Need help with Squid in Explicit mode for SSL Filtering



  • I have installed Squid3-dev 3.3.10 and Squidguard-dev on pfSense 2.1.5.

    SSL Filtering works nicely in transparent mode, but I need to make it work in explicit (non-transparent) mode.

    The problem I am experiencing is that the certificate generated for SSL sites is created with "Issued to: http" instead of "Issued to: http://www.sslsite.com". It does not include the FQDN.

    I need explicit mode because I need to authenticate the users, as to filter based on users/groups.

    If this error is for 3.3.10, then which version was OK? And how do I install it without breaking the GUI?



  • When you use squid in non-transparent mode, or what I call standard mode, there is no need for a client cert at all.  Since your clients will be directed to use the proxy, there are no browser MitM warnings that a certificate solves.



  • @KOM:

    When you use squid in non-transparent mode, or what I call standard mode, there is no need for a client cert at all.  Since your clients will be directed to use the proxy, there are no browser MitM warnings that a certificate solves.

    KOM

    Can you direct me to a tutorial for Squid/Squidguard with SSL Filtering on standard mode within pfsense?

    Or maybe provide in this thread a sample configuration?



  • No tutorial required.  In pfSense, turn off Transparent mode for squid.  There, you're done.  For each client, either manually configure the proxy address, or use WPAD to help them find it automatically.
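    The WPAD step mentioned above, as an added example that is not from this thread or from pfSense: a proxy auto-config (PAC) file that sends browsers to an explicit Squid proxy. The proxy address 192.168.1.1:3128, the internal domain corp.example and the 192.168.1.0/24 LAN range are assumed values; browsers fetch the file as http://wpad.<your-domain>/wpad.dat with MIME type application/x-ns-proxy-autoconfig.

```javascript
// Added example, not from the thread: WPAD/PAC file for an explicit Squid proxy.
// Assumed values: Squid listens on 192.168.1.1:3128, internal names end in
// ".corp.example", and the LAN is 192.168.1.0/24. PAC interpreters are old
// ES3-style engines, so this file sticks to var and plain functions.

var SQUID = "PROXY 192.168.1.1:3128";
var DIRECT = "DIRECT";

// Name suffixes that should bypass the proxy (internal services Squid would
// only loop back to the firewall for).
var BYPASS_SUFFIXES = [".corp.example"];

// True for a dotted-quad literal inside the assumed 192.168.1.0/24 LAN.
// Implemented by hand so the file also runs outside a browser, where the
// PAC helper isInNet() does not exist.
function isLanAddress(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  return m[1] === "192" && m[2] === "168" && m[3] === "1";
}

// Decide whether a destination is internal and may skip the proxy.
function hostIsInternal(host) {
  host = host.toLowerCase();
  if (host === "localhost" || host === "127.0.0.1") return true;
  if (host.indexOf(".") === -1) return true; // plain name such as "intranet"
  for (var i = 0; i < BYPASS_SUFFIXES.length; i++) {
    var s = BYPASS_SUFFIXES[i];
    if (host.length > s.length && host.slice(-s.length) === s) return true;
  }
  return isLanAddress(host);
}

// Entry point every PAC-capable browser calls for each request.
function FindProxyForURL(url, host) {
  if (hostIsInternal(host)) return DIRECT;
  var lower = url.toLowerCase();
  // HTTP and HTTPS both go to Squid. An HTTPS request reaches Squid as a
  // CONNECT to host:443, which is what lets per-user ACLs see the destination
  // name without touching the TLS session itself.
  if (lower.indexOf("http://") === 0 || lower.indexOf("https://") === 0) {
    // Deliberately no "; DIRECT" fallback: with one, clients would silently
    // bypass filtering and authentication whenever Squid is unreachable.
    return SQUID;
  }
  // Other schemes (ftp:// etc.) are not proxied here.
  return DIRECT;
}
```

Note the absence of a `DIRECT` fallback after the proxy entry: a PAC that returns `"PROXY ...; DIRECT"` is convenient for availability, but in a filtering deployment it means any outage of Squid turns into an unfiltered, unauthenticated path to the Internet.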



  • @KOM:

    No tutorial required.  In pfSense, turn off Transparent mode for squid.  There, you're done.  For each client, either manually configure the proxy address, or use WPAD to help them find it automatically.

    I turned off transparent mode already. I used WPAD as well to set up the browsers. But the browsers receive a certificate from Squid, as I said in my initial post of this thread (Issued to incomplete).



    With Squid running in standard explicit (not transparent) mode, there is no such certificate at proxy level because encryption is done between web server and client.
    Explicit proxy is required in order to apply some profiling "per user" or "per group".

    However, due to the nature of HTTPS, this profiling can only be used to authorize or deny HTTPS-based URLs. It will not permit looking at HTTPS content (and therefore applying antivirus or content filtering at proxy level).

    In case you do want to implement such control, which is BTW different from profiling as explained above, then the only way to achieve it is to break the end-to-end encryption with MITM, meaning a certificate generated at proxy level  :o . Weird, but it works. I have to say that I've never deployed MITM in prod (and hope I will never have to  :-[) and can't really help on any error based on this.
    My point is more to highlight the difference between profiling aspects and potential content filtering for HTTPS flows.

    Focusing on MITM, I don't understand your point / problem.
    Is it an issue due to the certificate being generated by a non-trusted CA (e.g. self-signed certificate), or an issue due to missing information that is preventing MITM from working?



    I think the squid3-dev 3.3.10 has a bug for MITM in standard mode.

    I have attached some pictures to my configuration and the outcome.

    Pictures 1 to 4 are my Squid configuration.
    Picture 5 is the certificate generated by Squid and received by the browser when it is an SSL-blocked site.
    Picture 6 is the browser error for the SSL-blocked site.
    Picture 7 is the certificate generated by Squid and received by the browser when it is an SSL-permitted site.

    When I say blocked, I mean that it is configured in Squidguard to be blocked (!blk_BL_socialnet).



  • Turn off the HTTPS/SSL Interception.



  • @KOM:

    Turn off the HTTPS/SSL Interception.

    Turned it off, and then I get another error.
    I tried with the custom ACLs removed and it gets the same error.




  • First, reboot.  It's amazing how many squid glitches I've fixed by a reboot.  Sometimes I need to reboot the client too.  Second, log in to shell and check /var/squid/logs/cache.log.  Also, check the System log.



    I would like to revive this thread, since at this moment there is a new pfSense version with a new Squid version.

    Is it still a problem redirecting HTTPS blocked pages, or is there now a workaround?

    I feel that it is awkward that transparent mode works and standard mode does not work.



  • I haven't tried squid under 2.3 yet so I don't have anything to say about it.



  • Hi,

    Getting the cert error that a cert is issued to "http" seems to me to be related to a Squidguard target category or a blacklist which contains "unallowed" characters.
    I have no problems with the "shallalist.de" blacklist. So I would suggest, to determine which target category is leading to this problem, disabling them all, clicking first "Save" and then "Apply" on the Squidguard General page, and trying again. If it is working, then try to add target categories one after another with the same steps until it stops working.

    Then, once you have identified the target category causing the problem, try to find the problematic characters or symbols and, with this information, open a bug report on reminde.pfsense.org.
    I have not found the causing characters until now.

    Regards.