I still have the same issue with light squid on a fresh install of 2.4.2-RELEASE (amd64). Lite squid will not run and I can find any info in the logs. Can anyone help me solve this issue.

@yahav02:

SB can help???

Date-Time Message
10.12.2017 20:31:34 127.0.0.1 127.0.0.1 REQMOD squid_clamav 204
10.12.2017 20:31:34 127.0.0.1 127.0.0.1 RESPMOD squid_clamav 204
10.12.2017 20:31:33 127.0.0.1 127.0.0.1 REQMOD squid_clamav 204
10.12.2017 20:31:33 127.0.0.1 127.0.0.1 RESPMOD squid_clamav 204
10.12.2017 20:31:33 127.0.0.1 127.0.0.1 REQMOD squid_clamav 204
10.12.2017 20:31:32 127.0.0.1 127.0.0.1 RESPMOD squid_clamav 204
10.12.2017 20:31:32 127.0.0.1 127.0.0.1 REQMOD squid_clamav 204
10.12.2017 20:31:31 127.0.0.1 127.0.0.1 RESPMOD squid_clamav 204
10.12.2017 20:31:31 127.0.0.1 127.0.0.1 REQMOD squid_clamav 204

Those are normal.
If I remember correctly that is the Request's from the client being sent to the C-ICAP and ClamAV.

The Response is after it has been scanned by ClamAV and if a virus is found you will see a generate
response page in the C-ICAP Server Table.

might try to restart the openvpn service.?. other than that it 'should work' at least for the regular traffic.. (i never tried together with squid for the vpn..)

Edit:
ah it works.? great :)

Hi Ronald,
Nah keeping it in the topic is fine. pm's take more work if someone else has the same question they might find the answer here, or participate in the discussion :). pm's cant have that effect.. and there is no sensitive information discussed currently..

Regarding squid ciphers there is an "Compatibility mode" option for modern/intermediate .. or maybe this still works i dunno: https://forum.pfsense.org/index.php?topic=63262.msg524828#msg524828

As for caching, ive got no real experience with it.. my gut feeling is that squid is primarily meant as a forward-proxy, and should probably stick to that.. and varnish is mentioned several times on haproxy's site "Basically, HAProxy and Varnish completes very well" https://www.haproxy.com/blog/haproxy-and-varnish-comparison/
Perhaps indeed nginx might work, or apache.. both seem more purposed at the task for handling incomming client requests for 1 website..

As for acl abilities, haproxy can do some acl's / stickiness / ssl offloading and or sni.. and does those very well imho.

Regards,
PiBa-NL

@sirtow:

Hi all, I'm on 2.4.2-RELEASE trying to setup transparent ssl proxy.  With all default squid configuration,  i noticed that ssl certificates generated  have an ip instead of hostname for cn.  Is there a way to fix this?

Thank you

Sound's like you did'nt create the certificate right.

In the pfSense Cert. Manager make sure you select the Create an internal Certificate Authority dropdown box.

No issue, u can get the file from the console(ssh):

Solution:

1. Diagnostics => Command Prompt
2. rm -rf /var/squid/logs/
3. rm -rf /var/lightsquid/report/
4. Reboot
5. LightSquid Refresh and Full Refresh.

I had try both, looks like pfsense+squid+squidguard have something wrong with this part. ???

4Gb's ram is more realistic as long as you don't go overboard with your configuration.

Ok, I have HTTPS Reverse Proxy working, I get a valid ssl connection to my services that are being handled by the Proxy.

Adding a new question to the previews post. I can see a valid ssl connection to my service in chrome, but this is the connection between my pc and the proxy correct? How can I validate that the proxy is making a valid ssl connection with the service?

Thank You

I hate me sometimes…

I hate inconsistent interfaces.  The way squidguard does this is completely different from every other part of pfSense.  No other option makes you go back to a different page to apply the settings like squidguard.  It catches people all the time like it did to you.

I got this working by simply binding squid to the two interfaces that made up the bridge (in my case). Eg rather than Bridge0, I used LAN and OPT1 (ath0). I have an atheros wireless card in the netgate box so this is really the only way to get it all working. Doesn't miss a beat.

Iae pessoal!

Consegui liberar o Whatsapp no pfsense 2.4.2 A25, fiz o seguinte:

Criei 4 Alias

1º Nome = "whatsapp", Tipo = "host's", IP ou FQDN = "web.whatsapp.com"; - (Este fará a liberação do site inicial).

2º Nome = "web_whatsapp_com", Tipo = "Rede's", Rede ou FQDN = "31.13.85.51/32, 2a03:2880:f205:c5:face:b00c::167/128, mmx-ds.cdn.whatsapp.net/32" - (Estes endereços foram obtidos pela Ferramenta de Diagnostico DNS Lookup - OBS: essas informações foram obtidas para o Brasil, faça o DNS Lookup caso esteja em outro pais, pois, os ips podem ser diferentes).

3º Nome = "whatswss", Tipo = "Host's", IP ou FQDN = "w1.web.whatsapp.com, w2.web.whatsapp.com, w3.web.whatsapp.com, w4.web.whatsapp.com, w5.web.whatsapp.com, w6.web.whatsapp.com, w7.web.whatsapp.com, w8.web.whatsapp.com - (Este fará a liberação do socket wss).

4º  Nome = "w2_web_whatsapp_com", Tipo = "Rede's", Rede ou FQDN = "169.55.74.45/32, 169.55.74.36/32, 158.85.224.179/32, 158.85.224.174/32, 169.55.74.56/32, 169.55.69.156/32, 158.85.224.173/32, 169.44.84.154/32, dyn.web.whatsapp.com/32 " - (Estes endereços foram obtidos pela Ferramenta de Diagnostico DNS Lookup para liberação do socket wss - OBS: essas informações foram obtidas para o Brasil, faça o DNS Lookup caso esteja em outro pais, pois, os ips podem ser diferentes).

Como meu escopo é liberado por grupos, ex: "Engenharia, Financeiro, Compas, TI e Gerência", utilizei uma Expressão Regular para limitar os acessos, ex:

Criei uma Categoria LiberaWhats, no campo Expressão Regular digitei o seguinte "./web.whatsapp.com/.|whatsapprede|.*/w.web.whatsapp.com/.|.rsdf$"
São 3 expressões, uma para o site inicial, outra para permitir a o java script e outra para o socket wss,  após cria-lá vá no grupos ACL no meu caso o grupo Gerência a categoria ficou como Allow, já nos demais deixei como Deny, assim fica liberado somente para um grupo.

OBS: Estou utilizando proxy transparente.

Make sure you have the unofficial repo added  and make sure you've got that CA generated for SSL MITM. After setting that up in E2G settings, it should work fine.