[SOLVED]SquidGuard with HTTPS

  • Hello,

    Iam currently trying to set up a squid proxy with filter on PFSENSE. My objective is too allow access only to some URLs, for example google.fr.

    With my configuration i can execute "wget google.fr" without any problem, but if i try to get this same url in https (https://google.fr), I get "Gateway Time Out: Unable to establish SSL connection" from my proxy.
    In SquidGuard ACL, if I allow "all" I will be able to get my URL in https.

    I have no idea of what to do now, below my configuration for squid server and squid filter.

    # Do not edit manually !
    http_port transparent
    icp_port 0
    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_directory /usr/pbi/squid-amd64/etc/squid/errors/English
    icon_directory /usr/pbi/squid-amd64/etc/squid/icons
    visible_hostname localhost
    cache_mgr admin@localhost
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    logfile_rotate 0
    shutdown_lifetime 3 seconds
    # Allow local network(s) on interface(s)
    acl localnet src
    uri_whitespace strip
    cache_mem 8 MB
    maximum_object_size_in_memory 32 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir ufs /var/squid/cache 100 16 256
    minimum_object_size 0 KB
    maximum_object_size 10 KB
    offline_mode off
    # No redirector configured
    # Setup some default acls
    acl all src
    acl localhost src
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535 
    acl sslports port 443 563  443
    acl manager proto cache_object
    acl purge method PURGE
    acl connect method CONNECT
    acl dynamic urlpath_regex cgi-bin ?
    acl allowed_subnets src 
    cache deny dynamic
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports
    # Always allow localhost connections
    http_access allow localhost
    request_body_max_size 0 KB
    reply_body_max_size 0 deny all
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow all
    # Custom options
    url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf
    url_rewrite_bypass off
    url_rewrite_children 16 startup=8 idle=4 concurrency=0
    # Setup allowed acls
    # Allow local network(s) on interface(s)
    http_access allow allowed_subnets
    http_access allow localnet
    # Default block all to be sure
    http_access deny all
    # ============================================================
    # SquidGuard configuration file
    # This file generated automaticly with SquidGuard configurator
    # (C)2006 Serg Dvoriancev
    # email: dv_serg@mail.ru
    # ============================================================
    logdir /var/squidGuard/log
    dbhome /var/db/squidGuard
    	urllist GOOGLE_GEOCODE/urls
    	log block.log
    dest HECTRONICS {
    	urllist HECTRONICS/urls
    rew safesearch {
    	log block.log
    acl  {
    	default  {

  • squidGuard relies on squid.  How do you have squid configured?  Which version of pfSense & squid?  Are you running in explicit or transparent mode?  If transparent (boo!), are you intercepting SSL?

  • thanks for this responses.

    Iam running squid v2.7.9 pkg v.4.3.6 and squidGuard v1.9.14.

    Squid configuration is stated in my first post, other than that i did the minimum and didn't see any mention of SSL interception in the GUI.
    I'm working in transparent mode but it wouldnt be a problem at all to switch to non-transparent. (I already tested it to check if it wasnt the problem).

    Which piece of configuration would be useful ?

  • OK

    • Don't use squid2.  Use squid3.  Squid2 is ancient and broken for some things.

    • Don't use transparent mode.  Use explicit mode in conjunction with WPAD.  Make sure to block ports 80/443 on LAN so that the proxy use is enforced.

    • Make sure your clients are set to autodetect the proxy.  This has been the default in Windows for many years.  Android may have to be set manually.

  • Hey,

    Thanks for the reply. In fact  I downloaded the package from PFsense GUI, i had no idea i could get a more up-to-date version (or how, but this can be fixed).

    My clients are in fact linux server, my goal being the access to some webservices exposed on the web for my applications.


  • OK, so I set squid3 up.

    But still the same error : "unable to establish SSL connection".
    I tried to enable SSL Interception aswell but I'm not sure it does what i want, no transparent proxy, no idea…

  • Okay problem solved :

    the key was to declare urls in Domain List rather that URL list. It works now.

    thanks for your help !

Log in to reply