Squid3 ssl inspection with Transparent mode

  • Dear all, I have pfSense 2.2 with Squid and SquidGuard.
    I needed to enable SSL inspection, as users can bypass traffic management using HTTPS;
    however, since I enabled it I can't use Skype or WebEx sessions, as they rely on HTTPS. I need to add them to the bypass, so I added the two URLs to "Bypass Proxy for These Destination IPs", but it didn't work, as that field doesn't take regex or wildcards.
    Is there any other place to configure Squid not to check the Skype and WebEx certs, or any other workaround?
    When I used TMG it was normal to add a destination server so its cert wasn't checked, and it was like "*.microsoft.com".

  • Firewalls can't see the DNS, all they see is the IP address. SQUID can see the domain, but only after it intercepted and inspected the HTTPS connection.

    That being said, I'm not a good resource on this subject and I'm interested to see what others have to say.

  • I have an idea, but when I tested it, it didn't work properly.
    I will disable transparent mode for Squid and turn on SSL inspection;
    Squid will listen on 8080 for HTTP and on 3219 for HTTPS.
    Then I configured a PAC file to use, as it will instruct the browser which destination to use, something like:
    function FindProxyForURL(url, host) {
        // PFSENSE_IP is a placeholder for the pfSense LAN address; 8080 is the HTTP proxy port named above.
        // An explicit proxy also takes HTTPS CONNECT requests on this port, so no separate HTTPS branch is needed.
        var proxy = "PROXY PFSENSE_IP:8080";
        // Black-hole gsmarena.com: nothing listens on 127.0.0.1:9, so the request fails instead of opening.
        if (shExpMatch(host, "*gsmarena.com")) return "PROXY 127.0.0.1:9";
        // Hosts that must not be SSL-inspected go straight out; match on the host, not the full URL.
        if (dnsDomainIs(host, ".skype.com")) return "DIRECT";
        if (dnsDomainIs(host, ".webex.com")) return "DIRECT";
        if (dnsDomainIs(host, ".cisco.com")) return "DIRECT";
        if (dnsDomainIs(host, ".live.com")) return "DIRECT";
        // Everything else goes through the proxy. The original had no closing brace and returned
        // "PROXY" without host:port, which made the PAC invalid and let browsers fall back to direct connections.
        return proxy;
    }

    However, when I browse any HTTPS website I find the cert is from the same site, not pfSense-issued, which means it's not inspected. Also, I set gsmarena to go to localhost, which shouldn't open gsmarena.com, but it opens normally.

    I don't know if it's an error in the PAC file settings or something that needs to be configured on pfSense.

    Also, is there any way to deny users access to the internet without the PAC file, to make sure they don't bypass the proxy filtering by setting their browser to connect without a proxy?
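An offline check for the PAC approach discussed above, added here as an example and not part of the thread: it implements just enough of the browser-side PAC helpers to evaluate FindProxyForURL against constructed sample hosts, so a bad rule or a syntax error is caught before the file is deployed and silently sends everything DIRECT. PFSENSE_IP is a placeholder; the host list mirrors the one in the post.

```javascript
// Added example (not from the thread): evaluate a PAC file offline before deploying it.
// PFSENSE_IP is a placeholder for the pfSense LAN address; 8080 is the HTTP proxy port named above.
const PROXY = "PROXY PFSENSE_IP:8080";

// Minimal versions of the PAC helper functions that browsers normally provide.
function shExpMatch(str, shexp) {
  // Translate a shell glob (* and ?) into an anchored regular expression.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function dnsDomainIs(host, domain) {
  // Matches the domain itself and any subdomain, but not "notskype.com" for ".skype.com".
  return host === domain.replace(/^\./, "") || host.endsWith(domain);
}

// Domains excluded from SSL inspection (they go DIRECT).
const BYPASS = [".skype.com", ".webex.com", ".cisco.com", ".live.com"];

function FindProxyForURL(url, host) {
  // Black-hole gsmarena.com: nothing listens on 127.0.0.1:9, so the request fails.
  if (shExpMatch(host, "*gsmarena.com")) return "PROXY 127.0.0.1:9";
  for (const d of BYPASS) if (dnsDomainIs(host, d)) return "DIRECT";
  // Everything else, HTTP and HTTPS (CONNECT), goes through the proxy.
  return PROXY;
}

// Evaluate a list of [url, host] pairs and return the routing decision per host.
function evaluatePac(samples) {
  const out = {};
  for (const [url, host] of samples) out[host] = FindProxyForURL(url, host);
  return out;
}

// Constructed sample traffic covering each branch, including a look-alike host.
const SAMPLES = [
  ["https://www.skype.com/", "www.skype.com"],
  ["https://login.live.com/", "login.live.com"],
  ["https://www.gsmarena.com/", "www.gsmarena.com"],
  ["https://example.com/", "example.com"],
  ["http://notskype.com/", "notskype.com"],
];
console.log(evaluatePac(SAMPLES));
```

Run it with node; every host that is not on the bypass list must come back as the proxy, otherwise the inspection gap the thread describes is still open.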

  • No one has any idea or solution?
    I think I will go back to TMG.
    The funny thing is that pfSense has web filtering, a bandwidth limiter and lots of features, but not a good SSL inspection feature, which makes those features useless, as users can easily use HTTPS to bypass all those rules.
    TMG has a good SSL inspection feature but lacks other important features; however, I could deal with the ability to block some sites and limit internet usage manually, but be absolutely sure no one would be able to bypass my rules like in pfSense, without affecting other programs like WebEx and Skype.

  • Because SSL inspection is a MITM, it breaks a lot of security features with SSL and opens up a slew of attack vectors. It is considered bad practice from a network security standpoint, even if considered good security practices from an employee management standpoint.

  • I know what you mean, but if that is the point, then they should remove the feature and say it doesn't exist, for security reasons or whatever,
    but they chose to put in half of it: you can enable it, but you won't be able to bypass any sites by FQDN; you must get all the IPs and bypass those.
