Squid + Squidguard with WPAD. Filter doesn't work.

JonathanLee

You may also just want to use transparent mode for URL blocking.

KOM

Why are you configuring WPAD and then making Squid transparent?? Typically you either use transparent mode, or configure proxy autodetect. IME transparent mode gives me weird problems that I don't see when using squid in explicit mode.

JonathanLee

@KOM It is for use with both Transparent mode and SSL mode for devices like XBOX and Nintendo Switch Iphones etc. You must have them for Transparent on the Applications, plus you can have the certificates for the web browser. That way it works both ways. Spice and non-splice.

Xbox will not work unless transparent mode is enabled as an example plus you need WPAD and DHCP option 252 to be enabled for it to function correctly with the firewall. However, my other devices on the LAN use the SSL intercept. With or without the proxy used it functions this way. Some with SSL intercept get better cache rates and HTTPS Clam AV use.

You can get both working plus the Clam AV HTTPS use for your desktops that can have certificates installed

Best of both worlds, transparent use for URL blockers on the XBOX/Nintendo web browsers + the high security and caching for other devices that do not require transparent mode.

WhiteTiger-IT

@JonathanLee
@KOM

I didn't understand the suggestions.
I compared the sgerror.php file in the answer, but it is exactly the same as the one in pfsense.
Furthermore, the string in your redirect Info is unclear. What should I redirect it towards?

The error message is not the one you showed. Mine is a generic "URL not found" message.
Reading online it would seem that this is the norm when you want to filter HTTPS URLs, but today all sites are HTTPS.

Finally, Transparent Mode is only for HTTP.
For HTTPS I need to enable HTTPS/SSL Interception.
What should I do?

KOM

@JonathanLee I would just exempt my consoles from the proxy and let them go direct.

JonathanLee

@WhiteTiger-IT

I used that file to generate a custom useable redirect.

my example shows a line that says redirect info . . .

This line is where I have it set as the ext URL move (enter URL)

It is the same thing it is on PfSense however I made the custom file.

My URL for example is
https://192.168.1.1:8080/sgerror.php?url=403%20Blocked%20by%20Mom%20and%20Dad&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

Reading that file this is basically access the sgerror.php script and use url=403 : forbidden
My message Blocked by Mom and Dad
a=client address
n=client name
i=client user
s=client group

It is just using that php file with the firewall port I have set. Mine is 8080

JonathanLee

@KOM I would however I need to block some URLs from being accessed still with Squidguard

JonathanLee

WhiteTiger-IT

I continue to have problems and every change I make new ones arise even where there weren't any.

If I enable "SSL filtering" in "HTTPS/SSL Interception" I no longer connect to any website, even if it is not in the blacklist.
If I disable "Transparent" everything goes through, including the websites in the blacklist.

Instead, with Transparent and SSL Filtering, if I go to a porn site, the URL is changed to
https://192.168.1.1/sgerror.php?url=403%20My%20Message&a=192.168.1.100&n=touch-pc.DOMAIN.TLD&i=&s=default&t=blk_blacklist_adult&u=http://PORNSITE.TLD
So, the redirect works, but I see that the user name is missing (how can I pass it without forcing people to log in?) and the group is "default".
However, no message appears because there is a Timed Out error.

Instead, DNS always works.
At least that doesn't seem to be a cause.

In my opinion there is some misconfiguration in Squid+Squidguard, but which one?
Is it possible that there is no definitive guide? Nowadays almost all websites are HTTPS.

Even the certificates, after creation it is unthinkable to go around uploading them to all the PCs.
I haven't done it even in this testing phase because I won't be able to do it when fully operational.

==== Update
If I change the proxy settings in Firefox, inserting the days instead of taking them from the system, things change a little.

First the usual message appears

Some software is preventing Firefox from securely connecting to this site
192.168.1.1 is probably a trustworthy site, but a secure connection could not be established. This problem is caused by internal-ca, a software installed on your computer or network.

Then, accepting the risk and moving forward, this message appears:

ERROR

The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: https://192.168.1.1/*
    Connection to 192.168.1.1 failed.
The system returned: (61) Connection refused
The remote host or network may be down. Please try the request again.
Your cache administrator is admin@localhost.

