Don't know why package maintainer don't set correct default values.

It seems there's a check when "proxy.domain.com" is in there you get a warning.
If you set "www.domain.com" there's no error :P

You can download the squid3 it has an option to cache updates such as windows updates and free anti-virus updates.  The older version needs a bit of tuning.  Here is the tut https://doc.pfsense.org/index.php/Squid_Package_Tuning

But while we bypass proxy for some particular IP's the same site is opening for bypassed IP's but remaining IP's are blocked as above Mod-Security.

Should be fixed in pkg v0.22, pullrequest send. https://github.com/pfsense/pfsense-packages/pull/834 will probably be committed and be on the package repository in a day or so.

I think you have misunderstood me. I did not just stop filter that hostname. It simply stopped filtering anything.

2.2-RELEASE (i386)
built on Thu Jan 22 14:04:25 CST 2015
FreeBSD 10.1-RELEASE-p4

Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz
2 CPUs: 1 package(s) x 2 core(s)

Install pkgs: squid3 (Transparent HTTP proxy enable, c-icap&clamd disable), corn, sarg

log:
Mar 16 00:00:13 squid[88317]: Squid Parent: (squid-1) process 92076 started
Mar 16 00:00:12 php: swapstate_check.php: Squid cache and/or swap.state exceeded size limits. Removing and rotating. File was 3891776 bytes, 0% of total disk space.
Mar 16 00:00:12 squid[86533]: Squid Parent: (squid-1) process 86945 exited with status 0
Mar 16 00:00:10 squid[88317]: Squid Parent: (squid-1) process 87786 exited with status 1
Mar 16 00:00:10 (squid-1): Failed to verify one of the swap directories, Check cache.log for details. Run 'squid -z' to create swap directories if needed, or if running Squid for the first time.
Mar 16 00:00:10 squid[88317]: Squid Parent: (squid-1) process 87786 started
Mar 16 00:00:07 squid[88317]: Squid Parent: (squid-1) process 87478 exited with status 1
Mar 16 00:00:07 (squid-1): Failed to verify one of the swap directories, Check cache.log for details. Run 'squid -z' to create swap directories if needed, or if running Squid for the first time.
Mar 16 00:00:06 squid[88317]: Squid Parent: (squid-1) process 87478 started
Mar 16 00:00:05 squid[86533]: Squid Parent: (squid-1) process 86945 started
Mar 16 00:00:05 squid[86533]: Squid Parent: will start 1 kids
Mar 16 00:00:05 php: swapstate_check.php: The command '/usr/pbi/squid-i386/sbin/squid -k kill -f /usr/pbi/squid-i386/local/etc/squid/squid.conf' returned exit code '1', the output was 'squid: ERROR: Could not send signal 9 to process 13758: (3) No such process'
Mar 16 00:00:03 squid[88317]: Squid Parent: (squid-1) process 80899 exited with status 1
Mar 16 00:00:03 (squid-1): Failed to verify one of the swap directories, Check cache.log for details. Run 'squid -z' to create swap directories if needed, or if running Squid for the first time.
Mar 16 00:00:03 squid[88317]: Squid Parent: (squid-1) process 80899 started
Mar 16 00:00:00 kernel: pid 13758 (squid), uid 62: exited on signal 6
Mar 16 00:00:00 php: swapstate_check.php: Creating squid cache subdirs in /var/squid/cache
Mar 16 00:00:00 php: sarg.php: Sarg: force refresh now with -d date +%d/%m/%Y-date +%d/%m/%Y args, compress(on) and none action after sarg finish.
Mar 16 00:00:00 php: swapstate_check.php: Creating Squid cache dir /var/squid/cache
Mar 16 00:00:00 php: sarg.php: Sarg: force refresh now with -d date +%d/%m/%Y-date +%d/%m/%Y args, compress(on) and none action after sarg finish.
Mar 15 23:00:00 php: sarg.php: Sarg: force refresh now with -d date +%d/%m/%Y-date +%d/%m/%Y args, compress(on) and none action after sarg finish.
Mar 15 22:00:00 php: sarg.php: Sarg: force refresh now with -d date +%d/%m/%Y-date +%d/%m/%Y args, compress(on) and none action after sarg finish.
Mar 15 21:00:00 php: sarg.php: Sarg: force refresh now with -d date +%d/%m/%Y-date +%d/%m/%Y args, compress(on) and none action after sarg finish.
Mar 15 20:00:00 php: sarg.php: Sarg: force refresh now with -d date +%d/%m/%Y-date +%d/%m/%Y args, compress(on) and none action after sarg finish.
Mar 15 19:29:41 kernel: arp: xxx.xx.xx.1 moved from 00:17:10:89:12:60 to 00:17:10:89:10:20 on em2
Mar 15 19:29:38 kernel: arp: xxx.xx.xx.1 moved from 00:17:10:89:10:20 to 00:17:10:89:12:60 on em2
Mar 15 19:29:34 kernel: arp: xxx.xx.xx.1 moved from 00:17:10:89:12:60 to 00:17:10:89:10:20 on em2
Mar 15 19:29:31 kernel: arp: xxx.xx.xx.1 moved from 00:17:10:89:12:60 to 00:17:10:89:10:20 on em2
Mar 15 19:00:00 php: sarg.php: Sarg: force refresh now with -d date +%d/%m/%Y-date +%d/%m/%Y args, compress(on) and none action after sarg finish.
Mar 15 18:00:00 php: sarg.php: Sarg: force refresh now with -d date +%d/%m/%Y-date +%d/%m/%Y args, compress(on) and none action after sarg finish.

