTP and HTTPS with ZERO problems.
SQUID is more or less for people who want to cache HTTP data that might get lots of hits to save on bandwidth or to serve up frequently hit pages faster.
-
Thanks for your reply. All I am really trying to do is create a DNS entry for our upstream proxy so if the IP changes in the future we just have to edit our DNS entry rather than manually change the proxy settings on the clients.
-
1/ Squid HTTPS support is a work in progress with huge thread in the proper section.
2/ Captive portals are broken by design. Internet != web. They can work, or work partially, or not work at all, depending on the client OS.
3/ OS specific stuff
Android: Will not use the DHCP-assigned DNS at all, or will only use DHCP-assigned DNS without being able to set one manually, or anything in between, depending on what type of connectivity we are talking about, on the OS version, and on whether the vendor patched it or not. Also see Set DNS on Google Play.
iOS: As you've noted, broken for HTTPS. Get to Apple support/Apple forums.
-
"All I am really trying to do is create a DNS entry for our upstream proxy so if the IP changes in the future we just have to edit our DNS entry rather than manually change the proxy settings on the clients."
For the ability to point clients of one type or another to some distant server with a changeable IP, consider using some sort of dynamic DNS service at the server side. In your case, the proxy server side. That's how most people handle servers with dynamic IPs.
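The thread turns on whether each client actually resolves the host-override names (internet.lan, pfsense.lan) through the pfSense DNS forwarder, or through some other resolver the OS picked on its own. The script below is an added example written for this page, not code from any poster or from pfSense: it sends a raw A query to a resolver you name and compares the answer with what the local OS resolver returns, so you can run it from a laptop on the same LAN as the affected device. The pfSense address 192.168.1.1 is a placeholder assumption; the two hostnames come from the thread.

```python
"""Compare what a specific DNS server (e.g. the pfSense forwarder) answers for a
name with what this host's own resolver answers.  Added example for the thread
above; the resolver IP below is a placeholder, the names are from the thread."""
import random
import socket
import struct
import sys


def build_query(name: str, txid: int) -> bytes:
    """Standard recursive A query for `name`, QCLASS IN, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return offset + 2
        offset += 1 + length


def parse_answers(msg: bytes, txid: int) -> list:
    """IPv4 addresses from the answer section; [] on NXDOMAIN/SERVFAIL or no A records."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        # A reply whose ID does not match our query is not ours; never trust it.
        raise ValueError("transaction id mismatch")
    if flags & 0x000F != 0:  # RCODE != NOERROR
        return []
    offset = 12
    for _ in range(qd):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlength == 4:  # A record
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlength  # CNAMEs and anything else are skipped
    return sorted(addrs)


def resolve_via(name: str, server: str, port: int = 53, timeout: float = 2.0) -> list:
    """Ask `server` directly over UDP instead of the OS resolver."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, port))
        data, _ = s.recvfrom(512)
    return parse_answers(data, txid)


def compare(name: str, pfsense_dns: str) -> dict:
    """Host-override answer from pfSense vs. whatever this OS resolves on its own."""
    via_pfsense = resolve_via(name, pfsense_dns)
    try:
        system = sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        system = []
    return {"name": name, "pfsense": via_pfsense, "system": system,
            "match": via_pfsense == system}


if __name__ == "__main__":
    # Usage: python dns_check.py <pfsense-lan-ip> [name ...]
    dns_server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # placeholder
    for host in sys.argv[2:] or ["internet.lan", "pfsense.lan"]:
        print(compare(host, dns_server))
```

If `pfsense` carries the override address and `system` is empty or differs, the device is not using the DHCP-assigned forwarder (the Android case described above); if both agree but HTTPS still fails only by name, the problem is downstream of DNS, in how the client hands CONNECT requests to the proxy.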