JonathanLee

@WhiteTiger-IT have you installed certificates on the devices? You would require them for SSL intercept/MITM to function.

Transparent is what I think you want. No certificates and URL blocking.

You said your redirect is now...

https://192.168.1.1/sgerror.php?url=403%20My%20Message&a=192.168.1.100&n=touch-pc.DOMAIN.TLD&i=&s=default&t=blk_blacklist_adult&u=http://PORNSITE.TLD

However what is the port number your GUI uses?

https://192.168.1.1:port number here/sgerror.php?url=403%20My%20Message&a=192.168.1.100&n=touch-pc.DOMAIN.TLD&i=&s=default&t=blk_blacklist_adult&u=http://PORNSITE.TLD

Did you use redirect replace URL under every category in Squidguard? It has to be under default and all Squidguard groups. It looks like a double redirect. Have you set the proxy to bypass Squidguard redirect also?

With transparent you don't need to worry about proxy auto detect.

I suspect you have no certificates installed on devices correct?

Test that link by itself past it in a browser window.

What port do you use when you log in to PfSense?? That port is also needed to access the WWW folder and that's what contains the sgerror file.

Example 192.168.1.1:8080 is what I have configured as a custom port.

I assumed you have done that as you configured WPAD already.

WhiteTiger-IT

@JonathanLee
I didn't realize that the port used for login was needed, I can't find it described anywhere.

As I was saying, I don't find it correct that the official guide is not aligned with the current situation.
I'm reading other guides on the net, more than 50. Most are generic, the most complete are years old, some relating to old versions of pfSense.
There are a lot of unclear things.
Some say to activate also Transparent Mode, some don't.
Some create a rule to block HTTP, some also HTTPS.
Port 3129 also popped up in una guide, should this be configured too? Nobody makes it clear.

Now the error message appears and I thank you for this.
I now have to configure the rest as well.
For example, changes to sgerror.php so that attempts to access a site blocked by squidguard are reported in the log.
The documentation describes which lines to insert, but not where they should be inserted.

I also want to avoid having to install certificates on devices because I can't do it with guests and I don't have an AD domain in Windows to transfer them with a GPO rule.

For now I thank you.

JonathanLee

@WhiteTiger-IT you said "The documentation describes which lines to insert, but not where they should be inserted."

You could always use the url that I use and change it to what ever error message you want. Or just redirect to an official company webpage maybe with corporate policy on LAN use.

I agree there is not much information on this topic. I found Netgate forum is the best unofficial guide for any questions you need.

Glad you got it working.

WhiteTiger-IT

@JonathanLee said in Squid + Squidguard with WPAD. Filter doesn't work.:

@WhiteTiger-IT you said "The documentation describes which lines to insert, but not where they should be inserted."

You could always use the url that I use and change it to what ever error message you want. Or just redirect to an official company webpage maybe with corporate policy on LAN use.

We are talking about two different things.
You are referring to the error message and your suggestion was helpful to me.

I'm now talking about the modification to be made to sgerror.php so that anything blocked by squidguard is inserted into the log.
In the documentation i find the portion of code to insert, but I didn't understand where this code should be inserted in sgerror.php.

Then, I think I understood that if I want to filter HTTPS I am obliged to pass the certificate created in pfSense to everyone who browses.
This is impossible for me because not everyone wants to do it or would not be capable of doing it.

Also, if the domain has its own certificate provided by the ISP or Let's Encrypt, what should I do?
Still create a certificate in pfSense for Squid?

JonathanLee

@WhiteTiger-IT You said, "I'm now talking about the modification to be made to sgerror.php so that anything blocked by squidguard is inserted into the log. In the documentation i find the portion of code to insert, but I didn't understand where this code should be inserted in sgerror.php."

Squidguard does have the ability to log blocks in the rules area click the log radio button. This will log the blocks you have created to Squid Proxy.

/var/squidGuard/log/squidGuard.log

You also said, "Then, I think I understood that if I want to filter HTTPS I am obliged to pass the certificate created in pfSense to everyone who browses. This is impossible for me because not everyone wants to do it or would not be capable of doing it."

You are still able to splice https get requests and block in transparent mode without certificates as the HTTPS is not broken only the get requests are inspected.

