NethServer Version: 7.3.1611
Module: proxy web + web filter
Hi, I have installed NethServer, joined it to my domain and configured the proxy server with krb authentication.
With http sites the system works fine, but when I try to contact an https website the browser tells me that the certificate is not trusted and I can’t contact the webpage.
Another strange thing is that if I use IE, the browser redirects me to my NethServer webpage; Firefox and Chrome do not.
In the release notes I have read that with squid 3.5 there is a new feature, ssl bump, which eliminates the certificate problem when I contact an https website, so why do I have this problem with the certificates?
Hi Andrea,
please have a look at the certificate. Is it the certificate of the site or of your server? If it is your server certificate you have to import it as root certificate.
“We changed the behavior of the Transparent HTTPS proxy dropping the MITM (Man In The Middle) feature that inspects all the encrypted traffic, substituting it with a new implementation that sniffs only the beginning of the connection to discover the destination website (for filtering purposes). Basically, it means that we peek at the beginning of the connection to discover the destination website (and block it if desired) and then **let the traffic flow unaltered from the client PC to the secure website**. Some improvements introduced with this solution:
- No certificate to install on browsers
- No untrusted certificate warning
- No sniffing on sensitive information
- Seamless filtering of unwanted web sites, both HTTP and HTTPS”
Transparent or authenticated.
Proxy mode is mutually exclusive, it’s a radio button.
You are using auth, so the above note from the release notes doesn’t apply to your system.
@malmsteen, could you temporarily disable the web filter and see what happens? Please, describe carefully everything you see (screenshots could be useful).
Do not use a proxy unless you are ready to manage all the issues that come with it. Many devices do not work behind it, you will have to manually add exempt hosts etc. I had at least 5 devices that wouldn’t get internet behind the transparent proxy. Internet was also so unstable I had to disable it. I’m guessing it was maybe a performance issue with the server? Anyways, NO, you cannot use authenticated with transparent ssl through the GUI; maybe through the CLI, but I wouldn’t recommend making backend changes like that.
@saitobenkei, I can’t understand the question.
Please, describe in full details what you expect and what you find/see.
@malmsteen, I can’t reproduce the problem.
Please, have a look at the logs: /var/log/squid/cache.log and access.log.
Also, /var/ufdbguard/logs/ufdbguardd.log (look for twitter).
This behaviour comes from ufdbguard when it’s blocking https sites…
Please read the ufdbguard manual, it’s described there, but if I’m understanding right there is no solution for that at the moment.
For sites you have blocked? This comes from ufdbguard like @denis.robel said. If the error appears for sites you don’t block, we have to look at what went wrong.
@filippo_carletti: I understand that the https proxy and scan work as described only if the proxy is configured as transparent. Is there the possibility to have the same behaviour when the proxy is configured in authenticated mode?
The squid proxy has the same behavior in every mode.
When authenticated, you also know the user name (it can be shown in reports): a user can be blocked by username. When transparent or manual, you don’t know the user name. That’s it.