@coffeelover I have finally found the problem. I have isolated a computer from the internal network which had an "Adobe Creative Cloud" client installed and put in autostart. Every time that program launched it would crash squid. I was not able (I didn't have the time) to investigate all the addresses that program was trying to reach. As soon as I uninstalled the program, the 9 o'clock squid crash disappeared!
I saw similar problems over the internet with different sites, but they did not manifest on my squid version.
Squid crashed before it could write the offending URL to the log, and finding it out only with FW logging was too cumbersome.
Thank you again.
Good news, I got it working. . . mostly. Found a setup guide that showed me what I was doing wrong.
Only have one small issue left.
I can't get Emby to work on SSL. I have a certificate set up, but I get this error in my browser when going over https. (http works fine.)
From searching the web, it is common for proxies to give this error, but I can't figure out what I need to change in haproxy to correct it.
Emby is using a Let's Encrypt certificate, and it is running remote access through 443.
I have the same problem, but it doesn't seem to be what reza3sw said. Though, since I found it had stopped working, I have had a change in internet service provider, and having a dual WAN, I edited one of those for the new service. I did have a config backup a couple of months old that, in a test, I uploaded on the new pfSense version, and it works.
The proxy config snippet generated from the whitelist uses the acltype dstdom_regex
acl aclname dstdom_regex [-n] [-i] .foo.com ...
# regex matching server [fast]
# For dstdomain and dstdom_regex a reverse lookup is tried if a IP
# based URL is used and no match is found. The name "none" is used
# if the reverse lookup fails.
Even if it used dstdomain before, the asterisk character was invalid syntax and possibly ignored by the parser.
You have to adapt your whitelist or patch the code.
For adapting your whitelist:
The dot character has a special meaning in regex. If you want to include the '.' as in '.microsoft.com', you have to escape it: '\.microsoft.com'
(and: squid knows the end of the domain name, you don't have to append the '.' at the end)
The correct migration would be:
*.microsoft.com. → \.microsoft.com
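As an added example (not from the post or from Squid itself), a small converter that turns old wildcard whitelist entries into dstdom_regex patterns, plus an emulation of how the ACL would match a hostname. It goes slightly beyond the post's advice: every dot is escaped and the pattern is anchored at the end, so a host like www.microsoft.com.evil.example no longer matches; the helper names and the sample whitelist are made up for this illustration.

```python
import re


def whitelist_entry_to_dstdom_regex(entry: str) -> str:
    """Convert a wildcard-style entry such as '*.microsoft.com.' into a
    Squid dstdom_regex pattern (hypothetical helper, not a Squid tool).
    The domain itself and any subdomain of it are matched; every dot is
    escaped and the pattern is anchored at the end of the hostname."""
    entry = entry.strip().lower()
    # drop the wildcard prefix and any trailing dot (Squid knows the domain end)
    entry = entry.lstrip("*").strip(".")
    if not entry:
        raise ValueError("empty whitelist entry")
    return r"(^|\.)" + re.escape(entry) + r"$"


def naive_pattern(entry: str) -> str:
    """The unescaped form a plain search-and-replace migration would produce,
    e.g. '.microsoft.com', where '.' matches any character."""
    return entry.strip().lower().lstrip("*").rstrip(".")


def host_allowed(host: str, patterns) -> bool:
    """Emulate 'acl whitelist dstdom_regex -i <patterns>' for one hostname."""
    host = host.rstrip(".").lower()
    return any(re.search(p, host, re.IGNORECASE) for p in patterns)


# constructed sample whitelist in the old wildcard style
OLD_WHITELIST = ["*.microsoft.com.", "*.windowsupdate.com", "reddit.com"]
PATTERNS = [whitelist_entry_to_dstdom_regex(e) for e in OLD_WHITELIST]

if __name__ == "__main__":
    for e, p in zip(OLD_WHITELIST, PATTERNS):
        print(f"{e:24} -> {p}")
    for h in ["www.microsoft.com", "microsoft.com",
              "www.microsoft.com.evil.example", "wwwmicrosoftXcom"]:
        print(f"{h:32} escaped={host_allowed(h, PATTERNS)!s:5} "
              f"naive={host_allowed(h, [naive_pattern('*.microsoft.com.')])}")
```

The naive, unescaped pattern accepts both the look-alike suffix host and a hostname with no dots at all, which is the difference the escaping makes.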
The error in your log seems to be a CONNECT issue.
The Browser opens a CONNECT session to the target site and will only accept a socket address, not a URL.
The rewrite URL from squidGuard, https://site.com/sgerror.php, is parsed as a socket address like host:port
We have squid with SSL MITM, ClamAV and Squidguard with correct url redirect working with the following setting:
squid mitm: splice whitelist, bump otherwise
additional advanced options:
url_rewrite_access deny CONNECT
url_rewrite_access allow all
This will deny CONNECT sessions for non-whitelisted sites and will let the redirect work.
As redirect function in squidguard you need to set "ext url move", not redirect.
As soon as you have access to the full, decrypted data stream it's most probably possible to cache everything.
A CSS style sheet file, for example, can have a unique name and won't ever be reused, so it will get reloaded anyway.
The file creation date can be set to 'now', so the browser will request a fresh copy even if the content didn't change at all.
etc.
@High_Voltage said in new fun and odd issue with squid/wpad on pfsense with android!:
.microsoft.com .windowsupdate.com .akamaitechnologies.com .akadns.net
should not (never) be cached.
Example: if a Windows update isn't guaranteed to come from "the source", then every Windows install is at risk. Microsoft couldn't tolerate that situation; it could kill the company overnight.
acl splice_it ssl::server_name .reddit.com
means everything going to / coming from it is handled the same way.
(no need to read a manual to understand that ^^)
@Astraea For me, that requires I maintain the certificates on HAProxy and the web servers themselves. That's why I tell HAproxy to listen on an internal VIP and use that for my DNS host overrides. Inside and outside connections go to the same frontend but without crud like NAT reflection.
I admit that this is one of the problems with Squid as a package with pfSense: it doesn't rely on automatic log rotation and clean-up. I still do it manually, but if there is software that can do this automatically, I'm in.
Layer 4 connection problem - connection refused clearly says that the port you mention isn't open or listening. So either you have firewall issues on your server, or the app is not listening on the server IP you are pointing at.
I had posted a thread, talking about having made a community github collaborative effort, and asked for help contributing to it, only to have @aGeekhere reply to me linking this, so, I guess that's now a thing by my own sheer coincidental effort haha.
If anyone wants to offer to help with this GitHub collaborative effort, COMPLETELY UNOFFICIAL TO SQUID, please let me know so I can add you as a contributor, because by sheer coincidence my goal was the same as what this thread sought to achieve. I AM NOT AT ALL related/whatever to squid, I just want the same goal that everyone else in this thread is after... ironic, but I'm loving the amusement this is giving me haha.