Cache/Proxy

• A

  Squid + SquidGuard URL Filtering Question
  • asan

  2
  0
  Votes
  2
  Posts
  191
  Views

  A

  Problem solved. Set SSL/MITM Mode to Splice All.
• D

  (SOLVED) Squid HTTPS/SSL Interception blocks Warframe login.
  • DMaverick

  4
  0
  Votes
  4
  Posts
  270
  Views

  D

  Ok after some reading, it seems I don't need to filter https. All I really need to do is block certain https domains from my kids on my home network while allowing all other traffic, prevent kids from circumventing proxy, monitor traffic stats per IP, and no issues with online games like logging into Warframe. To block https domains, I found some info on setting the ssl intercept to "splice all" and putting ".*" in the acl whitelist, then use squidguard to block https. However, I'm not exactly sure how to set this up with squidguard or if it will fix my Warframe login issue. I'm trying to learn this so I don't really want to use something like OpenDNS if I can help it. I'm running psSense in a VM with working backup so I'll try any suggestions because I can easily restore my pfSense firewall. Thanks.
• M

  squid/clamav
  • mod

  1
  0
  Votes
  1
  Posts
  147
  Views

  No one has replied

• M

  The following error was encountered while trying to retrieve https://http/*
  • mzmrk

  5
  0
  Votes
  5
  Posts
  3377
  Views

  V

  It worked for me. PfSense 2.4.4 (amd64) Squid + Squidguard.
• S

  HAProxy: Serving simple http page and OpenVpn instance
  • Symon_

  1
  0
  Votes
  1
  Posts
  136
  Views

  No one has replied

• M

  Squid3-dev ICAP Protocol Error on 32-bit
  • MIT

  29
  0
  Votes
  29
  Posts
  42619
  Views

  W

  Just add domain in Whitelist with http and you`r issue will solve.
• M

  Blocking Facebook with E2Guardian
  • mateusscheper

  1
  0
  Votes
  1
  Posts
  120
  Views

  No one has replied

• C

  multiple https with haproxy
  • coreyjohnson75

  27
  0
  Votes
  27
  Posts
  948
  Views

  C

  @mats So part of the problem was my rules but the final stick ended up being a bug in the upgrade to the most current release where my default gateway was no longer 'marked' default.... what a headache. I did finally manage to get Zimbra OSE running in a docker alongside a NextCloud docker to work for files as well. Only then did I fully realize that since I chose the Open Source edition, I cannot fully integrate it into my android for calendars and such which is a major letdown. I was so impressed with the webmail features that I over looked the limitations of the free version. I may look into iRedMail. I didn't like the webmail portions but in the end I doubt I will really be using it compared to the ability to have fully integrated calendar & contacts.
• P

  Squid Proxy + Reverse proxy conflict
  • packetman_

  2
  0
  Votes
  2
  Posts
  131
  Views

  P

  Ended up canceling Squid for HAProxy.
• K

  HAproxy Action on 2.2.6?
  • killmasta93

  5
  0
  Votes
  5
  Posts
  152
  Views

  K

  using the HAproxy Devel did the trick
• T

  Pfsense Squid block http traffic
  • tiperera

  7
  0
  Votes
  7
  Posts
  423
  Views

  I

  @landrocket The best way I have found to set up squid on a home network is without transparent. It is pretty simple to set the proxy setting's in the browser. Also has the added benefit if you have a problem connecting you can reset your browser and just bypass the proxy until you figure out the problem (check the real time log's) The way I set up mine is pretty much default. (Create Internal Cert. of Auth.) 1)Enable Proxy 2)Select Lan and Loopback 3)Allow User's 4)Resolve IPv4 first 5)Disable ICMP Pinger helper 6)Enable SSL filtering 7)Splice Whitelist Bump otherwise 8)Select Lan 9)Proxy port-3129 10)Compatibility mode-intermediate 11)Cert. Adapt Not Before 12)X-Forward (transparent) 13)Disable Via Header 14)URL Whitespace (Strip) 15)X-Forward (transparent) After you reboot the firewall you can go to the ACL's tab and can enter in site's that you don't want to SSL bump- here is what I use. Window's Updates, Live Mail, OneDrive, Steam etc. Some of them might not be relevant anymore. But steam will take the proxy down quick if it isn't whitelisted. I am sure there is a way around that but I didn't want to put in the effort. 0_1540791260483_Whitelist.txt
• S

