@ravegen:

pfsensation,

so theres no need to specify subdomains ?

For this particular case, and in my testing. There wasn't a need, as Dropbox only seemed to care about its main domain. Dropbox.com.

@ravegen:

so to block dropbox, skype, yahoo messenger is to mitm ssl disrupting connection and to allow them under mitm ssl connection is to place them on exemption, right?

Pretty much, yes. Although if you completely want to block them, use banned list and don't rely on the SSL pinning to block it as the developers of the platform can change things.

Squid can use captive portal authentication. this will help lightsquid get complete http/https report.

This is exactly the setup I would like to configure as well.

Effectively it looks like we would need to be able to set IPSEC as the applicable interface within squid, but that doesn't seem to be an option. Has anyone else been able to get this working effectively?

Hi,

I had the same problem on SG-3100. I have checked logs and got info:
2018-05-16 19:59:52: (mod_auth.c.525) password doesn't match for / username: admin, IP:

so for test I renamed user from admin to testadmin and works.

It seems that webGUI is not changing password for default user admin :-(

Best regrads,
Andcza

yes squid is enabled and started as seen on pfsense gui

Thanks very much for explaining this to me! Very much appreciated! :)

cool, thanks! will look onto it

but if you put me where I should do those configurations I'd appreciate it.

That depends on your OS.  For Windows, in the proxy definition dialog there is a 'Bypass for local addresses' checkbox or something similar.

Hi, in my opinion you need to create a new list in Target categories called Denied sites, writte youtube.com (Domain List) and youtube.com/ (URL List), then you need Denied the list in Groups ACL. APPLY in General Settings.

I don't think so.  Here is what you have to work with when using a squidguard ACL:

Enter client's IP address or domain or "username" here. To separate them use space.

Example:
IP: 192.168.0.1 - Subnet: 192.168.0.0/24 or 192.168.1.0/255.255.255.0 - IP-Range: 192.168.1.1-192.168.1.10
Domain: foo.bar matches foo.bar or *.foo.bar
Username: 'user1'
Ldap search (Ldap filter must be enabled in General Settings): ldapusersearch ldap://192.168.0.100/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=domain%2cDC=com))

I had the same issue. After searching I found a solution, I don't remember who posted these or I'd give them props. You'll need something like this in your Squid advanced options:

acl vpn_clients src 192.168.1.0/24 tcp_outgoing_address xxx.xxx.xxx.xxx vpn_clients

You'll also need a way to update the outgoing address if it's not static. I have a cron job to run this:

#!/bin/sh # Variables VPN_IFACE=ovpnc1 SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf # Get current IP address of VPN interface VPN_IFACE_IP=$(ifconfig $VPN_IFACE | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+') # Check if VPN interface is up and exit if it isn't if [ -z "$VPN_IFACE_IP" ] then         exit 0; fi # Check current IP for VPN interface in squid.conf file VPN_CONFIG_IP=$(grep -m 1 "tcp_outgoing_address" $SQUID_CONFIG_FILE | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+') # Check if the config file matches the current VPN interface IP, and if so exit script if [ "$VPN_IFACE_IP" == "$VPN_CONFIG_IP" ] then         exit 0; fi # Replace the previous IP address in the squid.conf file with the current VPN interface address sed -ie 's/'"$VPN_CONFIG_IP"'/'"$VPN_IFACE_IP"'/' $SQUID_CONFIG_FILE # Force reload of the new squid.conf file /usr/local/sbin/squid -k reconfigure

You my friend are officially on my Christmas card list. Thank You !!
If you like Siberian Husky puppys, there will be a live stream of them in June.
If you have a donation button somewhere point me to it.

The 1935 in the firewall rules was a shot in the dark to fix why it may not be working.

The web site itself is http, This is what I am using "https://helpx.adobe.com/adobe-media-server/dev/stream-on-demand-media-http.html"

I dont see the "http-request auth" in there?

I use squid and it works fine for me.  Maybe you have a config issue with transparent mode and certificates, peek & splice settings etc.