Fix for me too!
Thanks!  8)

You'd be best off using a separate Squid/Dansguardian server running internally than using the PFS for your proxy. That way you can incorporate AD into the proxy's authentication service and your popups will no longer be a problem.

http://www.petespcs.co.uk/2011/10/dans-guardian-and-ntlm-from-active-directory/

Hi Carlo,

I've been playing with it a bit think this might help.
By putting the config setting below in the advanced settings of haproxy would allow socket access to users in the admins group:

stats socket /tmp/haproxy.adminsocket group admins mode 0020 level admin echo "show sess" | socat stdio /tmp/haproxy.adminsocket

That way at least the sudo wouldn't be needed.

Regards
PiBa-NL

Squid 2.7 is dead broken crap. Stop using it. (If some of the developers chimes in here and tells you otherwise, I still am telling you it's dead broken shit that shouldn't be touched with a 10ft pole.)

-Squid General Settings
–- Proxy Interface(s) (LAN, OPT1, OPT2, selected)
--- Allow Users on Interface (unchecked)

-ACLs
---Allowed Subnets (added  LAN, OPT1, OPT2 adresses)

Not sure why you're doing it that way.  Why not just check the Allow Users on Interface box and not bother with the Allowed Subnets?  They are one and the same.

I've been playing around with the squid settings and have been able to get it to work on my setup using the tcp_outgoing_address setting in the custom ACL (before auth) option under Proxy Server: General Settings. This only works provided you have a static address for the VPN interface.

acl vpn_clients src 192.168.1.5 192.168.1.9  192.168.2.14/31 #replace with corresponding ip addresses for you src clients going via VPN tcp_outgoing_address 172.10.10.10 vpn_clients #replace with IP of VPN interface

You will also need to add a firewall rule on your LAN interface to route traffic for these source IP addresses via the VPN so that HTTPS is also routed via the proxy.

Make a config backup (or even a full backup) and try for yourself, perhaps. It should work now without breaking the CP. Did not test, don't have a use case for this. (Plus, obviously the method of patching core system files sucks.) :D

Yeah, when things are screwed in the start, it becomes a giant PITA to fix later. I never got to doing anything but random bugfixes with this package. The code gives me headaches realiably, cannot make myself finish anything there. Getting lost over and over again.

P.S. We have tons of "ridiculous" characters in my language as well (ěščřžýáíéďťňúůó). You just get used to avoid them in places where it might cause trouble. This stuff just causes headaches and lots of additional work with computers. There still are much worse languages though even in Europe, e.g. setting your locale to things like et-EE is a great way to cause tons of unexpected compile issues and cryptic bugs – such as totally unexpected values because of failed regexp matching.

So I managed to get everything working.  It is very doable to get a transparent proxy working without directly routed subnets being on the pfSense.  The issue that was blocking me were some of the rules on my FW, specifically traffic shaping.  It seems like that rule was taking precedence over the transparent proxy settings and because of this, the traffic never reached the "Remote Cache" server.

I'm up and running now.

No, it won't be fixed until 2.3 is out and PBI shit is gone. You have a postinstall note there and instructions in the GUI.

Hi Dok,

Yes, some downloads from Apple.com and others, but mostly browsing traffic as far as I can tell…

Seems to work fine on my end since your fix...

Below here are some screenies from our prod servers. :)

sqstat-01.jpg
sqstat-01.jpg_thumb
sqstat-02.jpg
sqstat-02.jpg_thumb

Nice waste of time.

Thanks a lot dear for quick help.
You made my weekend good :)

Even though there have been tons of fixes in the Squid3 package meanwhile - there are still MANY use cases that would be handled much easier and with a whole lot less overhead with things like pfBNG - especially now with the pfBlockerNG 2.0 version that has DNSBL functionality.

Sorry but I don't think that network design makes much sense. If you're trying to use transparent proxy, then you can't have the netgear as your default gateway, it must be pfsense. Best you give up on the transparent proxy and use WPAD or statically define the proxy server settings.

go back to the drawing board with your design, it just won't work.

doktornotor: please, leave the attitude at the door, or just leave. Your positive contributions are very much appreciated, but the jackassery like this thread reflects badly on all of us.

Hello,

I had both HTTP and HTTPS servers behind squid reverse proxy. All was working well until a few days ago.
Suddenly, HTTPS stopped working, redirecting to pfsense login page.
Tried to reboot, upgrade to last version, but still blocking…

Any hint ?

hi thx, problem is solved, my issue was some exclusions in squidguard.