You also said "Also, if the domain has its own certificate provided by the ISP or Let's Encrypt, what should I do?
Still create a certificate in pfSense for Squid?"

I still created a certificate in Squid and passed it to PfSense so they trust each other. Follow this guide.

Ref:
https://forum.it-monkey.net/index.php?topic=23.0

This covers a lot I think this is a great guide. It is also still relevant with 25.05

WhiteTiger-IT

@JonathanLee
I followed the guide step by step.
I even reset pfsense to factory settings.
I also removed the IPv6 settings from Windows 11 although I don't use them and there are no settings for IP6 on pfSense.
Nonetheless, I can't navigate (Timeout error) and what's worse, with these settings I lose access to the Internet even from my PC (with alias IT_Admin).
I can ping or tracert any domain, but it's not reachable.

This is done using the network settings in Windows and Firefox. Instead, if I set the proxy directly in Firefox, there are no active filters and everything passes.

Also, in monitor I still see references to the Squidguard blacklist from the previous installation. How do I clear the Squid and Squidguard log?

Finally, in this guide I don't understand the need to create the CA from SSH instead of GUI. However, I created it from SSH.

To conclude, I don't know what to do anymore, except give up HTTPS control and leave the transparent proxy.
Tomorrow I'll do a new installation by formatting the disk, but I confess that I'm very disappointed.

These the rules.

JonathanLee

You will never get SSL intercept to fully work as some applications require different things. If you are not using IPv6 have you disabled it inside the DNS forwarder? You have WPAD set up in your DNS?

Here is copy my my custom IPv6 disable, my ISP does not allow IPv6, and my WPAD set up in DNS as a host override

Here is a copy of my ACLs if you want to check it out

NAT RULES for DNS and NTP

Squid ACL
.* for my allow all domians I let Squidguard do my blocks

Squid Proxy Custom options.

Some clients I splice everything for so they are transparent anyway.

Take note of the Regular Expression file it is pointing to. . .
This is my always splice file no matter what like banks phone messages etc, that way they are never intercepted ever.

I do not use certificate checks inside the proxy

Squid's CERT is also a root authority see CA-Cert

Same here

Xforwarder mode is set to transparent for mine as I am not using anything else just the firewall and the Dmark

I have a large do not cache list

I also have a Squidguard always allow list

If you use a Blacklist proxy you also have to set it to allow as a default outside of the blocks so it does not block everything.

You also have to point clients to it that are not set as transparent

I just noticed your Rule 2 you have a any any rule this will bypass everything as clients do not need to use the proxy at all with that rule.

JonathanLee

If you are just starting out follow a guide for transparent mode and just use it as a URL blocker. I personally inspect a lot of traffic and make reports all the time on my freetime.

JonathanLee

@WhiteTiger-IT You also would need SMTP and POP for email, I would look into your ACLS more you have a ANY ANY LAN rule that is a contradiction to the proxy.

JonathanLee

You could also try pfblocking. I have always used Squid and I like the puzzles, but a lot of users like pfblock over Squidguard because of the ease of use. I have always liked Squidguard and Squid so I just use that.

WhiteTiger-IT

@JonathanLee
I have already installed some pfSense and they work without problems without HTTPS configurations.
As I said previously, I need to manage traffic without being too intrusive with users because I don't always have permission to intervene on their laptops and smartphones.
So I need ClamAV and Squidguard filters to filter their traffic, preventing or limiting access to the network and the content they request on the network.
My case is for a small company, but the best example would be a school where you have to allow students to access the network without letting them do what they want and monitor "who does what".
I'm spending days looking for a correct configuration and frankly I don't understand all these difficulties for activities that in 2023 should already be taken for granted at first installation level.
Furthermore, I also find it difficult to understand the reasons.
Squidguard handles URLs (unlike Dansguardian which handles content), so you shouldn't even need to open the packet.
It makes sense to do this for ClamAV, but that still wouldn't be a fixable security service. So, I might as well not install it.

The guide you suggested to me the other day was over 5 years ago; The world has changed and perhaps the guide should also change.
However, it didn't help me even with a new installation.

Now I'll do the tests with your latest suggestions and then if it doesn't work, I'll leave it alone because you can't spend all this time in vain.

In any case, thank you for your help. I really appreciated it, also for your patience.