• Siproxd and dual WAN failover

    1
    0 Votes
    1 Posts
    498 Views
    No one has replied
  • Squid Windows Update not hitting

    6
    0 Votes
    6 Posts
    3k Views
    N

    Thanks for the responses, checked the reports again today and another IP is pulling down over 4GB from Windows Update.

    @aGeekHere:

    Have you increased Maximum Object Size to an insane value like 1000MB for big updates ?

    Yea, I have it set to 1GB but still no luck. Will try the refresh patterns posted.

    Regards

  • Accessing WPAD on /usr/local/www with port 80 (SOLVED)

    12
    0 Votes
    12 Posts
    2k Views
    A

    That is exactly my set up

  • SQUID performance

    10
    0 Votes
    10 Posts
    3k Views
    KOMK

    not to forum jump this but not really sure why so many misses

    Like I said earlier, if you have a large cache structure that is mostly full on a slower hard disk then you will have elevated Cache Miss times.  The longer it takes to search the cache before declaring a MISS, the worse your numbers will be.

  • HowTo Request - Squid with Cisco AnyConnect

    2
    0 Votes
    2 Posts
    2k Views
    B

    See if this helps:
    http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-vpn.html

    There appears to be a setting you can adjust related to how AnyConnect treats proxy connections; however, it appears that if your configuration is 'Always On' or you are on IPv6 in your home, I believe Cisco AnyConnect doesn't support it and you're out of luck.

    As far as Netflix I would try excluding it from sites to proxy.

  • Re: SquidGuard and sgerror.php (SOLVED)

    3
    0 Votes
    3 Posts
    5k Views
    E

    I've solved the problem:
    1. Enter this configuration in lighty-proxy-wpad.conf

    #
    # lighttpd configuration file
    #
    # configured for WPAD/PAC serving
    #
    ## set static document-root
    server.document-root = "/usr/local/www/wpad/"
    server.modules = ( "mod_access", "mod_fastcgi", "mod_cgi" )

    ## where to send error-messages to
    server.errorlog = "/var/log/lighty-proxy-wpad.log"

    # mimetype mapping
    mimetype.assign = (
        ".dat" => "application/x-ns-proxy-autoconfig",
        ".da"  => "application/x-ns-proxy-autoconfig",
        ".pac" => "application/x-ns-proxy-autoconfig"
    )

    ## bind to proxy address and port
    server.bind = "10.170.60.40"
    server.port = 80

    fastcgi.server = ( ".php" => ( "localhost" => ( "socket" => "/var/run/php-fpm.socket", "broken-scriptfilename" => "enable" ) ) )
    cgi.assign = ( ".cgi" => "" )

    ## unique pid to other lighttpd instance
    server.pid-file = "/var/run/lighty-proxy-wpad.pid"

    and copy /usr/local/www/sgerror.php into /usr/local/www/wpad/

    Now all working.  ;)

  • Squidguard not logging blocked sites

    7
    0 Votes
    7 Posts
    3k Views
    B

    It seems that I misconfigured the proxy server. I had adjusted the value of "SSL Certificate Deamon Children" before; as far as I can remember, I set it to "50". And I can't remember why I did that.  :D

    Nevertheless, after I changed it back to the default value, which is "5", and restarted the pfSense box, all of a sudden squidGuard returned to its normal logging behavior.


  • HAProxy Redis

    4
    0 Votes
    4 Posts
    2k Views
    P

    Hi Michael,

    Ok, thanks for your follow-up :) I suppose it would be possible to use those config options to make it listen for outside requests, while still using other options for the storage? I'm not very handy with Docker so far; I don't think I can give good advice there anytime soon.

    Regards,
    PiBa-NL

  • Squid and SquidGuard in transparent and not in transparent with bridge

    2
    0 Votes
    2 Posts
    1k Views
    F

    Ok, after other tests, now I can answer myself:

    pfSense in bridge mode + squid in transparent mode cannot work (from the webGUI, because I assume that a very experienced guy operating also via CLI will probably succeed)

    pfSense in bridge mode + squid NOT in transparent mode works!!

    Thank you all

  • 0 Votes
    16 Posts
    14k Views
    K
    url_rewrite_bypass off;

    How can I remove this code from squid permanently? When pfSense is rebooted, my settings are cleaned.

  • Transparent Proxy help please

    4
    0 Votes
    4 Posts
    1k Views
    E

    I haven't found any solution without adding the NAT rules.

    Can someone confirm that this is the correct way to work with a transparent proxy? (But I don't understand the check box "transparent proxy".)

    Thanks in advance.

  • Squidguard, pfSense 2.3, not starting, fresh install

    3
    0 Votes
    3 Posts
    1k Views
    S

    Sorry, I cannot help, but have the same issue. (fresh install pfSense 2.3.1)

    In the Log (Package/SquidGuard/Logs > FilterLog) I see the same "starting, db update done, stopping" behaviour as you described.

