Thanks for the reply.. Yes I have installed squidguard… Please look for the screenshot of squid settings below.

squid_screenshot.png
squid_screenshot.png_thumb

That's what it was.  The Roku netflix client wasn't using the domain name, but IP addresses for the Netflix servers.  I guess I should have realized that in the log.  Even though I had the option "Do not allow IP-Addresses in URL" unchecked, I was looked at the squidguard config at /usr/local/etc/SquidGuard/SquidGuard.conf and saw that it had !in-addr which was blocking anything that had an IP address in the URL.  Seems to be working fine now after I removed that.

I'm now on pfSense:
2.4.2-RELEASE-p1
FreeBSD 11.1-RELEASE-p6

Using a Mac mini and MacBook Pro both using Firefox to test the EICAR HTTP files, I completed the 4 steps, twice, and I can still download the HTTP files.  I haven't configured for HTTPS yet.

Another interesting factoid…Using Debian 9 Stretch Linux with Firefox installed, I couldn't download the HTTP files but I still didn't receive the red colored virus message.

No idea.  I don't use transparent mode or SSL-intercept.  Just WPAD to get the URL for filtering and that's all.

SQRobin,

I'm in the same camp.

Did you end up fixing this?

I have 16 Cores, 32GB RAM.  60GB Cache (DiskD - Previously AUFS with zero change), 64MB Cache Memory Size, 256K Max object, Heap GDSF.

RAM and SWAP often go haywire after about 10 hours.  I upped the SSL Daemon Children to 64 recently to assist.

Any other tips?

HTTP/1.1 200 OK
Server: squid
Mime-Version: 1.0
Date: Wed, 07 Feb 2018 15:30:42 GMT
Content-Type: text/plain;charset=utf-8
Expires: Wed, 07 Feb 2018 15:30:42 GMT
Last-Modified: Wed, 07 Feb 2018 15:30:42 GMT
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.1 localhost (squid)
Connection: close

Squid Object Cache: Version 3.5.27
Build Info:
Service Name: squid
Start Time: Wed, 07 Feb 2018 01:26:06 GMT
Current Time: Wed, 07 Feb 2018 15:30:42 GMT
Connection information for squid:
Number of clients accessing cache: 864
Number of HTTP requests received: 289166
Number of ICP messages received: 0
Number of ICP messages sent: 0
Number of queued ICP replies: 0
Number of HTCP messages received: 0
Number of HTCP messages sent: 0
Request failure ratio: 0.00
Average HTTP requests per minute since start: 342.4
Average ICP messages per minute since start: 0.0
Select loop called: 18051093 times, 2.807 ms avg
Cache information for squid:
Hits as % of all requests: 5min: 2.6%, 60min: 3.0%
Hits as % of bytes sent: 5min: 1.1%, 60min: 1.3%
Memory hits as % of hit requests: 5min: 51.2%, 60min: 56.1%
Disk hits as % of hit requests: 5min: 17.8%, 60min: 23.9%
Storage Swap size: 47263468 KB
Storage Swap capacity: 76.9% used, 23.1% free
Storage Mem size: 64732 KB
Storage Mem capacity: 98.8% used,  1.2% free
Mean Object Size: 125.91 KB
Requests given to unlinkd: 0
Median Service Times (seconds)  5 min    60 min:
HTTP Requests (All):  0.05046  0.02742
Cache Misses:          0.08265  0.07825
Cache Hits:            0.00286  0.00091
Near Hits:            0.05633  0.08729
Not-Modified Replies:  0.00179  0.00091
DNS Lookups:          0.01046  0.01331
ICP Queries:          0.00000  0.00000
Resource usage for squid:
UP Time: 50675.981 seconds
CPU Time: 2292.172 seconds
CPU Usage: 4.52%
CPU Usage, 5 minute avg: 29.42%
CPU Usage, 60 minute avg: 29.02%
Maximum Resident Size: 29684640 KB
Page faults with physical i/o: 183
Memory accounted for:
Total accounted:      219900 KB
memPoolAlloc calls:  33590776
memPoolFree calls:  34080247
File descriptor usage for squid:
Maximum number of file descriptors:  939474
Largest file desc currently in use:  9246
Number of file desc currently in use: 9012
Files queued for open:                  0
Available number of file descriptors: 930462
Reserved number of file descriptors:  100
Store Disk files open:                  0
Internal Data Structures:
382429 StoreEntries
11534 StoreEntries with MemObjects
  4520 Hot Object Cache Items
375364 on-disk objects

Maybe I will turn off the logs then and just reactivate them one day if I have issues :)

Bad idea.  When you really need them, they won't be there.  Just set them to rotate and ignore them.

