SquidGuard url_rewrite issue with Squid 3.5



  • Hi all,

    I've installed pfSense 2.2.6 64bit and have been using it as a web filter with Squid and SquidGuard.  Everything was working fine except the rewritten cert on HTTPS connections was being picked up by Firefox and Chrome as a weak certificate (SHA1).

    I updated squid using this guide https://forum.pfsense.org/index.php?topic=99141.0 which has upgraded squid to 3.5.3.  Now squidguard is working on HTTP but not HTTPS.

    I'm thinking the url_rewrite is the problem.  When I go to an https page I get a message that the cert is for the domain "http" and doesn't match the actual site (e.g. www.google.co.uk).  In IE I can bypass this and get the attached screen.

    I can't see anything in the logs that says much other than this in cache.log:

    2016/04/03 16:51:48 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.212.106/192.168.212.106 - CONNECT'. Future Squid will treat this as part of the URL.

    Can anyone help/point me in the right direction?

    Thanks in advance



  • Hello,

    I found out that you can stop the service in the webgui and start squidGuard in emergency mode from the command line to see debug info

    command: squidGuard

    My problem isn't solved, but maybe it helps



  • Would you please tell me how you make pfSense work with squid+squidguard as a webfilter only?
    I mean, are you able to make them work in non-transparent mode and block both http and https?



  • @moley2016:

    Hi all,

    I've installed pfSense 2.2.6 64bit and have been using it as a web filter with Squid and SquidGuard.  Everything was working fine except the rewritten cert on HTTPS connections was being picked up by Firefox and Chrome as a weak certificate (SHA1).

    I updated squid using this guide https://forum.pfsense.org/index.php?topic=99141.0 which has upgraded squid to 3.5.3.  Now squidguard is working on HTTP but not HTTPS.

    I'm thinking the url_rewrite is the problem.  When I go to an https page I get a message that the cert is for the domain "http" and doesn't match the actual site (e.g. www.google.co.uk).  In IE I can bypass this and get the attached screen.

    I can't see anything in the logs that says much other than this in cache.log:

    2016/04/03 16:51:48 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.212.106/192.168.212.106 - CONNECT'. Future Squid will treat this as part of the URL.

    Can anyone help/point me in the right direction?

    Thanks in advance

    Do you have the "Use SafeSearch Engine" box checked under Common ACL of Squidguard, but Rewrite set to none? I had the same problem. There should be a safesearch option in the Rewrite drop down box. Select it, save and click the Apply button on the General Settings page. I believe that's what fixed my problem.



  • I have the same problem with pfSense 2.3

    I made the safesearch configuration but it did not work

    Any other idea?



  • Do you have the "Use SafeSearch Engine" box checked under Common ACL of Squidguard

    That has not worked for quite a while.

    Before 2.3 I used DNS Resolver and created a Host Override:

    Host    Domain        IP
    www     google.com    216.239.38.120

    However, this stopped working in 2.3

