Hmm make sure to setup a proper ACL and get to know regular expressions (www.regexr.com) Example for mysite: [image: 2v3qyhv.jpg] And ACL [image: 2113pm8.jpg] And Actions [image: 2irm15w.jpg]

Squid users have really nothing in common with captive portal users nor with users set up in System - User Manager. Completely confused about what you are trying to do there.

@aGeekHere: ah thanks was a bit hard to find https://doc.pfsense.org/index.php/Package_Port_List @aGeekHere: with https://github.com/pfsense/FreeBSD-ports/commits/devel/www/pfSense-pkg-squidGuard i get Sorry, this commit history is taking too long to generate GitHub sucks.

@emammadov: Then keeping ClamAV Antivirus turned on doesn't make sense? "Content filtering (such as Antivirus) will not be available for SSL sites"

The backend "Frontend3-offloading" under the header "offloading backend with special check" is sending traffic to the second 1443 frontend.

Just because you can, doesn't mean you should. Put the hostname in an alias, put the alias name in the squid settings. That will (a) stop a bad hostname from tanking squid and (b) allow pfSense to update the alias if the results of the hostname resolution changes.

@doktornotor: The problem probably is that you switched the error messages locale to NL but the state of Squid localization sucks goats nuts, to put it mildly. Leave that at English, unless you'd like to finish the translations and submit them upstream. Hello doktor, Thanks! Nothing to worry about then. Can you tell me where I can change this? Logging settings for squid (access.log) is turned off.

Buy this man a beer !!! Spot on and thank you for your help !!!

I never really liked watching the logs from the GUI I found that it had quite a bit of lag I use SSH and tail to view them tail -f /var/squid/logs/access.log

Made the digest_generation junk off by default in 0.4.36_1. (No GUI option, not worth it.) https://github.com/pfsense/FreeBSD-ports/pull/313

I'd frankly suggest to install the syslog-ng package rather than messing with the pfSense logger. (And yes, you need squid.inc patched for this kind of changes.)

I'm use Active Directory DNS but the same problem. I'm verify if when access page, squid get authentication but after login and password, in access log page is DENIED but in BROWSER page load. After 3 minutes page open sucessfully. This fact ocurred only first authentication after 3 minutes all pages open fastely. I'm receive this error: 23.02.2017 12:18:53 Starting new basicauthenticator helpers… 23.02.2017 12:18:52 pinger: Initialising ICMP pinger ... 23.02.2017 12:18:52 Service Name: squid 23.02.2017 12:18:52 Starting Squid Cache version 3.5.19 for amd64-portbld-freebsd10.3... 23.02.2017 12:15:04 Shutdown: Basic authentication. 23.02.2017 12:15:04 Shutdown: Digest authentication. 23.02.2017 12:15:04 Shutdown: Negotiate authentication. 23.02.2017 12:15:04 Shutdown: NTLM authentication. 23.02.2017 12:14:29 Starting new basicauthenticator helpers... After this all sites is openning. Tks

Fix what? It's working.

No, Snort does not look at X-Forwarder-For headers. Those are useful for webservers. There is no such thing available, frankly. icap_send_client_ip will add X-Client-IP header. These do NOT rewrite the source IP in the packets, this is L7 stuff.

tproxy is not used anywhere in the package, plus not really sure why are people pulling SSL/MITM/certs to the topic (which has long been available in the package and is working)

We pull that from FreeBSD. I don't see us maintaining a patch to change the value when there has only ever been one report of one server that is broken by it. You can submit a request to FreeBSD to have that increased if you want. If they do it, we'll get the change eventually when it makes its way into a branch we build from.

No, I'm not evading your point at all. The stuff like WU/Avast/godknows what caching was already there. It was removed because it was BROKEN. If it works for you, add it manually and move on, It didn't work for vast majority of users, worse, it broke other things, noone has time to maintain similar things. Squid is NOT the way to distribute Windows updates. Even if you can use every tool as a hammer, it's just not a good idea. Just to be crystal clear about this, look at https://redmine.pfsense.org/issues/3847 http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube#Discussion So yeah, it just doesn't work any more. Then there was Avast – they've switched to streaming updates ages ago. Nothing to cache there, dead code. Symantec - ditto. The only thing that might possibly be working is the Avira stuff, but that's just due to the fact that their AV is very much dead and has not moved anywhere for past 10 years or so, except for inventing more and more aggressive ways of nagging users with fullscreen advertising pop-ups. Why should a pfSense package care about someone using a dead AV? When you have barely 1 person to occasionally maintain the code, you just do not add bloat well known to break every couple of months to the code. And if it's already there, you remove it.

There are mixed reports when it comes to caching of dynamic content. Some users say it's working, some (including doktornotor) say it isn't (and can't). I see a good possibility that doktornotor's view on that matter is prejudiced, so I wouldn't give up so soon. Can't help with the specific problem though as I'm not using Avira, sorry. Here's the Squid config of someone claiming to achieve high cache hit rates, maybe the patterns in that config will help. Edit: there's also this thread on here.

Yes, leave DHCP role on your pfSense and let the proxy have static IP.