Problem with site with squid -3 development



  • Dear all,

    I am using squid-3 develop and squidguard, which are working OK, but when I try to open www.huda.gov.in, which is a government site, it sends an SSL error on port 443. My certificate is self-signed; I am sure it is the root of the problem.

    I want to have this site bypass squid, please help me do it.

    Regards.



  • BTW. have you enabled HTTPS/SSL interception?

    I'm no expert on this subject and tried this option only once, with self signed certificates.
    If your certificate isn't up to snuff most browsers won't allow access to many https sites.
    Certificates are validated and most browsers won't like the man in the middle self signed certificate when detected.

    So basically caching the https site won't do you any good because the browser won't let you go there and the squid proxy will have nothing to cache to begin with.

    Have you tried visiting the site with this option disabled?



  • Thanks for the info,

    If I disable https/ssl interception it will probably work, but then my users who are on the block list for facebook and https sites will go through, and that is not desirable.



  • Maybe a "proxy.pac" file or "wpad.dat" would be an option. (Create one in the usr/local/www folder and make a symlink for the other.)
    There are topics on how to serve this pac-file via an extra http-service on port 80 in combination with DHCP and have the pfsense GUI run on https.

    How successful it will be depends on how you roll out DHCP (additional option 252, text, location of proxy.pac) and whether users are allowed to change their internet settings regarding proxy settings.
    You filter https or facebook requests to be redirected to a "denied page".

    Example "proxy.pac"

    function FindProxyForURL(url, host) {
        url = url.toLowerCase();
        host = host.toLowerCase();
        var isHttp = (url.substring(0, 5) == "http:");
        var isHttps = (url.substring(0, 6) == "https:");

        // Resolve once; every isInNet() check below reuses the same address.
        var ip = dnsResolve(host);

        // If the requested website is hosted within the internal network, send direct.
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.home") ||
            shExpMatch(host, "*.local") ||
            isInNet(ip, "10.0.0.0", "255.0.0.0") ||
            isInNet(ip, "172.16.0.0", "255.240.0.0") ||
            isInNet(ip, "192.168.0.0", "255.255.0.0") ||
            isInNet(ip, "127.0.0.0", "255.255.255.0")) {
            return "DIRECT";
        }

        // Forward non-http(s) and some hosts to forward proxy (or DIRECT (or access denied page?))
        if ((!isHttp && !isHttps) // Skip all non http(s)
            || dnsDomainIs(host, "microsoft.com")
            || dnsDomainIs(host, "windowsupdate.com")
            || dnsDomainIs(host, "eset.com")
            || dnsDomainIs(host, "mcafee.com") // McAfee
            || dnsDomainIs(host, "siteadvisor.com") // McAfee
            || dnsDomainIs(host, "hackerwatch.com") // McAfee
            || dnsDomainIs(host, "hackerwatch.org") // McAfee
            || dnsDomainIs(host, "avg.com")
            || dnsDomainIs(host, "grisoft.cz")
            || dnsDomainIs(host, "avgfree.com")
            || dnsDomainIs(host, "avg.cz")
            || dnsDomainIs(host, "symantecliveupdate.com")
            || dnsDomainIs(host, "thawte.com")) {
            return "DIRECT";
        }

        // Skip HTTPS (or return access denied page?)
        if (isHttps) {
            return "DIRECT";
        }

        // Otherwise, go through our proxy or if it fails, through bypass
        return "PROXY 192.168.0.1:3128; DIRECT";
    }


    Or you could try a squidguard filter with a redirect page, maybe add a "proxy-list" and "VPN-service-list" to the block list there so users won't be able to use or search for anonymous proxies or VPNs to circumvent the restrictions.
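Before rolling a PAC file out via DHCP option 252 it is worth checking offline which URLs will actually reach the proxy, because every host that gets "DIRECT" is also invisible to squid and squidguard. The harness below is an added example, not code from the thread above or from pfSense or squid: it re-implements the standard PAC helper functions (isPlainHostName, shExpMatch, dnsDomainIs, isInNet, dnsResolve) the way browsers define them, compiles a PAC script against them, and tabulates decisions for a constructed set of URLs. The PAC text, the DNS table, the host names and addresses, and the function names loadPac and decide are all constructed for this example.

```javascript
'use strict';
// Added example: offline PAC evaluator. The helpers below follow the standard
// PAC helper semantics; the DNS table is constructed sample data only.

// Constructed name->address table standing in for real DNS (documentation IPs).
const fakeDns = {
  'intranet': '10.1.2.3',
  'printer.local': '192.168.5.9',
  'www.example.com': '203.0.113.10',
  'update.microsoft.com': '203.0.113.20',
  'notmicrosoft.com': '203.0.113.30',
};

function isPlainHostName(host) { return host.indexOf('.') === -1; }

// Browsers implement dnsDomainIs as a plain suffix test, so "microsoft.com"
// also matches "notmicrosoft.com". Passing ".microsoft.com" anchors the match
// on a label boundary (and then no longer matches the bare apex name).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// Shell-style glob: '*' matches any run of characters, '?' exactly one.
function shExpMatch(str, pattern) {
  const re = '^' + pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                          .replace(/\*/g, '.*')
                          .replace(/\?/g, '.') + '$';
  return new RegExp(re).test(str);
}

// Dotted-quad to unsigned 32-bit integer; null for anything malformed or
// for the null that dnsResolve returns when a name does not resolve.
function ipToInt(ip) {
  if (typeof ip !== 'string') return null;
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !(p >= 0 && p <= 255))) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function isInNet(ip, net, mask) {
  const a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

function dnsResolve(host) { return fakeDns[host] || null; }

// Compile PAC text with only the helper names bound, mirroring the scope a
// browser gives the script, and return its FindProxyForURL function.
function loadPac(pacSource) {
  const names = ['isPlainHostName', 'dnsDomainIs', 'shExpMatch', 'isInNet', 'dnsResolve'];
  const impls = [isPlainHostName, dnsDomainIs, shExpMatch, isInNet, dnsResolve];
  const factory = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  return factory(...impls);
}

// Constructed PAC with the same rule shape as the one in the post above.
const samplePac = `
function FindProxyForURL(url, host) {
  url = url.toLowerCase();
  host = host.toLowerCase();
  var isHttps = (url.substring(0, 6) == "https:");
  var ip = dnsResolve(host);
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(ip, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  if (dnsDomainIs(host, "microsoft.com")) { return "DIRECT"; }
  if (isHttps) { return "DIRECT"; }
  return "PROXY 192.168.0.1:3128; DIRECT";
}`;

const findProxy = loadPac(samplePac);

// Derive the host the way a browser does, then ask the PAC for a decision.
function decide(url) {
  return findProxy(url, new URL(url).hostname);
}

const sampleUrls = [
  'http://intranet/',
  'http://printer.local/',
  'http://www.example.com/',
  'https://www.example.com/',
  'http://update.microsoft.com/',
  'http://notmicrosoft.com/',
  'http://unresolved.example/',
];
for (const u of sampleUrls) console.log(u.padEnd(32), '->', decide(u));
```

Two things the table makes visible that are easy to miss when reading the PAC: every https URL and every unanchored dnsDomainIs match bypasses the proxy entirely, so a suffix such as "microsoft.com" also lets "notmicrosoft.com" past squidguard, and names that fail to resolve are not treated as internal (isInNet with a null address is false), so they fall through to the proxy.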

