Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Want to setup squid-proxy and squidguard but have lots of questions.

    Scheduled Pinned Locked Moved Cache/Proxy
    squid-proxysquidguardcontentfilter
    16 Posts 4 Posters 2.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JonathanLeeJ
      JonathanLee @jc1976
      last edited by JonathanLee

      @jc1976 Yes use DHCP option 252 with it point to your wpad

      "https://192.168.1.1:8080/wpad.dat"

      Screenshot 2023-12-21 at 12.00.10 PM.png

      It is the most amazing package. It is complex to configure..

      Screenshot 2023-12-21 at 12.01.19 PM.png

      Real time view with litesquid

      Screenshot 2023-12-21 at 12.03.27 PM.png

      It doesn't care about DoH or DNL over TLS.

      It is simple it looks at the get requests and blocks.

      Of course you need the splice list for office stuff outlook teams email. The URL blocker is amazing. Thank you Marcos!!!! very secure consumer side cybersecurity tool. Big Tech hates it. It's the giant spotlight of cybersecurity.

      Make sure to upvote

      1 Reply Last reply Reply Quote 0
      • JonathanLeeJ
        JonathanLee
        last edited by

        it's even got on the fly https/http antivirus if your system has the RAM for clamAV. It will stop a virus and show an error page.

        1698865258654-1691622380809-1686121145228-screenshot-2023-06-06-at-11.58.44-pm.png

        Make sure to upvote

        1 Reply Last reply Reply Quote 0
        • JonathanLeeJ
          JonathanLee @jc1976
          last edited by

          @jc1976 I use SSL certs, it can't run without them, you got to own the hardware to install the certs.

          Make sure to upvote

          1 Reply Last reply Reply Quote 0
          • JonathanLeeJ
            JonathanLee
            last edited by JonathanLee

            If we did this feature request add on anyone could use it

            https://redmine.pfsense.org/issues/14998

            It would make the splice lists as easy as pushing a button on the proxy.

            Its not a recommended package Netgate depreciated it for a DNS based blocker.

            I dislike DNS versions..

            Make sure to upvote

            J 1 Reply Last reply Reply Quote 0
            • J
              jc1976
              last edited by

              the only problem with all this is netgate seems to be trying to phase out squid.. hence my thought of being able to splice in a linux box that could handle inline antivirus scanning as it came through the firewall, after tls termination at the wan.

              1 Reply Last reply Reply Quote 0
              • J
                jc1976 @JonathanLee
                last edited by

                @JonathanLee

                regarding your request to have the ability to "not cache" anything, unless i'm reading it wrong, it does have that ability..

                under "services -> squid proxy server -> localc cache" at the top you can 'disable caching' by checking the box, and at the bottom of the page you can specify how much ram you'd like to commit to squid caching, if you were to enable caching.. as for hard drive cache system, i have that set to 'null' and for memory cache size i have that at 2 gigs.. but again, if don't enable caching, it seems to me the packet stream would be scanned inline without being cached.

                JonathanLeeJ 1 Reply Last reply Reply Quote 0
                • JonathanLeeJ
                  JonathanLee @jc1976
                  last edited by JonathanLee

                  @jc1976 I want to cache with it. I like it. I use affordable DSL, so it helps keep everything smooth and my bill down. Yes you can disable caching completely, you can even disable ClamAV if you want and only use splice mode for a URL blocker. So you don't even need certificates like that. Again, with this version you could run it in transparent mode and never need to even set proxies, it would transparently block URLS like that and show an error page. I am doing a more complex version where some devices are https ssl intercepted to look for container virtualized bugs data marshaling network cards, "I found them however I needed Snort AppID to track them down in the end" and some devices are set to transparent mode where it looks at only the get request and nothing else.

                  It is a very amazing set of software. I am so in love with this package and the way it works. I report stuff all the time with it, track items its great. It is also protected behind a firewall set of rules so it's great for pfSense.

                  My SG-2100 will continue to use it until the appliance dies. The final version of pfSense after 4 years of config changes, code, bugs, works perfectly, I am not going to give up on it. To everyone that worked on it at Netgate and all the community members to make it finally work, Thank you. The device works how it should for what I need, sure it's super secure maybe to secure but that was what was needed for cybersecurity, to stop the ransomware all the issues stopped with something like this. This was the firewall that helped END it.

                  Make sure to upvote

                  1 Reply Last reply Reply Quote 0
                  • J
                    jdb67
                    last edited by

                    Hey. Question for you guys:

                    When squid is attempting to redirect, I get:

                    <p>The following error was encountered while trying to retrieve the URL: <a href="https://http/">https://http/</a></p>

                    on an HTML response.

                    acl {
                            default  {
                    		pass !badstuff destinations all
                    		redirect http://wpad.jvj.com/denied?url=Access+Denied&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
                    		log block.log
                    	}
                    }
                    

                    the redirect is behaving as a host, not a URL. what is the proper syntax? As ChatGPT says this is correct. But, cannot be.

                    1 Reply Last reply Reply Quote 0
                    • J
                      jdb67
                      last edited by

                      Hey! Another one!

                      When I try to go to the squid 'status' on the pfsense GUI, I get a 403 error:

                      HTTP/1.1 403 Forbidden
                      Server: squid/6.6
                      Mime-Version: 1.0
                      Date: Wed, 22 May 2024 10:12:57 GMT
                      Content-Type: text/html;charset=utf-8
                      Content-Length: 3800
                      X-Squid-Error: ERR_ACCESS_DENIED 0
                      Vary: Accept-Language
                      Content-Language: en
                      Cache-Status: squid.jvj28.com
                      Via: 1.1 squid.jvj.com (squid/6.6), 1.1 squid.jvj.com (squid/6.6)
                      Cache-Status: squid.jvj28.com;detail=no-cache
                      Connection: close
                      

                      I really have looked for every ACL that I could think of. Not finding the issue.

                      JonathanLeeJ 1 Reply Last reply Reply Quote 0
                      • JonathanLeeJ
                        JonathanLee @jdb67
                        last edited by

                        @jdb67 there is an open Redmine ticket to fix the status page, Squid has a new url schema to access the status page the GUI code still needs to be updated.

                        Make sure to upvote

                        J 1 Reply Last reply Reply Quote 0
                        • J
                          jdb67 @JonathanLee
                          last edited by

                          @JonathanLee Sweet. Thanks

                          JonathanLeeJ 1 Reply Last reply Reply Quote 1
                          • JonathanLeeJ
                            JonathanLee @jdb67
                            last edited by

                            @jdb67 You might also try to email the Squid users support email to get Squid help they are very helpful sometimes the original code writers chime in and help users.

                            squid-users@lists.squid-cache.org

                            FYI: You will have to register your email and wait for approval before you can send out a email to everyone on this however.

                            Make sure to upvote

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.