NP :)

Hi,

I already set the blacklist, but the thing with the dummy entry was new to me.

That did it!

Thank you very much!!!

Ok, clear and understood.  8)

Resolved with the new version!

Thank you doktornotor.

Hi Guys,

i do not understand the behaviour of dansguardian wit NO ssl-interception.

Fact is, that dansguardian has decided, that the required URl is inappropreiate. This must be a decission on behalf of URL, IP or something else OUTSIDE the SSL connection.

So why should dansguardian not be able to redirect the request?

This seems a bug in dansguardian for me.

Greetings

I've also been getting a setup similar to yours up and running on my home network and have also run into similar issues with ssl and the app store/dropbox.  I have seen it reported that dropbox is using ssl pinning which is probably why the dynamic certs being created are being rejected.  To get around this and caching, I've been playing with these settings in the Custom ACLS (Before Auth) under advanced features for squid:

acl nobump dstdomain .dropbox.com .apple.com ssl_bump none nobump acl alwaysdirect dstdomain .apple.com always_direct allow alwaysdirect cache deny alwaysdirect

The first 2 are to avoid ssl bumping on those matching labels.  This has let the app store on iOS and the dropbox client to connect without error.  I believe that by enabling this you will loose the ability to do any path matching in squidguard on secure urls, but since you are direct connecting in your wpad config this is probably fine.
The last 3 lines are to avoid having any results cached.  I'm getting mixed results with those, need to read more into the current documentation to make sure they are doing what I would expect.

Currently still the best way is to setup a real syslog server and send logs over udp to it.. The usage of chroot prevents that haproxy still uses that syslog 'file' once it started up..

@dsefcik:

Can you describe what it does? You seem to think we should not need to add this.

http://www.squid-cache.org/Versions/v3/3.1/manuals/squid_ldap_auth.html

-R        do not follow referrals

Read this: LDAP Referrals, mainly:

An LDAP referral is a domain controller's way of indicating to a client application that it does not have a copy of a requested object (or, more precisely, that it does not hold the section of the directory tree where that object would be, if in fact it exists) and giving the client a location that is more likely to hold the object, which the client uses as the basis for a DNS search for a domain controller.

Either you are querying wrong DCs or there's something wrong with your setup really.

@doktornotor:

Stick this in there:

--- a/usr/local/pkg/squid.inc      2015-10-12 20:05:23.939006529 +0200 +++ b/usr/local/pkg/squid.inc    2015-10-14 10:22:42.955506820 +0200 @@ -953,7 +967,7 @@         if (!empty($post['quick_abort_min'])) {                 $value = trim($post['quick_abort_min']); -              if ((!is_numericint($value)) && ($value !== -1)) { +              if ((!is_numericint($value)) && ($value != "-1")) {                         $input_errors[] = "'Finish when remaining KB' must contain a positive integer or '-1'.";                 }         }

Leave everything at defaults and use the fine "Test" feature in there if unsure.

thank you so much.

@doktornotor:

I have already told you 3 times that it's a leftover from Squid3 before 0.3.6. Remove it and move on.

I always did. Thanks.

thanks for this tweak.

it's ok when a make a search directly from www.bing.com.

but i have a problem when i make a search with the integrate search bar in star menu in windows 8 or 10.
it 's redirect to www.google.fr but with bing.com and some URL parameters.

so i have and ssl certificat error that say me URL is not the same as URL in certificat.
and finaly i have "404. That’s an error."  message from google that's say me page not found with this parameters :-(

Hi!

You can use Shellcmd package to do it.

Not really sure what "burn out" are you talking about. These days, the SSDs will handle hundreds of TiB of writes. If you want the thing managed by the package, simply mount things under /var/squid. You can still change it to whatever, just don't expect those dirs it to be maintained by the package (you'll get self-explanatory log warnings about that.) One accident with recursively changing permissions on / has been just enough.

I actually managed to get it going by deleting all of the advanced feature .conf

Stop&Start antivirus service and everything's fine. I must admit I didn't further investigate the issue but it's worth a try.
By the way, great job doktornotor, seriously.
Bye

Well… was about to suggest that. LOL. :)

IT IS DONE  ;D

The old TMG is now replaced with a PFsense box.

Two things i miss from TMG though

The External computer set. Makes creating firewall rules so much easier. Just do an allow anything to external and you got unrestricted internet access but no access to other networks on the "inside" like opt The grouping functionality. In tmg you can create a group and then collect rules in the group. For example i can place all rules for my webservers in one group and have the mail servers in another. Makes troubleshooting much faster since i know i only have to look in the mail group when troubleshooting mail

Some questions:
-Do you want all 4 site's to be reachable using https? (if its only required for 1 site there is no need for SNI or any other extra stuff..(
-Are you testing access to website2 from 'outside' a client or 3/4g phone on the internet? As when testing from the LAN you might actually be accessing the pfSense webgui.?. Though that would still not explain the redirect to website1..
-Is it possible to visit website2 over https on the current IIS configuration? (ignoring the certificate error.?.)

1- VMs seem like a rather big solution to a small problem (+licences)..
2- Haproxy would allow you to configure 4 different certificates one for each domain / ip.
You could even host all 4 sites on 1 external ip, in which case SNI is required to send the right server-certificate back to the client.
3- upgrade IIS of course technically possible, but might require a new windows version (+licence).
4- With the 'old' IIS version i think it might just be easiest to configure the webserver with 4 lan-ip's and change the portforwards to direct traffic to each of those ip's. Then also configure the 4 websites in IIS to bind to those lan-ip's. (you could also try with assigning different ports instead of 443 to the other https sites 1443 2443 3443, and forward traffic there, that would evade the multiple lan-ip requirement, but might lead the site to generate wrong url's containing the port.. something you would need to test.)

I would probably prefer option 4 with multiple lan-ip's or ports, if that isn't possible option 2 or even the combination of both :).

ok, found this:https://forum.pfsense.org/index.php?topic=88309.msg487607#msg487607