Apologies all… Google Foo was not playing well this morning...

Thread with info I need is here:  https://forum.pfsense.org/index.php?topic=83236.0

The main problem with OpenDNS is that you can't segregate between blocked and non blocked clients

You can in a way via firewall rules.  Non-blocked clients can get direct access out via port 53 to whatever DNS they choose.  Blocked clients will have their DNS requests captured and handled by pfSense.

on the backend i have added the following line to

"Backend pass thru"
reqrep ^([^\ :])\ /Automation/(.)    \1\ /\2

This seems to work is it possable to drop off the last forward slash / ?

Cheers

Rich

By default, I think squidGuard is configured to deny all so you would have to go to Target Categories, expand the list and then make sure that Default access [all] is set to Allow.

The script for cp authentication integration is updated on latest package version for pfSense 2.3.x.

I tested this using the freebsd http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/squid-devel-4.0.13.txz on pfsense 2.3.2 http and SSL filtering transparent and non transparent mode, works fine have to edit the squid.conf also. With squidguard i got short of file descriptor currently have this kern.maxfiles: 15260 with only 1 user got short of file descriptor so i move back to 3.5.19 official pfsense repo.  Same config with storeid_rewriter helper.

you cant load balance internal traffic from 127.0.0.0/8, best solution therefore is to use a parent proxy inside any of your lan and load balance that trafiic. REmember not to intercept that traffic from your parent proxy else you will be going to an infinite loop.

You also need to grant them access to "WebCfg - Package: Edit" or they can't submit info.

Little bit more.

I'd like squid to do this.

http port 80 redirect to https 443 and serve up https pages.  On the backend I want to use simple http and squid do all the encrypting.

Well… HTTP proxy can run in both explicit and transparent mode and this has nothing to do with SSL-Bump.
These are 2 different aspects and the only relationship is when you want/need to deal with HTTPS in transparent mode or if you want/need to analyse HTTPS content.

However, what needs to be understood is that from browser view point, proxy is either defined (whatever the way you define it) or not. If proxy is defined, then this is an explicit proxy. If not, this is transparent proxy. Which means that if proxy side, one can have both in parallel, client side (browser) you have only 3 choices with no overlap:

explicit proxy no proxy -> with transparent proxy intercepting no proxy... without proxy  ;D

If SSL-bump is configured (whatever proxy mode, explicit or transparent), trusting certificate generated to intercept HTTPS flow is mandatory to prevent warning messages.
This often means to deploy, client side, CA public key to be trusted.

Keep in mind we are only discussing technical aspects here, not all the legal aspects with HTTPS flow being broken and intercepted.

While designing your proxy, you have to determine whether your goal is to filter access (e.g. prevent facebook access) which doesn't require any SSL-bump, even for HTTPS, but does require explicit proxy or if you need/want to intercept HTTPS, which means SSL-Bump thus certificate.

Yeah I have no idea about that, sorry.

Exactly thats why I am posting this :). If you have a better solution then post it

nice one sir :)