• Heaps of viruses!

    0 Votes
    3 Posts
    1k Views

    I have contacted them

    If anyone is having the same issue you can fix it by opening sigwhitelist.ign2 in /var/db/clamav and adding Sanesecurity.Foxhole.Zip_SFN1 line into sigwhitelist.ign2. Don't forget to save.

    I don't know why, but specific URL/domain whitelisting does not appear to work through clamav.conf in the advanced conf.

  • Squidguard not blocking websites

    0 Votes
    1 Posts
    866 Views
    No one has replied
  • Squid3 bug? (RC 0.4.7)

    0 Votes
    2 Posts
    700 Views
    jimp

    Remove all packages, then upgrade to pfSense 2.3, then reinstall squid. Packages are not being maintained or fixed on 2.2.x.

  • How to set up routing based on subdomains using HAProxy?

    0 Votes
    2 Posts
    4k Views

    Hi Sysadmin,

    I can't spot any obvious error in your haproxy configuration; looking over its description, 'should work..' I think.

    For the haproxy config it seems like you've made a setup similar to what's described here: https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/Single-frontend-serving-multiple-different-domains-using-http

    As for the firewall rule (a port forward should not be needed.. unless perhaps if your WAN is using a PPP connection), make sure to allow all source ports.

    So rule would be something like:
    interface: WAN, source address:* source port:* , destination address: WAN-ip, destination port: 80

    That should allow access from outside to the listening port of haproxy.

    What does and/or doesn't work so far? Can you connect to haproxy but receive a 503 HTTP error? Have you enabled stats, and are the servers shown 'down' in red? Can you share the haproxy.conf (at the bottom of the settings tab)?

    Regards,
    PiBa-NL

  • Anything better for viewing websites visited?

    0 Votes
    3 Posts
    818 Views

    @killmasta93:

    sarg but not sure if they took it down on 2.3

    Thanks. SARG does seem to be missing from 2.3

    Andy

  • Transparent proxy+limiting not working.

    0 Votes
    9 Posts
    2k Views

    @KOM:

    I don't ever run a transparent proxy (less hassles with explicit) so I couldn't really try this myself.  Sorry for wasting your time.  It would have been nice if it had worked.

    Well… using WPAD there is no need to run transparent mode, but I have sometimes had issues with some government websites that need transparent mode for some odd reason.

    Also, limiters break NAT reflection; keep that in mind.

  • HTTPS and SQUID PROXY SERVER/GUARD

    0 Votes
    3 Posts
    1k Views

    SARG also, if you're on 2.2.6.

  • Squid and Blocked Production Servers

    0 Votes
    2 Posts
    627 Views

    I would not recommend Squid using the virus scan; it takes a lot of resources and from what I saw it's not that stable. I had this enabled and it gave me issues when a user wanted to hear music through iTunes or FM radio online.

  • Digitally signed certificate error in pfSense

    Locked
    0 Votes
    19 Posts
    5k Views

    Thanks to all of you for starting a great discussion and helping me out with a logical answer.

    Regards,
    Noor.

  • Squid Auth using LDAPs (pfSense 2.3.2-RELEASE-p1)

    0 Votes
    3 Posts
    1k Views

    Alright, solution for this, in case anyone needs it, is to edit /usr/local/pkg/squid.inc:

    Go to section:

    // Set up the external authentication programs

    There's a switch function there, go to the LDAP section and modify the $port variable assignment to look like this:

    $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');

    The -p option (the part I put in bold) is, I believe, missing from the original .inc file.

    As a matter of fact, right below the LDAP auth options come the RADIUS options, and there the "-p" is present:

    case 'radius':
    $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');

    Cheers.

  • HAProxy/IIS Real Client IP issue

    0 Votes
    5 Posts
    4k Views

    Yes, the forward-for would insert the client IP, but even without it a Wireshark capture should show the packets coming from the correct client IP address if you have the 'source ipv4@ usesrc clientip' in the haproxy config. It's almost impossible for IIS to then see that traffic came from pfSense itself..

