Buy this man a beer !!!

Spot on and thank you for your help !!!

I never really liked watching the logs from the GUI I found that it had quite a bit of lag I use SSH and tail to view them

tail -f /var/squid/logs/access.log

Made the digest_generation junk off by default in 0.4.36_1. (No GUI option, not worth it.)

https://github.com/pfsense/FreeBSD-ports/pull/313

I'd frankly suggest to install the syslog-ng package rather than messing with the pfSense logger. (And yes, you need squid.inc patched for this kind of changes.)

I'm use Active Directory DNS but the same problem.

I'm verify if when access page, squid get authentication but after login and password, in access log page is DENIED but in BROWSER page load. After 3 minutes page open sucessfully.

This fact ocurred only first authentication after 3 minutes all pages open fastely.

I'm receive this error:

23.02.2017 12:18:53 Starting new basicauthenticator helpers…
23.02.2017 12:18:52 pinger: Initialising ICMP pinger ...
23.02.2017 12:18:52 Service Name: squid
23.02.2017 12:18:52 Starting Squid Cache version 3.5.19 for amd64-portbld-freebsd10.3...
23.02.2017 12:15:04 Shutdown: Basic authentication.
23.02.2017 12:15:04 Shutdown: Digest authentication.
23.02.2017 12:15:04 Shutdown: Negotiate authentication.
23.02.2017 12:15:04 Shutdown: NTLM authentication.
23.02.2017 12:14:29 Starting new basicauthenticator helpers...

After this all sites is openning.

Tks

Fix what? It's working.

No, Snort does not look at X-Forwarder-For headers. Those are useful for webservers. There is no such thing available, frankly. icap_send_client_ip will add X-Client-IP header. These do NOT rewrite the source IP in the packets, this is L7 stuff.

tproxy is not used anywhere in the package, plus not really sure why are people pulling SSL/MITM/certs to the topic (which has long been available in the package and is working)

We pull that from FreeBSD. I don't see us maintaining a patch to change the value when there has only ever been one report of one server that is broken by it. You can submit a request to FreeBSD to have that increased if you want. If they do it, we'll get the change eventually when it makes its way into a branch we build from.

No, I'm not evading your point at all. The stuff like WU/Avast/godknows what caching was already there. It was removed because it was BROKEN. If it works for you, add it manually and move on, It didn't work for vast majority of users, worse, it broke other things, noone has time to maintain similar things. Squid is NOT the way to distribute Windows updates. Even if you can use every tool as a hammer, it's just not a good idea.

Just to be crystal clear about this, look at

https://redmine.pfsense.org/issues/3847 http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube#Discussion

So yeah, it just doesn't work any more. Then there was Avast – they've switched to streaming updates ages ago. Nothing to cache there, dead code. Symantec - ditto. The only thing that might possibly be working is the Avira stuff, but that's just due to the fact that their AV is very much dead and has not moved anywhere for past 10 years or so, except for inventing more and more aggressive ways of nagging users with fullscreen advertising pop-ups. Why should a pfSense package care about someone using a dead AV?

When you have barely 1 person to occasionally maintain the code, you just do not add bloat well known to break every couple of months to the code. And if it's already there, you remove it.

There are mixed reports when it comes to caching of dynamic content. Some users say it's working, some (including doktornotor) say it isn't (and can't). I see a good possibility that doktornotor's view on that matter is prejudiced, so I wouldn't give up so soon.

Can't help with the specific problem though as I'm not using Avira, sorry. Here's the Squid config of someone claiming to achieve high cache hit rates, maybe the patterns in that config will help.

Edit: there's also this thread on here.

Yes, leave DHCP role on your pfSense and let the proxy have static IP.

hello,
Not sure how often you would like to upload/process your logfile.

you can:

configure cron to send it via email, configure your "log collector box" to:
– sftp/scp to pfsense and get the file to its drive,
-- ssh to pfsense and copy file to its drive (not sure if there is pfsense supports sshfs),

quite a few options i'd say.

Oh, ok - figured it out….Squid has to listen on loopback (Reverse Proxy interface), NAT rule has to redirect to loopback (Redirect target IP), and NAT reflection has to be disabled (not 100% sure on this one but will test some more).

After that, seems to work ok - only issue I'm running into is getting an automatic redirect to the /owa folder - if anyone has anything on that I'd appreciate the info - thanx.

To the WAN IP, where the proxy is listening. Sigh.

@doktornotor:

OK, hire some admin I guess.

Thanks for the advice…

Do NOT edit the config files, use the GUI.

OK, thanks for verifying.