Certificate error with squid in manual mode

I don’t want a certificate error. Because users can’t differentiate if it is a site they don’t have to open or maybe another problem with a certificate.

Agreed.
Unfortunately, the redirection of a blocked https url can’t go to a webpage, only to a FQDN.
We could build an appropriate page globally available at something like “https://blocked.nethserver.org/” and redirect all nethserver installations to the url by default, leaving the option to the admin to host a customized page where he/she prefers.

Please, try the following customizations as a proof of concept, if it’s okay I’ll update the package:

echo "redirect-https     \"blockedhttps.urlfilterdb.com:443\"" >/etc/e-smith/templates-custom/etc/ufdbguard/ufdbGuard.conf/18redirect-https
expand-template /etc/ufdbguard/ufdbGuard.conf
/usr/sbin/ufdbsignal -C "sighup ufdbguardd"

Thank you.

3 Likes

Hi,
I’ve done your steps, but I still get a certificate error, though not the same as before.


IE still says that the certificate is for another site.

I quote myself:

Honestly, I’m out of ideas. Browsers are implementing stricter checks on certificates to protect the users from attackers. We may find a “fix”, but how long will it work?

I’ll make some more tests in the afternoon. I’ll keep you informed.

1 Like

Which Firefox version do you use? Can you try it with IE 11 too, please?

Perhaps we can find the reason why it works in 6.8 but not in 7.

Hi Michael, thank you for your reply.

I found a solution this morning. I changed the issuer from NethServer (default) to the FQDN and generated a new certificate. Now the certificate is shown as trusted.

Chrome
IE 11 works also.

Thanks for your answer, my issuer is my FQDN (groupware.jonas)

I think I have another problem: the browser wants to have a certificate for the redirected site like https://www.facebook.com, but it gets my own certificate for groupware.jonas.

I re-read a lot of documentation and made some tests. My conclusion is that there’s no technical way to show a clear block page to the user with current browsers.
I can quote ufdbguard documentation:

5.7 Redirection of HTTPS-based URLs
Squid requires that HTTP-based URLs are redirected to other HTTP-based URLs and that HTTPS-based URLs are redirected to other HTTPS-based URLs. This causes a problem since most web browsers do not accept a redirection of a HTTPS-based URL. There is no solution for this issue: the standards of HTTP, ICAP and web proxies do not have support for such feature. Basically, this means that blocked HTTPS-based sites cause unexpected browser-generated error messages like “cannot connect to www.example.com” or “www.example.com does not have a valid SSL certificate”.

You can read chapter 3.1 (https://www.urlfilterdb.com/files/downloads/ReferenceManual.pdf).

In 6.8 we used a different redirector (squidGuard) which is not https aware and no longer compatible with newest squid versions.

We may find a different redirector, but I think that’s a protocol and browser issue, we have no control over them.

I appreciate your opinions and experiences with different products.

3 Likes
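To make the constraint quoted from the ufdbguard manual concrete, here is an added illustration of the decision a Squid url_rewrite helper can make; it is example code written for this thread, not code from ufdbguard, squidGuard or NethServer. A plain HTTP request can be answered with a 302 to a block page, but a CONNECT request carries only host:port, so the only thing a helper can do is point the tunnel at another TLS host, whose certificate the browser then rejects as belonging to the wrong site. The blocklist, the block page URL and the “proxy.example” name are constructed assumptions; the line format follows Squid’s documented helper protocol (“[channel-ID] URL client_ip/fqdn ident method …” in, “OK …”/“ERR” out) as I understand it for Squid 3.4 and later.

```python
"""Added example: decision logic of a Squid url_rewrite helper, showing
why a blocked HTTPS (CONNECT) request cannot be sent to a block page."""
import sys
from urllib.parse import quote

# Constructed blocklist for the example, host -> category (assumption).
BLOCKED_HOSTS = {"www.facebook.com": "socialnet", "anobii.com": "socialnet"}

# Placeholder HTTP block page (assumption) and the TLS endpoint that blocked
# tunnels are pointed at, as in the redirect-https setting quoted above.
BLOCK_PAGE = "http://proxy.example/block.html"
BLOCKED_TLS_HOST = "blockedhttps.urlfilterdb.com:443"


def parse_request(line):
    """Parse one helper input line: '[channel] URL ip/fqdn ident method ...'.
    The optional leading channel id is present when Squid runs the helper
    with concurrency enabled."""
    fields = line.split()
    channel = fields.pop(0) if fields and fields[0].isdigit() else None
    url, client, ident, method = fields[:4]
    return {"channel": channel, "url": url, "client": client.split("/")[0],
            "ident": ident, "method": method.upper()}


def host_of(url, method):
    """Destination host of a request; a CONNECT carries only host:port."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    rest = url.split("://", 1)[1] if "://" in url else url
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def decide(line):
    """Return the helper's reply for one request line."""
    req = parse_request(line)
    prefix = f"{req['channel']} " if req["channel"] else ""
    category = BLOCKED_HOSTS.get(host_of(req["url"], req["method"]))
    if category is None:
        return prefix + "ERR"  # not blocked: Squid keeps the original URL
    if req["method"] == "CONNECT":
        # No URL exists at this point, only a tunnel endpoint, so the best a
        # helper can do is swap the endpoint. The browser expected a
        # certificate for the original host and shows a mismatch error.
        return prefix + f'OK rewrite-url="{BLOCKED_TLS_HOST}"'
    # Plain HTTP: a real redirect to a page that can explain the block.
    target = f"{BLOCK_PAGE}?url={quote(req['url'], safe='')}&cat={category}"
    return prefix + f'OK status=302 url="{target}"'


def main():
    """Helper loop: one request per line on stdin, one reply per line."""
    for line in sys.stdin:
        if line.strip():
            sys.stdout.write(decide(line) + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Feeding the script a CONNECT line such as `www.facebook.com:443 192.168.56.1/- - CONNECT` yields only a `rewrite-url` to another host, which is exactly the situation the thread describes: the client then receives a certificate issued for that host, not for www.facebook.com.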

I created a little blockpage and put it into /var/www/html and now it shows this when I try to reach a blacklisted https-page:

But this doesn’t work with facebook, I think because of HSTS.

With “normal” blacklisted http-sites it shows the block-page of ufdbguard.

This is o.k. for me.
PS: I’m using chrome.

Hi Filippo,
thanks for your work.

Before I came to Nethserver last year I set up squid 3.5.19 with squidguard manually on Ubuntu 14.04 and it works fine.
I had to add the following lines to the squid.conf

# redirect_program
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 20

Hi Ralf,
thanks for your work too.
Does it work with facebook in 6.8? If so, can somebody explain to me the difference between squidguard and urlfilterdb.

Hi Michael,

I’m using transparent with SSL in NS6 with squidguard and it works fine to block https-sites.

The difference is explained by @filippo_carletti in this thread

I have to say at the moment NS6 is more suitable for my personal needs than NS7, but don’t forget it’s still RC, not final. So I’m faithful that NS7 final will fit all needs perfectly!!

2 Likes

Hi Ralf,
I think with a transparent SSL proxy you don’t have any problems with version 7 too, because your squid creates a dynamic certificate for each site. So you can’t have a wrong one.
But I can’t use the transparent version, it doesn’t work with the banking stick and it’s a big security risk.

It’s just the same “redirection-problem” of blocked sites. :slight_smile:

Ok, thanks

Hi Filippo,
what do you mean with not https aware? I only want to understand what is happening in detail, so I can try to find out a solution.

I have to say that I tried squid with squidguard with the MITM method on a transparent SSL proxy on my manual installation before.

AFAIK, squidguard cannot parse SNI from squid.
I appreciate your efforts, please continue to investigate.
I’ll be away from keyboard for some days.

@flatspin, I can’t reproduce your findings (the red block page showing URL https://www.facebook.com).
My env:
NethServer 6.8, manual proxy, social networks category blocked
Firefox, advanced settings connect to NethServer 6.8

Tests I made:

  1. access a blocked site via http → I see the red block page, url is http://…
  2. access a blocked site via https → I see Unable to connect ffox page

/var/log/squidGuard/urlfilter.log contains:

2017-01-25 11:00:36 [17917] Request(default/socialnet/-) www.facebook.com:443 192.168.56.1/192.168.56.1 - CONNECT REDIRECT
2017-01-25 11:20:37 [17917] Request(default/socialnet/-) http://anobii.com/ 192.168.56.1/192.168.56.1 - GET REDIRECT
2017-01-25 11:20:48 [17917] Request(default/socialnet/-) anobii.com:443 192.168.56.1/192.168.56.1 - CONNECT REDIRECT

As you can see, https requests have “:443” as expected.
I think this is the best explanation I found:

I think the transparent proxy with ssl in 6.8 decrypts all the ssl traffic and generates a fake certificate. Could it be that the fake certificate is the reason for showing the right block site.

Yes, you’re right. NS-Certificate is installed on all clients, so squid can decrypt and give a new cert to the client.
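As an added aid for reading the urlfilter.log lines posted earlier in the thread (example code written here, not part of ufdbguard, squidGuard or NethServer): the parser below splits each entry into its fields and separates blocked CONNECT tunnels, where only host:port is logged and the user ends up with a browser certificate error, from blocked plain-HTTP requests, which do reach the block page. The sample input reuses the three lines from the thread plus one constructed junk line to show that unparseable lines are skipped; the field layout is inferred from those lines.

```python
"""Added example: parse squidGuard/ufdbGuard-style urlfilter.log lines and
report which blocked requests were HTTPS tunnels versus plain HTTP."""
import re
from collections import Counter

# Field layout inferred from the log lines quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<pid>\d+)\] "
    r"Request\((?P<db>[^/]+)/(?P<category>[^/]+)/(?P<rule>[^)]*)\) "
    r"(?P<url>\S+) (?P<client>\S+) (?P<ident>\S+) (?P<method>\S+) (?P<action>\S+)$"
)

# Three lines copied from the thread; the last line is constructed garbage.
SAMPLE_LOG = """\
2017-01-25 11:00:36 [17917] Request(default/socialnet/-) www.facebook.com:443 192.168.56.1/192.168.56.1 - CONNECT REDIRECT
2017-01-25 11:20:37 [17917] Request(default/socialnet/-) http://anobii.com/ 192.168.56.1/192.168.56.1 - GET REDIRECT
2017-01-25 11:20:48 [17917] Request(default/socialnet/-) anobii.com:443 192.168.56.1/192.168.56.1 - CONNECT REDIRECT
this line is constructed garbage and must be skipped
"""


def parse_line(line):
    """Return a dict for one log entry, or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["client"] = rec["client"].split("/")[0]
    if rec["method"] == "CONNECT":
        # A tunnel: Squid never sees the URL, only host:port (":443" here).
        host, _, port = rec["url"].rpartition(":")
        rec["host"], rec["port"], rec["tunnel"] = host.lower(), port, True
    else:
        rec["host"] = rec["url"].split("://", 1)[-1].split("/", 1)[0].lower()
        rec["port"], rec["tunnel"] = "", False
    return rec


def parse_log(text):
    """Parse all lines, silently dropping unparseable ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def blocked_tunnel_hosts(records):
    """Hosts whose CONNECT was redirected: those users saw a browser
    certificate error instead of the block page."""
    return sorted({r["host"] for r in records
                   if r["action"] == "REDIRECT" and r["tunnel"]})


def summarize(records):
    """Count redirected requests per (category, method)."""
    return Counter((r["category"], r["method"]) for r in records
                   if r["action"] == "REDIRECT")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blocked tunnels:", blocked_tunnel_hosts(recs))
    for (cat, method), n in sorted(summarize(recs).items()):
        print(f"{cat:12} {method:8} {n}")
```

Running it on the sample gives two redirected CONNECT entries (www.facebook.com and anobii.com) and one redirected GET, matching the observation above that the https requests show up with “:443” and never carry a full URL.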