Ok doktornotor, if ClamAV is a toy the only thing left is blocking.

And here i see sometimes sites don't work if something (Ads) are blocked.
So Adblock Plus is the better solution?
But what about Ads on TVs, consoles or in-game Ads (Android, Windows Phones)?

It's not that i don't have a Adblocker on Android but i want to check the possibilities.
I saw somewhere it's possible to use the EasyLists in SquidGuard?

If blocking Ads is better on the clients then there is from the Shalla's Blacklists left:
Spyware (Trojans, phishing sites) and Tracker

At the moment i pay for squidblacklist.org and want to get rid of it.
I use from them:
Malicious (Virus, botnet, malware, adware, apt, drive by, infectious) and Proxies (Http proxies users may attempt to use to bypass your filters)

I guess it would make sense to block:
Virus, Botnet, Malware, Adware, APT, Drive-By Download, Infectious, Espionage, hosts that perform IP tracking for media companies and associations like RIAA/MPAA, Http proxies users may attempt to use to bypass your filters

If all this is not really usefull the only thing left is caching with Squid and i ask myself if all the hassle with getting wpad to work is worthwhile for a normal household?

You're very welcome

Thanks KOM for the info, we had to put the Project on ice for a time, other things :( but Will be starting up again soon. We will be looking for sending Proxy settings automatically or maybe have to set up Website on the Proxy to Redirect.
We just have a WiFi and LAN that we want to provide Internet using a Login with mulitple (2) Internet connections. that was our purpose in choosing pfsense.
Thanks again and any suggestions are appreciated.

The biggest room in the world is the room for improvement.

And IE?  What URL specifically?

Cache size has already been experimented with, as has the RAM allocation.
No difference either way with memory usage.

There's no MD5, there's DES. See crypt() docs It silently truncates passwords to 8 chars - read e.g. here: http://www.certpal.com/blogs/2010/05/crypt-des-and-8-character-truncated-passwords/

I cannot see how the patch here adding some MD5 salt nonsense to DES would work for anyone, just doesn't make sense. Perhaps if your replaced crypt() with md5(), it'd actually do something meaningful?!

Thank you very much doktornotor!

It worked perfectly.

His work is very important for the adoption of the platform.
A big hug.

You'll really need to dig into the C-ICAP docs. If you figure out some working configuration, it can be put to the package, but I certainly don't have time to play with radios streaming ATM.

NP :)

Hi,

I already set the blacklist, but the thing with the dummy entry was new to me.

That did it!

Thank you very much!!!

Ok, clear and understood.  8)

Resolved with the new version!

Thank you doktornotor.

Hi Guys,

i do not understand the behaviour of dansguardian wit NO ssl-interception.

Fact is, that dansguardian has decided, that the required URl is inappropreiate. This must be a decission on behalf of URL, IP or something else OUTSIDE the SSL connection.

So why should dansguardian not be able to redirect the request?

This seems a bug in dansguardian for me.

Greetings

I've also been getting a setup similar to yours up and running on my home network and have also run into similar issues with ssl and the app store/dropbox.  I have seen it reported that dropbox is using ssl pinning which is probably why the dynamic certs being created are being rejected.  To get around this and caching, I've been playing with these settings in the Custom ACLS (Before Auth) under advanced features for squid:

acl nobump dstdomain .dropbox.com .apple.com ssl_bump none nobump acl alwaysdirect dstdomain .apple.com always_direct allow alwaysdirect cache deny alwaysdirect

The first 2 are to avoid ssl bumping on those matching labels.  This has let the app store on iOS and the dropbox client to connect without error.  I believe that by enabling this you will loose the ability to do any path matching in squidguard on secure urls, but since you are direct connecting in your wpad config this is probably fine.
The last 3 lines are to avoid having any results cached.  I'm getting mixed results with those, need to read more into the current documentation to make sure they are doing what I would expect.

Currently still the best way is to setup a real syslog server and send logs over udp to it.. The usage of chroot prevents that haproxy still uses that syslog 'file' once it started up..

@dsefcik:

Can you describe what it does? You seem to think we should not need to add this.

http://www.squid-cache.org/Versions/v3/3.1/manuals/squid_ldap_auth.html

-R        do not follow referrals

Read this: LDAP Referrals, mainly:

An LDAP referral is a domain controller's way of indicating to a client application that it does not have a copy of a requested object (or, more precisely, that it does not hold the section of the directory tree where that object would be, if in fact it exists) and giving the client a location that is more likely to hold the object, which the client uses as the basis for a DNS search for a domain controller.

Either you are querying wrong DCs or there's something wrong with your setup really.

@doktornotor:

Stick this in there:

--- a/usr/local/pkg/squid.inc      2015-10-12 20:05:23.939006529 +0200 +++ b/usr/local/pkg/squid.inc    2015-10-14 10:22:42.955506820 +0200 @@ -953,7 +967,7 @@         if (!empty($post['quick_abort_min'])) {                 $value = trim($post['quick_abort_min']); -              if ((!is_numericint($value)) && ($value !== -1)) { +              if ((!is_numericint($value)) && ($value != "-1")) {                         $input_errors[] = "'Finish when remaining KB' must contain a positive integer or '-1'.";                 }         }

Leave everything at defaults and use the fine "Test" feature in there if unsure.

thank you so much.