@Abhishek:

i find after disabled Snort on lan interface…

I'll be very glad if you could explain purpose of Snort listening on internal interface. There is something I don't understand here  ???

look at this…
but remember to move away from transparent proxy first  ;)  otherwise this will obviously not work  :P

Beyond the conclusion reached on the other thread (your settings are messed up), nothing else I could advise here. Read the FAQ, flush broken settings, flush the Squid dirs if the "Keep Settings/Data" feature doesn't work for you, reconfigure from scratch.

You also need Maximum Object Size set accordingly. No further assistance from me, this is dead end as noted above.

Sure it does  ;)

As you have now explicit proxy with (soon) authentication and profiling, wouldn't captive portal do the trick ?
Users will have to authenticate first at captive portal level and this will grant them for access through local FW.

@n3by:

@PikkonMG

Did you test it to see if it is real working or just pretend ?

Because on my config all services are working ( and av updated ) but download test fail - no alert triggered.

https://secure.eicar.org/eicar.com.txt

https://rtcamp.com/tutorials/mail/server/testing/antivirus/

@dok
A test button on interface will be more than welcome.

Yes it all works. If I go to eicar and try to grab any of the test files it stops it.

As you operating system supporting proxy.pac file is Windows, you will have to create such symbolic links using mklink command and create as many logical links as needed.

e.g.

will create a new (logical) file wpad.dat linked to proxy.pac
If you modify proxy.pac content, it will modify wpad.dat too.

PiBA, yes, I totally boneheaded it and put bce instead of bge..I have several servers, some with bce and some with bge and I just confused it. After making the change and rebooting it seems to be working better. I am slowly ramping up the users but so far so good at 2500+. The stats I posted below were from Apache Bench so I need real world clients to really test it out.

Thanks for reminding me to post back to the group.

Have you tried with haproxy ? You will find it on package manager.

ok. I finally got it working. Here's what I had to do:

DansGuardian:
General -> Highlight (turn on) both forwardedfor & usexforwardedfor

Squid (Proxy):
Custom Options
acl other_proxy srcdomain My.Proxy; log_uses_indirect_client on; follow_x_forwarded_for allow localhost; follow_x_forwarded_for allow other_proxy; acl_uses_indirect_client on; delay_pool_uses_indirect_client on

Use the name of your pfsense box in place of My.Proxy

I also used "tail /var/squid/logs/access.log" & "tail /var/log/dansguardian/access.log" throughout troubleshooting this to find out what exactly was being captured in the logs.

Sources for this:
http://www.linuxquestions.org/questions/linux-security-4/dansguardian-and-squid-480571/
http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/ (to understand follow_x_forwarded_for)

Yeah. Now, don't forget to check the Keep Settings/Data box again. :)

@trinidadrancheria:

Anyone?

I'm not yet even sure if i have it working. I can just see udp data going forth and back.
After what feels like an age my "master" now also shows an "ON" status. Last time I checked the other node did NOT show "ON", it just showed nthing.
One thing I have different is the select method (carp) and icp options (multicast-responder)

I've NOT set passwords.

I think the carp setting is questionable since I am using it with a loadbalancer / virtual server distributing the traffic to both proxies.
But considering how underdocumented + bug ridden this is, we're just testing our luck and this seems to be lucky.
(yes bug ridden, I'm not even getting logs after I set them to be stored outside /var because /var is a ramdisk. I feel noone tests anything)

Did the trick for me to….. this has been driving me mad!!!!

Thanks.

@chidgear:

Hi!
I did this:
After downloading a blacklist from shallalist.de , create a target Category (call it as you want) add a least one domain and start Squidguard with the apply button (if it hasn't started yet) According to certain posts regarding to the Squidguar manual, this is a necesary condition to use blacklists and another configurations. In my particular case, I've created a target category called "White_list" on which I've added the sites contained in the default blacklist but that I wish to access anytime (for example, wikipedia.org, wikimedia.org and pfsense.org).

after doing this, I can reboot the server, an the SquidGuard service boots automatically after one minute.

Try it and, if it works for you, come back and tell us!

AFAIK only Lollipop 5.1.1 AOSP supports specifying an explicit PAC file per WiFi SSID. My CM 12.1 works beautifully like this. There are apps that let you use a PAC file, but they are cumbersome. Search the App Store.

Something that worked for me is

Basically you have to set it on and then exclude sending the inner IPs out:

Enter something like this under Squid3: Proxy Server/General Settings Tab/Custom ACLS (Before Auth)

#header_replace X-Forwarded-For
forwarded_for on

acl mxln src 10.0.0.0/24 # RFC1918 possible internal network
acl mxlno src 10.0.1.0/24 # RFC1918 possible internal network
acl mxlnr src 10.0.2.0/24 # RFC1918 possible internal network

reply_header_access X-Cache-Lookup deny !mxln
reply_header_access X-Cache-Lookup deny !mxlno
reply_header_access X-Cache-Lookup deny !mxlnr
reply_header_access X-Squid-Error deny !mxln
reply_header_access X-Squid-Error deny !mxlno
reply_header_access X-Squid-Error deny !mxlnr
reply_header_access X-Cache deny !mxln
reply_header_access X-Cache deny !mxlno
reply_header_access X-Cache deny !mxlnr
reply_header_access Via deny !mxln
reply_header_access Via deny !mxlno
reply_header_access Via deny !mxlnr

Perhaps because upgrade from some superbroken 2.1.x Squid versions just won't work? (Same goes for doing a fresh install and importing the package configuration.)

On that note, the good thing about 0.3.8+ is that - if you at least manage to install it and uninstall it straight away with enabling the "Keep Settings" thing, it should give you a Squid-free config.xml without any manual messing and leftovers from god knows how many old Squid variants and versions.