Thank you.

@Willo:

@chris4916, I'm wondering if the authentication couldn't be "transparent" by authenticating to either a local user database or AD?  So when they browse, it silently authenticates in the background?

This wording is quite confusing especially when topic is proxy. Avoid "transparent authentication" wording, IMHO  ;)

This said, technically, yes you can enable SSO (single sign on) at browser level and configure Squid (and your browser) to support Kerberos (because SSO is Kerberos based) but be aware that:

1 - this is an extra level of complexity. Perhaps not the one to start with
2 - Behaviour differs depending on browsers
3 - This works with Squid / Squidguard but I don't know if pfSense packages allows such configuration
4 - last but not least, this means to have Kerberos domain configured (and used). This is often achieved with Windows domain.

I would suggest that you not try to achieve everything from scratch in one shot.

Start with authentication and filter then once this works, you can think about changing your authentication mechanism and move to SSO

Your method doesn't work for me. I have already follow your instructions and still nothing. Please help!

Thank  you so much It was something with the acl i fixed see picture, Yea its version 1.5 Haproxy im still using pfSense 2.2.4

Thank you

Clipboarder.2016.10.01.png
Clipboarder.2016.10.01.png_thumb

Just cause it is a stupid mistake on my part…..

you have to ADD port 7445 to the squid proxy server's ACL SSLPorts list...

I resolved, the problem was that he had in squidguard configuration about default !all
thanks.

@KOM:

You have something very weird going on.  I couldn't even begin to guess at what it might be.  Please report back if you get to the bottom of it.

Yes, I agree it is very strange. Thank you for trying to help.

@robertfranz:

Was this broken all the way through 2.2.6 then?

On older versions of squid it failed silently – It would accept a longer password but only check the first 8 chars. The newer version properly rejected that as a mismatch until the method was changed to used a password hash that allowed longer than 8 char passwords.

So before it was even more insecure, but it was not obviously insecure.

This going to sounds odd - but on the Squid Local Cache tab, at the bottom of the pager is a section labelled Dynamic and Update Content.

In that section is a text box "Custom refresh_patterns"

Apparently, there are a lot of options that can be passed here - I know I've passed log directives to change to combined and pipe it through syslog_ng.

Quite possible that your code could be passed here, and it does survive reboots and (so far) upgrades.

I've also had a system where DNS resolving in LightSquid on pfSense 2.3.2 wasn't working correctly. Static leases and some (!) dynamic ones would display as host names, but all other hosts would display as IP adresses. Also, the same hosts that would display as IP adresses couldn't be resolved from the pfSense shell (!).

The solution was, coming from mostly default settings, to set "System Domain Local Zone Type" to "Static" and "DNS Query Forwarding" to "Enabled" in the DNS Resolver general settings, and to Click the "Refresh Full" button on the LightSquid settings page. To be frank, I'm not quite sure what these settings do "behind the curtains" - I've researched the meaning of these settings some time ago, but can't remember exactly what they do (yes, I'm old (; ). Could be that setting "System Domain Local Zone Type" to "Static" is sufficient to make it work.

Interestingly, clicking "Refresh Full" changed IP adresses to host names only in the "current day" report pages, not in the older reports (contrary to what the pfSense GUI says). I've been trying to get LightSquid to rebuild older reports by running "lightparser.pl" manually in the pfSense shell, but could't get LightSquid to rebuild older reports. I don't have the time to look deeper into this, maybe someone else could test and report back. I suspect there's a bug either in the way pfSense calls "lightparser.pl", or in the Perl script itself.

Also, there seems to be a flaw in the way LightSquid is called in pfSense. I've set the "report generation interval" to 1h, and the last report of every day always has a time of "23:00" (hours). I think this means that, for every given day, the report is missing all data from 23:00 - 23:59 hours, as the next run is logically "the next day" (= after 24:00 or 0:00 hours, even if only a few seconds). I'm not 100 % positive on that, though.

EDIT: I did some more digging, and it seems the "days before today"-stuff is connected to Squid log rotation. The GUI says "Defines how many days of logfiles will be kept. Rotation is disabled if left empty.". I assumed this means that the logs would rotate after the number of days I put in that field, but that assumption isn't correct. In fact, when entering any number in this field, the logs will be rotated every day, and logs with a higher "rotation sequence number" (appended to the log file name, like "access.log.x") will be deleted during log rotation. The number put into the GUI field is the number of logs that will be kept, not the number of days per se (it's only the number of days because pfSense "silently" rotates every 24 h). I think there should be two fields: "number of logfiles to keep" and "number of days to rotate the logfile after". The second field would have to change the "log rotate" cron entry in pfSense.

Sorry for getting a little off topic. I'll watch this thread for any replies, and maybe open a new thread with all that "rotating stuff" if there's any interest in the matter.

Hi,

There are a few ways to do that..

https://gist.github.com/PiBa-NL/d826e0d6b35bbe4a5fc3#file-haproxy-sending-the-source-ip-to-the-webserver

Options 1 and 3 are available in the webgui as a 'checkbox'.
Option 2 can be set as textual in advanced option.

Ill add that to my wiki shortly..

Regards,
PiBa-NL

Edit:
Added to wiki: https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_pass_clientip_to_webserver

I face the same problem.

If I configure Firefox to use proxy, the web filtering works fine. but the transparent proxy doesn't work alone (without proxy setup in Firefox)