• Force proxy help

    If transparent proxy doesn't work well for you (I've personally found it buggy and decided against it), I've found success in setting up Group Policy to force the WPAD file on users. Defining the AutoConfigURL registry value works well. But if you're totally blocking 80 and 443 altogether, I believe you can just set the ProxyServer registry value and not even need the WPAD file. (That is, depending on your environment. I'm assuming an all-Windows Active Directory setup.)

    https://blogs.msdn.microsoft.com/askie/2015/07/17/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp/
    https://support.microsoft.com/en-us/help/819961/how-to-configure-client-proxy-server-settings-by-using-a-registry-file
  • Can Kerberos or NTLM be used without installing Samba?

    This is just what I have so far. I'm willing to do a more detailed write-up after I've had a chance to explore. Essentially just follow the Windows config portion of the guide for creating the DNS entry, user and keytab file. The username can be anything. It doesn't have to be named squid. The guide shows RC4-HMAC-NT being used, but both pfSense and Server 2008 support AES256-SHA1, so this should be possible to adjust. Put both the krb5.keytab and krb5.conf files in /etc. (It seems like it'd be a good idea to change the group owner of the keytab file to squid and then lock it down with 640 permissions, but the Squid helpers crash when doing this. I'm not sure why. The helpers run as the squid user. Maybe somebody else can chime in?)

    My krb5.conf currently looks like this ("yourdc" is your domain controller, and "yourdomain" is your FQDN. This is case-sensitive):

        [libdefaults]
            default_realm = YOURDOMAIN.COM
            default_tkt_enctypes = rc4-hmac des3-hmac-sha1
            default_tgs_enctypes = rc4-hmac des3-hmac-sha1
            default_keytab_name = /etc/krb5.keytab

        [domain_realm]
            .yourdomain.com = YOURDOMAIN.COM
            yourdomain.com = YOURDOMAIN.COM

        [realms]
            YOURDOMAIN.COM = {
                default_domain = yourdomain.com
                kdc = yourdc.yourdomain.com:88
                admin_server = yourdc.yourdomain.com
            }

    Then just put the following under the "Custom Options (Before Auth)" section in the Advanced part of the Squid config page (yourhostname is the name you defined in DNS and also when making the keytab file on the DC):

        auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -i -d -s HTTP/yourhostname.yourdomain.com@YOURDOMAIN.COM -k /etc/krb5.keytab
        auth_param negotiate children 10 startup=5 idle=5
        auth_param negotiate keep_alive on
        acl auth proxy_auth REQUIRED
        http_access deny !auth
        http_access allow auth
        http_access deny all

    The -i and -d flags are for debugging. They're probably worth taking out when no longer needed as they are extremely noisy.

    For anyone planning to use this, keep in mind that this isn't going to work with Transparent Proxy enabled because this relies on the client being sent an HTTP 407 auth response. One problem I'm working on is that when something doesn't work correctly (either Kerberos fails or the client doesn't support it), it will prompt the user for credentials. This credentials window is completely useless. Regardless of what is typed in, it will still fail (and possibly transmit credentials in clear text). This happens on Chrome, IE and Edge. I'm currently reading through the Squid docs for a graceful way to handle this.

    *** Also, for any devs reading this: this seems like something that would be fairly painless to implement into the web UI. I can't be the only person that would benefit from this. ***
  • Splice

    Dude, in that guide he is showing you both ways, transparent and non-transparent. If you choose transparent in Squid you do nothing at all to the client; if you want a manual proxy then you set the proxy setting on the client.
  • Squid in Transparent HTTP Proxy mode Didn't work

    @ryanhunt: @AR15USR: No expert here, but I believe you will need WPAD set up for this to work.

