Hello doktornotor!

Thank you again for answering.

I created and set up new partitions using a small how-to for FreeBSD.

/cache01
/cache02
/cache03

Now I will add the lines "cache_dir" in squid.inc:

cache_dir ufs /cache01 128000 64 256
cache_dir ufs /cache02 128000 64 256
cache_dir ufs /cache03 128000 64 256

But would add the customized field if it existed. And so I would be more quiet.

Okay, I just have to be careful to keep the lines "cache_dir" in the Squid configuration.

Reading the file "/usr/local/pkg/squid.inc" found a link to http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube#Discussion

Question answered.

Jairo Raiol

Dear PiBa,

Thank you very much! While I could not really figure out the cause, what  did help was to set "Stick on SourceIP" in the backend. Generally, the cluster to which HAProxy does connect has locking set up in a way that it should not matter if one request goes to one cluster member and the next request goes to another cluster member. Nevertheless, this does seem to help.

Regards,

Michael

30% off is a little bit much.

Sometimes squidproxy do thinks like speed up … ::)

What would require trusted certs in what I was thinking?

Transparent proxies will trigger your web browser's Man in the Middle warning whenever you visit an HTTPS site.

Also, would this WPAD have the Roku circumvent the firewall altogether?

WPAD is just a technique for devices to auto-locate your web proxy.  That's all.  It looks complicated, but it's really just a single DNS entry, a DHCP entry and a small file named wpad.dat with a proxy.pac symlink.

Also, would this WPAD have the Roku circumvent the firewall altogether?

No.  WPAD is just a method of auto-detecting the proxy and nothing more.

Your wpad.dat|proxy.pac files need to be on any HTTP server you can use.  I use my pfSense box but any old Apache on *nix will do.

Oh now it´s working,

I use this URL: https://blocked-by-Proxy.lan.mydomain.com/sgerror.php?url=403%20&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

And I have a certificate on my website.

Working great now  :)

Can u please give details?

Diagnostics - Backup/Restore.  Set Backup area to All.  Click the Download configuration button.

This link explains it for me, so perhaps usefull for others.

https://community.mcafee.com/docs/DOC-4816

Thanks for the help once more.

There's no squid3-dev on pfSense 2.2; install squid3. Also, messing with pkg has absolutely no effect, that's not what is used.

Hi all I am bumping up this topic again because I made a few observations.

I have determined that Squid has an issue with multi segment downloading/Multithread downloading.
Testing with downthemall for firefox and metalink for chrome downloading a test file http://mirror.internode.on.net/pub/test/
When port 80 and 443 are blocked and all traffic is going through squid the download is limited to 1 segment resulting in slow download speed.

However when not going through squid then the segments are not limited to 1, resulting in being able to download 10x faster (because now I can connect to 10 segements).

I have also found that some software update programs which use multi segment downloading/Multithread downloading become slow at downloading.

Now this is the strange part, squid does support multi segment downloading/Multithread downloading, when downloading from youtube you are able to connect to multi segments and get full bandwidth.

So I guest the big question is is this a pfsense squid package issue or a squid-cache.org issue? Where should I post this bug/issue?

Afraid I won't be much of an assistance here, beyond a couple of notes:

Don't use the default QNAP certificates, pretty much the same like having no encryption at all. Anyone can get the private key. Literally every howto that deals with running OwnCloud on QNAP suggests to move the QNAP admin webgui our of port 443.

Other than that, all QNAP boxes here are running Debian.

Hi doktornotor,

thanks for the links.

I imagine to get a logfile with Timestamp , Username or Vouchercode, URL to log the guests activities in our WiFi network.
So do you know, where the pfsense creates a logfile with Timestamp, Voucher and associated IP Adress so i can figure out,
who had which IP Adress at Date / Time XY and accessed which URL?

The User has all the rights , because if i connect to the FTP server without the proxy it connects without any problems.

There should be an exception list where you could set an entry, that then this FTP would not be any more
filtered by the Proxy thats it.

@doktornotor how could i stop proxing the FTP ?

It is the most insecure protocol in the Internet, sends in plain text!
So with S/FTP or FTP/S you would be providing more security and all would be fine for you.
Otherwise could you set up one or more VPN connections to the pfSense firewall and then
the users could get access to the really insecure FTP but also over an encrypted line or tunnel!
And this would be the best way to go these days as I see it right.

@roccor

The netflix player uses IP address to pull content, so your ACL's by domain name may not work once the player gets going.

See my reply in a similar thread about Netflix streaming and how to find the CIDR range to bypass in squid:

https://forum.pfsense.org/index.php?topic=94812.0

Make sure when you import your cert to Firefox that the "Authorities" tab selected.  It works.

@Ramosel:

Oh well, when those who are prone to pithy responses suggest that "search is your friend" at least we can link back to this!

https://forum.pfsense.org/index.php?topic=101502.msg566236#msg566236

So… yeah, use the darned search, be it Google or this forum.

Thanks for your help, you guys!

Managed to upgrade all our pfSense boxes to 2.2.4 now, thanks to the info on these here forums.

Now running the latest Squid and SG, and so far all are working as before… :)