Update: Like I thought, disabling dns rule had an immediate impact on the network.

You do not make it appear, it was removed (https://redmine.pfsense.org/issues/7017). Use LDAP.

What does your WPAD file look like?

Should be somewhat similar to this for the basics… Mine's a little different from the most basic, but this works fine for me, even when I have the option to block by IP addresses in the URL set, since the connections aren't proxied and are connecting directly.

function FindProxyForURL(url,host) {   if(isPlainHostName(host))   {     return "DIRECT";   }   if(isInNet(host,"127.0.0.1","255.255.255.0"))   {     return "DIRECT";   }   if(isInNet(host,"192.168.0.0","255.255.255.0"))   {     return "DIRECT"   }   return "PROXY 192.168.1.1:3128"; }

That's not Squid, that's from C-ICAP/ClamAV. You'd need to switch to the manual config there and find whatever to set there in docs. Good luck.

@doktornotor:

notes that HAproxy works out of the box and whole lot better than Squid for reverse proxy.

Configured HAproxy now.  Much better and flexible! And Exchange works perfect.
thx

Well I finally got it to work by adding the CIDR networks in the Bypass Proxy for these Destination IPs field under the Squid Package but I believe there is a problem if I replace the entry with an alias. After adding the alias I was no longer able to connect.

Is this a bug or an error on my part?

Your help would be much appreciated.

Bypass.jpg
Bypass.jpg_thumb
Bypass2.jpg
Bypass2.jpg_thumb
Aliases.jpg
Aliases.jpg_thumb

It's too bad.
Thanks for your feedback.

Pretty much anything belonging with a frontend can be configured in the 'Advanced pass thru' field. Or did you mean something else?

Something like this:

http-response add-header Public-Key-Pins "pin-sha256=\"KEY1\"; pin-sha256=\"KEY2\"; max-age=15768000"

p.s. Do start with low age like 60 seconds, until your sure you've got the configuration right.

Hi sherwinluissss,

I configured pfsense 2.3.2 + squid (transparent with ssl inspection enabled)+ squidGuard. I have couple of issues skype is one of those. call are going fine but it is showing internet issue and not showing user as online it is keep trying to do get the status. can you please let me know how you solved your skype issue with squid. what are the hosts needs to be allowed i allowed skype.com live.com hotmail.com these three are using by skype atthe time of login. could you please help me how to fix this. My second problem is with multiple sip phones trying to connect one external pbx. no voice on incomming calls and no in and outbound voice ext to ext.

Thanks in advance.
Harry

so ok. i got it running.

Reinstalled pfSense (this time i selected http) then restored the config (no problems with that)

it works now, i can access on http

thanks for the help

There is no such thing as a "kosher" certificate for SSL interception (unless you're the Chinese government, if rumors are to be believed).

You must use a self-signed CA for SSL interception, and that CA must be installed on clients.

Ok, so we gonna have to deal with it.

Thanks,

David

Good catch.  Glad to hear t's now working as expected.

Just use squid + squidguard, but set squid's Hard Disk Cache Size to 0 and the Hard Disk Cache System to null.  This is exactly how I use squid.

Hi ,

I recently installed and played with this squid and squidGuard on pfsense 2.3.2 (updated with 2.3.2_1). I ran through the same issue. I mean when ever I enabled squidGuard with common ACL CN in certificate issued by  squid is "http" which doesn't make any sense to me. I thought the problem is with patch So I installed pfsense 2.3.2 again and tried it worked fine. But the reason is not patch. I enabled "Do not allow IP-Addresses in URL" this is causing the issue in my case. I just disabled this and tried it is working fine but when ever i try enable this running into issues. But it should be fixed  if it is a real bug. If this works for anyone please let me know I will create this in pfsense bugs list.

Thanks,
Harry.