@securityconscious:

Also, save same as three separate files.
wpad.dat
wpad.da
proxy.pac

May I suggest not to save this as 3 different files but to save one single file and create symbolic links: doing so, when you modify your file, you modify it only once and you ensure everything is consistent  :P

@bellera:

Did you disable the IPv6 support?

squid3-devel needs IPv6 support activated. I doesn't matter if you use IPv6 or not.

Hello

I ran into this issue today. Disabled IPV6 support in Advanced -> Networking and squid3-dev + squidgard stopped filtering traffic (no internet on clients).

I have since re-enabled the option but it still does not work. Will restart the machine when possible.

any thoughts on why its still not working after re-enablind the option?

thanks

@killmasta93:

True true, but some sites dont really play nice with MITM, i haven had a few issues with some times using WPAD i cant even imagine the headache with MITM

MITM and WPAD are definitely different stories.
You may have one or the other or both or none  ;D

Issues with WPAD depending on site? I can't imagine what kind of issue, even thinking about fairly complex proxy.pac (because issue would be proxy.pac rather than WPAD if any)

This said, MITM…. well  :-X  for sure if content filter or antivirus at proxy level is mandatory, it does help but I won't comment further  :-X :-X :-\

Hi, i have the same problem did you fixed it

You mean like those new Chromebook R11s with the Playstore?

I have contacted them

If anyone is having the same issue you can fix it by opening sigwhitelist.ign2 in /var/db/clamav and adding Sanesecurity.Foxhole.Zip_SFN1 line into sigwhitelist.ign2. Don't forget to save.

I don't know why but specific url/domain whitelisting does not appear to work through clamav.conf in advanced conf

Remove all packages, then upgrade to pfSense 2.3, then reinstall squid. Packages are not being maintained or fixed on 2.2.x.

Hi Sysadmin,

I cant spot any obvious error in your haproxy configuration looking over its description 'should work..' i think.

For the haproxy config it seems like youve made a setup similar to whats described here: https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/Single-frontend-serving-multiple-different-domains-using-http

As for the firewall rule (a portforward should not be needed.. unless perhaps if your wan is using a ppp connection), make sure to allow all source ports.

So rule would be something like:
interface: WAN, source address:* source port:* , destination address: WAN-ip, destination port: 80

That should allow access from outside to the listening port of haproxy.

What does and or doesnt work sofar? Can you connect to haproxy but recieve a 503 http error? Have you enabled stats and are the servers shown 'down' in a red color? Can you share the haproxy.conf (at bottom of settings tab)?

Regard,
PiBa-NL

@killmasta93:

sarg but not sure if they took it down on 2.3

Thanks. SARG does seem to be missing from 2.3

Andy

@KOM:

I don't ever run a transparent proxy (less hassles with explicit) so I couldn't really try this myself.  Sorry for wasting your time.  It would have been nice if it had worked.

Well…using WPAD no need to run transparent mode but I have had sometimes issues with some government websites that need to run transparent mode for some odd reason

Also limiters Break NAT reflection also keep that in mind.

sarg also if your on 2.2.6

i would not recomend squid to use the virus scan, it takes a lot of resources and for what i saw its not that stable, i had this enabled it gave me issues when a user wanted to hear music though itunes or radio fm online

Alright, solution for this, in case anyone needs it, is to edit /usr/local/pkg/squid.inc:

Go to section:

// Set up the external authentication programs

There's a switch function there, go to the LDAP section and modify the $port variable assignment to look like this:

$port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');

In bold the -p oprion I believe is missing in the original .inc file.

As a matter of facts, right below LDAP auth options, come RADIUS options and there the "-p" is present:

case 'radius':
$port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');

Cheers.

Yes the forward-for would insert the clientip, but even without it a wireshark should show the packets coming from the correct client-ip address if you have the 'source ipv4@ usesrc clientip' in the haproxy config. Its almost impossible for IIS to then see that traffic came from pfSense itself..

Also make sure youve got the name exactly right. HTTP_X_FORWARDED_FOR v.s. X-FORWARDED-FOR in the online screenshot might make the difference.?

For squidguard settings, you must click both the Save button on the tab you're working with, and then the Apply button at the top of the General Settings tab.

Over 70 views and no responses, how sad… Nevermind, ive switched to Captive Portal with Radius Authentication.