Certificate error with squid in manual mode

It’s just the same “redirection-problem” of blocked sites. :slight_smile:

Ok, thanks

Hi Filippo,
what do you mean by not https aware? I only want to understand what is happening in detail, so I can try to find a solution.

I have to say that I tried squid with squidguard with the MITM method as a transparent SSL proxy on my manual installation before.

AFAIK, squidguard cannot parse SNI from squid.
I appreciate your efforts, please continue to investigate.
I’ll be away from keyboard for some days.

@flatspin, I can’t reproduce your findings (the red block page showing URL https://www.facebook.com).
My env:
NethServer 6.8, manual proxy, social networks category blocked
Firefox, advanced settings connect to NethServer 6.8

Tests I made:

  1. access a blocked site via http → I see the red block page, url is http://…
  2. access a blocked site via https → I see Unable to connect ffox page

/var/log/squidGuard/urlfilter.log contains:

2017-01-25 11:00:36 [17917] Request(default/socialnet/-) www.facebook.com:443 192.168.56.1/192.168.56.1 - CONNECT REDIRECT
2017-01-25 11:20:37 [17917] Request(default/socialnet/-) http://anobii.com/ 192.168.56.1/192.168.56.1 - GET REDIRECT
2017-01-25 11:20:48 [17917] Request(default/socialnet/-) anobii.com:443 192.168.56.1/192.168.56.1 - CONNECT REDIRECT

As you can see, https requests have “:443” as expected.
I think this is the best explanation I found:

I think the transparent proxy with ssl in 6.8 decrypts all the ssl traffic and generates a fake certificate. Could it be that the fake certificate is the reason for showing the right block site?

Yes, you’re right. NS-Certificate is installed on all clients, so squid can decrypt and give a new cert to the client.
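
The urlfilter.log lines quoted earlier in the thread, run through a small parser that marks which blocked requests could actually show the red block page (an added example, not part of any post and not NethServer or squidGuard code). The field names are assumptions inferred from those three lines, and the rule "CONNECT redirects are not visible" applies to the manual proxy without SSL decryption discussed here.

```python
import re

# Constructed sample: the three urlfilter.log lines quoted in the thread.
SAMPLE_LOG = """\
2017-01-25 11:00:36 [17917] Request(default/socialnet/-) www.facebook.com:443 192.168.56.1/192.168.56.1 - CONNECT REDIRECT
2017-01-25 11:20:37 [17917] Request(default/socialnet/-) http://anobii.com/ 192.168.56.1/192.168.56.1 - GET REDIRECT
2017-01-25 11:20:48 [17917] Request(default/socialnet/-) anobii.com:443 192.168.56.1/192.168.56.1 - CONNECT REDIRECT
"""

# Field names are assumptions inferred from the sample lines above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<pid>\d+)\] "
    r"Request\((?P<acl>[^/]*)/(?P<category>[^/]*)/(?P<extra>[^)]*)\) "
    r"(?P<target>\S+) (?P<client>[^/\s]+)/(?P<client_name>\S+) "
    r"(?P<ident>\S+) (?P<method>\S+) (?P<action>\S+)$"
)

def parse_line(line):
    """Return the fields of one urlfilter.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def target_host(target):
    """Reduce 'http://host/path' or 'host:443' to the bare host name."""
    without_scheme = re.sub(r"^[a-z]+://", "", target, flags=re.I)
    return without_scheme.split("/", 1)[0].rsplit(":", 1)[0]

def block_page_visible(entry):
    # For CONNECT the filter only sees host:port, and a browser does not
    # render a redirect sent in answer to CONNECT, so the user gets a
    # connection error instead of the block page.
    return entry["action"] == "REDIRECT" and entry["method"] != "CONNECT"

def summarize(log_text):
    """List (client, category, host, method, visible) for each blocked request."""
    rows = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["action"] == "REDIRECT":
            rows.append((entry["client"], entry["category"],
                         target_host(entry["target"]), entry["method"],
                         block_page_visible(entry)))
    return rows
```

Rows with `visible` set to False are the requests where the user sees a browser connection error rather than the block page.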