Https block sgerror only in transparent mode



  • Hello

    Pfsense 2.6; Squid3; Squidguard; blacklists enabled

    For testing the webconfigurator is running at http://IP:80

    Non Transparent / No SSL Bump:
    –> Everything works fine with correct wpad except showing sgerror for blocked https sites

    Transparent / No SSL Bump:
    --> Everything works fine setting up firewall ip as gateway address except showing sgerror for blocked https sites
    ----> after that i read that it is impossible to redirect https without ssl-bump so i configured hhtps/ssl interception

    Non Transparent / With ssl bump
    --> after some issues everything works fine except showing sgerror for blocked https sites

    Transparent / with ssl bump
    --> everything works fine

    ----> So what am i missing here that Transparent Proxy setting and configuring Firewall IP as Gateway works fine but non transparent not?
    ----> sgerror.php is configured as ext url err page : (tested with http and https on firewall and different server)

    Maybe i cannot run transparent and non tranparent at the same interface but it works except showing sgerror redirect when configured proxy settings
    I can see a difference in the log blocking facebook:
    Configured Gateway: https://www.facebook.com/ Request(Standard/Filter_Standard/-) - GET REDIRECT  (succesfull display of sgerror)
    Configured Proxy: www.facebook.com:443  Request(Standard/Filter_Standard/-) - CONNECT REDIRECT  (ssl_error_bad_cert_domain)
    If i remove facebook.com from Filter_Standard the site itself works fine without a ssl warning or error.

    There is no problem changing the actual setup like "Gateway for every Client"(transparent) to "automatic proxy search"(non-transparent) or "preconfigured proxy"
    But only if sgerror is displayed for every blocked connection.

    Im getting very strange errors depending on using https webinterface or http or different ports:
    ssl error without any hints (browser)
    ssl_error_bad_cert_domain (browser)
    could not retrieve https://http/ (direct from squid)
    I mean where is the problem if squid can succesfully block https connects and showing a cert issue ... why not showing sgerror.php?

    PS: Is it possible to make a list of ip's where ssl-bump is not used without using an additional interface



  • Try to use "int error page"



  • nearly the same result:

    http://facebook.com -> blocked with sgerror.php
    https://facebook.com -> ssl error "certificate was generated for other address" (translated error massage)

    https://twitter.de -> allowed website works without error



  • @Hanswerner:

    http://facebook.com -> blocked with sgerror.php

    Is your block page shown with http or https? I mean sgerror.php



  • after i solved that ssl error i get following message from squid:
    could not retrieve hostname from: https://http/*
    so i thing the page is delivered with http and the browser wants to open https://http://sgerror.php….

    I think you can setup this with the webconfigurator setting (System -> Advanced)
    if i cahnge to https webconfigurator i get the same error with https://https/*

    I think the problem is located somwhere how squid reads the request(from squid.log):
    transparent setting: only ip as gateway and nothing else: https://www.facebook.com
    configured as non transparent and setup with wpad or manual: www.facebook.com:443

    my next try will be a setup from scratch to prevent configuration problems because of massive testing



  • Let me know if you get this sorted.  Sounds like a similar issue to what i'm having.

    https://forum.pfsense.org/index.php?topic=109208.0



  • Ok…
    configured new pfsense in VM.
    everything stays the same. It is impossible to tell squid to redirect correctly.

    NON - Transparent with or without ssl - man in the middle
    http://eample.com blocked and redirect to sgerror.php
    https://example.com blocked but NO REDIRECT:

    same setup only enabling the transparent setting:
    everything works

    i believe its a bug. during my configurations there were so many bugs in reloading config or something like squidgard stops working after setting something complete different...



  • @Hanswerner:

    https://example.com blocked but NO REDIRECT:

    Can you open block page with https itself? just type https://YUORIP/sgerror.php

    Check if you disallow numeric URLs, if yes - add your pfSense to exclusion.



  • Opening blockpage itself depends on webconfigurator http or https setting. Both works.
    it doesnt matter if i chose internal or external page.
    The only problem here is the default redirect of the blacklist advertisement filter that redirects to the ip  with a domain cert error instead of fqdn without error ;)
    (this could be managed with the webconfigurator setting)

    the very interesting thing is, that everything is working nice in transparent mode (witch ssl-bump) and gateway setting via dhcp. Everything except some strange cert errors because there is a lack of options for squid to correctly mimik the server cert…
    (for example if www.example.com loads js from www.cd.example.com -> squid is too dump to generate different cert for different connection and so you get cert domain errors)



  • "Do not allow IP-Addresses in URL" doesnt matter… :(



  • End Workaround: I changed squid error page to sgerror.php

    Better the users get blocked message than proxy errors.. but … crap



  • According to Amos Jeffries, a squid developer/maintainer, it's a browser problem:

    http://www.squid-cache.org/mail-archive/squid-users/201202/0216.html



  • Hi all.
    Is there any update on this case ?
    I have exactly the same problem with a pfsense version 2.3.2.

    Thanks.
    Regards.
    Olivier.



  • Hi, Me too.

    Any advice?



  • @Hanswerner:

    End Workaround: I changed squid error page to sgerror.php

    Better the users get blocked message than proxy errors.. but … crap

    Hi,

    How to change squid error page to sgerror.php?

    Thanks.



  • I reported this issue as a bug in https://redmine.pfsense.org/issues/6777

    I hope that the programmers can help us, in my situation, this issue is present in pfsense 2.3.2



  • Ressurecting this thread…

    I'm having similar issues, more... even when the external error page is loaded, no CSS on that page is applied.



  • After some search, It's a behavior standard in Browsers.

    See this: https://bugzilla.mozilla.org/show_bug.cgi?id=479880

    So any page blocked by Squid(+SquidGuard) that is HTTPS will not display the error page, just the generic error message from the browser on Tunnel connection error.



  • any updates on this ?


  • Rebel Alliance Developer Netgate

    @shyaminayesh:

    any updates on this ?

    No because it is not a bug, it's working in the only way that it can with SSL/TLS.