• Squid Authentication Window Keeps Popping Up

    2
    0 Votes
    2 Posts
    800 Views
    M
    Over 70 views and no responses, how sad… Never mind, I've switched to Captive Portal with Radius Authentication.
  • SquidGuard, full install, use RAM for /var

    1
    0 Votes
    1 Posts
    567 Views
    No one has replied
  • Completely stumped as to why HAProxy does not connect me to backend.

    9
    0 Votes
    9 Posts
    7k Views
    F
    This is absolutely perfect! I have added HAProxy as a trusted proxy. It's working flawlessly now! Thanks for your help! Today I learned… :)
  • Dynamic cache

    11
    0 Votes
    11 Posts
    6k Views
    S
    ######cache Pfsense
    refresh_pattern -i .(gif|png|ico|jpg|jpeg|jp2|webp)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(jpx|j2k|j2c|fpx|bmp|tif|tiff|bif)$ 100000 90% 20000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(pcd|pict|rif|exif|hdr|bpg|img|jif|jfif)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(woff|woff2|eps|ttf|otf|svg|svgi|svgz|ps|ps1|acsm|eot)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    #cache content
    refresh_pattern -i .(swf|js|ejs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(wav|css|class|dat|zsci|ver|advcs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    #cache videos
    refresh_pattern -i .(mpa|m2a|mpe|avi|mov|mpg|mpeg|mpg3|mpg4|mpg5)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(m1s|mp2v|m2v|m2s|m2ts|mp2t|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|war)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(asx|mp2|mp3|mp4|mp5|wmv|flv|mts|f4v|f4|pls|midi|mid)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(htm|html)$ 9440 90% 200000 reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(xml|flow|asp|aspx)$ 0 90% 200000 refresh-ims
    refresh_pattern -i .(json)$ 0 90% 200000 refresh-ims
    refresh_pattern -i (/cgi-bin/|?) 0 90% 200000
    #cache binaries
    refresh_pattern -i .(app|bin|deb|rpm|drpm|exe|zip|zipx|tar|tgz|tbz2|tlz|iso|arj|cfs|dar|jar)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(bz|bz2|ipa|ram|rar|uxx|gz|msi|dll|lz|lzma|7z|s7z|Z|z|zz|sz)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(exe|msi)$ 0 90% 200000 refresh-ims
    refresh_pattern -i .(cab|psf|vidt|apk|wtex|hz|ova|ovf)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    #cache microsoft and adobe and other documents
    refresh_pattern -i .(ppt|pptx|doc|docx|docm|docb|dot|pdf|pub|ps)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(xls|xlsx|xlt|xlm|xlsm|xltm|xlw|csv|txt)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    #cache specific sites
    refresh_pattern -i ^http://liveupdate.symantecliveupdate.com.(zip)$ 0 0% 0
    refresh_pattern -i ^http://premium.avira-update.com.(gz) 0 0% 0
    refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
    refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
    refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
    refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 43200 reload-into-ims refresh-ims
    Youtube Video
    refresh_pattern -i (get_video?|videoplayback?|videodownload?|.mp4|.webm|.flv|((audio|video)/(webm|mp4))) 241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale
    refresh_pattern -i ^https?://..googlevideo.com/videoplayback. 10080 99% 43200 override-lastmod override-expire ignore-reload reload-into-ims ignore-private reload-into-ims ignore-auth store-stale
    refresh_pattern -i ^https?://..googlevideo.com/videoplayback.$ 241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale
    Image Youtube
    refresh_pattern -i (yimg|twimg).com.* 1440 100% 129600 override-expire ignore-reload reload-into-ims
    refresh_pattern -i (ytimg|ggpht).com.* 1440 80% 129600 override-expire override-lastmod ignore-auth ignore-reload reload-into-ims
    #images facebook
    refresh_pattern -i fbcdn.net/..((jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)|(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)(?|.$)) 241920 99% 241920 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-auth
    refresh_pattern -i pixel.facebook.com..(jpg|png|gif|ico|css|js) 241920 80% 241920 override-expire ignore-reload reload-into-ims ignore-auth
    refresh_pattern -i .akamaihd.net..(jpg|png|gif|ico|css|js) 241920 80% 241920 override-expire ignore-reload reload-into-ims ignore-auth
    refresh_pattern -i ((facebook.com)|(85.131.151.39)).(jpg|png|gif) 241920 99% 241920 ignore-reload override-expire ignore-no-store store-stale
    refresh_pattern -i fbcdn.net/..((jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)|(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)(?|.$)) 241920 99% 241920 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-auth
    refresh_pattern static.(xx|ak).fbcdn.net.(jpg|gif|png) 241920 99% 241920 ignore-reload override-expire ignore-no-store
    refresh_pattern ^https?://profile.ak.fbcdn.net*.(jpg|gif|png) 241920 99% 241920 ignore-reload override-expire ignore-no-store
    Video Facebook
    refresh_pattern -i .video.ak.fbcdn.net.*.(mp4|flv|mp3|amf) 10080 80% 43200 override-expire ignore-reload reload-into-ims ignore-private ignore-no-store ignore-must-revalidate
    refresh_pattern (audio|video)/(webm|mp4) 129600 99% 129600 ignore-reload override-expire override-lastmod ignore-must-revalidate ignore-private ignore-no-store ignore-auth store-stale
    refresh_pattern -i ^http://.squid.internal. 241920 100% 241920 override-lastmod override-expire ignore-reload ignore-must-revalidate ignore-private ignore-no-store ignore-auth store-stale
  • SquidGuard on Pfsense 2.3.2-Release Problem