  Captive Portal stops firewall rules
  • sarmad

  9
  0
  Votes
  9
  Posts
  137
  Views

  S

  @derelict Thank you, i will try this, and hope that pfSense 2.4.4 will work without problems
• K

  After upgrading to HAProxy 0.59_2 nothing works anymore!!!!
  • kdillen

  33
  2
  Votes
  33
  Posts
  48354
  Views

  P

  @nick2253 Sorry but that was not what i'm saying. To make haproxy health-checks use SSL you should enable the "SSL checks" checkbox behind each server.
• M

  Problem with Squid
  • Malad

  1
  0
  Votes
  1
  Posts
  173
  Views

  No one has replied

• M

  Where is Varnish ?
  • marn

  4
  0
  Votes
  4
  Posts
  163
  Views

  

  Varnish was removed years ago. Very few people used it, and it required keeping a compiler on the firewall which is generally a bad idea. Also, don't use ezjail or jails in general on the firewall. Either virtualize things or separate them. Don't try to force the firewall to take on roles for which it isn't well-suited.
• C

  Error The requested URL could not be retrieved cant seem to resolve
  • comet424

  18
  0
  Votes
  18
  Posts
  469
  Views

  R

  @comet424 I forgot to mention that the best source for information on pfSense is in the book written by the experts. Recently it has been made free to the public. Even when it was not free, it was worth every penny. https://www.netgate.com/docs/pfsense/book/ Good luck Raffi
• L

  Separate Transparent HTTP Proxy for PCI DSS
  • labasus

  6
  0
  Votes
  6
  Posts
  152
  Views

  

  If the proxy is in a DMZ separate from the clients then it's easy to do with NAT. port forward in on LAN for a destination of any, port 80, sent to a target of the proxy on the proxy port Repeat for 443 if you're doing SSL Maybe exclude the firewall from that, and local things, but that's the general gist. That's all the squid package does internally, just forwards to 127.0.0.1 instead of another box. If the proxy is in the same subnet as the clients then it's trickier since you'd have to exclude the proxy box as a source in that rule, and work around other issues to mask the source, so don't do that.
• M

  HAproxy and caching
  • marn

  6
  0
  Votes
  6
  Posts
  249
  Views

  M

  @piba haha, i think i have to learn more about acls before asking questions ^^ Thank for your help
• H

  Update from HAProxy Package 0.59_11 to 0.59_14 pulled HAProxy 1.8.14-52e4d43
  • hostm

  2
  0
  Votes
  2
  Posts
  116
  Views

  H

  I found a solution, but I want to share it for people with the same problem. I could reproduce it by doing the update on the other machine and saving the logfile. The following happens: >>> Upgrading pfSense-pkg-haproxy... Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. The following 2 package(s) will be affected (of 0 checked): New packages to be INSTALLED: haproxy17: 1.7.11_1 [pfSense] Installed packages to be UPGRADED: pfSense-pkg-haproxy: 0.59_11 -> 0.59_14 [pfSense] Number of packages to be installed: 1 Number of packages to be upgraded: 1 The process will require 2 MiB more space. 650 KiB to be downloaded. [1/2] Fetching pfSense-pkg-haproxy-0.59_14.txz: .......... done [2/2] Fetching haproxy17-1.7.11_1.txz: .......... done Checking integrity... done (1 conflicting) - haproxy17-1.7.11_1 [pfSense] conflicts with haproxy-1.7.11 [installed] on /usr/local/man/man1/haproxy.1.gz Checking integrity... done (0 conflicting) Conflicts with the existing packages have been found. One more solver iteration is needed to resolve them. The following 4 package(s) will be affected (of 0 checked): New packages to be INSTALLED: haproxy17: 1.7.11_1 [pfSense] Installed packages to be UPGRADED: pfSense-pkg-haproxy: 0.59_11 -> 0.59_14 [pfSense] Number of packages to be installed: 1 Number of packages to be upgraded: 1 The process will require 2 MiB more space. Fetching haproxy-1.8.14.txz: .......... done [1/4] Deinstalling haproxy-1.7.11... [1/4] Deleting files for haproxy-1.7.11: ........ done [2/4] Installing haproxy17-1.7.11_1... [2/4] Extracting haproxy17-1.7.11_1: ........ done [2/4] Installing haproxy-1.8.14... pkg-static: haproxy-1.8.14 conflicts with haproxy17-1.7.11_1 (installs files into the same place). Problematic file: /usr/local/man/man1/haproxy.1.gz ignored by forced mode pkg-static: haproxy-1.8.14 conflicts with haproxy17-1.7.11_1 (installs files into the same place). Problematic file: /usr/local/sbin/halog ignored by forced mode pkg-static: haproxy-1.8.14 conflicts with haproxy17-1.7.11_1 (installs files into the same place). Problematic file: /usr/local/sbin/haproxy ignored by forced mode pkg-static: haproxy-1.8.14 conflicts with haproxy17-1.7.11_1 (installs files into the same place). Problematic file: /usr/local/etc/rc.d/haproxy ignored by forced mode [2/4] Extracting haproxy-1.8.14: ........ done [3/4] Upgrading pfSense-pkg-haproxy from 0.59_11 to 0.59_14... [3/4] Extracting pfSense-pkg-haproxy-0.59_14: .......... done Removing haproxy components... Menu items... done. Services... done. Loading package instructions... Deinstall commands... done. Syslog entries... done. Saving updated package information... overwrite! Loading package configuration... done. Configuring package components... Loading package instructions... Custom commands... Executing custom_php_install_command()...done. Menu items... done. Services... done. Writing configuration... done. >>> Cleaning up cache... done. Success For any reason haproxy-1.8.14 is installed over the haproxy-1.7.11_1 including the binary. Solution: Per console I did: pkg remove haproxy-1.8.14 pkg remove haproxy17-1.7.11_1 pkg install pfSense-pkg-haproxy-0.59_14 So only 1.7.11_1 was installed, the complete configuration remained untouched (although I took a backup before). Regards, Daniel
• I

