have verified traffic is going through the proxy by using one of those proxy detection sites.

Don't do it that way.  SSH in or connect via console and look at /var/squid/logs/access.log (going from memory here).  Every URL fetched will be written here if squid is working properly.  Verify that it is processing your HTTPS URLs.

With https the payload is encrypted thus making it impossible to filter keywords.

I thought it could if SSLBump was enabled during compile.  SSH in again and run squid -v to see what options it was compiled with.  I haven't played with this at all since I only need URL filtering and not keyword filtering.

Thanks for the suggestion.  I'll try it in a few hours.

Is there an error message of some kind or does it simply time out?  Anything in /var/logs/squid/access.log?  Have you restarted the server after installing squid?  After installing, did you change any settings besides checking the Transparent mode?  Btw, transparent mode will not work with HTTPS unless you install a certificate on every client computer.  Look into configuring WPAD auto-detection instead.

squidGuard isn't really a service.  It's an application that gets called by squid for every URL that squid processes, so the service status thingy for squidGuard is useless.

After you install squid, you need to either reboot the server or restart the squid service.  It seems to block all web access until you bounce it.

I can't thank enough…. you guys are too prompt. Thanks to BBCan and doktornotor for the pointer.

This is what I did :-    copied the file to /etc/inc/priv/squid3.priv.inc.

Gave access rights  to webcfg:squid3 to user manager

It worked :)

A special thanks to doktornotor as he comes to rescue whenever I am struck.

with warm regards,
Ashima

This nonsense is fixed properly as a part of https://github.com/pfsense/pfsense-packages/pull/1080 (specifically this commit).

Couldn't work since it was trying to patch a file that's actually not distributed  ::) Why's the LDAP part being patched fails my understanding as well, the line is commented out in the first place.

Replacing domain with ip would have also fixed it.

@Abhishek:

Ok, so what is the possible way to deploy squid in multi wan environment

Just deploy Squid on another server, not pfSense  ;)

Hi Dennes,

I have not tried to loadbalance RDP.. But here some of my thoughts about the subject.

For haproxy you should only use "Transparent ClientIP" (tproxy) if you absolutely need the client ip on the backend servers for a known purpose. The RDP-TCP connection itself wont need it. And it wont help in getting the same client connect to the same server every time..

'Balance Source' would probably work good assuming all servers stay up.. And might have 10 users on server A while 50 users are connected to server B. And even a newly connecting user could be added on server B depending on how the hash ends up..

'Least Connections' could be another option to use, together with "Stick-table persistence" on 'source ip', though you will have to think about how long a source-ip is 'remembered'..

You could also try the build-in loadbalancer, and compare if there is any performance difference between the two.?. Though i think you will find it has to few options to accompany the desired stickyness.

My two cents..
PiBa-NL

OK, it works!
Thank you doktornotor.

@JStyleTech:

Possibility #1 - If your caching currently works and your SSL is setup correctly, there might just be a limitation with the "Maximum object size" under the "Local Cache" Tab of Squid.  If you want to cache a 100Mb file this setting should be at least "100000" as it represents kilobytes.  I currently have mine set to 300000.

richie1985 allready post his squid.conf
and "maximum_object_size" is set to  512000 KB

@JStyleTech:

Possibility #2 - perhaps you have an proxy exception rule applied to either an IP address or URL which could be linked to a hosted CDN.  If you don't use any proxy exception rules then you can ignore this, but
if you do you might try disabling the rule temporarily and simply retest.

I've personally setup two Aliases for this specific reason "Proxy_Bypass_Hosts" and "Proxy_Bypass_Ranges".  I use these specifically to whitelist sites, IP's and/or IP Ranges using ARIN and Robtex when addressing problem applications or services.

Cand find anything that point to an exeption in the squid.conf

@azharkov:

@doktornotor:

Not until pfSense 2.3 is out, for sure.

Check
https://forum.pfsense.org/index.php?topic=99141.msg556045#msg556045

Hey thanks bro  ;D

well this thread also have same issue like me

https://forum.pfsense.org/index.php?topic=87493.msg480628#msg480628

WPAD would probably be the way to go. I've just spend some time configuring it on my network. You might have to manually configure mobile devices. Android doesn't appear to be too user friendly just yet with wpad.  You might be able to specify a personal acl that points to a list of sites you want blocked. I don't know how exactly to implement this with pfsense.  Generally squid has a .conf file where you can specify this but I am not seeing one here.

thanks PiBa-NL for your reply and suggestions.

Ok some logs

When I stop and start squid I get

Sep 22 10:27:31 squid[22754]: Squid Parent: (squid-1) process 23039 started Sep 22 10:27:31 squid[22754]: Squid Parent: will start 1 kids Sep 22 10:27:22 php-fpm[84775]: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '2015/09/22 10:27:17| Warning: empty ACL: acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl" squid: No running copy' Sep 22 10:26:48 php-fpm[67812]: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '2015/09/22 10:26:42| Warning: empty ACL: acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"

In squid real time if I do squidclient -h 192.168.1.1 -p 3128 mgr:info
I get

22.09.2015 10:33:03 192.168.1.244 TCP_DENIED/403 127.0.0.1:59243 - - 22.09.2015 10:32:12 192.168.1.244 TCP_DENIED/403 127.0.0.1:59243 - - 22.09.2015 10:32:01 192.168.1.1 TCP_MISS/403 cache_object://192.168.1.1/info - 192.168.1.1 22.09.2015 10:31:46 192.168.1.1 TCP_MISS/403 cache_object://192.168.1.1/info - 192.168.1.1 22.09.2015 10:31:43 192.168.1.1 TCP_MISS/403 cache_object://192.168.1.1/info - 192.168.1.1 22.09.2015 10:31:40 192.168.1.1 TCP_MISS/403 cache_object://192.168.1.1/info - 192.168.1.1 22.09.2015 10:31:22 192.168.1.1 TCP_MISS/403 cache_object://192.168.1.1/info - 192.168.1.1 22.09.2015 10:29:59 192.168.1.244 TCP_DENIED/403 127.0.0.1:59243 - - 22.09.2015 10:26:28 192.168.1.244 TCP_DENIED/403 127.0.0.1:59243 - -

I don't understand the problem.  If you don't care about URL filtering, why do you care about what is sitting in the cache?