    I checked from the console to verify whether a separate install of the Squid package via the webGUI is needed. But that's a "no". When the squidGuard package is installed via the webGUI, it automatically installs squid 3 as well. (But the webGUI still shows the squid package as not installed, which is simply due to the fact that the squid package in the webGUI is a bundle of several packages, not squid 3 alone.)
    However, I have read that SG somehow looks for squid2, so perhaps that is related to the problem. I will keep looking in the logs for more info.

    EDIT: I am not sure yet as I don't know how to verify it, but it seems that SG is running even though it's shown as stopped. I just had access to a certain site rejected, and after removing the SG package it worked again. (Direct correlation not verified, but I had the impression.)

    Does anyone have an idea how I can get more reliable info on the real state of SG?

  • Squid Reverse Proxy for Multiple Internal Hosts

    2
    0 Votes
    2 Posts
    2k Views
    S

    1. To mitigate port problems, simply bind squid to a high port on the localhost interface, and NAT from WAN to it.
    2. Make 100% sure that you have really made the cert available to Squid and that it works. For example, publish a simple web server on IIS and try to reverse to it. If it works, you're ok.
    3. For Exchange I found the default options available in the Reverse Proxy configuration unusable for me. I found this one works:
    add to "Services -> Squid Proxy Server" (not in reverse proxy configuration!) in the "Custom ACLS (Before Auth)" section:

    cache_peer %IP_OF_YOUR_EXCHANGE% parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_1_pfs
    cache_peer %IP_OF_YOUR_EXCHANGE% parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_1_pfs
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/owa.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/exchange.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/public.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/exchweb.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/ecp.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/OAB.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/Microsoft-Server-ActiveSync.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/rpc/rpcproxy.dll.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/rpcwithcert/rpcproxy.dll.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/EWS.*$
    acl OWA_URI_pfs url_regex -i ^http://exc.contoso.com/pub.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/pub.*$
    acl OWA_URI_pfs url_regex -i ^http://exc.contoso.com/AutoDiscover/AutoDiscover.xml
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/AutoDiscover/AutoDiscover.xml
    acl OWA_URI_pfs url_regex -i ^http://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml
    acl OWA_URI_pfs url_regex -i ^https://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml
    cache_peer_access OWA_HOST_443_1_pfs allow OWA_URI_pfs
    cache_peer_access OWA_HOST_80_1_pfs allow OWA_URI_pfs
    cache_peer_access OWA_HOST_443_1_pfs deny allsrc
    cache_peer_access OWA_HOST_80_1_pfs deny allsrc
    never_direct allow OWA_URI_pfs
    http_access allow OWA_URI_pfs

  • Squid is not starting

    3
    0 Votes
    3 Posts
    2k Views
    N

    Hi,

    Probably you have to modify this in /usr/local/pkg/squid.inc or some other squid(guard) related .inc file.
    These files, together with the XML files, create the squid.conf.

  • I do not have new report by lightsquid from last thursday

    1
    0 Votes
    1 Posts
    494 Views
    No one has replied
  • Filtering HTTPS / SSL Traffic on pfSense 2.1 using Squid Proxy

    44
    0 Votes
    44 Posts
    167k Views
    S

    Hate to say, but not in the pfSense version :( In pfSense, SSL filtering settings are managed by pfSense's Squid GUI. In the Linux version there are two modes: bump all or filter targeted. And it is also possible to bump by categories, i.e. never bump banks.

  • WPAD/Squid fail, having trouble figuring out what went wrong

    3
    0 Votes
    3 Posts
    5k Views
    D

    That was it! Thank you.

  • Reverse Proxy and Outlook Anywhere unstability

    5
    0 Votes
    5 Posts
    2k Views
    D

    Same problem here.
    pfSense 2.2.6
    squid3 package 0.4.7

    Was this ever fixed for squid?

    Can you clarify how you used HAProxy?
    Did you put HAProxy in front of reverse squid?
    Or directly in front of Exchange?

  • Whitelist not working

    3
    0 Votes
    3 Posts
    843 Views
    B

    Yes, and cleared cache on browser just to be sure.

    Edit: I clicked 'Save' again and 'Apply' and now it's working.  I'm sure I did it before (multiple times), but whatever, it's working now.  Thanks!

  • Squid cache server?

    7
    0 Votes
    7 Posts
    3k Views
    KOMK

    I'm not a squid expert.  Your GUI options won't make a difference in general.  If you have content that doesn't cache then you need to enable dynamic caching and then modify your refresh patterns to compensate for the content that doesn't cache.  Test, fix, repeat until working.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.