@eden said in [2.4.x] Squid/ClamAV: Fix for C-ICAP 0.5.x not starting:

Hello all

I am also having this issues with the ICAP service not starting. I have edited then config as requested above no joy. I then decided to reinstall the package but this did not make a difference. I have now uninstall the squid package completely and reinstalled it. Still the service will not start.

If that is the case then your problem is not the same problem as this thread. Start a new thread with details about your configuration, any error messages from logs, etc.

OK fixed it..

Here is how I did it...

Have WAN connectivity assigned via DHCP

dhclient bce0

Update the pkg metadata

pkg-static update -f

Forcefully reinstall all packages

pkg-static upgrade -fy

Note: I have a broadcom NIC, thus BCE0, it might be different on your setup.

Fixed after upgrade tot 2.4.4

I am doing LDAP authenthication with Zentyal AD 0_1537789755976_pfsense ldap.PNG

Can anyone help.

@zeureo1 said in Squid and OpenVPN - remote internet traffic proxying:

add a FW rule on the OpenVPN iface to allow TCP/3128 from OpenVPN subnet to localhost.

Can you please be clear on "adding a FW rule on the OpenVPN iface to allow TCP/3128 from OpenVPN subnet to localhost".
I've been using pfsense for years and I don't believe I've heard of adding FW rule on OpenVPN

del /usr/local/bin/check_ip.php and use the following code. i solve

#!/usr/local/bin/php-cgi -q <?php /* * check_ip.php * * part of pfSense (https://www.pfsense.org) * Copyright (c) 2016-2017 Rubicon Communications, LLC (Netgate) * Copyright (c) 2013-2016 Marcello Coutinho * All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ require_once("config.inc"); require_once("globals.inc"); error_reporting(0); global $g; // stdin loop if (!defined(STDIN)) { define("STDIN", fopen("php://stdin", "r")); } if (!defined(STDOUT)) { define("STDOUT", fopen('php://stdout', 'w')); } while (!feof(STDIN)) { $check_ip = trim(fgets(STDIN)); $dbs = glob("{$g['vardb_path']}/captiveportal*.db"); $status = NULL; foreach ($dbs as $db) { if(!strpos($db, "_radius")) { $status = squid_check_ip($db, $check_ip); if (isset($status)){ break; } } } if (!is_null($status)) { fwrite(STDOUT, "OK user={$status}\n"); } else { fwrite(STDOUT, "ERR\n"); } } function squid_check_ip($db, $check_ip) { exec("/usr/local/bin/sqlite3 {$db} \"SELECT ip FROM captiveportal WHERE ip='{$check_ip}'\"", $ip); if ($check_ip == $ip[0]) { exec("/usr/local/bin/sqlite3 {$db} \"SELECT username FROM captiveportal WHERE ip='{$check_ip}'\"", $user); return $user[0]; } } ?>

@fabricioguzzy said in Last version of Squidguard not read/write target rules access:

You are probably talking about this issue

Exactly this problem Fabrizio. Thank you.

I don't think so. It's either thru the vpn or not.

Hello,

As per experience during implementation. There are 2 problems in pFSense Squid.

Base domain can't use "DC=Domain,DC=local", you must use something like OU=something,DC=domain,DC=local . And OU needs to be the same one using in "Search Filter" The AD user needs exists in that OU, user accounts located from other OU, Container or anywhere. Even these accounts in Search filter group". Authentication remains fail

Had a problem again with SquidGuard again today trying to hit amazon web services. aws.amazon.com. SSL error. Disabled Squid and was able to hit the site.

Did a little research online and changed the following:

Services-->Squid Proxy Server: General
changed SSL Certificate Deamon Children to 100.

Keep in mind, the research online I have done on this about Squid says it's highest value can be no more than 32. However, when I change it to 100 pfsense (Squid) never tells me that value is not valid. My guess is it could still be 32 even though it says 100. Not sure though.

Also changed the following in Services-->Squid Proxy Server: General-->Show Advanced Options

In Integrations I replaced:

url_rewrite_children 16 startup=8 idle=4 concurrency=0 with
url_rewrite_children 100 startup=10 idle=10 concurrency=0

Guess it's just a wait and see game now.

I will say this. I have my home home network VLANed for Guest Wireless and I implemented Squid a while back and had to turn it off cause the ole Fortnite wouldn't work for the kid's laptop. I turned Squid and Squidguard back on this morning before leaving with all the changes in this post, and whattda ya know, Fortnite worked when I tested it. So we're definitely on to something here.

Try this tutorial:
https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/

My setup, like @alavend is a new SG-3100, running the current pfSense release. Squid is installed and running in transparent mode. Lightsquid is also installed and configured. The problem is that when I try to look at the Reports, Lightsquid prompts for username/password but doesn't like any / every combination I've tried (there have been many: default creds, not default creds, different ports, SSL, not SSL, etc. Windows, Mac, several browsers, etc.).

Can someone please point me to the path/filename.xxx where the Lightsquid authentication creds are stored? I'd like to SSH in and check to make sure the creds I'm putting into the pfSense GUI are being correctly saved (although I guess they might be encrypted). Or the logs that would show the specific error as to why the authentication is failing? This has got to be something simple.

Thanks,

@j-sejo1 The problem was?

IE and Chrome when use Proxy for DNS. the way auth is kerberos.

When use Proxy for IP the way auth is Ntlm.

Firefox by default use NTLM.

Solved: In Propierties, option avanced, IE Disable: Integrations Autentication WIndows.

The best practices: is: on Squid enable auth:

Kerberos
NTLM
Basic