Netgate Discussion Forum

SquidGuard url_rewrite issue with Squid 3.5

  • M
    moley2016
    last edited by Apr 3, 2016, 5:11 PM Apr 3, 2016, 4:51 PM

    Hi all,

    I've installed pfSense 2.2.6 64bit and have been using it as a web filter with Squid and SquidGuard.  Everything was working fine except the rewritten cert on HTTPS connections was being picked up by Firefox and Chrome as a weak certificate (SHA1).

    I updated squid using this guide https://forum.pfsense.org/index.php?topic=99141.0 which has upgraded squid to 3.5.3.  Now squidguard is working on HTTP but not HTTPS.

    I'm thinking the url_rewrite is the problem.  When I go to an https page I get a message that the cert is for the domain "http" and doesn't match the actual site (e.g. www.google.co.uk).  In IE I can bypass this and get the attached screen.

    I can't see anything in the logs that says much other than this in cache.log:

    2016/04/03 16:51:48 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.212.106/192.168.212.106 - CONNECT'. Future Squid will treat this as part of the URL.

    Can anyone help/point me in the right direction?

    Thanks in advance
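A way to triage the cache.log warning quoted in the post above, added here as an example (not code from any poster, Squid or squidGuard): it extracts the text Squid flagged after the rewritten URL and splits it into client/fqdn, ident and method, assuming it has the shape of the quoted line. The second and third sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Sample cache.log text: line 1 is the warning quoted in the post, lines 2-3 are constructed.
SAMPLE_LOG = """\
2016/04/03 16:51:48 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.212.106/192.168.212.106 - CONNECT'. Future Squid will treat this as part of the URL.
2016/04/03 16:51:50 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.212.107/192.168.212.107 - GET'. Future Squid will treat this as part of the URL.
2016/04/03 16:52:01 kid1| constructed unrelated line
"""

# "reponded" is how the logged message spells it, so it is matched literally.
WARNING = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"UPGRADE WARNING: URL rewriter reponded with garbage '(?P<extra>[^']*)'"
)
# Assumed shape of the flagged text, taken from the quoted line: client/fqdn ident method
TRAILING = re.compile(r"^(?P<client>[^/\s]+)/(?P<fqdn>\S+) (?P<ident>\S+) (?P<method>[A-Z]+)$")


def parse_warnings(text):
    """Return one dict per rewriter warning, with the trailing fields split out."""
    hits = []
    for line in text.splitlines():
        m = WARNING.match(line.strip())
        if not m:
            continue
        hit = {"ts": m.group("ts"), "extra": m.group("extra").strip(), "parsed": False}
        fields = TRAILING.match(hit["extra"])
        if fields:
            hit.update(fields.groupdict(), parsed=True)
        hits.append(hit)
    return hits


def summarize(hits):
    """Count warnings per request method; CONNECT entries are the HTTPS requests."""
    return Counter(h.get("method", "unparsed") for h in hits)


if __name__ == "__main__":
    hits = parse_warnings(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h.get("client"), h.get("method"))
    print(dict(summarize(hits)))
```

A count dominated by CONNECT matches the symptom in the post, where HTTP filtering works and HTTPS does not.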
    • H
      Hanswerner
      last edited by Apr 11, 2016, 12:27 PM

      Hello,

      I found out that you can stop the service in the web GUI and start squidGuard in emergency mode from the command line to see debug info

      command: squidGuard

      My problem isn't solved, but maybe it helps

      • N
        Naughty
        last edited by Apr 15, 2016, 5:11 PM

        Would you please tell me how you make pfSense work with Squid + SquidGuard as a web filter only?
        I mean, are you able to make them work in non-transparent mode and block both HTTP and HTTPS?

        • H
          hbarnhart
          last edited by May 11, 2016, 2:23 PM

          @moley2016:

          Hi all,

          I've installed pfSense 2.2.6 64bit and have been using it as a web filter with Squid and SquidGuard.  Everything was working fine except the rewritten cert on HTTPS connections was being picked up by Firefox and Chrome as a weak certificate (SHA1).

          I updated squid using this guide https://forum.pfsense.org/index.php?topic=99141.0 which has upgraded squid to 3.5.3.  Now squidguard is working on HTTP but not HTTPS.

          I'm thinking the url_rewrite is the problem.  When I go to an https page I get a message that the cert is for the domain "http" and doesn't match the actual site (e.g. www.google.co.uk).  In IE I can bypass this and get the attached screen.

          I can't see anything in the logs that says much other than this in cache.log:

          2016/04/03 16:51:48 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.212.106/192.168.212.106 - CONNECT'. Future Squid will treat this as part of the URL.

          Can anyone help/point me in the right direction?

          Thanks in advance

          Do you have the "Use SafeSearch Engine" box checked under Common ACL of SquidGuard, but Rewrite set to none? I had the same problem. There should be a safesearch option in the Rewrite drop-down box. Select it, save and click the Apply button on the General Settings page. I believe that's what fixed my problem.

          • M
            menezes
            last edited by May 11, 2016, 2:55 PM

            I have the same problem with pfSense 2.3.

            I made the safesearch configuration but it did not work.

            Any other idea?

            • A
              aGeekhere
              last edited by May 11, 2016, 11:38 PM

              Do you have the "Use SafeSearch Engine" box checked under Common ACL of SquidGuard

              That has not worked for quite a while.

              Before 2.3 I used DNS Resolver and created a Host Override:

              Host    Domain        IP
              www     google.com    216.239.38.120

              However, this stopped working in 2.3.

              Never Fear, A Geek is Here!
