SquidGuard url_rewrite issue with Squid 3.5

moley2016

Hi all,

I've installed pfSense 2.2.6 64bit and have been using it as a web filter with Squid and SquidGuard.  Everything was working fine except the rewritten cert on HTTPS connections was being picked up by Firefox and Chrome as a weak certificate (SHA1).

I updated squid using this guide https://forum.pfsense.org/index.php?topic=99141.0 which has upgraded squid to 3.5.3.  Now squidguard is working on HTTP but not HTTPS.

I'm thinking the url_rewrite is the problem.  When i go to an https page i get a messsage that the cert if for the domain "http" and doesn't match the actual site (e.g. www.google.co.uk).  In IE i can bypass this and get the attached screen.

I can't see anything in the logs that says much other than this in cache.log:

2016/04/03 16:51:48 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.212.106/192.168.212.106 - CONNECT'. Future Squid will treat this as part of the URL.

Can anyone help/point me in the right direction?

Thanks in advance

Hanswerner

Hello,

i found out, that you can stop service in webgui and start squidGuard in emergency mode from command line to see debug info

command: squidGuard

my problem isnt solved but maybe it helps

Naughty

would you please tell me how you make pfsense work with squid+squidguard  as webfilter only ?
i mean are you able to make them work in non-transparent mode and block both http and https ?

hbarnhart

@moley2016:

Hi all,

I've installed pfSense 2.2.6 64bit and have been using it as a web filter with Squid and SquidGuard.  Everything was working fine except the rewritten cert on HTTPS connections was being picked up by Firefox and Chrome as a weak certificate (SHA1).

I updated squid using this guide https://forum.pfsense.org/index.php?topic=99141.0 which has upgraded squid to 3.5.3.  Now squidguard is working on HTTP but not HTTPS.

I'm thinking the url_rewrite is the problem.  When i go to an https page i get a messsage that the cert if for the domain "http" and doesn't match the actual site (e.g. www.google.co.uk).  In IE i can bypass this and get the attached screen.

I can't see anything in the logs that says much other than this in cache.log:

2016/04/03 16:51:48 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.212.106/192.168.212.106 - CONNECT'. Future Squid will treat this as part of the URL.

Can anyone help/point me in the right direction?

Thanks in advance

Do you have the "Use SafeSearch Engine" box check under Common ACL of Squidguard, but Rewrite set to none? I had the same problem. There should be a safesearch option in the Rewrite drop down box. Select it, save and click the Apply button on the General Settings page. I believe that's what fixed my problem.

menezes

I have same problem with pfsense 2.3

I made the safesearch configuration but did not work

Any other idea?

aGeekhere

Do you have the "Use SafeSearch Engine" box check under Common ACL of Squidguard

that has not worked for quite a while,

before 2.3 I used DNS Resolver and created a Host Overrides

Host      Domain        IP
www     google.com 216.239.38.120

However this stoped working in 2.3