I've been messing around with squid as a transparent proxy, but I'm having problems with Facebook. Everything else seems to work fine, but this is what I get if I try to go to Facebook:
If I set a bunch of the Facebook and akamaihd servers to bypass the proxy then it mostly works, but after a while some images stop loading properly. I assume this is because the bypass proxy setting works by IPs, which it resolves from the host names I used, but if those host names resolve differently in the browser then I get the errors.
It would be great if I could get a way to either have Facebook completely bypass the proxy all the time or get it to work properly through the proxy.
The only other site I've had the same problem with is Steam, which also uses akamaihd for its content delivery, so I'm guessing it has something to do with that.
Setting up a test now. PS: if you are going to run a VM of pfSense in Windows, then to connect to it you have to make a VM of Windows (the Windows host will connect to the Ethernet adapter) and no VM VLANs.
This is using the HTTPS proxy in squid 3 on pfSense, by the way. Not sure if the same thing happens with the HTTP proxy, but I think Facebook forces HTTPS anyway.
I think I've found the cause of the problem. It appears that pfSense does not trust the certificates used by akamaihd. If I disable remote certificate verification on the proxy server then everything works fine, but obviously that isn't a good solution. I'm going to see if it's possible to update the root CAs in pfSense.
If the client doesn't have the CA you're using in squid installed, then they'll get certificate errors when visiting HTTPS sites. But the problem with Facebook is that pfSense is unable to verify the real certificate from akamaihd.net, so the content isn't loaded and there is no option for the client to ignore the error.
I've tried manually adding the certificate to the trusted certs used by pfSense, but it doesn't make any difference either, and I've tried different SSL bump settings. Currently the only way around it is to disable certificate verification, which isn't a good solution.
Yeah, that's what I'm doing. I think that's the only way I'm going to get it to work properly, as the problem isn't with squid but with the host system. The problem I see with moving the proxy server off of pfSense is that I have four gateways which I use for different things, and I'm not sure how I would preserve that with an external proxy.
Well, I've sort of found a solution. I had tried using ACLs to bypass ssl_bump for the Akamai domain, but it didn't work. It turns out that this is because the CONNECT request is made with the IP address and not the domain, so the ACL either has to be the IP or the reverse DNS name. So adding these lines to the "custom ACL before auth" section of the squid configuration page on pfSense (or to the squid.conf file) bypasses the proxy for Akamai:
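The ACL lines the post refers to are not reproduced on this page. As an added illustration, not the poster's configuration and not the squid.conf that pfSense generates, here is what a bypass built on the point made above looks like in squid 3.4 syntax, placed next to the global "disable verification" escape hatch that the earlier posts rejected and next to the CA-bundle setting that addresses the underlying trust problem. The IP range, the reverse DNS suffix and the CA bundle path are assumptions: check what the akamaihd.net hosts resolve to on your own network (`host` / `dig -x`) and where your CA bundle lives, and substitute those.

```conf
# Added example, not from the original thread. Squid 3.4 syntax; on squid
# 3.5 and later "none" is the deprecated spelling of "splice" and
# "server-first" the deprecated spelling of "bump".

# 1. What "disable remote certificate verification" amounts to: every
#    upstream certificate error is accepted, for every site. Left commented
#    out on purpose; with it enabled the proxy hides bad certs from clients.
#sslproxy_cert_error allow all

# 2. Give squid a real CA bundle so the Akamai chain can actually be
#    verified. Assumption: FreeBSD's ca_root_nss bundle at its usual path.
sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt

# 3. Bypass ssl_bump for Akamai. In transparent (intercept) mode squid only
#    sees the destination IP, not a hostname, so match on the IP range or on
#    the name that IP reverse-resolves to (dstdomain does a reverse lookup
#    when the destination is an IP). Both values are assumptions: take them
#    from `dig -x <ip>` against the addresses your clients actually hit.
acl akamai_ip   dst 23.0.0.0/8
acl akamai_rdns dstdomain .deploy.static.akamaitechnologies.com

ssl_bump none akamai_ip
ssl_bump none akamai_rdns
ssl_bump server-first all
```

Order matters: the two `none` rules must come before the catch-all `server-first all`, because squid applies the first ssl_bump line whose ACL matches. After a reload, `squidclient mgr:config` shows whether the lines were picked up, and the access log should show Akamai connections as plain CONNECT tunnels rather than bumped requests.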
Your workaround did not work for me, but I found a simpler solution. In the web GUI, in the proxy server config, in the transparent proxy section, add akamaihd.net to "Bypass Proxy for These Destination IPs".
I'm pretty sure I tried that and it only worked temporarily. Ultimately I stopped using squid on pfSense because of this problem with their CA certificates, and also because you can no longer have squid use a VPN without making it the default gateway.