sorry Linux guy here … corrected above  8).

actually i do.  like for example, normal group type and deny by ip.

if im going to read deny by ip, its only deny by ip but does it include normal url filtering? it doesnt say but your option is to try while if it says deny by ip + normal filtering that would be faster and easier to decide and chose.

another thing, if i select the icap amd av options, would that enable antivirus and where would i see that.  unlike squid, there is tickbox to enable so that would be more meaningful  but  i guess i can complain since  i am mere user.

but i think you dont get it, if your description would be more descriptive and informative there not much to ask.

but i ask since this is pfsense forum and i have no knowledge aside from the docs. but still if there is a book, there would still be questions.

Squidguard requires squid to be installed first, I believe, since it modifies squid's configuration.  It's also not really a service.  It's a helper application that gets spawned by squid in realtime for every URL being processed.

@ravegen:

@marcelloc:

@ravegen:

I see the Deny IP- Deny Access to any ip based url.  But if I choose this, I cannot use the Normal Group (default) type where I also need to use that to filter base on ACLS.

Just select the option I'm telling you and test. This is for sure the option you are looking for.

If I select this option, I can still filter base on ACLS ?

You are applying a group based setting… If you want other users to have access via IP then throw them into another group after setting up some way of authenticating the users. Simplest is IP.

@ravegen:

susamlicubuk,

I do not know what ip are used by dropbox application or yahoo messenger application or our 3rd party application.  So I also asked where will I find those since in the realtime tab, I do not see those client user blocked.

It's not blocked, per say. Like I mentioned in the other thread, it's due to the programs not trusting  the certificate from E2 Guardian… Don't enable MITM until you understand networking enough to run packet captures and make exceptions..

@ravegen:

pfsensation,

so theres no need to specify subdomains ?

For this particular case, and in my testing. There wasn't a need, as Dropbox only seemed to care about its main domain. Dropbox.com.

@ravegen:

so to block dropbox, skype, yahoo messenger is to mitm ssl disrupting connection and to allow them under mitm ssl connection is to place them on exemption, right?

Pretty much, yes. Although if you completely want to block them, use banned list and don't rely on the SSL pinning to block it as the developers of the platform can change things.

Squid can use captive portal authentication. this will help lightsquid get complete http/https report.

This is exactly the setup I would like to configure as well.

Effectively it looks like we would need to be able to set IPSEC as the applicable interface within squid, but that doesn't seem to be an option. Has anyone else been able to get this working effectively?

Hi,

I had the same problem on SG-3100. I have checked logs and got info:
2018-05-16 19:59:52: (mod_auth.c.525) password doesn't match for / username: admin, IP:

so for test I renamed user from admin to testadmin and works.

It seems that webGUI is not changing password for default user admin :-(

Best regrads,
Andcza

yes squid is enabled and started as seen on pfsense gui

Thanks very much for explaining this to me! Very much appreciated! :)

cool, thanks! will look onto it

but if you put me where I should do those configurations I'd appreciate it.

That depends on your OS.  For Windows, in the proxy definition dialog there is a 'Bypass for local addresses' checkbox or something similar.

Hi, in my opinion you need to create a new list in Target categories called Denied sites, writte youtube.com (Domain List) and youtube.com/ (URL List), then you need Denied the list in Groups ACL. APPLY in General Settings.

I don't think so.  Here is what you have to work with when using a squidguard ACL:

Enter client's IP address or domain or "username" here. To separate them use space.

Example:
IP: 192.168.0.1 - Subnet: 192.168.0.0/24 or 192.168.1.0/255.255.255.0 - IP-Range: 192.168.1.1-192.168.1.10
Domain: foo.bar matches foo.bar or *.foo.bar
Username: 'user1'
Ldap search (Ldap filter must be enabled in General Settings): ldapusersearch ldap://192.168.0.100/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=domain%2cDC=com))

I had the same issue. After searching I found a solution, I don't remember who posted these or I'd give them props. You'll need something like this in your Squid advanced options:

acl vpn_clients src 192.168.1.0/24 tcp_outgoing_address xxx.xxx.xxx.xxx vpn_clients

You'll also need a way to update the outgoing address if it's not static. I have a cron job to run this:

#!/bin/sh # Variables VPN_IFACE=ovpnc1 SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf # Get current IP address of VPN interface VPN_IFACE_IP=$(ifconfig $VPN_IFACE | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+') # Check if VPN interface is up and exit if it isn't if [ -z "$VPN_IFACE_IP" ] then         exit 0; fi # Check current IP for VPN interface in squid.conf file VPN_CONFIG_IP=$(grep -m 1 "tcp_outgoing_address" $SQUID_CONFIG_FILE | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+') # Check if the config file matches the current VPN interface IP, and if so exit script if [ "$VPN_IFACE_IP" == "$VPN_CONFIG_IP" ] then         exit 0; fi # Replace the previous IP address in the squid.conf file with the current VPN interface address sed -ie 's/'"$VPN_CONFIG_IP"'/'"$VPN_IFACE_IP"'/' $SQUID_CONFIG_FILE # Force reload of the new squid.conf file /usr/local/sbin/squid -k reconfigure