    Also make sure you've got the name exactly right. HTTP_X_FORWARDED_FOR vs. X-FORWARDED-FOR in the online screenshot might make the difference?

  • Settings in SquidGuard

    0 Votes
    4 Posts
    1k Views
    KOM

    For squidguard settings, you must click both the Save button on the tab you're working with, and then the Apply button at the top of the General Settings tab.

  • Using squid reverse proxy I'd like to get the visitor's real IP address

    0 Votes
    1 Posts
    583 Views
    No one has replied
  • Squid Authentication Window Keeps Popping Up

    0 Votes
    2 Posts
    779 Views

    Over 70 views and no responses, how sad… Never mind, I've switched to Captive Portal with RADIUS authentication.

  • SquidGuard, full install, use RAM for /var

    0 Votes
    1 Posts
    553 Views
    No one has replied
  • Completely stumped as to why HAProxy does not connect me to backend.

    0 Votes
    9 Posts
    7k Views

    This is absolutely perfect! I have added HAProxy as a trusted proxy. It's working flawlessly now! Thanks for your help!

    Today I learned… :)

  • Dynamic cache

    0 Votes
    11 Posts
    6k Views

    ######cache Pfsense
    refresh_pattern -i \.(gif|png|ico|jpg|jpeg|jp2|webp)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i \.(jpx|j2k|j2c|fpx|bmp|tif|tiff|bif)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i \.(pcd|pict|rif|exif|hdr|bpg|img|jif|jfif)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i \.(woff|woff2|eps|ttf|otf|svg|svgi|svgz|ps|ps1|acsm|eot)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    #cache content
    refresh_pattern -i \.(swf|js|ejs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i \.(wav|css|class|dat|zsci|ver|advcs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    #cache videos
    refresh_pattern -i \.(mpa|m2a|mpe|avi|mov|mpg|mpeg|mpg3|mpg4|mpg5)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i \.(m1s|mp2v|m2v|m2s|m2ts|mp2t|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|war)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i \.(asx|mp2|mp3|mp4|mp5|wmv|flv|mts|f4v|f4|pls|midi|mid)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i \.(htm|html)$ 9440 90% 200000 reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i \.(xml|flow|asp|aspx)$ 0 90% 200000 refresh-ims
    refresh_pattern -i \.(json)$ 0 90% 200000 refresh-ims
    refresh_pattern -i (/cgi-bin/|\?) 0 90% 200000
    #cache binaries
    refresh_pattern -i \.(app|bin|deb|rpm|drpm|exe|zip|zipx|tar|tgz|tbz2|tlz|iso|arj|cfs|dar|jar)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i \.(bz|bz2|ipa|ram|rar|uxx|gz|msi|dll|lz|lzma|7z|s7z|Z|z|zz|sz)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i \.(exe|msi)$ 0 90% 200000 refresh-ims
    refresh_pattern -i \.(cab|psf|vidt|apk|wtex|hz|ova|ovf)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    #cache microsoft and adobe and other documents
    refresh_pattern -i \.(ppt|pptx|doc|docx|docm|docb|dot|pdf|pub|ps)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i \.(xls|xlsx|xlt|xlm|xlsm|xltm|xlw|csv|txt)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims

    #cache specific sites
    refresh_pattern -i ^http://liveupdate.symantecliveupdate.com.*\.(zip)$ 0 0% 0
    refresh_pattern -i ^http://premium.avira-update.com.*\.(gz) 0 0% 0
    refresh_pattern -i microsoft.com/.*\.(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
    refresh_pattern -i windowsupdate.com/.*\.(cab|exe|msi|msu|msf|asf|wma|wmv|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
    refresh_pattern -i windows.com/.*\.(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
    refresh_pattern -i apple.com/.*\.(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 43200 reload-into-ims refresh-ims