sorry for not being clear, I solved it creating a group acl at the last order and assignin my network as source like you said thanks

Probably chrome probing for DNS/etc.

http://serverfault.com/questions/235307/unusual-head-requests-to-nonsense-urls-from-chrome

Yes I totally agree with you.

I'll try to reproduce the issue again and get back to you.

Nicolas

Doese failover work?

Hi there,

any news concerning that issue? Same problem over here…just spend nearly the whole day trying to fix it. Could one of you guys solve it?

Cheers

You could do a tail -f /var/squid/logs/access.log and see if you get hits or misses when manually running Windows Update, or you could update a client and watch the bandwidth monitor to see if there is WAN activity that matches the LAN activity.  No WAN activity + large LAN activity means it's using the cache.  Just be warned though.  I have played with Dynamic Content caching in the past and it was not reliable for me.    Every request for a segment of the download would cause the entire file to be downloaded, so a 100MB update ended up making Squid download many gigabytes.  My WAN was saturated for an hour while LAN was flat.  I disabled Dynamic Content after that.

did you solved the problem?

I realized on my installation that the new squid package does NOT start squidguard immediately, but on the first access to a website!

This is supposedly how the new SquidGuard works.  I'm not sure how it's a problem unless you must see the little green/white triangle.  As long as it works, that is what's important.

Hi!

I have this problem too.

There should be no need for that with the current package. The gd library is there and the package should be invoking ldconfig to nudge the system to find it without such hacks.

Check to see if it's there at all:

All righty, thank you for the explanation :)

Nicolas

I had this same issue with squid 2.7.9.  This worked for me:

Set squid proxy to listen on port 3129 (or any port you choose, the GUI wouldn't allow me to leave it blank)
Add custom option: http_port 3128 transparent

Port forward on LAN:
Traffic TCP Src * Srcport * Dest * Destport HTTP(80) TargetIP pfsensebox IP Targetport 3128

My guess is that on the GUI without the transparent box checked, squid was not operating transparently on port 3128 until specifically defined to do so.

Unfortunately my ultimate goal was to use this rule to apply limiters to the traffic but apparently there is a bug with limiters and squid in transparent mode that I can't seem to get around!

https://doc.pfsense.org/index.php/Lightsquid_Troubleshooting

Try running Firefox on the XP box and see if that is any different.

I'll try

Clarification
the computer is old old
the operating system is old

Update from yesterday
But it was already too late and I turned off my computer

The computer in question was one hour ahead

I set the computer time and date accurate
And now

Only two sites inaccessible
And show the same message as before

f.y.i. in (somewhat) recent versions of the package its possible to create multiple 'binds' using the normal webgui options. So its possible to have 1 frontend listen on both :443(with ssl-offloading) and :80. So you don't need the bind in 'advanced pass through' anymore.

Have you looked in your SquidGuard filter log?

Hi, :)
So with ssl filtering, windows update does not want to do this. There in there a manipulation to do to solve this problem.
Sorry for my bad english  ;D

@Derelict:

Don't use transparent mode and only hosts set to use it as a proxy will use it.

Alright I will try doing that, thank you.

So what was the solution???

You are running into the application cert pinning I think, I've seen this on a few IOS/android apps but makes sense here as well, and I've confirmed that is what they are doing as well in the following link:

http://googleonlinesecurity.blogspot.com/2013/05/changes-to-our-ssl-certificates.html

At this time, Google Drive's PC application does not support SNI and performs some degree of certificate pinning for transfers.  (This is going to cause you a lot of issues with SSL MITM setups).

One fairly easy way to work around this is with a DNS based filter and with pfSense you can easily control what DNS server a client is using.

Thanks,
Adam

thanks for your response, I will look and review what you say, I'm hoping to solve this problem, otherwise im gonna give a shot with lusca.