Explicit Proxy won't forward ssl



  • I have an explicit (non-transparent) proxy on my LAN side. The proxy forwards its traffic through an upstream proxy (squid cache_peer).

    Client --> squid3/pfsense --> upstream cache --> internet

    This setting works fine for http.
    Unfortunately, it doesn't work for https.

    HTTPS can't connect through the pfsense proxy.

    Here's my config:

    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl home_network src 192.168.1.0/24
    acl guest_network src 192.168.0.0/24

    #Ports allowed through Squid
    acl Safe_ports port 80 #http
    acl Safe_ports port 443 #https
    acl SSL_ports port 443
    acl SSL method CONNECT
    acl CONNECT method CONNECT

    #allow/deny
    http_access allow localhost
    http_access allow home_network
    http_access allow guest_network
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny all

    #proxy ports
    http_port {proxy_server_IP}:3128

    Does anyone see what's going wrong here?

    Cu
    Ben



  • Just for the record: To make sure your pfsense squid proxy will also use the upstream proxy for SSL connections, you need to add the following line to your configuration:

    always_direct deny all
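
A check for the behaviour discussed in this thread, as an added example that is not part of the original posts: it reads Squid's native access.log and lists CONNECT requests that were sent direct instead of to the parent peer. The log lines are constructed, and the field layout and hierarchy codes assume Squid's default log format.

```python
from collections import namedtuple

# Constructed sample lines in Squid's native access.log layout
# (addresses are from documentation ranges, not from the thread).
SAMPLE_LOG = """\
1700000000.101    210 192.168.1.20 TCP_MISS/200 5120 GET http://example.com/ - FIRSTUP_PARENT/192.0.2.10 text/html
1700000001.202  30005 192.168.1.20 TCP_MISS/503 0 CONNECT example.com:443 - HIER_DIRECT/203.0.113.7 -
1700000002.303    950 192.168.0.31 TCP_MISS/200 8841 CONNECT example.org:443 - FIRSTUP_PARENT/192.0.2.10 -
1700000003.404     12 192.168.1.22 TCP_DENIED/403 3900 CONNECT example.net:8443 - HIER_NONE/- text/html
"""

Entry = namedtuple("Entry", "client result method target hierarchy peer")


def parse_line(line):
    """Split one native-format line; return None if it is too short."""
    fields = line.split()
    if len(fields) < 10:
        return None
    # Field 9 is "<hierarchy code>/<peer or origin address>".
    hierarchy, _, peer = fields[8].partition("/")
    return Entry(fields[2], fields[3], fields[5], fields[6], hierarchy, peer)


def classify(entry):
    """Heuristic on the hierarchy code: 'direct', 'parent' or 'none'."""
    code = entry.hierarchy
    if code.endswith("DIRECT"):   # DIRECT (older) or HIER_DIRECT (newer)
        return "direct"
    if "PARENT" in code:          # e.g. FIRSTUP_PARENT, DEFAULT_PARENT
        return "parent"
    return "none"                 # e.g. HIER_NONE: denied, nothing forwarded


def direct_connects(log_text):
    """Return CONNECT entries that bypassed the upstream proxy."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry.method == "CONNECT" and classify(entry) == "direct":
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in direct_connects(SAMPLE_LOG):
        print(f"{e.client} -> {e.target} went direct via {e.peer} ({e.result})")
```

An empty result on a real log after the configuration change means every logged HTTPS tunnel was handed to the upstream proxy.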

