Problems with facebook and squid

I've been messing around with squid as a transparent proxy but I'm having problems with facebook. Everything else seems to work fine but this is what I get if I try to go to facebook:

If I set a bunch of the facebook and akamaihd servers to bypass the proxy then it mostly works but after a while some images stop loading properly. I assume this is because the bypass proxy setting works by IPs which it resolves from the host names I used. But if those host names resolve differently in the browser then I get the errors.

It would be great if I could get a way to either have facebook completely bypass the proxy all the time or get it to work properly through the proxy.

The only other site I've had the same problem with is steam, which also uses akamaihd for its content delivery, so I'm guessing it has something to do with that.

Setting up a test now.
PS. If you are going to run a VM of pfSense in Windows then to connect to it you have to make a VM of Windows
(the Windows host will connect to the ethernet adapter) and no VM VLANs.

This is using the HTTPS proxy on squid 3 on pfsense by the way. Not sure if the same thing happens with the HTTP proxy but I think facebook forces https anyway.

I think I've found the cause of the problem. It appears that pfsense does not trust the certificates used by akamaihd. If I disable remote certificate verifying on the proxy server then everything works fine, but obviously that isn't a good solution. I'm going to see if it's possible to update the root CAs in pfsense.

On mine I am using squid 3 and squidguard.
I don't know if I'm using the https proxy but I think I'm having a similar problem (not me but client complaints).

If the client doesn't have the CA you're using in squid installed then they'll get certificate errors when visiting https sites. But the problem with Facebook is that pfsense is unable to verify the real certificate from akamaihd.net so the content isn't loaded and there is no option for the client to ignore the error.

I've tried manually adding the certificate to the trusted certs used by pfsense but it doesn't make any difference, and neither does trying different ssl bump settings. But currently the only way around it is to disable certificate verifying, which isn't a good solution.

Are you by chance using squid as a MITM SSL proxy? My setup does not suffer from this but I'm using a WPAD setup on squid3.

Yeah that's what I'm doing. I think that's the only way I'm going to get it to work properly as the problem isn't with squid but the host system. The problem I see with moving the proxy server off of pfsense is that I have four gateways which I use for different things and I'm not sure how I would preserve that with an external proxy.

Good book I've used in the past for Squid, look it up.

Squid Proxy Server 3.1: Beginner's Guide

Link: https://www.packtpub.com/networking-and-servers/squid-proxy-server-31-beginners-guide

Well I've sort of found a solution. I had tried using ACLs to bypass ssl_bump for the akamai domain but it didn't work. It turns out that this is because the CONNECT request is made with the IP address and not the domain, so the ACL either has to be the IP or the reverse DNS name. So adding these lines to the "custom ACL before auth" section of the squid configuration page on pfsense (or to the squid.conf file) bypasses the proxy for akamai:

# Match on the reverse DNS name of the destination (the CONNECT target is an IP,
# so a dstdomain suffix like .akamaihd.net never sees the name you expect)
acl bypass_domain dstdom_regex akamai
# Do not intercept TLS for destinations matching that ACL
ssl_bump none bypass_domain

I had tried before using dstdomain .akamaihd.net but this didn't work; using regex and just akamai works with the reverse DNS name.

This is really just a workaround as the real problem is with pfsense not verifying the server certificates correctly.
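The two failure modes described in this thread (an IP-based CONNECT that a dstdomain suffix ACL never matches, and a bypass-by-IP list that goes stale when the hostname resolves to a new address) can be reproduced offline with a small model of squid's ACL matching. This is an added example and not code from the thread or from squid/pfSense; it assumes squid's documented behaviour that dstdomain and dstdom_regex reverse-resolve an IP-literal destination before matching, and the DNS answers below are constructed (the akamaitechnologies.com PTR naming is illustrative only).

```python
import ipaddress
import re

# Constructed reverse-DNS table standing in for the resolver. Akamai edge
# PTR names do not end in .akamaihd.net, which is the crux of the problem.
REVERSE_DNS = {
    "203.0.113.10": "a203-0-113-10.deploy.static.akamaitechnologies.com",
    "203.0.113.11": "a203-0-113-11.deploy.static.akamaitechnologies.com",
    "198.51.100.5": "edge-star-mini-shv-01.example-social.net",
}

# Constructed forward-DNS answers at two points in time: the CDN hostname
# later resolves to a different edge node than when the bypass list was built.
FORWARD_DNS_AT_SETUP = {"fbcdn-profile-a.akamaihd.net": ["203.0.113.10"]}
FORWARD_DNS_LATER = {"fbcdn-profile-a.akamaihd.net": ["203.0.113.11"]}


def is_ip(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def effective_name(target):
    """Name the domain ACLs compare against: the CONNECT host itself, or its
    PTR name when the client connected by IP (as a transparent proxy sees)."""
    if is_ip(target):
        return REVERSE_DNS.get(target)  # None if no PTR record
    return target.lower()


def dstdomain_matches(pattern, name):
    # ".example.com" matches example.com and any subdomain; a bare name
    # matches only itself (squid dstdomain semantics).
    if name is None:
        return False
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def dstdom_regex_matches(pattern, name):
    # Regex ACLs are case-sensitive unless -i is given; this model omits -i.
    if name is None:
        return False
    return re.search(pattern, name) is not None


def ssl_bump_action(target, rules):
    """rules: list of (acl_type, pattern, action), first match wins, like a
    sequence of ssl_bump lines each referencing one ACL. Default is 'bump'."""
    name = effective_name(target)
    for acl_type, pattern, action in rules:
        matcher = dstdomain_matches if acl_type == "dstdomain" else dstdom_regex_matches
        if matcher(pattern, name):
            return action
    return "bump"


# The two rule sets the poster tried.
RULES_DSTDOMAIN = [("dstdomain", ".akamaihd.net", "none")]
RULES_REGEX = [("dstdom_regex", "akamai", "none")]


def bypass_list_from_hostnames(hostnames, forward_dns):
    """Model of a 'bypass these destination IPs' list built from hostnames:
    it freezes whatever addresses the names resolved to at setup time."""
    ips = set()
    for host in hostnames:
        ips.update(forward_dns.get(host, []))
    return ips


def bypassed_by_ip(ip, bypass_ips):
    return ip in bypass_ips


if __name__ == "__main__":
    for target in ("fbcdn-profile-a.akamaihd.net", "203.0.113.10", "198.51.100.5"):
        print(target, "dstdomain ->", ssl_bump_action(target, RULES_DSTDOMAIN),
              "| dstdom_regex ->", ssl_bump_action(target, RULES_REGEX))
    bypass = bypass_list_from_hostnames(["fbcdn-profile-a.akamaihd.net"], FORWARD_DNS_AT_SETUP)
    later_ip = FORWARD_DNS_LATER["fbcdn-profile-a.akamaihd.net"][0]
    print("later edge", later_ip, "bypassed:", bypassed_by_ip(later_ip, bypass))
```

With an explicit hostname in the CONNECT (a non-transparent, WPAD-style client) the dstdomain suffix rule works; with the IP-literal CONNECT a transparent proxy sees, only the PTR name is available, and a pattern that matches the CDN operator's reverse-DNS naming is what actually fires. The bypass-by-IP model shows why the pfSense destination-IP list works "only temporarily": it never learns about edge nodes the hostname resolves to after the list was built.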

Don't use facebook.


Your workaround did not work for me. But I found a simpler solution.
On the webgui, in the proxy server config, in the transparent proxy section, add akamaihd.net to "Bypass Proxy for These Destination IPs".

I'm pretty sure I tried that and it only worked temporarily. Ultimately I stopped using squid on pfsense because of this problem with their CA certificates and also because you can no longer have squid use a VPN without making it the default gateway.