Pfsense 2.2.4 SQUID 3 HTTPS transparent proxy problems



  • Hello

I have been using pfSense 2.1.5 with the squid dev package and have successfully been using the HTTPS transparent proxy. I have been
    using one of several tutorials on the internet to arrange this.

    Now I want to do this on pfSense 2.2.4 with the SQUID3 package. I cannot get it to work. HTTP works fine but no HTTPS traffic is working.
    I have activated the HTTPS proxy on the interface as I did on 2.1.5, where it worked well.

    Any ideas? Do I need to download the same lib files as with 2.1.5 and the dev package?

    Best regards
    Toby


  • Banned

    @toby-rdc:

    I can not get it to work

    That's a well-known issue.



As my mail states, I know that it is an issue. What I am looking for is a solution  ;)
    The non-functional HTTPS transparent proxy is a show-stopper for us. If we cannot get it to
    work again it will force us to move over to other platforms instead.
    The ability to filter SSL is essential today as more and more sites are using it.

    /Toby



  • Here is my solution.

I only have 1 NIC.

    Original non-transparent proxy on port 3128 on the WAN interface.

    Then I add this line below Custom ACLs (Before Auth):

    "http_port IpAdressProxy:3129 accel vhost allow-direct" where IpAdressProxy is the static IP address of the proxy server.

    Then on the MikroTik router I have a firewall rule that redirects port 80 to port 3129.

    Then I can use both the standard proxy and the transparent one.


  • Banned

    @toby-rdc:

    As my mail states, i know that it is an issue.

    No idea to whom you sent some mail. As my reply states, you provided absolutely ZERO useful info for debugging whatever your issue is.



HTTP traffic passes through the proxy with no problems. I checked this in the logs. When using an HTTPS site, nothing happens in the user's browser and eventually a timeout occurs.
    In the squid logs you can actually see http://www.yahoo.com, for example, but not on HTTPS.
    There is no other error message for the user but the browser timeout. As I said, with 2.1.5 this worked perfectly, both HTTP and HTTPS
    in transparent mode.
    But it is not the same squid package in 2.1.5 as in 2.2.4, so I suppose there have been some changes.
    The combination of pfSense with an SSL proxy is of very high value. Without it, the value of the pfSense router decreases.


  • Banned

    I'd have to repeat my original suggestion. Lacking paranormal skills, I'm out of this.



Sorry for not being clear. I have extracted some info from the system logs that might be useful. I went back to 2.1.5 but I cannot
    make it work there either.
    Here are the logs:

    php: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '2015/11/03 16:45:37| FATAL: tproxy/intercept on https_port requires ssl-bump which is missing. FATAL: Bungled /usr/pbi/squid-amd64/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept Squid Cache (Version 3.3.10): Terminated abnormally. CPU Usage: 0.008 seconds = 0.008 user + 0.000 sys Maximum Resident Size: 29744 KB Page faults with physical i/o: 0'
    Nov 3 16:45:44 squid: Bungled /usr/pbi/squid-amd64/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept
    Nov 3 16:46:47 php: /pkg_edit.php: [Squid] - Squid_resync function call pr: bp: rpc:no
    Nov 3 16:46:48 php: /pkg_edit.php: Starting Squid
    Nov 3 16:46:48 squid: Bungled /usr/pbi/squid-amd64/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept

    toby

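The FATAL line in the log above is squid's own start-up check: an `https_port` with `intercept` (or `tproxy`) is refused unless the port also carries `ssl-bump`, and an `https_port` always needs a `cert=` pointing at a CA certificate and key that the clients trust. The checker below is an added example, not code from the thread or from the pfSense squid package: it parses a `squid.conf` fragment and reports the same conditions offline, so a config can be checked before the service is restarted. Both sample configs are constructed for this example, and the certificate path and ssl-bump options on the fixed port are assumptions for illustration, not the package's defaults.

```python
"""Offline sanity check for squid interception ports.

Added example (not from the thread or the pfSense squid package). It reproduces
the start-up check behind "FATAL: tproxy/intercept on https_port requires
ssl-bump which is missing" so a squid.conf can be checked before a restart.
"""
import shlex

INTERCEPT_MODES = {"intercept", "tproxy", "transparent"}  # transparent = old alias

# Constructed: the shape of the config that produced the FATAL in the log.
BROKEN_CONF = """\
http_port 127.0.0.1:3128
http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept
"""

# Constructed: an interception https_port that passes the check. ssl-bump needs
# a CA cert (path assumed) the clients trust, plus at least one ssl_bump rule.
FIXED_CONF = """\
http_port 127.0.0.1:3128
http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept ssl-bump cert=/usr/pbi/squid-amd64/etc/squid/serverkey.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump server-first all
"""


def directives(text):
    """Yield (line_no, name, args) for each non-comment line, honouring squid's
    trailing-backslash line continuation."""
    pending, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = no
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        yield start, parts[0], parts[1:]


def check_ports(text):
    """Return [(line_no, message), ...]; an empty list means the port
    directives would pass squid's intercept/ssl-bump start-up checks."""
    problems, bumping_ports, ssl_bump_rules = [], 0, 0
    for no, name, args in directives(text):
        if name == "ssl_bump":
            ssl_bump_rules += 1
            continue
        if name not in ("http_port", "https_port"):
            continue
        # args[0] is the address:port; the rest are options, some as key=value
        opts = {a.split("=", 1)[0] for a in args[1:]}
        bumping = "ssl-bump" in opts
        bumping_ports += bumping
        if name == "https_port" and (opts & INTERCEPT_MODES) and not bumping:
            problems.append((no, "tproxy/intercept on https_port requires ssl-bump"))
        if (name == "https_port" or bumping) and "cert" not in opts:
            problems.append((no, f"{name} needs cert=<CA certificate and key>"))
    if bumping_ports and not ssl_bump_rules:
        problems.append((0, "ssl-bump set on a port but no ssl_bump rule: nothing is bumped"))
    return problems


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_ports(conf) or "OK")
```

Passing this check only means squid will parse the port line; the binary must also have been built with SSL support (`squid -v` lists the configure options), and the CA certificate in `cert=` has to be installed on every client, otherwise HTTPS interception just produces certificate errors instead of the timeouts described above.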

  • Banned

    Squid Cache (Version 3.3.10)? WTH is this? How did you install this on 2.2.x?

    May I suggest you flatten and rebuild that box from scratch? Seriously, upgrading this package from any previous versions (2.7.x, 3.1.x, 3.3.x) and across major pfSense releases is a complete no go. And - ditto for downgrading.

