wow how the time passed posting this more then a year ago :0

Well i tried the redirect URL but I just gave up and when a user cant get in a website they notify me and i fix it,

Bump? anyone?

Help, I got same issue.
After rebooting the machine, it works.
Cant afford to keep restarting the machine, needing permanent fixed.

Any advised?

You cannot just redirect HTTPS unfortunately. Might have more luck with actually changing contents - like https://docs.diladele.com/tutorials/filtering_https_traffic_squid_pfsense/index.html (not verified with transparent intercept option like you desire).

force google and bing into safe search mode and block the rest.
https://forum.pfsense.org/index.php?topic=112335.0

Never mind. Just found the solution.

For anyone else having this issue: change your "Http check method" to "GET"

Thanks anyway!

@paullibin07:

Hi There,
We are using Squid proxy with Pfsence to filter logs and Light Squid to show the reports.

In reports it showing IP based reports but as we are using DHCP we can not relay on the IP based reports, Is there any option to generate Mac based reports so can easily identify the user details.

Can you guys help me for that.

Wow that's a lot of RAM, are you even utilising all of that? I find that squid although helps in some cases, in this day and age it doesn't work as well as you'd expect. Due to content being dynamic, and sometimes changing from download to download. And of course the fact that sites are moving to HTTPS.

@vielfede:

tutorial seems ok…
Did you check the system logs?
are services started?

Squid only has 3 log files available and they don't seem to tell alot about network traffic.. Here they are anyways: (3 cache log files)

cache.log.0.txt
cache.log.1.txt
cache.log.txt

@dexener:

This is a feature from squidproxy  :P

Here you can find my conf.  (no mitm just web filtering) although with squid package version 0.4.37 I noticed some improvement but There is still some problems (see topic).
https://forum.pfsense.org/index.php?topic=132719.0

Indeed the only one flawlessly working conf for web https proxy filtering is aGeeekHere's one (using splice all+wpad+transparent): https://forum.pfsense.org/index.php?topic=112335.0

I hope in a new better package…

I still have issues with Squid SSL proxy filtering and after some searching discovered several threads in which some claim to have fixed the SSL ERROR 92 issue when visiting some sites. I now realize I have to self test my pfsense setup for rules and blocking after finding some proposed fixes which whilst enabling Squid SSL filter, left Squid not filering at all! The same was true of SquidclamAV and testing if DNS cache was actually working or not. Here are my simple tests:

1. Squid SSL filter ERROR 92 website blocked.
https://ami.com

You need this site for important BIOS files!

2. SquidclamAV HTTP & HTTPS anti virus;
http://www.eicar.org/download/eicar.com

If you can download the SSL test file your Squid SSL filter is broken!

3. Ad blocking with pfblockerNG (e.g Cameleon) disable local browser Adblock:
Try www.008.free-counters.co.uk

If you get their server page, Ad blocking isn't working. If the page is black, it's working.
Download and save the txt files for your DNSBL feeds, extract sites in the list and test they are blocked.

Also try www.aol.com - plenty of ads there to block.

4. Is squid proxy server cacheing after initial setup?
From the pfsense box console option 8 shell:

du -sh /var/squid/cache/00

Check the folder size, browse to sites you haven't been to, resend the above command. If the folder size increases, squid proxy cache is working. Browse back to sites you have been to, resend the command line and check the folder size hasn't changed.

I still can't get Squid SSL proxy filtering to work for all sites, whilst correctly rejecting the eicar.com SSL download. It isn't related to local browser CA because the error screen comes from Squid.  Any suggestions please or am I a muppet?

@jok:

I'm trying to publish Outlook Anywhere and RDS gateway through proxy Squid reverse.

@myselfo:

Anyway, I fine-tuned the lines a little so only RPC is excluded from antivirus while still having it filtering all other Exchange related URLs:

acl my_OWA_RPC url_regex -i ^https://my.domain.com/rpc.*$ adaptation_access service_avi_req deny my_OWA_RPC adaptation_access service_avi_resp deny my_OWA_RPC

Hi guys,

I understand that Outlook Anywhere works great with squid reverse after these changes (I got it working too, using a different solution).

But any luck with RDS?
Did any of you manage to get Remote Desktop Services (RDweb, RD gateway, RemoteApps, etc.) to work with Squid Reverse Proxy?

Last time I tried it wasn't possible at all. The explanation I found it's quite reasonable: since the RDS traffic is not pure HTTP/HTTPS, it's also RDP encapsulated, it can't be easily managed by a proxy that is not aware of this.

But maybe things have changed. Any idea on this?

Thank you!

@aGeekHere:

What I did is use a WPAD as default (all devices are set to auto configure proxy) then i used transparent proxy with mitm splice all to catch everything that cannot use the proxy (blocking port 80 and 443).

I have no issues with windows updates with this setup and all my devices can connect to the proxy.

Thanks Geek… I  know your conf (WPAD+transparent) works flawlessly (I tested it).
Nevertheless it's quite disappointing have to use WPAD if i already use transparent.
Moreover bbassotti stated He was able to get it work without WPAD

sure in squidguard if using shallalist blk_BL_anonvpn] deny

If you change pFSense / Services / Squid Proxy Server / GEneral tab Then check the SSL Man In The Middle Filtering area and change the SSL/MITM Mode from Splice WhiteList, Bumb OtherWise to the Splice ALL

the problem can be solve with a this shape.

OR

With a default value of the SSL/MITM Mode with Splice WhiteList, Bumb OtherWise you can goto ACLs atb and add desıred web site url to the WhiteList area ie: online.kktcmaliye.com

@Curious:

Argh still can't get this to work.

I'm 100% sure traffic is hitting HAProxy it's just not being passed to the backend.

Make sure you have firewall rules permitting incoming traffic and also check if haproxy see your webserver as online.

I know this. The point is that squidguard is buggy and have some know issues reporting erros from https sites like http://https:// redirect.

Your front-end is configured in TCP mode, but you asking for HTTP processing (ACLs based on HTTP Hostname).
Switch front-end to HTTP mode.