    UPDATE: OK, I feel like an idiot. It was working all along. I used to test that a proxy was working by typing gibberish into the browser and getting the Squid error; however, for some reason Chrome simply reports ERR_NAME_NOT_RESOLVED rather than giving me a Squid error. I was looking for the Squid error, but I was actually using a transparent proxy! A good way to test for people is to visit a site like http://www.lagado.com/proxy-test - it helped me :)

    Hello ryanhunt, it's good to know that transparent mode works on 2.4. For those of us with 32-bit machines installed, however, that doesn't help us too much. In an effort to narrow this issue down, can you pass a copy of the Squid config file that is working for you?
  • Squid with multiwan

    No one has replied
  • Custom error pages not displayed for HTTPS

    No one has replied
  • Squid Reverse proxy HTTPS separate subdomains without wildcard SSL

    No one has replied
  • SSL_ERROR_RX_RECORD_TOO_LONG in Firefox

    No one has replied
  • Squid Third Party Package PF2AD

    jimp
    It is not safe.
  • Help to configure subnet to get wpad configuration

    No one has replied
  • Squid to ELK, kibana, logstasch

    marcelloc
    @look2: I found this one, but I don't have any "custom options".
    Click on the Advanced button on the Squid General tab to see the custom options fields.
  • Monitor Squid Status

    I used this thread starting at reply #72: https://forum.pfsense.org/index.php?topic=87982.60
  • Pfsense 2.3.4 + Squid 0.4.36.4 state of art

    No one has replied
  • [Question] - Configuring HAProxy with wildcard certificate.

    It works now: Went to IIS Manager -> Default web site -> Bindings -> Edit Https/443 -> Check Require Server Name Indication -> Hostname (enter the url hostname) and press OK. Seems that this is required under special circumstances. Thanks for the help!
  • ClamAv Not Running

    mtarbox
    Sometimes it takes a bit. This is a clip from my realtime view on squid_monitor.php:

        bytecode.cld is up to date (version: 301, sigs: 58, f-level: 63, builder: anvilleg)
        safebrowsing.cld is up to date (version: 45957, sigs: 2889505, f-level: 63, builder: google)
        daily.cld is up to date (version: 23401, sigs: 2075458, f-level: 63, builder: neo)
        main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
        ClamAV update process started at Sat May 20 12:18:00 2017
        --------------------------------------
        Clamd successfully notified about the update.
        Database updated (9183811 signatures) from db.us.clamav.net (IP: 200.236.31.1)
        bytecode.cld is up to date (version: 301, sigs: 58, f-level: 63, builder: anvilleg)
        safebrowsing.cld updated (version: 45957, sigs: 2889505, f-level: 63, builder: google)
        Downloading safebrowsing-45957.cdiff [100%]
        daily.cld updated (version: 23401, sigs: 2075458, f-level: 63, builder: neo)
        Downloading daily-23401.cdiff [100%]
        Trying host db.us.clamav.net (200.236.31.1)...
        Can't connect to port 80 of host db.us.clamav.net (IP: 64.6.100.177)
        nonblock_connect: connect timing out (30 secs)
        Trying host db.us.clamav.net (64.6.100.177)...
        Can't connect to port 80 of host db.us.clamav.net (IP: 168.143.19.95)
        nonblock_connect: connect timing out (30 secs)
        Can't connect to port 80 of host db.us.clamav.net (IP: 208.72.56.53)
  • Squid Proxy and Squidguard and WPAD

    KOM
    If you're running in transparent mode then there is no need to block anything on LAN.
  • Squid MITM proxy - certificate errors

    I've been having issues with the certificate system as well. The process seems so simple in pfSense, but my Windows systems don't seem to like the certificates (I haven't tried it on any of my other computers yet). In fact I had to download Firefox because Chrome wouldn't even allow me to add an exception to reach pfSense after changing the web GUI certificate. As a test to see if your CA is working in Windows, you could create a cert for the web GUI, then try to access the web GUI via HTTPS. What I would really like to do is create a CA in Active Directory, then import that to pfSense as the CA to use, but for the life of me I can't figure it out.
  • Squid Transparent HTTP Proxy, HA CARP, clamAV - websites load slowly.

    No one has replied
  • Reg_ex help

    Why do you need regex for this? Why not use host overrides? Point mydomain1 to server 1 and mydomain2 to server 2.
  • User authentication is not case sensitive

    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.