  Problem with update ACL's in SquidGuard, My users lose internet
  • ismael.segovia

  6
  0
  Votes
  6
  Posts
  141
  Views

  L

  @ismael-segovia Looks like smth similar to - https://forum.netgate.com/topic/113490/squid-and-squidguard-are-not-starting/12
• 

  HAProxy stopped accepting connections
  • umademelosemyusernamepfsense

  3
  0
  Votes
  3
  Posts
  116
  Views

  

  @piba It seems related to certificates, but, the whole system is acting weird, again related to certificates. I checked if they're OK and they are. I reinstalled the CAs and, issued new certificates and it still wouldn't work. Apart from that, system 2.4.4 starts to slow down and starts losing packets, I see tons of red and black from retransmissions in captures. I don't know how to make sense of packet captures myself, but, I know that's not supposed to happen on a working network. What I do to correct is not reinstall the system, but not using the console but actually deleting the disk and reinstalling from scratch. Restoring to factory won't fix issues; I found some commands, though, that apparently are just for that but they aren't for system 2.4.4. Modifying them a little go them working and the system seemed alright again, after restoring a backup back from September I just needed to delete an VPN interface before testing again HAProxy, and when I did the system hung again. So, after all this, it seems very likely HAProxy isn't the culprit but until I get a working stable system and back the hell out of it, I can't test again. :/ Before 2.4.4 I could change and change and change stuff and it would route on for months, no biggie, but now it appears that changes affect something, maybe a database or something. "Storage!" I thought, maybe some disk-access/speed or file system issue, but the disk is local, flash-based, the system has plenty memory and I've gone back and forth between the ultra-resilient ZFS and U..HF..--something, the old one, and it doesn't seem to make a difference. Sorry for the missing details, though. I'll keep testing.
• A

  squid proxy server is not caching
  • abdo22

  2
  0
  Votes
  2
  Posts
  158
  Views

  A

  I have known where is my problem the Squid package is broken after uninstall and reinstall the package the cache started to work
• Q

  Reverse Proxy just goes to last in list
  • qwerty123

  3
  0
  Votes
  3
  Posts
  214
  Views

  Q

  Thanks for the response. I've been messing around with it a bit more this-morning and think I figured it out. I set everything up a year or so ago and forgot a lot of how I did it. I have haproxy listening to 443 then taking some SNI's and sending them to the auth sub-proxy area and others getting sent to the regular ssl (unauth) sub-proxy frontend place. In the sub-proxy front-ends, I have one listening to say :2044 and had shared frontends clicked. In that subsection, I had the redirection to the backend. I resolved it by getting rid of the :2044 shared frontend and using a custom acl backend set to "ssl_fc_sni_reg myth.<name>". I think my problem was I had a shared frontend setup, for whatever reason, and now it's working fine. I'm no haproxy expert; just a beginner, but I hope this may shed some light into somebody else's problem.
• E

  Comodo SSL for pfsense webgui
  • emammadov

  5
  0
  Votes
  5
  Posts
  185
  Views

  

