HTTPS block sgerror only in transparent mode

  • Hello

    pfSense 2.6; Squid3; SquidGuard; blacklists enabled

    For testing, the webConfigurator is running at http://IP:80

    Non-transparent / no SSL bump:
    --> Everything works fine with a correct WPAD, except showing sgerror for blocked HTTPS sites

    Transparent / no SSL bump:
    --> Everything works fine setting up the firewall IP as gateway address, except showing sgerror for blocked HTTPS sites
    ----> After that I read that it is impossible to redirect HTTPS without SSL bump, so I configured HTTPS/SSL interception

    Non-transparent / with SSL bump:
    --> After some issues everything works fine, except showing sgerror for blocked HTTPS sites

    Transparent / with SSL bump:
    --> Everything works fine

    ----> So what am I missing here, that the transparent proxy setting with the firewall IP configured as gateway works fine, but non-transparent does not?
    ----> sgerror.php is configured as the external URL error page (tested with HTTP and HTTPS on the firewall and on a different server)

    Maybe I cannot run transparent and non-transparent on the same interface, but it works except for showing the sgerror redirect when proxy settings are configured.
    I can see a difference in the log when blocking facebook:
    Configured gateway: Request(Standard/Filter_Standard/-) - GET REDIRECT  (successful display of sgerror)
    Configured proxy:  Request(Standard/Filter_Standard/-) - CONNECT REDIRECT  (ssl_error_bad_cert_domain)
    If I remove it from Filter_Standard, the site itself works fine without an SSL warning or error.

    There is no problem changing the actual setup from "gateway for every client" (transparent) to "automatic proxy search" (non-transparent) or "preconfigured proxy".
    But only if sgerror is displayed for every blocked connection.

    I'm getting very strange errors depending on whether the web interface uses HTTPS or HTTP or different ports:
    ssl error without any hints (browser)
    ssl_error_bad_cert_domain (browser)
    could not retrieve https://http/ (direct from squid)
    I mean, where is the problem if Squid can successfully block HTTPS connects and show a cert issue... why not show sgerror.php?

    PS: Is it possible to make a list of IPs where SSL bump is not used, without using an additional interface?

  • Try to use "int error page"

  • Nearly the same result: -> blocked with sgerror.php -> SSL error "certificate was generated for other address" (translated error message) -> allowed website works without error

  • @Hanswerner: -> blocked with sgerror.php

    Is your block page shown with HTTP or HTTPS? I mean sgerror.php.

  • After I solved that SSL error I get the following message from Squid:
    could not retrieve hostname from: https://http/*
    So I think the page is delivered with HTTP and the browser wants to open https://http://sgerror.php….

    I think you can set this up with the webConfigurator setting (System -> Advanced).
    If I change to the HTTPS webConfigurator I get the same error with https://https/*

    I think the problem is located somewhere in how Squid reads the request (from squid.log):
    transparent setting: only IP as gateway and nothing else:
    configured as non-transparent and set up with WPAD or manual:

    My next try will be a setup from scratch, to prevent configuration problems because of massive testing.

  • Let me know if you get this sorted. Sounds like a similar issue to what I'm having.

  • Ok…
    Configured a new pfSense in a VM.
    Everything stays the same. It is impossible to tell Squid to redirect correctly.

    Non-transparent, with or without SSL man-in-the-middle: blocked and redirected to sgerror.php, blocked but NO REDIRECT:

    Same setup, only enabling the transparent setting:
    everything works

    I believe it's a bug. During my configurations there were so many bugs in reloading the config, or things like SquidGuard stopping working after setting something completely different...

  • @Hanswerner: blocked but NO REDIRECT:

    Can you open the block page with HTTPS itself? Just type https://YOURIP/sgerror.php

    Check if you disallow numeric URLs; if yes, add your pfSense to the exclusion.

  • Opening the block page itself depends on the webConfigurator HTTP or HTTPS setting. Both work.
    It doesn't matter if I choose the internal or external page.
    The only problem here is the default redirect of the blacklist advertisement filter, which redirects to the IP with a domain cert error instead of the FQDN without error ;)
    (this could be managed with the webConfigurator setting)

    The very interesting thing is that everything is working nicely in transparent mode (with SSL bump) and the gateway setting via DHCP. Everything except some strange cert errors, because there is a lack of options for Squid to correctly mimic the server cert…
    (for example if loads js from -> Squid is too dumb to generate a different cert for a different connection, and so you get cert domain errors)

  • "Do not allow IP-Addresses in URL" doesn't matter… :(

  • End workaround: I changed the Squid error page to sgerror.php

    Better the users get a blocked message than proxy errors... but… crap

  • According to Amos Jeffries, a Squid developer/maintainer, it's a browser problem:

  • Hi all.
    Is there any update on this case?
    I have exactly the same problem with pfSense version 2.3.2.

  • Hi, Me too.

    Any advice?

  • @Hanswerner:

    End workaround: I changed the Squid error page to sgerror.php

    Better the users get a blocked message than proxy errors... but… crap

    How to change the Squid error page to sgerror.php?

  • I reported this issue as a bug in

    I hope that the programmers can help us; in my situation this issue is present in pfSense 2.3.2.

  • Resurrecting this thread…

    I'm having similar issues, and more... even when the external error page is loaded, no CSS on that page is applied.

  • After some searching, it's standard behavior in browsers.

    See this:

    So any page blocked by Squid (+SquidGuard) that is HTTPS will not display the error page, just the generic error message from the browser on a tunnel connection error.
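    The log difference quoted in the first post (GET REDIRECT vs CONNECT REDIRECT) is the same distinction this browser behavior produces, so it can be read straight out of a SquidGuard log. The following is an added example, not code from this thread or from the pfSense/SquidGuard packages: it parses constructed SquidGuard-style log lines and flags blocks answered on a CONNECT, which the user will see as a browser tunnel error rather than sgerror.php. The sample lines, the regex and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed squidGuard-style log lines (not real traffic), in the
# "Request(source/dest/rewrite) URL client/ident user METHOD RESULT" layout.
SAMPLE_LOG = """\
2024-01-01 10:00:01 [1234] Request(Standard/Filter_Standard/-) http://www.facebook.com/ 192.168.1.10/- - GET REDIRECT
2024-01-01 10:00:02 [1234] Request(Standard/Filter_Standard/-) www.facebook.com:443 192.168.1.11/- - CONNECT REDIRECT
2024-01-01 10:00:03 [1234] Request(Standard/Filter_Standard/-) https://www.facebook.com/ 192.168.1.12/- - GET REDIRECT
2024-01-01 10:00:04 [1234] Request(Standard/default/-) http://example.org/ 192.168.1.10/- - GET PASS
2024-01-01 10:00:05 [1234] Request(Standard/Filter_Standard/-) ads.example.net:443 192.168.1.13/- - CONNECT REDIRECT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[\d+\] Request\((?P<src>[^/]+)/(?P<dest>[^/]+)/(?P<rew>[^)]+)\) "
    r"(?P<url>\S+) (?P<client>\S+) \S+ (?P<method>\S+) (?P<result>\S+)$"
)

def classify(line):
    """Parse one squidGuard log line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["client"] = rec["client"].split("/")[0]  # drop the "/ident" suffix
    rec["blocked"] = rec["result"] == "REDIRECT"
    # Browsers do not follow a redirect answering a CONNECT (HTTPS through a
    # non-transparent proxy without SSL bump): the user sees a tunnel or
    # certificate error, not sgerror.php. A GET (plain HTTP, or HTTPS already
    # bumped in transparent mode) is redirected to the block page normally.
    rec["block_page_visible"] = rec["blocked"] and rec["method"] != "CONNECT"
    return rec

def outcome(rec):
    """What the end user experiences for one parsed line."""
    if rec is None:
        return "unparsed"
    if not rec["blocked"]:
        return "passed"
    return "blocked_page_shown" if rec["block_page_visible"] else "blocked_tunnel_error"

def summarize(log_text):
    return dict(Counter(outcome(classify(l)) for l in log_text.splitlines()))

def invisible_blocks(log_text):
    """(client, destination) pairs whose block surfaces only as a browser SSL error."""
    recs = (classify(l) for l in log_text.splitlines())
    return [(r["client"], r["url"]) for r in recs
            if r is not None and r["blocked"] and not r["block_page_visible"]]
```

    Run against a real squidGuard log, the tunnel-error count tells you how many blocked HTTPS requests never showed users a block page, which is worth knowing before deciding whether to move clients to transparent mode with SSL bump.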

  • Any updates on this?

  • Rebel Alliance Developer Netgate

    any updates on this ?

    No because it is not a bug, it's working in the only way that it can with SSL/TLS.
