Want to setup squid-proxy and squidguard but have lots of questions.
-
@jc1976 Yes use DHCP option 252 with it point to your wpad
"https://192.168.1.1:8080/wpad.dat"
It is the most amazing package. It is complex to configure..
Real time view with litesquid
It doesn't care about DoH or DNL over TLS.
It is simple it looks at the get requests and blocks.
Of course you need the splice list for office stuff outlook teams email. The URL blocker is amazing. Thank you Marcos!!!! very secure consumer side cybersecurity tool. Big Tech hates it. It's the giant spotlight of cybersecurity.
-
it's even got on the fly https/http antivirus if your system has the RAM for clamAV. It will stop a virus and show an error page.
-
@jc1976 I use SSL certs, it can't run without them, you got to own the hardware to install the certs.
-
If we did this feature request add on anyone could use it
https://redmine.pfsense.org/issues/14998
It would make the splice lists as easy as pushing a button on the proxy.
Its not a recommended package Netgate depreciated it for a DNS based blocker.
I dislike DNS versions..
-
the only problem with all this is netgate seems to be trying to phase out squid.. hence my thought of being able to splice in a linux box that could handle inline antivirus scanning as it came through the firewall, after tls termination at the wan.
-
regarding your request to have the ability to "not cache" anything, unless i'm reading it wrong, it does have that ability..
under "services -> squid proxy server -> localc cache" at the top you can 'disable caching' by checking the box, and at the bottom of the page you can specify how much ram you'd like to commit to squid caching, if you were to enable caching.. as for hard drive cache system, i have that set to 'null' and for memory cache size i have that at 2 gigs.. but again, if don't enable caching, it seems to me the packet stream would be scanned inline without being cached.
-
@jc1976 I want to cache with it. I like it. I use affordable DSL, so it helps keep everything smooth and my bill down. Yes you can disable caching completely, you can even disable ClamAV if you want and only use splice mode for a URL blocker. So you don't even need certificates like that. Again, with this version you could run it in transparent mode and never need to even set proxies, it would transparently block URLS like that and show an error page. I am doing a more complex version where some devices are https ssl intercepted to look for container virtualized bugs data marshaling network cards, "I found them however I needed Snort AppID to track them down in the end" and some devices are set to transparent mode where it looks at only the get request and nothing else.
It is a very amazing set of software. I am so in love with this package and the way it works. I report stuff all the time with it, track items its great. It is also protected behind a firewall set of rules so it's great for pfSense.
My SG-2100 will continue to use it until the appliance dies. The final version of pfSense after 4 years of config changes, code, bugs, works perfectly, I am not going to give up on it. To everyone that worked on it at Netgate and all the community members to make it finally work, Thank you. The device works how it should for what I need, sure it's super secure maybe to secure but that was what was needed for cybersecurity, to stop the ransomware all the issues stopped with something like this. This was the firewall that helped END it.
-
Hey. Question for you guys:
When squid is attempting to redirect, I get:
<p>The following error was encountered while trying to retrieve the URL: <a href="https://http/">https://http/</a></p>
on an HTML response.
acl { default { pass !badstuff destinations all redirect http://wpad.jvj.com/denied?url=Access+Denied&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u log block.log } }
the redirect is behaving as a host, not a URL. what is the proper syntax? As ChatGPT says this is correct. But, cannot be.
-
Hey! Another one!
When I try to go to the squid 'status' on the pfsense GUI, I get a 403 error:
HTTP/1.1 403 Forbidden Server: squid/6.6 Mime-Version: 1.0 Date: Wed, 22 May 2024 10:12:57 GMT Content-Type: text/html;charset=utf-8 Content-Length: 3800 X-Squid-Error: ERR_ACCESS_DENIED 0 Vary: Accept-Language Content-Language: en Cache-Status: squid.jvj28.com Via: 1.1 squid.jvj.com (squid/6.6), 1.1 squid.jvj.com (squid/6.6) Cache-Status: squid.jvj28.com;detail=no-cache Connection: close
I really have looked for every ACL that I could think of. Not finding the issue.
-
@jdb67 there is an open Redmine ticket to fix the status page, Squid has a new url schema to access the status page the GUI code still needs to be updated.
-
@JonathanLee Sweet. Thanks
-
@jdb67 You might also try to email the Squid users support email to get Squid help they are very helpful sometimes the original code writers chime in and help users.
squid-users@lists.squid-cache.org
FYI: You will have to register your email and wait for approval before you can send out a email to everyone on this however.