I had be able to install squid but updating to 2.3.2 to 2.3.4.
Enable just security/errata on 2.3.4 and done.
2.3.2 looks death.
Thanks.

Is going to be difficult to show u all the steps, but I will advice u to search on www.youtube.com to start your training.
Once u have more detail info of your issue, return here and show us the problem with more details  :)
example: https://www.youtube.com/watch?v=W2gy1bLHm5o

My PFBox setup is squid + squidguard wpad i will give it a try. or maybe putting an IP Address in Proxy Server-> Access Control -> ACLs will do the trick?

What news are you expecting?  WPAD requires an HTTP server, not HTTPS.

https://technet.microsoft.com/en-us/library/cc995261.aspx?f=255&MSPPError=-2147217396

Implementing DNS or DHCP

Consider the following criteria when deciding whether to use a DHCP WPAD entry, a DNS entry, or both:

WPAD entries in DNS can only be used by client computers that belong to a domain, and clients must be configured to resolve DNS names. When implementing WPAD with a DNS server, entries must be configured for every domain containing clients enabled for automatic discovery. A valid DHCP server must be installed. When using DNS to publish WPAD, automatic discovery must be configured to use port 80. Alternatively, the outgoing Web requests must be configured to listen on port 80. WPAD in DHCP is limited to specific user groups on some client computer operating systems. For more information, see the Microsoft Knowledge Base article 312864, "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions." Generally, using DHCP servers with automatic detection works best for local area network (LAN)-based clients, while DNS servers enable automatic detection on computers with both LAN-based and dial-up connections. Although DNS servers can handle network and dial-up connections, DHCP servers provide faster access to LAN users and greater flexibility. If you configure both DHCP and DNS, clients will attempt to query DHCP for automatic discovery information first and then query DNS.

When you make any changes to squidguard, you need to remember to go back to the General settings page and click the Apply button or nothing you did will take effect.

Clear cache.
Proxy Server: Cache ManagementLocal Cache

Hi,

this does not work when the explicit proxy is configured.
example, I configure the squid + sslbump on a vlan (ex: vlan10), i configure snort on the vlan10 with all appID = Result nothing is detected
without the proxy everything is detected by appID.

Thanks

Best regards,

fred

Personally, I find pfBlocker too heavy of a package for me to want to deal with just to block ads.  I use Pi-hole myself on a cheap little Pi.  Works like a charm.

Thanks In advance brother

I just got it to work in a slightly different way.  I can probably delete my NAT rule as you surmised so I'll play with it a bit, but I wonder if it's more secure keeping the NAT as it has to follow a traditional port-forward-nat rule first.

Basically the gist of it is I point it to my internal pfSense LAN IP and I assume STunnel does the rest.

Stunnel rule
Listen on 192.168.1.1  (internal IP of pfSense firewall LAN)
Listen on port 3456
Redirect to 192.168.1.15  (Camera software box)
Redirects on port 81

NAT rule
Interface  WAN
Protocol  TCP
Dest Address  WAN Address
Dest Ports  3456
NAT IP  192.168.1.1
NAT Ports  3456

NAT created FW rule
Protocol  IPv4 TCP
Source  *
Destination  192.168.1.1
Port  3456

Absolutely sure.  We don't use policies or any other sorts of enforcements.  We tried to build our network around KISS.

I took a look at the trace I saved:
The process querying for the WPAD data got no name (is called "unavailable"), but the "GET /wpad.dat" packet says:  "User-Agent: WinHttp-Autoproxy-Service/5.1".  So I believe it is a std Windows process.
If you never set up proxy settings to be automatic, it does not query for wpad.dat (at least not within the first 2-3 hours after initial Win10 install - I did not wait any longer).  It starts doing this after the first time you set up the proxy settings to be automatic.  Windows initially gets the wpad.dat and then the proxy answers "304 Not Modified" for the following queries.  And after each of these following queries for wpad.dat, "manual settings" are unchecked, "automatic settings" are unchecked, but wpad.dat settings are active again.  And any data entered into the manual fields are cleared.
It may take 10 minutes or it may take 60 minutes for the following "GET /wpad.dat" to be sent.  For me it looked like "out of a sudden someone asks for wpad.dat and resets my settings".  At first I thought it would be time to do something else because I can't concentrate anymore…
The clean install of Windows 10 does not even have any AV software, which often does some sort of proxy stuff.
Maybe it has to do with a specific Windows version after lots of OS updates that come in after install.  I have no clue...
I just wanted to let others know, because this drove me crazy.  Maybe it's gone again with next Windows updates.