Hi Web and thanks for your help,

Recently I've updated to:

*2.3.4-RELEASE (i386) *
*built on Wed May 03 15:22:11 CDT 2017 *
*FreeBSD 10.3-RELEASE-p19*


And my packages for content cache/filtering:

*squid 0.4.36_3*
*squidGuard 1.16.2*


I have selected *"Splice All"* for SSL/MITM Mode which says: *"This
configuration is suitable if you want to use the SquidGuard package for web
filtering. All destinations will be spliced. SquidGuard can do its job of
denying or allowing destinations according its rules, as it does with HTTP.
You do not need to install the CA certificate configured below on clients."*

Currently I have Transparent HTTP Proxy mode enabled. However, I
uninstalled the local SSL certificate pinned in Firefox.

After enabling HTTPS/SSL Interception, I created a couple of rules:

   1. In Domain List box I wrote: mega.cl;
   2. A Target Group named "stream_de_video" and inside "Regular
   Expression" box wrote "youtube".


Then, I did some tests with Firefox and had these results:

   1. http://youtube.com -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   2. http://www.youtube.com -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   3. https://youtube.com/ -> *"Secure Connection Failed: An error occurred
   during a connection to youtube.com. SSL received a
   record that exceeded the maximum permissible length. Error code:
   SSL_ERROR_RX_RECORD_TOO_LONG"*
   4. https://www.youtube.com/ -> *"Secure Connection Failed: An error
   occurred during a connection to youtube.com. SSL
   received a record that exceeded the maximum permissible length. Error code:
   SSL_ERROR_RX_RECORD_TOO_LONG"*
   5. http://mega.cl/ -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   6. http://www.mega.cl/ -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   7. https://www.mega.cl/ -> *"Secure Connection Failed: An error occurred
   during a connection to youtube.com. SSL received a record that exceeded the
   maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG"*

I don't understand why 3 and 4 are not matching with the target group, but
apparently YouTube is being blocked when the browser is Firefox. On the
other hand, mega.cl as a domain is being blocked as both SSL and non-SSL
traffic.

However, when I do the same tests using Google Chrome there is a different
story:

*Using an Incognito Window: *Apparently everything is blocked


   1. http://youtube.com -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   2. http://www.youtube.com -> *Chrome redirects to a
   https://www.youtube.com site and the error says
   "www.youtube.com sent an invalid response.
   ERR_SSL_PROTOCOL_ERROR"*
   3. https://youtube.com/ -> *The error says "youtube.com
   sent an invalid response. ERR_SSL_PROTOCOL_ERROR"*
   4. https://www.youtube.com/ -> *"Secure Connection Failed: An error
   occurred during a connection to www.youtube.com.
   SSL received a record that exceeded the maximum permissible length. Error
   code: SSL_ERROR_RX_RECORD_TOO_LONG"*
   5. http://mega.cl/ -> *"Request denied by pfSense proxy: 403 Forbidden"
   (Matched with stream_de_video target group)*
   6. http://www.mega.cl/ -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   7. https://www.mega.cl/ -> *"www.mega.cl sent an
   invalid response. ERR_SSL_PROTOCOL_ERROR" (Because mega.cl
   does not use a SSL certificate)*


*Using my "Normal Window"* (Non-Incognito): I access Youtube via SSL


   1. http://youtube.com -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   2. http://www.youtube.com -> *Chrome redirects to a
   https://www.youtube.com site and the youtube
   content is shown.*
   3. https://youtube.com/ -> *The error says "youtube.com
   sent an invalid response. ERR_SSL_PROTOCOL_ERROR"*
   4. https://www.youtube.com/ -> *Chrome redirects to a
   https://www.youtube.com site and the youtube
   content is shown.*
   5. http://mega.cl/ -> *"Request denied by pfSense proxy: 403 Forbidden"
   (Matched with stream_de_video target group)*
   6. http://www.mega.cl/ -> *"Request denied by pfSense proxy: 403
   Forbidden" (Matched with stream_de_video target group)*
   7. https://www.mega.cl/ -> *"www.mega.cl sent an
   invalid response. ERR_SSL_PROTOCOL_ERROR" (Because mega.cl
   does not use a SSL certificate)*


After you mentioned QUIC, I did some research and found this: How to Block
QUIC Protocol
<https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Block-QUIC-Protocol/ta-p/120207>

Apparently, I have to set up a firewall rule to block all UDP traffic for
80/443. So, I created a new rule in Firewall section for LAN which
basically says:


   1. Protocol: IPv4 UDP; Source: *; Port: *; Destination: *; Port: *80*;
   Gateway: *
   2. Protocol: IPv4 UDP; Source: *; Port: *; Destination: *; Port: *443*;
   Gateway: *


Now, when I try to access http://www.youtube.com with Chrome, it redirects
to https://www.youtube.com but apparently it's blocked: *This site can’t be
reached. The webpage at https://www.youtube.com/
might be temporarily down or it may have moved permanently to a new web
address. ERR_QUIC_PROTOCOL_ERROR*

Is that enough or do I have to consider anything else?

Thank you so much for your guidance.

José G.





On Mon, May 8, 2017 at 4:21 PM, WebDawg <webd...@gmail.com> wrote:

> There are interception modes.
>
> Peek
> Peek and splice
> And bump.
>
> So squid:
>
> I do not have it in front of me right now but it sounds like you do not
> have the SSL proxy set up right.  Only one of those methods does not require
> a SSL cert to be installed on a client system.
>
> Also you have to deal with pinned certs in web browsers....also you have to
> deal with Chrome UDP protocols like QUIC that bypass the proxy entirely...
>
> It is either you have the proxy set up wrong or did not set up the squid rules
> right.
>
> Web.....
>
>
> On May 8, 2017 11:34 AM, "José Gregorio Díaz Unda" <jgdiazu...@asyste.cl>
> wrote:
>
> Dear PFSense crew,
>
> I'm not sure if this is the right place to post my issue. If not, please
> let me know.
>
> Has somebody set up SSL Filtering well in PFSense?
>
> I have installed:
>
> PFSense 2.3.3_1
> squid 0.4.36_3
> squidGuard 1.16.1
>
> Transparent Mode
>
>
> I just want to block Youtube (ssl) for a certain group of users via alias,
> but when squidGuard is enabled, any SSL traffic is blocked.
>
> This is a basic task but unfortunately it has been impossible to make it
> work.
>
> Thanks in advance.
>
> José G.
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
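
Added example, not part of the original thread: a common cause of SSL_ERROR_RX_RECORD_TOO_LONG is a plaintext HTTP reply (for example a proxy's 403 page) arriving on a connection where the browser expects a TLS record. The Python sketch below reads the first five bytes the way a TLS client does and shows why "HTTP/" decodes to an oversized record length; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# RFC 5246 section 6.2.3: a TLSCiphertext fragment may not exceed 2^14 + 2048 bytes.
MAX_TLS_RECORD_LEN = 2**14 + 2048
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def parse_record_header(data: bytes) -> dict:
    """Interpret the first 5 bytes as a TLS record header (type, version, length)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": ctype,
        "content_type_name": TLS_CONTENT_TYPES.get(ctype, "invalid"),
        "version": (major, minor),
        "length": length,
        "record_too_long": length > MAX_TLS_RECORD_LEN,
    }


def classify_first_bytes(data: bytes) -> str:
    """Say whether a server's first bytes look like TLS or like plaintext HTTP."""
    hdr = parse_record_header(data)
    if (hdr["content_type"] in TLS_CONTENT_TYPES
            and hdr["version"][0] == 3
            and not hdr["record_too_long"]):
        return "tls"
    if data[:5] == b"HTTP/":
        return "plaintext-http"
    return "unknown"


# Constructed samples: a plaintext deny page and the start of a TLS 1.2 handshake record.
PLAINTEXT_DENY = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
TLS_SERVER_HELLO_START = b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56"

if __name__ == "__main__":
    for name, sample in (("deny page", PLAINTEXT_DENY),
                         ("server hello", TLS_SERVER_HELLO_START)):
        print(name, classify_first_bytes(sample), parse_record_header(sample))
```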