Some trouble configuring proxy and HTTPS websites

NethServer Version: 7.3.1611
Module: proxy web + web filter

Hi, I have installed NethServer, joined it to my domain and configured the proxy server with krb authentication.

With HTTP sites the system works fine, but when I try to contact an HTTPS website the browser tells me that the certificate is not trusted and I can’t contact the webpage.

Another strange thing is that if I use IE, the browser redirects me to my NethServer webpage; Firefox and Chrome do not.

In the release notes I have read that with Squid 3.5 there is a new feature, SSL bump, which eliminates the certificate problem when I contact an HTTPS website, so why do I have this problem with the certificates?

thank you

Andrea

Hi Andrea,
please have a look at the certificate. Is it the certificate of the site or of your server? If it is your server certificate you have to import it as root certificate.


Hi, I use the self-signed certificate created during installation.

bye

Andrea

Have you imported it in Internet Explorer? In Firefox you have to accept it as an exception.
Please have a look at this thread too.

OK, but this feature from the 7.3 release

“We changed the behavior of the Transparent HTTPS proxy dropping the MITM (Man In The Middle) feature that inspects all the encrypted traffic, substituting it with a new implementation that sniffs only the beginning of the connection to discover the destination website (for filtering purposes). Basically, it means that we peek at the beginning of the connection to discover the destination website (and block it if desired) and then **let the traffic flow unaltered from the client PC to the secure website**. Some improvements introduced with this solution:
No certificate to install on browsers
No untrusted certificate warning
No sniffing on sensitive information
Seamless filtering of unwanted web sites, both HTTP and HTTPS”

Doesn’t it work with proxy authentication?

thanks

bye

Andrea

Transparent or authenticated.
Proxy mode is mutually exclusive, it’s a radio button.
You are using auth, so the above note from the release notes doesn’t apply to your system.

@malmsteen, could you temporarily disable the web filter and see what happens? Please, describe carefully everything you see (screenshots could be useful).

Is it possible to implement the same behaviour of HTTPS filtering in transparent mode in the authenticated mode too?

Hi, if I disable the web filter I can access HTTPS websites like Twitter and Facebook.

thanks

Andrea

If I enable the web filter

this is the result

thanks

Andrea

ok

So, are there other ways to block HTTPS with an authenticated proxy and without installing a certificate on all clients?

thanks

Andrea

Do not use a proxy unless you are ready to manage all the issues that come with it. Many devices do not work behind it, you will have to manually add exempt hosts etc. I had at least 5 devices that wouldn’t get internet behind the transparent proxy. Internet was also so unstable I had to disable it. I’m guessing it was maybe a performance issue with the server? Anyways, NO, you cannot use authenticated with transparent SSL through the GUI; maybe through the CLI. I wouldn’t recommend making backend changes like that.


@saitobenkei, I can’t understand the question.
Please, describe in full details what you expect and what you find/see.

@malmsteen, I can’t reproduce the problem.
Please, have a look at the logs: /var/log/squid/cache.log and access.log.
Also, /var/ufdbguard/logs/ufdbguardd.log (look for twitter).

Hello,

this behaviour comes from ufdbguard when it’s blocking HTTPS sites…
Please read the ufdbguard manual; it’s described there, but if I’m understanding right there is no solution for that at the moment.


For sites you have blocked? This comes from ufdbguard like @denis.robel said. If the error appears for sites you don’t block, we have to look at what went wrong.

Hi, this morning I tried to connect to some HTTPS sites that are not blocked by the web filter; this is the ufdbguardd.log output:

“2017-03-29 08:58:50 [5152] BLOCK it_user1 10.39.5.162 src_pippo files safebrowsinggooglecom:443 CONNECT
2017-03-29 08:58:51 [5152] BLOCK it_user1 10.39.5.162 src_pippo files shavarservicesmozilla.com:443 CONNECT
2017-03-29 08:59:04 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 08:59:05 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 08:59:05 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 08:59:06 [5152] BLOCK it_user1 10.39.5.162 src_pippo files www.googlecom:443 CONNECT
2017-03-29 08:59:06 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 08:59:06 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 08:59:06 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 08:59:09 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 09:00:31 [5152] BLOCK it_user1 10.39.5.162 src_pippo files mailyahoocom:443 CONNECT”

and from access.log

“1490770749.617 0 10.39.5.162 TCP_DENIED/407 4169 CONNECT wwwgooglecom:443 - HIER_NONE/- text/html
1490770749.652 31 10.39.5.162 TCP_TUNNEL/200 1732 CONNECT wwwgooglecom:443 it_user1 HIER_DIRECT/10.39.1.51 -
1490770831.351 0 10.39.5.162 TCP_DENIED/407 4169 CONNECT mailyahoocom:443 - HIER_NONE/- text/html
1490770831.417 62 10.39.5.162 TCP_TUNNEL/200 1732 CONNECT mailyahoocom:443 it_user1 HIER_DIRECT/10.39.1.51 -”

I also tried to create a new filter rule like this

without any category checked, and in this situation https://mail.yahoo.com works fine, but with Google and Twitter I have the same problem.

thanks

bye

Andrea
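Added example (not part of the original posts, and not NethServer or ufdbguard code): a Python sketch that tallies ufdbguardd.log BLOCK lines per user, category and URL, then looks up where Squid's access.log says the matching CONNECT was tunnelled. In the excerpt above both tunnels end at HIER_DIRECT/10.39.1.51, and `shared_peers` reports that pattern. The ufdbguard field names (source, category) are assumed from the layout of the lines in the post, and the sample lines and hostnames are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, laid out like the excerpts in the post above.
UFDB_LOG = """\
2017-03-29 08:59:04 [5152] BLOCK it_user1 10.39.5.162 src_pippo files www.example.com:443 CONNECT
2017-03-29 08:59:05 [5152] BLOCK it_user1 10.39.5.162 src_pippo files www.example.com:443 CONNECT
2017-03-29 09:00:31 [5152] BLOCK it_user1 10.39.5.162 src_pippo files mail.example.org:443 CONNECT
"""
SQUID_LOG = """\
1490770749.617 0 10.39.5.162 TCP_DENIED/407 4169 CONNECT www.example.com:443 - HIER_NONE/- text/html
1490770749.652 31 10.39.5.162 TCP_TUNNEL/200 1732 CONNECT www.example.com:443 it_user1 HIER_DIRECT/10.39.1.51 -
1490770831.417 62 10.39.5.162 TCP_TUNNEL/200 1732 CONNECT mail.example.org:443 it_user1 HIER_DIRECT/10.39.1.51 -
"""

# Assumed field order after BLOCK: user, client IP, source, category, URL, method.
UFDB_RE = re.compile(r"^\S+ \S+ \[\d+\] BLOCK (\S+) (\S+) (\S+) (\S+) (\S+) \S+$")

def parse_blocks(text):
    """Count BLOCK lines per (user, client, source, category, url)."""
    hits = (UFDB_RE.match(line.strip()) for line in text.splitlines())
    return Counter(m.groups() for m in hits if m)

def parse_tunnels(text):
    """Map (client, url) to the peer address of each TCP_TUNNEL/200 CONNECT."""
    tunnels = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[3] == "TCP_TUNNEL/200" and f[5] == "CONNECT":
            tunnels[(f[2], f[6])] = f[8].split("/", 1)[-1]
    return tunnels

def correlate(ufdb_text, squid_text):
    """One row per blocked URL: category, block count, where Squid tunnelled it."""
    tunnels = parse_tunnels(squid_text)
    return [
        {"user": user, "source": source, "category": category, "url": url,
         "blocks": n, "tunnel_peer": tunnels.get((client, url))}
        for (user, client, source, category, url), n
        in sorted(parse_blocks(ufdb_text).items())
    ]

def shared_peers(rows):
    """Peers that received tunnels for more than one blocked hostname."""
    by_peer = defaultdict(set)
    for r in rows:
        if r["tunnel_peer"]:
            by_peer[r["tunnel_peer"]].add(r["url"])
    return {p: sorted(u) for p, u in by_peer.items() if len(u) > 1}
```

Calling `correlate()` on the real log contents shows at a glance which category is matching each CONNECT, which is the first thing to check when sites outside the intended block list are being denied.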

@filippo_carletti: I understand that the HTTPS proxy and scan works as described only if the proxy is configured as transparent. Is there the possibility to have the same behaviour when the proxy is configured in authenticated mode?

Hi Andrea,
can you post your squid.conf and ufdbguard.conf please?
Your log says sites are blocked; there could be something wrong in the conf files.

The squid proxy has the same behavior in every mode.
When authenticated, you also know the user name (it can be shown in reports): a user can be blocked by username. When transparent or manual, you don’t know the user name. That’s it.