    # Youtube Video
    refresh_pattern -i (get_video\?|videoplayback\?|videodownload\?|\.mp4|\.webm|\.flv|((audio|video)/(webm|mp4))) 241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale
    refresh_pattern -i ^https?://.*\.googlevideo\.com/videoplayback.* 10080 99% 43200 override-lastmod override-expire ignore-reload reload-into-ims ignore-private reload-into-ims ignore-auth store-stale
    refresh_pattern -i ^https?://.*\.googlevideo\.com/videoplayback.*$ 241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale

    # Image Youtube
    refresh_pattern -i (yimg|twimg).com.* 1440 100% 129600 override-expire ignore-reload reload-into-ims
    refresh_pattern -i (ytimg|ggpht).com.* 1440 80% 129600 override-expire override-lastmod ignore-auth ignore-reload reload-into-ims

    #images facebook
    refresh_pattern -i fbcdn.net/.*\.((jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)|(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)(\?|.$)) 241920 99% 241920 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-auth
    refresh_pattern -i pixel.facebook.com.*\.(jpg|png|gif|ico|css|js) 241920 80% 241920 override-expire ignore-reload reload-into-ims ignore-auth
    refresh_pattern -i \.akamaihd.net.*\.(jpg|png|gif|ico|css|js) 241920 80% 241920 override-expire ignore-reload reload-into-ims ignore-auth
    refresh_pattern -i ((facebook.com)|(85.131.151.39)).*\.(jpg|png|gif) 241920 99% 241920 ignore-reload override-expire ignore-no-store store-stale
    refresh_pattern -i fbcdn.net/.*\.((jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)|(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)(\?|.$)) 241920 99% 241920 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-auth
    refresh_pattern static.(xx|ak).fbcdn.net.*\.(jpg|gif|png) 241920 99% 241920 ignore-reload override-expire ignore-no-store
    refresh_pattern ^https?://profile.ak.fbcdn.net.*\.(jpg|gif|png) 241920 99% 241920 ignore-reload override-expire ignore-no-store

    # Video Facebook
    refresh_pattern -i \.video.ak.fbcdn.net.*\.(mp4|flv|mp3|amf) 10080 80% 43200 override-expire ignore-reload reload-into-ims ignore-private ignore-no-store ignore-must-revalidate
    refresh_pattern (audio|video)/(webm|mp4) 129600 99% 129600 ignore-reload override-expire override-lastmod ignore-must-revalidate ignore-private ignore-no-store ignore-auth store-stale
    refresh_pattern -i ^http://.*\.squid\.internal.* 241920 100% 241920 override-lastmod override-expire ignore-reload ignore-must-revalidate ignore-private ignore-no-store ignore-auth store-stale

  • SquidGuard on Pfsense 2.3.2-Release Problem

    0 Votes
    2 Posts
    831 Views

    Same problem with me, and even the blacklists are not downloading.

  • Squid reverse proxy authentication

    0 Votes
    14 Posts
    13k Views

    Not exactly a solution to the problem via pfSense, but I've done this with authentication on NGINX.  Theoretically, you could put an NGINX reverse proxy with auth setup on your internal server (I use auth_basic, but LDAP or other methods would work).  Then, if you hit https://nginx/myservice, you get the auth page.  Apache should work too.

    I need to use something similar at work to "secure" a closed source timesheet server that is pretty poorly done, but I'm stuck with it.  I feel better using modern auth to protect the web interface to prevent threats on the poorly designed second level of auth provided by the timesheet server.

  • 0 Votes
    2 Posts
    2k Views

    Yes, put this in custom adv opt.
    http_port  8080
    If you enable SSL you can use something like below:
    http_port  8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/

    Assuming you use the latest squid package from the pfSense repo and pfSense 2.3.2. Not sure if it will work on other versions. The first one should work on all versions. HTTPS will only tunnel.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.