Update:

Before I left the office, I decided to test from another laptop.
Unfortunately, I was able to access YouTube.

Why do some machines access YouTube while others are apparently blocked?

What could I be missing?

Thanks in advance.

José G.

On Mon, May 8, 2017 at 7:20 PM José Gregorio Díaz Unda <jgdiazu...@asyste.cl>
wrote:

> Hi Web and thanks for your help,
>
> Recently I've updated to:
>
> *2.3.4-RELEASE (i386) *
> *built on Wed May 03 15:22:11 CDT 2017 *
> *FreeBSD 10.3-RELEASE-p19*
>
>
> And my packages for content cache/filtering:
>
> *squid 0.4.36_3*
> *squidGuard 1.16.2*
>
>
> I have selected *"Splice All"* for SSL/MITM Mode which says: *"This
> configuration is suitable if you want to use the SquidGuard package for web
> filtering. All destinations will be spliced. SquidGuard can do its job of
> denying or allowing destinations according its rules, as it does with HTTP.
> You do not need to install the CA certificate configured below on clients."*
>
> Currently I have Transparent HTTP Proxy mode enabled. However, I
> uninstalled the local SSL certificate pinned in Firefox.
>
> After enabling HTTPS/SSL Interception, I created a couple of rules:
>
>    1. In Domain List box I wrote: mega.cl;
>    2. A Target Group named "stream_de_video" and inside "Regular
>    Expression" box wrote "youtube".
>
>
> Then, I did some tests with Firefox and had these results:
>
>    1. http://youtube.com -> *"Request denied by pfSense proxy: 403
>    Forbidden" (Matched with stream_de_video target group)*
>    2. http://www.youtube.com -> *"Request denied by pfSense proxy: 403
>    Forbidden" (Matched with stream_de_video target group)*
>    3. https://youtube.com/ -> *"Secure Connection Failed: An error
>    occurred during a connection to youtube.com. SSL received a record that
>    exceeded the maximum permissible length. Error code:
>    SSL_ERROR_RX_RECORD_TOO_LONG"*
>    4. https://www.youtube.com/ -> *"Secure Connection Failed: An error
>    occurred during a connection to youtube.com. SSL received a record that
>    exceeded the maximum permissible length. Error code:
>    SSL_ERROR_RX_RECORD_TOO_LONG"*
>    5. http://mega.cl/ -> *"Request denied by pfSense proxy: 403
>    Forbidden" (Matched with stream_de_video target group)*
>    6. http://www.mega.cl/ -> *"Request denied by pfSense proxy: 403
>    Forbidden" (Matched with stream_de_video target group)*
>    7. https://www.mega.cl/ -> *"Secure Connection Failed: An error occurred
>    during a connection to youtube.com. SSL received a record that exceeded the
>    maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG"*
>
> I don't understand why 3 and 4 are not matching the target group, but
> apparently YouTube is being blocked when the browser is Firefox. On the
> other hand, mega.cl as a domain is being blocked for both SSL and non-SSL
> traffic.
>
> However, when I do the same tests using Google Chrome there is a different
> story:
>
> *Using an Incognito Window: *Apparently everything is blocked
>
>
>    1. http://youtube.com -> *"Request denied by pfSense proxy: 403
>    Forbidden" (Matched with stream_de_video target group)*
>    2. http://www.youtube.com -> *Chrome redirects to
>    https://www.youtube.com and the error says "www.youtube.com sent an
>    invalid response. ERR_SSL_PROTOCOL_ERROR"*
>    3. https://youtube.com/ -> *The error says "youtube.com sent an invalid
>    response. ERR_SSL_PROTOCOL_ERROR"*
>    4. https://www.youtube.com/ -> *"Secure Connection Failed: An error
>    occurred during a connection to www.youtube.com. SSL received a record
>    that exceeded the maximum permissible length. Error code:
>    SSL_ERROR_RX_RECORD_TOO_LONG"*
>    5. http://mega.cl/ -> *"Request denied by pfSense proxy: 403
>    Forbidden" (Matched with stream_de_video target group)*
>    6. http://www.mega.cl/ -> *"Request denied by pfSense proxy: 403
>    Forbidden" (Matched with stream_de_video target group)*
>    7. https://www.mega.cl/ -> *"www.mega.cl sent an invalid response.
>    ERR_SSL_PROTOCOL_ERROR" (Because mega.cl does not use an SSL certificate)*
>
>
> *Using my "Normal Window"* (Non-Incognito): I access Youtube via SSL
>
>
>    1. http://youtube.com -> *"Request denied by pfSense proxy: 403
>    Forbidden" (Matched with stream_de_video target group)*
>    2. http://www.youtube.com -> *Chrome redirects to
>    https://www.youtube.com and the YouTube content is shown.*
>    3. https://youtube.com/ -> *The error says "youtube.com sent an invalid
>    response. ERR_SSL_PROTOCOL_ERROR"*
>    4. https://www.youtube.com/ -> *Chrome redirects to
>    https://www.youtube.com and the YouTube content is shown.*
>    5. http://mega.cl/ -> *"Request denied by pfSense proxy: 403
>    Forbidden" (Matched with stream_de_video target group)*
>    6. http://www.mega.cl/ -> *"Request denied by pfSense proxy: 403
>    Forbidden" (Matched with stream_de_video target group)*
>    7. https://www.mega.cl/ -> *"www.mega.cl sent an invalid response.
>    ERR_SSL_PROTOCOL_ERROR" (Because mega.cl does not use an SSL certificate)*
>
>
> After you mentioned QUIC, I did some research and found this: How to Block
> QUIC Protocol
> <https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Block-QUIC-Protocol/ta-p/120207>
>
> Apparently, I have to set up a firewall rule to block all UDP traffic for
> ports 80/443. So, I created a new rule in the Firewall section for LAN which
> basically says:
>
>
>    1. Protocol: IPv4 UDP; Source: *; Port: *; Destination: *; Port: *80*;
>    Gateway: *
>    2. Protocol: IPv4 UDP; Source: *; Port: *; Destination: *; Port: *443*;
>    Gateway: *
>
>
> Now, when I try to access http://www.youtube.com with Chrome, it
> redirects to https://www.youtube.com but apparently it's blocked: *This
> site can’t be reached. The webpage at https://www.youtube.com/ might be
> temporarily down or it may have moved permanently to a new web address.
> ERR_QUIC_PROTOCOL_ERROR*
>
> Is that enough or do I have to consider anything else?
>
> Thank you so much for your guidance.
>
> José G.
>
> On Mon, May 8, 2017 at 4:21 PM, WebDawg <webd...@gmail.com> wrote:
>
>> There are interception modes.
>>
>> Peek
>>
>> Peek and splice
>>
>> And bump.
>>
>> So squid:
>>
>> I do not have it in front of me right now but it sounds like you do not
>> have the SSL proxy setup right.  Only one of those methods does not require
>> a SSL cert to be installed on a client system.
>>
>> Also you have to deal with pinned certs in web browsers....also you have to
>> deal with chrome udp protocols like QUIC that bypass the proxy entirely...
>>
>> It is either you have the proxy setup wrong or did not setup the squid
>> rules right.
>>
>> Web.....
>>
>> On May 8, 2017 11:34 AM, "José Gregorio Díaz Unda" <jgdiazu...@asyste.cl>
>> wrote:
>>
>> Dear PFSense crew,
>>
>> I'm not sure if this is the right place to post my issue. If not, please
>> let me know.
>>
>> Has somebody set up SSL filtering well in PFSense?
>>
>> I have installed:
>>
>> PFSense 2.3.3_1
>> squid 0.4.36_3
>> squidGuard 1.16.1
>>
>> Transparent Mode
>>
>> I just want to block YouTube (SSL) for a certain group of users via alias,
>> but when SquidGuard is enabled, any SSL traffic is blocked.
>>
>> This is a basic task but unfortunately it has been impossible to make it
>> work.
>>
>> Thanks in advance.
>>
>> José G.
>>
>> _______________________________________________
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
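
Added example (not part of the thread, and not pfSense, squid or squidGuard code): a small Python checker over squid's native access.log that separates the explanations the thread raises for "some machines are blocked and others are not". For each client it counts target requests the proxy saw and the filter denied (403), target HTTPS the proxy spliced through as a CONNECT tunnel despite the rules, and clients for which the proxy logged nothing at all for the target, which is what a UDP/QUIC path around a TCP-only transparent proxy looks like from the proxy's side. The log lines, the LAN client list and the IP addresses are constructed for the example; the field layout follows squid's default native log format.

```python
"""
Classify a client's handling of a filtered destination from squid's native
access.log: denied by the filter, spliced through, or never seen by the proxy.
Sample data below is constructed; nothing here is read from a live system.
"""
import re

# Constructed sample in squid's native format:
#   timestamp elapsed client result/status bytes method url user hierarchy/peer type
# 192.168.1.30 appears only for an unrelated site, mirroring a host whose
# YouTube traffic reached the Internet without touching the proxy.
SAMPLE_LOG = """\
1494280001.100    12 192.168.1.10 TCP_DENIED/403 3612 GET http://youtube.com/ - HIER_NONE/- text/html
1494280002.200    15 192.168.1.10 TCP_DENIED/403 3612 GET http://www.youtube.com/ - HIER_NONE/- text/html
1494280003.300   210 192.168.1.10 TCP_TUNNEL/200 5120 CONNECT www.youtube.com:443 - HIER_DIRECT/203.0.113.7 -
1494280004.400    14 192.168.1.20 TCP_DENIED/403 3612 GET http://mega.cl/ - HIER_NONE/- text/html
1494280005.500   190 192.168.1.20 TCP_TUNNEL/200 4096 CONNECT www.mega.cl:443 - HIER_DIRECT/203.0.113.9 -
1494280006.600    22 192.168.1.30 TCP_MISS/200 8822 GET http://example.net/ - HIER_DIRECT/203.0.113.11 text/html
"""

# Constructed list of LAN clients, so that a silent client shows up in the report.
LAN_CLIENTS = ["192.168.1.10", "192.168.1.20", "192.168.1.30"]

# Native-format fields are whitespace separated; only the leading ones are needed.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return the fields we care about as a dict, or None for a malformed line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def host_of(method, url):
    """The name the filter gets to match on: for a tunnelled/spliced request
    squid logs only host:port, for plain HTTP the full URL is present."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else url.lower()


def classify(log_text, target_regex, clients):
    """Bucket each client's requests whose host matches target_regex.

    Returns {client: {"denied": n, "spliced": n, "seen": bool}}.  "denied" is a
    403 from the proxy, "spliced" is a CONNECT the proxy tunnelled through,
    and seen == False means the proxy logged nothing for the target from that
    client at all.
    """
    pat = re.compile(target_regex, re.IGNORECASE)
    report = {c: {"denied": 0, "spliced": 0, "seen": False} for c in clients}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["client"] not in report:
            continue
        if not pat.search(host_of(rec["method"], rec["url"])):
            continue
        entry = report[rec["client"]]
        entry["seen"] = True
        if rec["status"] == "403":
            entry["denied"] += 1
        elif rec["method"] == "CONNECT" and rec["result"] == "TCP_TUNNEL":
            entry["spliced"] += 1
    return report


def unseen_clients(report):
    """Clients for which the proxy has no entry at all for the target."""
    return sorted(c for c, v in report.items() if not v["seen"])


if __name__ == "__main__":
    result = classify(SAMPLE_LOG, "youtube", LAN_CLIENTS)
    for client, v in sorted(result.items()):
        print(f"{client}: denied={v['denied']} spliced={v['spliced']} seen={v['seen']}")
    print("no proxy entry for target:", unseen_clients(result))
```

Read per client: a non-zero "spliced" count means the proxy saw the HTTPS request and its rules let it through, which points at the squid/squidGuard configuration; a client that was demonstrably on YouTube at the time but has seen=False never hit the proxy, which is the QUIC/UDP bypass case that the UDP 80/443 block rule in the thread is meant to close. To run it against real data, point it at the squid package's access log (on pfSense typically /var/squid/logs/access.log; verify the path in the package settings, as it is an assumption here) and pass the LAN addresses in question.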