Topic: pfSense, Squid, and HTTPS

unmode
pfSense, Squid, and HTTPS
« on: August 14, 2013, 06:16:04 am »
Hi all,

I'm sure this is a noob question, so please bear with.

I've installed pfSense with Squid and pointed it to an upstream proxy cache.

LAN > pfSense > Upstream Proxy > Internet

I've also enabled transparent proxy.

HTTP traffic works fine, I can access websites as normal, but I'm having a problem with HTTPS sites.

HTTPS can't be transparently proxied, of course, but even if I configure the browser manually with the proxy server details I can't access HTTPS sites.

I've also tried by disabling transparent proxy, which doesn't work either.

HTTPS works fine if I remove pfSense from the equation.

Basically I need a way to get HTTPS traffic through pfSense.

Can anyone help?

Thanks in advance.

unmode
Re: pfSense, Squid, and HTTPS
« Reply #1 on: August 16, 2013, 02:20:53 am »
Nobody?

doktornotor

stephenw10
Re: pfSense, Squid, and HTTPS
« Reply #3 on: August 16, 2013, 04:57:20 am »
Odd because usually HTTPS traffic simply bypasses Squid unless you block it deliberately.

Steve

kejianshi
Re: pfSense, Squid, and HTTPS
« Reply #4 on: August 16, 2013, 06:08:20 am »
HTTPS is being blocked in rules somewhere, either deliberately or not. There is probably a block rule somewhere or a NAT rule that forwards to nowhere. I've seen rules like that set up in an attempt to filter HTTPS. Maybe you copied one of their rules in an example somewhere not realizing it.

unmode
Re: pfSense, Squid, and HTTPS
« Reply #5 on: August 19, 2013, 02:36:04 am »
Thanks for the advice. Can you recommend how an HTTPS rule would ideally be set up?

kejianshi
Re: pfSense, Squid, and HTTPS
« Reply #6 on: August 19, 2013, 02:42:16 am »
I have no idea personally. The idea that someone could successfully proxy (not socks5 proxy) HTTPS sounds a lot like Man-In-The-Middle stuff to me. Basically, by default Squid doesn't touch HTTPS. Just HTTP.

I suggest you go through your NAT and Firewall rules and look for any reference to port 443/HTTPS that shouldn't be there.
« Last Edit: August 19, 2013, 02:45:23 am by kejianshi »

doktornotor
Re: pfSense, Squid, and HTTPS
« Reply #7 on: August 19, 2013, 02:50:19 am »
Thanks for the advice. Can you recommend how an HTTPS rule would ideally be set up?

Please, read the entire thread already referenced once above: http://forum.pfsense.org/index.php/topic,62256.0.html (And I'd personally just recommend to NOT do this at all.)

unmode
Re: pfSense, Squid, and HTTPS
« Reply #8 on: August 19, 2013, 05:08:25 am »
Thanks. In theory though you could just pass the HTTPS traffic through the firewall rather than proxying it.

Thanks for the continuing replies doktornotor, but as stated in my original post I'm not trying to proxy HTTPS traffic, just let it pass through the firewall.

kejianshi
Re: pfSense, Squid, and HTTPS
« Reply #9 on: August 19, 2013, 09:20:46 am »
I suggest you go through your NAT and Firewall rules and look for any reference to port 443/HTTPS that shouldn't be there.
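
The check suggested in the replies above (look through the NAT and firewall rules for references to port 443/HTTPS) can be scripted. This is an added example, not part of the original thread: it assumes rule text in the format printed by `pfctl -sr` and `pfctl -sn`, and the interface names, addresses and sample rules are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag loaded pf rules that block or
# redirect HTTPS, which is what breaks port 443 when Squid itself is not
# handling it. The function name and sample data are hypothetical.

find_https_rules() {
    # Reads pf rule text on stdin. pfctl prints well-known ports by service
    # name ("port = https") but a number can also appear ("port 443"), so
    # match both, and require a boundary so that 4433 is not a false hit.
    awk '
        /port (= )?(443|https)([^0-9A-Za-z-]|$)/ {
            if ($1 == "block")    kind = "BLOCK"
            else if ($1 == "rdr") kind = "REDIRECT"
            else next             # pass rules and others are not suspects
            print kind ": " $0
        }
    '
}

sample_rules() {
    # Constructed sample in pfctl output style: em1 = LAN, em0 = WAN.
    cat <<'EOF'
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any port = http flags S/SA keep state
block drop in quick on em1 inet proto tcp from any to any port = https
rdr on em1 inet proto tcp from any to ! (em1) port = http -> 127.0.0.1 port 3128
rdr on em1 inet proto tcp from any to any port = https -> 127.0.0.1 port 3128
block drop in on em1 inet proto tcp from any to any port = 4433
pass out on em0 inet proto tcp from any to any port = https flags S/SA keep state
EOF
}

# Demo on the constructed sample. On the firewall itself, feed it the live
# rule set instead:  { pfctl -sr; pfctl -sn; } | find_https_rules
sample_rules | find_https_rules
```

Any line it prints is a rule to review in the pfSense GUI under Firewall > Rules or Firewall > NAT; an empty result means the loaded rule set neither blocks nor redirects port 443.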