ClamAV on HTTPS Traffic using Web Proxy - Connection timing out

[Ren]

I'm currently running into issues configuring CLAMAV + Web Proxy to inspect HTTPS traffic. Each time i enable the functionality all websites except for google fail to load as the connection to each site times out.

Firewall Rule for HTTPS set

Code: [Select]

LAN TCP LAN net * * 80 (HTTP) 127.0.0.1 3128 redirect traffic to proxy    
LAN TCP LAN net * * 443 (HTTPS) 127.0.0.1 3129 redirect traffic to proxy
I do not see any errors in the access logs nor cache

Code: [Select]

192.168.5.127 - 54:60:********** - [02/Dec/2017:13:27:22 -0500] "HEAD http://clients1.google.com/generate_204 HTTP/1.1" 204 228 "-" "-" TCP_MISS:ORIGINAL_DST
192.168.5.121 - 1c:1b********** - [02/Dec/2017:13:26:40 -0500] "GET http://twitch.tv/ HTTP/1.1" 302 474 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" TCP_MISS:ORIGINAL_DST
192.168.5.121 - 1c:1b********** - [02/Dec/2017:13:25:39 -0500] "GET http://cdn.content.prod.cms.msn.com/singletile/summary/alias/experiencebyname/today? HTTP/1.1" 200 1724 "-" "Microsoft-WNS/10.0" TCP_REFRESH_MODIFIED:ORIGINAL_DST
192.168.5.127 - 54:60:********** - [02/Dec/2017:13:24:08 -0500] "HEAD http://clients1.google.com/generate_204 HTTP/1.1" 204 228 "-" "-" TCP_MISS:ORIGINAL_DST
192.168.5.127 - 54:60:********** - [02/Dec/2017:13:23:31 -0500] "HEAD http://clients1.google.com/generate_204 HTTP/1.1" 204 228 "-" "-" TCP_MISS:ORIGINAL_DST

The system log is complaining there isnt a valid cert for  traffic on port 3128. Even though SSL traffic is on port 3129 (im using a valid letsencrypt cert for SSL)

Code: [Select]

Dec 2 13:22:57 squid: No valid signing SSL certificate configured for HTTP_port 127.0.0.1:3128
Dec 2 13:21:16 squid: No valid signing SSL certificate configured for HTTP_port 127.0.0.1:3128
What am i missing ?

[bobbythomas]

I think you might have configured the proxy incorrectly. Are you using letsencrypt cert for ssl inspection? You cannot use letsencrypt for ssl inspection, you will need an internal CA or self signed cert. Please go through the proxy documentation once again.

Thank you,
Regards,
Bobby Thomas

[Ren]

I think you might have configured the proxy incorrectly. Are you using letsencrypt cert for ssl inspection? You cannot use letsencrypt for ssl inspection, you will need an internal CA or self signed cert. Please go through the proxy documentation once again.

Thank you,
Regards,
Bobby Thomas

Hmmm why can't i use a letsencrypt cert ? I know the documentations states using a  self signed cert however i wanted to bypass importing of that cert to my workstations by using a cert issued by letsencrypt thats tied to my dynamic dns by duckdns . As such it should be valid cert and not receive any warnings

[mimugmail]

When you want to enable SSL scanning you need a CA which creates a certfiicate for every site you visit on the fly. Don't think this will work with Let's encrypt.

You can roll out the self-signed CA via GPO for example .. ?

This is also the commercial vendors do SSL scanning.

Edit Fabian: Fix Typo

[fabian]

When you want to enable SSL scanning you need a CA which creates a certfiicate for every site you visit on the fly. Don't think this will work with Let's encrypt.

No CA will give you such a certificate as this should result in the removal from trust stores which renders the CA useless.