Client side setup to support pfsense + squid with transparent ssl and squidguard



  • Greetings.  Been setting up PFsense + squid + blocklist + SSL transparent proxy over the past week, and most of the tutorials and help docs fall short when it comes to client-side setup. Not only that, the ability of the modern teenager w/ 3 devices to detect when Dad is “messing with the Internet” >:( is absolutely amazing.

    Well, I just got the client side setup for Apple iOS 8.4, Windows 7 (IE, FireFox, Chrome), Windows 10 (Chrome, FF), Android 5.0.1 (AT&T, Samsung Note 4), and also Windows Update working a few moments ago. Here’s some helpful advice to complete the puzzle.

    Key Concepts for the non-experts:

    The Squid proxy functions properly in HTTP “transparent” mode (port 80) because that protocol is not authenticated – meaning that there is no inherent method or mechanism for the client to gain assurance of the server's identity, and vice versa. Not so for HTTPS, or SSL/TLS (Secure Sockets Layer / Transport Layer Security). The browser checks and confirms the identity of the site, and Squid gets in the way because it is handling the SSL transaction, not the client browser or other app. You need to inform the client operating system, and in one case a client browser, that the certificate that Squid hands back is in the chain of trust.

    Method I’ve used so far:

    The method I chose to accomplish this is outlined below – I will be brief on the well-documented areas on the pfSense site.

    1. Create a certificate in pfsense (System, Cert Manager). You will need to “Create an Internal Certificate Authority”.
    2. I used “real” information, such as an email address, location, and name. For name, I chose “Internal CA”, because that is the name that you will see in the browser certificate UIs.
    3. Configure Squid, in HTTP transparent mode, and make sure that it is functional. (again, covered elsewhere on this wiki).
    4. I also chose to install squidguard and import the block list from http://www.shallalist.de/Downloads/shallalist.tar.gz, and configured a lot of stuff (routinely, we have guests with minors, so I am very conservative).
    5. Enable the https transparent proxy, then satisfy yourself it works by performing two specific tests.
      a. Try to visit Google, Facebook, Youtube – all SSL sites. The browsers will all return errors.
      b. Try Windows update – this should fail w/ an eight digit error code.
    6. Export the certificate from the Internal CA on PFsense. This is the SECOND ICON from the left, next to the “e”, in pfsense 2.2.4 w/ the default visual UI. DO NOT EXPORT THE PRIVATE KEY. Not only is it a ginormous security issue, it just won’t work for you.
    7. On my home network, I saved it to a public CIFS share.
    8. On Windows 7, you will need to start a Microsoft Management Console. In the Run dialog, type in MMC, hit enter, respond to the admin rights prompt (you are running as a normal user, right…???), then choose FILE | Add/Remove Snap-in. Pick “Certificates”, and Add. I chose “Computer Account” on the next screen, because I want my pfSense Internal CA certificate to be used across the system (Windows Update will need this). Finish. Close. Open “Trusted Root Certification Authorities”, then right-click on Certificates and choose “Import”, and point to the certificate you exported earlier. This recipe works for IE and Chrome.
    9. For Firefox 40.0.1, go to Options, Advanced, Certificates. Choose View Certificates, then “Import” from the “Authorities” tab.
    10. For iOS – Apple iPad, 8.4.1 – believe it or not, the process is as simple as emailing the certificate to yourself (I was shocked…), tapping on it, and then importing it into iOS. You need to confirm trust a few times, but it was amazingly simple.
    11. Now I had the epiphany that I should check some other stuff, and sure enough, Windows Update failed on both Win7 and Win10. Some more googling brought me the list of download servers that Windows Update uses. The easiest method is to “whitelist” these servers, so that squid lets them go. I’d bet that there is a more sophisticated method, but by adding the servers to the ACL: White List area in squid, Windows Update worked.
    12. Continuing w/ the epiphany, I decided to check an Android 5.0.1 phone (Samsung Note 4). Sure enough – same basic process as iOS. I emailed the certificate to a Gmail account. The Gmail app would not permit download, but it would let me tap on the attachment and install the certificate for “VPN and apps”. My test was to reconnect to WiFi and send/receive email through the Gmail app.
    13. The only site I’ve found that doesn’t work is Google Mail – and only in Firefox, not in Chrome (v 45.0) or IE 11.19.
    Windows Update sites needed for Win7 and Win10 (I don’t have Win8.1 to test with at the moment):

    download.windowsupdate.com
    *.download.windowsupdate.com
    download.microsoft.com
    *.update.microsoft.com
    update.microsoft.com
    *.windowsupdate.com
    *.windowsupdate.microsoft.com
    windowsupdate.microsoft.com
    ntservicepack.microsoft.com
    wustat.windows.com
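The “more sophisticated method” hinted at in step 11 is to tell Squid not to re-sign those hosts at all, rather than whitelisting them past the filter. The fragment below is an added example, not part of the original post and not what the pfSense squid package GUI generates; it assumes Squid 3.5 or later (the peek/splice/bump form of ssl_bump), the Internal CA exported from step 6 as cert/key at an assumed path, and the Windows Update host list above. Hosts matched by the no_bump ACL are spliced, meaning the client sees the real Microsoft certificate chain, while everything else is bumped with a certificate minted from the Internal CA.

```conf
# Added example (not from the original post or the pfSense GUI).
# Squid 3.5+ ssl_bump syntax; all file paths and the port number are assumptions.

# Transparent HTTPS interception. The cert= file holds the pfSense "Internal CA"
# certificate and key from System > Cert Manager (the private key stays on pfSense;
# only the certificate is exported to clients).
https_port 3129 intercept ssl-bump \
    cert=/usr/local/etc/squid/internal-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-site leaf certificates signed by the Internal CA (paths assumed).
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB
sslcrtd_children 5

# Step 1 of the bump: peek at the TLS ClientHello to read the SNI before deciding.
acl step1 at_step SslBump1

# Hosts whose TLS must be passed through untouched: the Windows Update client
# rejects the proxy-generated certificate (the eight-digit error from step 5b).
# A leading dot matches the host itself and every subdomain, so it also covers
# the *.wildcards in the list above (download.windowsupdate.com is inside .windowsupdate.com).
acl no_bump ssl::server_name \
    .windowsupdate.com \
    .windowsupdate.microsoft.com \
    .update.microsoft.com \
    download.microsoft.com \
    ntservicepack.microsoft.com \
    wustat.windows.com

ssl_bump peek step1          # learn the server name, sending nothing to the client yet
ssl_bump splice no_bump      # pass the original server certificate straight through
ssl_bump bump all            # everything else gets a leaf signed by the Internal CA
```

In the pfSense package the directives would go in the squid "Custom Options" box rather than a hand-edited squid.conf, since the GUI rewrites that file. Spliced hosts are not inspected or filtered by squidguard, which is the same trade-off the whitelist makes. The same splice rule is the tool to reach for with any other client that refuses the bumped chain, with the check being to confirm on a client that the certificate presented for a spliced host is issued by a Microsoft CA and, for a bumped host such as www.google.com, by "Internal CA".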