    2
    0 Votes
    2 Posts
    832 Views
    B
    Same problem with me, and even the blacklists do not download.
  • Squid reverse proxy authentication

    14
    0 Votes
    14 Posts
    13k Views
    T
    Not exactly a solution to the problem via pfSense, but I've done this with authentication on NGINX.  Theoretically, you could put an NGINX reverse proxy with auth setup on your internal server (I use auth_basic, but LDAP or other methods would work).  Then, if you hit https://nginx/myservice, you get the auth page.  Apache should work too. I need to use something similar at work to "secure" a closed source timesheet server that is pretty poorly done, but I'm stuck with it.  I feel better using modern auth to protect the web interface to prevent threats on the poorly designed second level of auth provided by the timesheet server.
  • 0 Votes
    2 Posts
    2k Views
    K
    Yes, put this in custom adv opt. http_port  8080  If you enable SSL you can use something like below: http_port  8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/  ; assuming you use the latest squid package from the pfSense repo and pfSense 2.3.2. Not sure if it will work on other versions. The first one should work on all versions. HTTPS will only tunnel.
  • How to apply https transparent proxy by ip range

    7
    0 Votes
    7 Posts
    6k Views
    K
    OP wants to know how to transparent only selected IPs. ssl bump is already added in the new squid config, including this one: ssl_bump server-first all. Yes, he can add to do not proxy source address using alias on the Bypass Proxy for These Source IPs if he does not want to use the NAT. It will be added in the NAT eventually. But if you want to enable http to all clients while only selected clients will have https transparent to avoid certificate confusion, then use the NAT posted above. Use destination port 443 to not redirect if not selected client.
  • Run SARG on Another Machine to Analyze Squid Logs in pfSense 2.3.2

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Squid error

    3
    0 Votes
    3 Posts
    1k Views
    S
    Thank you.
  • Allow User To Authenticate and Bypass Filter

    5
    0 Votes
    5 Posts
    4k Views
    C
    @Willo: @chris4916, I'm wondering if the authentication couldn't be "transparent" by authenticating to either a local user database or AD?  So when they browse, it silently authenticates in the background? This wording is quite confusing especially when topic is proxy. Avoid "transparent authentication" wording, IMHO  ;) This said, technically, yes you can enable SSO (single sign on) at browser level and configure Squid (and your browser) to support Kerberos (because SSO is Kerberos based) but be aware that: 1 - this is an extra level of complexity. Perhaps not the one to start with 2 - Behaviour differs depending on browsers 3 - This works with Squid / Squidguard but I don't know if pfSense packages allow such configuration 4 - last but not least, this means to have Kerberos domain configured (and used). This is often achieved with Windows domain. I would suggest that you not try to achieve everything from scratch in one shot. Start with authentication and filter then once this works, you can think about changing your authentication mechanism and move to SSO
  • MOVED: FTP Problem

    Locked
    1
    0 Votes
    1 Posts
    615 Views
    No one has replied
  • Squidguard does not enforce Google Safe Search

    10
    0 Votes
    10 Posts
    3k Views
    r0utevv3R
    Your method doesn't work for me. I have already followed your instructions and still nothing. Please help!
  • Squid Reverse Proxy or HAProxy?

    16
    0 Votes
    16 Posts
    12k Views
    K
    Thank you so much. It was something with the ACL, I fixed it, see picture. Yeah, it's version 1.5 HAProxy, I'm still using pfSense 2.2.4. Thank you [image: Clipboarder.2016.10.01.png]
  • Cannot access Squid User Access Reports in ChromeOS (Chromebook)?

    2
    0 Votes
    2 Posts
    1k Views
    B
    Just cause it is a stupid mistake on my part….. you have to ADD port 7445 to the squid proxy server's ACL SSLPorts list...
  • No allowed http site

    2
    0 Votes
    2 Posts
    775 Views
    S
    I resolved, the problem was that he had in squidguard configuration about default !all thanks.
  • Lightsquid is nice but not good enough. I need to see DENIED Sites.

    1
    0 Votes
    1 Posts
    716 Views
    No one has replied
  • Group ACL in Squidguard behaving strangely

    9
    0 Votes
    9 Posts
    2k Views
    V
    @KOM: You have something very weird going on.  I couldn't even begin to guess at what it might be.  Please report back if you get to the bottom of it. Yes, I agree it is very strange. Thank you for trying to help.
  • Lightsquid hostname case sensitivity

    1
    0 Votes
    1 Posts
    881 Views
    No one has replied
  • Can't get Squid Authentication running

    5
    0 Votes
    5 Posts
    1k Views
    jimpJ
    @robertfranz: Was this broken all the way through 2.2.6 then? On older versions of squid it failed silently – It would accept a longer password but only check the first 8 chars. The newer version properly rejected that as a mismatch until the method was changed to use a password hash that allowed longer than 8 char passwords. So before it was even more insecure, but it was not obviously insecure.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.