• Squid ssl filter CA issues certificates for ip, not domain

    27
    0 Votes
    27 Posts
    6k Views
    reza3swR

    @doktornotor:

    Well I don't get the question really… that's the whole purpose of the feature. If you don't want it, do NOT make the proxy transparent (or whitelist stuff that's not supposed to get proxied).

    Again thanks for the guidance

    But to control some sites, I need to enable this option, and on the other hand, I have the problem

  • Enable eui squid

    2
    0 Votes
    2 Posts
    590 Views
    D

    Unsupported hack: https://forum.pfsense.org/index.php?topic=121387.msg670943#msg670943

  • SQUID SSL HTTPS AND Transparet Proxy

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    5 Posts
    654 Views
    D

    Well it simply never worked in pfSense, no idea whether it ever worked in FreeBSD but the 7+ years old hints about rdr don't produce any working result for anyone who tried.

  • Squid in a virtual machine and VPN

    1
    0 Votes
    1 Posts
    615 Views
    No one has replied
  • Haproxy redirecting 80 traffic to the management gui

    3
    0 Votes
    3 Posts
    1k Views
    M

    yes that was the problem. After I disabled it, it worked fine. Thank you

  • Is squid actually caching? Logs look strange.

    8
    0 Votes
    8 Posts
    2k Views
    H

    Thanks for your input KOM,

    Much appreciated!

    If anyone else can shed some light that would be fantastic!

    Cheers,
    Nick.

  • Squid with Proxy Authenticated users

    2
    0 Votes
    2 Posts
    470 Views
    D

    You cannot mess with squid.conf directly. There are at least 3 advanced fields for custom ACLs in the GUI (General tab, click the Show Advanced Options button) – may I suggest investigating the GUI configuration more thoroughly?

  • Caching a sharepoint library with HTTPS reverse proxy

    4
    0 Votes
    4 Posts
    973 Views
    O

    Found the right configuration with the help of the Squid Users mailing list.
    I had to add different options to ignore cache control and force the cache to keep and serve the content.
    But it's working now.
    For the record, I'm posting the working Squid Configuration below.

    http_port 10.10.10.10.108:3128
    icp_port 0
    digest_generation off
    dns_v4_first on
    pid_filename /var/run/squid/squid.pid
    cache_effective_user squid
    cache_effective_group proxy
    error_default_language en
    icon_directory /usr/local/etc/squid/icons
    visible_hostname pfSense Firewall
    cache_mgr pfsense@virtualdesk.cloud
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    netdb_filename /var/squid/logs/netdb.state
    pinger_enable on
    pinger_program /usr/local/libexec/squid/pinger
    logfile_rotate 7
    debug_options rotate=7
    shutdown_lifetime 3 seconds
    forwarded_for on
    uri_whitespace strip
    refresh_pattern -i \.(jpg|gif|png|txt|docx|xlsx|pdf) 30240 100% 43800 override-expire ignore-private ignore-reload store-stale
    cache_mem 128 MB
    maximum_object_size_in_memory 20480 KB
    memory_replacement_policy lru
    cache_replacement_policy lru
    minimum_object_size 0 KB
    maximum_object_size 50 MB
    cache_dir ufs /var/squid/cache 100 16 256
    offline_mode on
    cache_swap_low 90
    cache_swap_high 95
    cache allow all
    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:    1440  20%  10080
    refresh_pattern ^gopher:  1440  0%  1440
    refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
    refresh_pattern .    0  20%  4320
    #ACL allow all
    acl allsrc src all
    http_access allow allsrc
    request_body_max_size 0 KB
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow allsrc
    # Reverse Proxy settings
    https_port 10.10.10.10.108:443 accel cert=/usr/local/etc/squid/599eae0080989.crt key=/usr/local/etc/squid/599eae0080989.key defaultsite=tenant.sharepoint.com vhost
    #
    cache_peer 13.107.6.151 parent 443 0 ignore-cc no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_sharepoint

  • Squid3 transparent proxy - commodo cert?

    21
    1 Votes
    21 Posts
    4k Views
    A

    Try this

    https://datalogus.blogspot.com/2016/06/pfsense-231-security-explicit-squid.html

  • Squid fatal error with SSL interception

    2
    0 Votes
    2 Posts
    5k Views
    D

    No one reads the GUI descriptions these days? Sigh…

    Stop ticking that checkbox or configure a valid CA certificate created in Cert. Manager.

  • Squid is blocking some sites.

    3
    0 Votes
    3 Posts
    1k Views
    NeoDudeN

    Disregard, turns out these sites were being blocked by Snort.

  • Squid doesn't is working with downloads files

    1
    0 Votes
    1 Posts
    415 Views
    No one has replied
  • Squid 0.4.38 And Dashboard Issues

    11
    0 Votes
    11 Posts
    1k Views
    D

    @tman222:

    What changes were made between 0.4.39 and 0.4.40?

    Nothing except for the widget.

  • Haproxy with SSL offloading error

    6
    0 Votes
    6 Posts
    2k Views
    C

    Thanks that worked.

    cjb

  • Caching not working, screenshots attached

    18
    0 Votes
    18 Posts
    2k Views
    KOMK

    I don't understand what the point of running defaults is?