  You can use a comodo certificate for the web gui if you want to Use the certificate manager to create a CSR Submit the CSR to Comodo Import the certificate when you receive it Tell the webgui to use the certificate. But yeah, you can't use a "real" certificate for SSL MITM. You don't have the private key so you can't generate the spoofed certs on-the-fly. You have to deploy your own CA to all of your clients to do what you want to do. Moving thread to Packages > cache/proxy.
• H

  Outbound NAT and Squid
  • Hgjoier84

  3
  0
  Votes
  3
  Posts
  310
  Views

  H

  Thanks for the response! So is there any way to do URL filtering in pfSense and then NAT traffic to multiple public IP addresses?
• L

  Pfsense2.4.4 squid ssl filter random block problem
  • lncsence

  1
  0
  Votes
  1
  Posts
  123
  Views

  No one has replied

• S

  SQUID TAG_NONE/409
  • slim2016

  3
  0
  Votes
  3
  Posts
  1442
  Views

  

  Get rid of squid altogether or exempt your Netflix devices so they can go around it. Unless you're using it as the base for squidguard URL filtering, it's almost useless these days since the dynamic web is very difficult to cache and often causes problems.
• M

  Force Haproxy session expiration
  • mindaugezas

  1
  0
  Votes
  1
  Posts
  60
  Views

  No one has replied

• T

  Squid Reverse-proxy - "Address already in use"
  • tracks62

  1
  0
  Votes
  1
  Posts
  90
  Views

  No one has replied

• G

  WARNING: Consider increasing the number of redirector processes in your config file.
  • gtrovato

  6
  0
  Votes
  6
  Posts
  220
  Views

  

  No, I don't believe there is any priority handling in squid. Just create enough child processes to handle the number of users you have.
• W

  Proxy HA slow redirect https to http - [ miragration vm with different subnet ]
  • wesleylc1

  3
  0
  Votes
  3
  Posts
  127
  Views

  W

  @piba said in Proxy HA slow redirect https to http - [ miragration vm with different subnet ]: haproxy upgrade from 1.8.13 to 1.8.14. @PiBa According to Pieter response, the case was resolved after the haproxy upgrade from 1.8.13 to 1.8.14.
• T

  how to configure Squid Proxy to bypass SSL interception for Line chat app?
  • thanhlangso

  5
  0
  Votes
  5
  Posts
  312
  Views

  A

  @thanhlangso may i ask what was the solution because i need something similar to whats app
• D

  haproxy site returns 404 on every other refresh...
  • DavidBrowett

  3
  0
  Votes
  3
  Posts
  134
  Views

  D

  Hi PiBa, and thanks for the response. Would you believe, I have just managed to get it going. Interesting one, IIS site was missing a binding for that particular host header. Strange that it didn't work considering that it's the only site on that server and it was listening on the right port, etc, but it has made the difference to it! Lesson learned!
• M

  igmpproxy "Permission denied"
  pppoe igmpproxy permission deni • • mot

  1
  0
  Votes
  1
  Posts
  112
  Views

  No one has replied

• K

  Instagram proxy
  • kadamwiser

  8
  0
  Votes
  8
  Posts
  206
  Views

  K

  @bepo said in Instagram proxy: network plan pf-sense is the network firewall with public ip NAT. Many things behind it that we do not care bout. Instagram client is outside the local network over the internet. I moved proxy interface to wan. Instagram bot say invalid proxy type. Any chance to have SOCKSv5 o SOCKSv4?
• V

  Help with starting to use HAProxy - LB ip address is not delegated to virtual machines
  • veljko

  1
  0
  Votes
  1
  Posts
  107
  Views

  No one has replied

• N

  Squid Proxy to log user agent, referrer etc
  • ng87

  3
  0
  Votes
  3
  Posts
  133
  Views

  N

  thanks a lot. Will go through that documentation and try it out.
• C

  Squid update to 4.x production version?
  • cloudfw

  1
  0
  Votes
  1
  Posts
  156
  Views

  No one has replied

• L

  Username lightsquid
  • luccasjonas

  1
  0
  Votes
  1
  Posts
  84
  Views

  No one has replied

• 

  Lightsquid not removed properly, I think....
  • occamsrazor

  3
  0
  Votes
  3
  Posts
  91
  Views

  

  @jimp said in Lightsquid not removed properly, I think....: Install lightsquid again and then uninstall it, which should remove its service tags Thank you! That worked.....