Netgate Discussion Forum

    Pfsense 2.2.4 SQUID 3 HTTPS transparent proxy problems

    • T
      toby-rdc

      Hello

      I have been using pfsense 2.1.5 with squid dev package and have successfully been using HTTPS transparent proxy. I have been
      using one of several tutorials on the internet to arrange this.

      Now I want to do this on pfsense 2.2.4 with the SQUID3 package. I can not get it to work. HTTP works fine but no HTTPS traffic is working.
      I have activated https proxy on the interface as I did on 2.1.5 and it worked well.

      Any ideas? Do I need to download the same lib files as with 2.1.5 and the dev package?

      Best regards
      Toby

      • D
        doktornotor Banned

        @toby-rdc:

        I can not get it to work

        That's a well-known issue.

        • T
          toby-rdc

          As my mail states, I know that it is an issue. What I am looking for is a solution ;)
          The non-functional https transparent proxy is a show stopper for us. If we can not get it to
          work again it will force us to move over to other platforms instead.
          The ability to filter SSL is essential today as more and more sites are using it.

          /Toby

          • K
            kivimart

            Here is my solution.

            I only have 1 NIC.

            Original non-transparent proxy on port 3128 on the WAN interface.

            Then I add this line below Custom ACLS (Before Auth):

            "http_port IpAdressProxy:3129 accel vhost allow-direct" where IpAdressProxy is the static IP of the proxy server.

            Then on the MikroTik router I have a firewall rule that redirects port 80 to port 3129.

            Then I can use standard proxy and transparent.

            • D
              doktornotor Banned

              @toby-rdc:

              As my mail states, I know that it is an issue.

              No idea to whom you sent some mail. As my reply states, you provided absolutely ZERO useful info for debugging whatever your issue is.

              • T
                toby-rdc

                HTTP traffic passes through the proxy with no problems. I checked this in the logs. When using an https site, nothing happens in the user's browser and eventually a timeout occurs.
                In the squid logs you can actually see http://www.yahoo.com for example, but not on https.
                There are no other error messages for the user but the browser timeout. As I said, with 2.1.5 this worked perfectly, both http and https
                in transparent mode.
                But it is not the same squid package in 2.1.5 as in 2.2.4, so I suppose there have been some changes.
                The combination of pfsense with an SSL proxy is of very high value. Without it, the value of the pfsense router decreases.

                • D
                  doktornotor Banned

                  I'd have to repeat my original suggestion. Lacking paranormal skills, I'm out of this.

                  • T
                    toby-rdc

                    Sorry for not being clear. I have extracted some info from the system logs that might be useful. I returned back to 2.1.5 but I can not
                    make it work there either.
                    Here are the logs

                    php: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '2015/11/03 16:45:37| FATAL: tproxy/intercept on https_port requires ssl-bump which is missing. FATAL: Bungled /usr/pbi/squid-amd64/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept Squid Cache (Version 3.3.10): Terminated abnormally. CPU Usage: 0.008 seconds = 0.008 user + 0.000 sys Maximum Resident Size: 29744 KB Page faults with physical i/o: 0'
                    Nov 3 16:45:44 squid: Bungled /usr/pbi/squid-amd64/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept
                    Nov 3 16:46:47 php: /pkg_edit.php: [Squid] - Squid_resync function call pr: bp: rpc:no
                    Nov 3 16:46:48 php: /pkg_edit.php: Starting Squid
                    Nov 3 16:46:48 squid: Bungled /usr/pbi/squid-amd64/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept

                    toby

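Added example (not part of the original thread, and not pfSense or Squid package code): the FATAL in the log above says an `https_port` in `intercept`/`tproxy` mode needs `ssl-bump`, so this sketch pulls the failing directive out of a "Bungled" syslog line and applies the same check to a config file before Squid is restarted. The function names, the sample config, its addresses and the certificate path are assumptions made for illustration.

```python
import re

# Syslog form quoted in the thread: "squid: Bungled <conf> line <N>: <directive>"
BUNGLED = re.compile(r"Bungled (\S+) line (\d+): (.+)$")

def parse_bungled(log_line):
    """Return (conf_path, line_number, directive), or None if no match."""
    m = BUNGLED.search(log_line.strip())
    return (m.group(1), int(m.group(2)), m.group(3).strip()) if m else None

def check_port_line(directive):
    """Return a problem string for one squid.conf line, or None if it passes."""
    tokens = directive.split("#", 1)[0].split()   # drop comments
    if not tokens or tokens[0] != "https_port":
        return None
    opts = set(tokens[2:])                        # tokens[1] is [ip:]port
    mode = opts & {"intercept", "tproxy"}
    if mode and "ssl-bump" not in opts:
        return "%s on https_port without ssl-bump" % sorted(mode)[0]
    return None

def lint_conf(conf_text):
    """Scan squid.conf text; return [(line_number, problem), ...]."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        problem = check_port_line(line)
        if problem:
            findings.append((n, problem))
    return findings

# Log line copied from the post above.
THREAD_LOG = ("Nov 3 16:45:44 squid: Bungled /usr/pbi/squid-amd64/etc/squid/"
              "squid.conf line 6: https_port 127.0.0.1:3129 intercept")

# Constructed sample config; addresses and the cert path are placeholders.
SAMPLE_CONF = "\n".join([
    "http_port 192.0.2.10:3128",
    "http_port 127.0.0.1:3128 intercept",
    "https_port 127.0.0.1:3129 intercept",
    "# https_port 127.0.0.1:3130 tproxy",
    "https_port 127.0.0.1:3131 intercept ssl-bump cert=/placeholder/ca.pem",
])

if __name__ == "__main__":
    path, lineno, directive = parse_bungled(THREAD_LOG)
    print(path, lineno, check_port_line(directive))
    for n, problem in lint_conf(SAMPLE_CONF):
        print("sample line %d: %s" % (n, problem))
```
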
                    • D
                      doktornotor Banned

                      Squid Cache (Version 3.3.10)? WTH is this? How did you install this on 2.2.x?

                      May I suggest you flatten and rebuild that box from scratch? Seriously, upgrading this package from any previous versions (2.7.x, 3.1.x, 3.3.x) and across major pfSense releases is a complete no go. And - ditto for downgrading.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.