Hello, I have already configured it in transparent mode but it still does not block the squid guard, I do not know if I have something wrong configured, now with what you say about HTTPS, the CAs certificate I believe it, I import it because it shows me a form to create import and if I do not configure that it does not let me enable the Enable SSL filtering option.


Thank you for your reply. I leave it as it is.
In TCP Port, section is empty. Default 80 for HTTP, 443 for HTTPS. How can I add two port in the same section? It only allows one port number. If I add for example 445, then it should apply both?

@zehcolmeia:

@milou:

Try more 5 click in 2 seconds, and download begin.

unbelieveble…. work this...

I am not very sure how many time i clicked, but i click very fast around 30 times in 2 second, and it just work like a magic!
Thankssssssssssssssssssss guys :D

When you make your changes, do you remember to go back to the General settings tab and click Apply?  If you don't do that, your changes will not take effect.

Boa tarde,

Conseguiu resolver amigo, estou passando por essa dificuldade.

Here is the answer I think, but I can't decipher it:

Delayed error responses
When Squid fails to negotiate a secure connection with the origin server and bump-ssl-server-first is enabled, Squid remembers the error page and serves it after establishing the secure connection with the client and receiving the first encrypted client request. The error is served securely. The same approach is used for Squid redirect messages configured via deny_info. This error delay is implemented because (a) browsers like FireFox and Chromium do not display CONNECT errors correctly and (b) intercepted SSL connections must wait for the first request to serve an error.
Furthermore, when Squid encounters an error, it uses a trusted certificate with minimal properties to encrypt the connection with the client. If we try to mimic the true broken certificate instead, the user will get a browser error dialog and then, if user allows, the Squid error page with essentially the same (and possibly more detailed/friendly) information about the problem. Using a trusted certificate avoids this "double error" effect in many cases. And, after all, the information is coming from Squid and not the origin server so it is kind of wrong to mimic broken origin server details when serving that information.
Squid closes the client connection after serving the error so that no requests are sent to the broken server.
It is important to understand that Squid can be configured to ignore or tolerate certain SSL connection establishment errors using sslproxy_cert_error. If the error is allowed, Squid forgets about the error, mimics true broken certificate properties, and continues to talk to the server. Otherwise, Squid does not mimic and terminates the server connection as discussed above. Thus, if you want users to see broken certificate properties instead of Squid error pages, you must tell Squid to ignore the error.

from https://wiki.squid-cache.org/Features/MimicSslServerCert

Dont worry hope you get better "winter is coming" but what did the trick was ticking Resolve DNS IPv4 First with that it worked everything so odd i have never seen this before

Thank you

Whenever you make a change to squidguard, you have to remember to go back to the General settings tab and click Save then Apply.

Yes I know that this is "dstdomain" format but for demonstration purpose it works.
Correct format is something like this:
(.).yahoo.com
..yahoo.com
.yahoo.com

To be honest I would prefer to have a choice in squid module implemented in pfsense which format of whitelist/blacklist will be used.
On my linux squid boxes I use dstdomain everywhere.

Nope.  Didn't work.

Still extremely unstable.  Sigh…..

Looking into memory pools now and certificate memory issues.  Any ideas welcome still....

I found the ways using the belows.
I need to change backend not frontend.  :)

https://forum.pfsense.org/index.php?topic=121730.0
https://www.digitalocean.com/community/tutorials/how-to-use-haproxy-as-a-layer-7-load-balancer-for-wordpress-and-nginx-on-ubuntu-14-04

Finally, i resolved my problem.

I downloaded the repository to a computer, later i install an apache server and put inside the repositoty.
With Winscp yo must connect to pfsense server and modify the file: pfsense-Repo.conf  in /usr/local/share/pfSense and /usr/local/share/pfSense/pkg/repos . Change https by http and put in tha line your apache site ip

FreeBSD: { enabled: no }

pfSense-core: {
  url: "pkg+http://YOUR APACHE IP/pfSense_v2_3_4_amd64-core",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/share/pfSense/keys/pkg",
  enabled: yes
}

pfSense: {
  url: "pkg+http://YOUR APACHE IP/pfSense_v2_3_4_amd64-pfSense_v2_3_4",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/share/pfSense/keys/pkg",
  enabled: yes

Have you looked at this post:
https://forum.pfsense.org/index.php?topic=117017.0

I get an "403 Access denied" - the message is generated by my pfSense (browser bar's IP address if the pfSense).

As for common ACL - I see

"Test" (which is a blacklist for www.youtube.com only. (Used, you guessed it, as a test only)
Default access "All"  which is "Deny"

Wouldn't EVERYTHING be blocked according to this above?

Actually this is one worked better for me

https://forum.pfsense.org/index.php?topic=139939.0