I thought that having the Transparent Proxy option unchecked put me in explicit mode?

That is correct.

How do I block off ports 80/443 from the LAN?

By adding a block rule above the Allow All rule.

old topic but curious how about Cache Dynamic Content?

I noticed that too.

I installed Cron and edited the daily schedule for Squid, removing the rotate command.

Before:

/usr/pbi/squid-amd64/sbin/squid -k rotate -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf

Now:

/usr/pbi/squid-amd64/sbin/squid -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf

–--

I'm sure someone will jump here and say no change was made to Squid or Sarg that affects this... right...

I got the same Problem here :-/

This errormessage is spamming my log with far over 30 lines per second :-(

i have no IPv6 configured in my Network…

Edit:
I think i found the Bug

I have had the WAN Device set up to IPv6 DHCP, but i didn't got some IPv6 address.
After setting it to IPv6 none and restarting squid, the spamming stoppped.

Try This !!!

ln -s /usr/pbi/squidguard-amd64/local/lib/libldap-2.4.so.2 /usr/lib/libldap-2.4.so.2
ln -s /usr/pbi/squidguard-amd64/local/lib/libldap-2.4.so.8 /usr/lib/libldap-2.4.so.8
ln -s /usr/pbi/squidguard-amd64/local/lib/libdb-5.3.so.0 /usr/lib/libdb-5.3.so.0
ln -s /usr/pbi/squidguard-amd64/local/lib/libdb-4.6.so.0 /usr/lib/libdb-4.6.so.0
ln -s /usr/pbi/squidguard-amd64/local/lib/libdb41.so.1 /usr/lib/libdb41.so.1

have nice day :3

Hi Trumee,

Ah i overlooked that indeed, if your using TCP mode it is not possible to modify the http content inside the encrypted ssl connection.
1- So to use the options i wrote you need to perform offloading on haproxy and load the certificates on pfSense.

Other options are:
2- proxy-protocol (on the server line you could add a advanced setting "send-proxy" or -v2 -v2-ssl -v2-ssl-cn , but the backend must be configured to expect those..) http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#5.2-send-proxy
3- Transparent-Client-IP (this is a setting on the backend, but do read the warnings.!.)

If you dont want to decrypt ssl traffic on haproxy then option 2 would probably be best if your nginx supports it..

Regards,
PiBa-NL

good to know, I'll make some changes.

thanks a lot.. thats wht i want to know : )

Update:

Not more than a minute after I posted this I found the solution.  Under the Group ACL tab and then under Target Rules is the following message:

ACCESS: 'whitelist' - always pass; 'deny' - block; 'allow' - pass, if not blocked.

Simply changing my target category to whitelist corrected the problem.

checked ,
Group 1 (192.168.0.230-192.168.0.254)

with Movies and other allowed

Group 2 192.168.0.2 -192.168.0.229

with movies blocked ,

now when there is two groups with first group in allow all  , squid guard filtering is not doing even thought squidguard is showing its running but its not blocking any sites

It all depends on your needs you have! If you don´t need Squid as a proxy you don´t need to
install squid for sure. It is like all other services, functions and features or options, if you don´t
need them really you don´t should install or activate them then.

It can be useful if there are children in a household and/or the family size is really big likes
5 till 10 persons in total. So you would be able to install Squid & SquidGuard with a user
authentication and then all things can be logged down the road what the whole family
was doing and it could also be regulated what they are all can do.

Hi,
Thank you for the reply,

Well..lets say I give that user access to 443 yes the Emails will come though but now he can navigate to https sites with no issue.

I was wondering if theres a way to force everything using NAT to redirect to squid ports

So after that all the programs would have to use port 3128

That being said bitdefender uses port 80 it works when i have transparent proxy and Yes if it comes to that I have gravity point and could just do it on the console with the proxy updates.

But I just dont like the fact blocking port 80/443 seems pretty radical

Sorry once again I failed to provide the version numbers…

pfsense 2.2.6-RELEASE (amd64)
SG 1.9.18
squid3 0.4.7

The integrations field contains the following:

url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=0

I am not knowledgeable enough with squid to know what this does, so if you spot anything shady, please let me know!  At least, there is some references to squidguard..

I hope transparent proxy with squid works with 2.2.X otherwise whats the point of having the option to do so?  Plus it worked (somehow and not stable) in older versions of pfsense.

Regarding the antivirus, pfsense runs on a dual core CPU at 3.2GHz with 12GB RAM… So far it doesnt seem to be hindering bandwidth but I'll try to disable it to see if its faster.

Typically after you make changes and click save at the bottom of the associated page you are on (Common ACL if you changed target categories), go back to the General Settings page, and click Apply, once, no more, and it should reload the rules and work after a few moments.

Everything except HTTP, and if you have properly setup Squid to also handle HTTPS, will just pass through the firewall instead of squid… Squid is not meant for anything except traffic that goes over 80 and 443 in a typical environment.

Any idea?

Ok, figured I would update this post…  Had hoped someone would have chimed in by now though :(

I have HTTPS filtering working fully, I didn't realize that SquidGuard couldn't really intercept the connection, but will instead just break the tunnel, hence why I do not get the error page.

As for not accessing this forum, apparently when setting up my targets, I had accidently selected Forum instead of Fortune Telling... LOL

The only thing I have had trouble with since has been sgerror.php, since I followed that guide, and use HTTPS for webgui management, it seems I can't get the proper error page.  I attempted to copy the sgerror.php file over to the directory that is serving things, (I can serve an html file just fine!) but the browser just downloads the php file instead of generating a proper page with the block rule and such.

So, does anyone have any tips, or hints on how to get sgerror.php to work after having followed that guide?

Indeed:

from Squid perspective, relying on AD is nothing more than implementing LDAP support (although AD, as an LDAP server has some specific aspects) if you don't want to be prompted for authentication, Kerberos (especially in Microsoft domain environment) is the right solution. But this doesn't come out of the box because all browsers are not yet ready to support Kerberos.

This means you need Squid to support Kerberos (available since 2.6) and also your browser to be able to use such mechanism, which is not that obvious.