    After looking back over my settings, it appears that I had this selected!..

    ** cough **

  • Squidguard stopped filtering over night

    2
    0 Votes
    2 Posts
    619 Views
    D

    Config

    <squidguard>
      <logdir>/var/squidGuard/log</logdir>
      <dbhome>/var/db/squidGuard</dbhome>
      <ldap_enable></ldap_enable>
      <ldapbinddn></ldapbinddn>
      <ldapbindpass></ldapbindpass>
      <ldapversion>3</ldapversion>
      <stripntdomain></stripntdomain>
      <striprealm></striprealm>
      <binpath>/usr/local/bin</binpath>
      <workdir>/usr/local/etc/squidGuard</workdir>
      <sgxml_file>/usr/local/etc/squidGuard/squidguard_conf.xml</sgxml_file>
      <enabled>on</enabled>
      <blacklist_enabled>on</blacklist_enabled>
      <blacklist_url>http://www.shallalist.de/Downloads/shallalist.tar.gz</blacklist_url>
      <destinations>
        <name>FileExtension</name>
        <domains></domains>
        <expressions>(.*\/.*\.(asf|wm|wma|wmv|cab|mp3|avi|mpg|swf|mpeg|mp.|mpv|mp3|wm.|vpu|exe))</expressions>
        <redirect_mode>rmod_none</redirect_mode>
        <log>on</log>
        <name>DomainWhitelist</name>
        <domains>wellsfargo.com bankofamerica.com googleadservices.com skypeassets.com 23.73.247.53 23.2.99.20 23.11.250.157 apps.skypeassets.com skype.com</domains>
        <redirect_mode>rmod_none</redirect_mode>
      </destinations>
      <rewrites>
        <name>safesearch</name>
        <log>on</log>
        <targeturl>(google\..*/search?.*q=.*)</targeturl>
        <replaceto>\1\&safe=active</replaceto>
        <mode>i</mode>
        <targeturl>(google\..*/images.*q=.*)</targeturl>
        <replaceto>\1\&safe=active</replaceto>
        <mode>i</mode>
        <targeturl>(google\..*/groups.*q=.*)</targeturl>
        <replaceto>\1\&safe=active</replaceto>
        <mode>i</mode>
        <targeturl>(google\..*/news.*q=.*)</targeturl>
        <replaceto>\1\&safe=active</replaceto>
        <mode>i</mode>
        <targeturl>(yandex\..*/yandsearch?.*text=.*)</targeturl>
        <replaceto>\1\&fyandex=1</replaceto>
        <mode>i</mode>
        <targeturl>(search\.yahoo\..*/search.*p=.*)</targeturl>
        <replaceto>\1\&vm=r&v=1</replaceto>
        <mode>i</mode>
        <targeturl>(search\.live\..*/.*q=.*)</targeturl>
        <replaceto>\1\&adlt=strict</replaceto>
        <mode>i</mode>
        <targeturl>(search\.msn\..*/.*q=.*)</targeturl>
        <replaceto>\1\&adlt=strict</replaceto>
        <mode>i</mode>
        <targeturl>(\.bing\..*/.*q=.*)</targeturl>
        <replaceto>\1\&adlt=strict</replaceto>
        <mode>i</mode>
      </rewrites>
      <default>
        <name>default</name>
        <disabled></disabled>
        <timename></timename>
        <redirect_mode>rmod_int</redirect_mode>
        <rewritename>safesearch</rewritename>
        <log>on</log>
        <notallowingip></notallowingip>
        <destname>!FileExtension ^DomainWhitelist !blk_BL_aggressive !blk_BL_alcohol !blk_BL_anonvpn !blk_BL_chat !blk_BL_dating !blk_BL_drugs !blk_BL_fortunetelling !blk_BL_jobsearch !blk_BL_models !blk_BL_music !blk_BL_podcasts !blk_BL_porn !blk_BL_radiotv !blk_BL_religion !blk_BL_ringtones !blk_BL_sex_education !blk_BL_sex_lingerie !blk_BL_spyware !blk_BL_tracker !blk_BL_violence !blk_BL_warez !blk_BL_weapons blk_BL_webphone !blk_BL_webradio !blk_BL_webtv all</destname>
      </default>
      <enablelog>on</enablelog>
      <enableguilog>off</enableguilog>
      <logrotation>off</logrotation>
      <adv_blankimg>off</adv_blankimg>
      <current_lan_ip>192.168.0.254</current_lan_ip>
      <squid_transparent_mode>on</squid_transparent_mode>
      <current_gui_protocol>http</current_gui_protocol>
    </squidguard>

  • Cache statistics

    7
    0 Votes
    7 Posts
    2k Views
    P

    Ok, thx… that is not the solution I am trying to find...

    Anyway, I can check that squid + dynamic caching is working with the tail -f command, but I am trying to find a solution for the long term and I am interested in what kind of "savings" I can achieve... Also, it would be nice to know what installation packets / images I can find in the cache...

  • Log get queries

    1
    0 Votes
    1 Posts
    348 Views
    No one has replied
  • Squid error accessing local dns domain

    1
    0 Votes
    1 Posts
    395 Views
    No one has replied