Google for 'wpad.dat example' and you will get responses that show you how to edit you wpad.dat file to handle local requests.  Your OS should already handle it if you have it set to bypass the proxy for local addresses.

If there are only 2 GB of memory in, why not even hug up the entire amount of memory to 4 GB or 8 GB
and forget this "problem" forever? But not slowing down the entire proxy and having some more free
space for other actions to offer to your firewall? I really don´t know what you have to pay for a 2 GB
or 4 GB RAM module in your area, but this is not a real big deal today, or?

I was able to get the reports running using the following procedure.

1. Start a console/terminal session as root. (I used the shell selection from the serial port.)

2. rm -Rf /usr/pbi/sarg-amd64/local/sarg-reports/

3. Edit: /usr/local/www/sarg_frame.php

3a. Find: $dir="/usr/local/sarg-reports"

3b. Change to:  $dir="/usr/pbi/sarg-amd64/local/sarg-reports"

4. From the web interface, go to Status, sarg Reports, Schedule tab, a report, and click on Force Update Now. After this, I am able to see all of the report information. (It would be a nice option to state whether the access on the report were accepted of denied.)

*  *  *

It appears that the 64-bit version of sarg has some of it's directories mixed up with the 32-bit version. Here are two places where the 64-bit installation appears to be referencing 32-bit directories.

1. /usr/pbi/sarg-amd64/local/etc/sarg/sarg.conf has "output_dir" set to "/usr/local/sarg-reports/" while the reports are actually generated to /usr/pbi/sarg-amd64/local/sarg-reports/. Changing the output_dir does not appear to have an effect. If it is changed, it appears to be reset if you change configuration information from the web interface.

2. The /usr/local/www/sarg_frame.php has the html reports directory hard coded incorrectly as $dir="/usr/local/sarg-reports"

*  *  *

I don't think this has anything to do with the report problems, but I have squid set with the Custom Option "cache deny all" from the web interface Services, Proxy Server, General tab. The test system has only the squid and sarg optional packages installed.

*  *  *

Can anyone tell me whether these issues should be directed to pfSense or the Sarg sourceforge page?

Dale W.

Hello, i have the same problem.

I made configuration in pfsense, the option BlackList, I download the package and install, but if you restart o reboot the pfsense, this lost the package and Squid as squidguard can't work correctly.

I have to download manually always the package.

How we can save the package shallalist.tar.gz in disk local for pfsense?

01.jpg
01.jpg_thumb
02.jpg
02.jpg_thumb

My Cpu usage was going quite high 28%

That's not what I would call high, or at least it doesn't appear to be enough to slow down the WebGUI.

can I server wpad file from a windows 7 machine or we need a webserver to do so.

You need some sort of HTTP (not HTTPS) server to serve the wpad.dat/proxy.pac files.  Which OS it lives on is irrelevant.I use pfSense itself for this.  I don't have it running in HTTPS mode (you can't access it at all via WAN) and I just dropped my files in /usr/local/www.

I did a full install from a usb stick (apu1d4 does not have a cd drive ) using "Live CD with installer (on usb memstick)".

Hi

as you could see in the build options of the actual available version of squid3 for pfsense it should support snmp.

Squid Cache: Version 3.4.10 configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--enable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--with-openssl=/usr' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1' 'CC=cc' 'CFLAGS=-O2 -pipe  -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/local/lib -L/usr/local/lib -pthread -Wl,-rpath,/usr/lib:/usr/local/lib -L/usr/lib -fstack-protector' 'LIBS=' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing  -Wno-unused-private-field' 'CPP=cpp' 'PKG_CONFIG=pkgconf' --enable-ltdl-convenience

I don't do VLANS either, but Squid will only add your first local network to the list of allowed subnets.  All others must be added manually.  Check Services - Proxy Server - ACLs - Squid Access Control Lists.  Are both your VLAN subnets in Allowed subnets?

Regarding Windows Update , please read Thread https://forum.pfsense.org/index.php?topic=77394.0

Could you post which informations containing the certificate that is generate from your internal ca ?

Maybe your pfsense / squid generated a certificate not the for cn "us.linkedin.com", instead it created on for the ip from us.linkedin.com.

Thanks KOM,

I did it that way, and create to Group ACL, one Restrictive for everyone and the other is Permisive for some users and it works.

@PiBa:

Hi IB,

Yes that should work to, it does make the connection go through haproxy kinda like it is with my #2 workaround. Only that dns can still point to the correct destination server ip, so in that regard it the workaround of Rubic works even better.

Thanks for reporting it back :D.

Regards,
PiBa-NL

I have two DNS - internal with dmz-address for lan-users and external with external address for internet-users.

@KOM:

The solution is to stop using transparent mode.  Worst thing in the world.  It won't handle any HTTPS sites without MitM warnings, and you really don't want to screw around with having to install certificates on every client that will use the proxy.  Put squid in explicit mode (uncheck Transparent mode) and then implement WPAD to enable auto-detection of the proxy.

But in non transparent proxy mode, the Lightsquid doesn't work :(

ok, only fqdn function with:

1. create my redirect.acl file in "/usr/pbi/squid-i386/local/etc/squid/redirect.acl" an write lines/domains in the file:
.webradio.com
radio.domain.net

2. Services, proxy server, general, custom settings, Integrations:
acl MyRedirects dstdomain "/usr/pbi/squid-i386/local/etc/squid/redirect.acl";
deny_info http://mywebdomain.net all;
http_reply_access deny MyRedirects all;

i looking for a simple regex-url variant

This has been confirmed on 2.2.2 embedded and as a virtual machine.

Reverse proxy enabled listening on 127.0.0.1:8443
NAT rule 443->127.0.0.1:443

can log in and session is fully active for as long as the "monitor" on the RDS Gateway has not received more than 165-193KB of information. Screen information is sent  (aka you can still see task manager running in the background) but the RDP session will crash on the remote computer within 30s of hitting the limit.

There are some locked topics about this case. They said that is not necessary to have squid listening on VIP because is not possible to sync master/slave to have full stateful proxy service.

Consideration:

Consideration:

I was looking for the solution for this case, because I have two boxes in HA with CARP. Although for proxy service HA is not completely stateful, as posted in some topics, I've thinking that in some cases is necessary that squid listen on VIP. For example, my two boxes are firewall for more than 24 networks. These networks has as gateway other equipments, not the PFSense firewall. So traffic goes through the firewall when has to go to Internet. The proxy server runs on PFSense (that has a VIP to receive the traffic that goes to Internet). And, finally, I have a CNAME proxy.mydomain on internal DNS that points to one IP (configured on all browsers)! This IP should be the CARP VIP.

If the master stop, even if some sessions are lost (because on this moment squid on slave becomes the operational proxy), the slave becomes the firewall and network continues to work. Losing a few sessions is better than losing navigation.

One way to get this is configuring "custom options" on proxy service. I put on "Custom ACLs (before auth)" section something like:

http_port <carp vip="">:3128

Seems to work.</carp>

+1 does not work on fresh install

No, sorry i haven't been able to find any solution as of yet.

Tnx for answer, but the same problems on squid3 …