Squid 3.3.4 package for pfsense with ssl filtering

marcelloc · Oct 21, 2013, 4:53 PM

Is there a way to copy the missing libs directly to the pfsense without fetching?

Unfortunately no. I've asked core team to copy these libs to official repo but I had no luck with that.

These are missing so libs for gssapi. Other packages(freeradius2, postfix) need this libs too.

ipis · Oct 22, 2013, 4:41 AM

I hope all missing libs are included soon. I really wan't to block certain secured sites on my work. And I think this version is amazing.

Does anyone has a workaround in fetching libs?

Nachtfalke · Oct 22, 2013, 7:24 AM

@ipis:

I hope all missing libs are included soon. I really wan't to block certain secured sites on my work. And I think this version is amazing.

Does anyone has a workaround in fetching libs?

Just try with this command:

cd /usr/local/lib

and in this folder:


fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10

Perhaps you have to check the file permissions after you copied the files.

Or download the libs via your webbrowser and copy these files to pfsense using the GUI:
DIAGNOSTICS –> Command Prompt

ipis · Oct 22, 2013, 12:09 PM

Thanks Nachtfalke

How stupid i'am. I a'm using the word "ALL" instead of "All" plus. I erase all my config to squid, I uncheked everything before re-fetching. Thanks again :)

ipis · Oct 22, 2013, 4:49 PM

Hi. Its already working fine but I've noticed that the other browser like google chrome. I've noticed that it wont trust the certificate when entering into secured sites. It says the Certificate is not trusted and theres no option for the user to continue and accept it. Unlike to other browser theres an optio to get the certificate and continue to the website. Or to trust the cerficate.. Is this normal, or theres a way to overcome this? Thanks

marcelloc · Oct 22, 2013, 9:23 PM

@ipis:

Is this normal, or theres a way to overcome this? Thanks

Yes, to avoid these erros, play with squid cert options and include pfsense CA as a trusted CA on each browsers. This way you will not get any ssl error for https sites.

Services that use same ssl port(tor, ultrasurf) will always fail.

ipis · Oct 23, 2013, 3:25 AM

Thanks marcelloc. I've fixed the certificated error. also I re-enabled the transparent ssl and it helps :)

ipis · Oct 23, 2013, 8:32 AM

Hi, I have a question. I just visited a government agency website, its an organization that handles employers contribution. or employees contribution. Ive noticed that after accepting the certificate and continuing to website. The website did not respond and it says webpage not avalable. According to other forums ubuntu to be exact, theres a site that sometimes block this kind of interception, i mean we will not be availbe to continue that's why they added some code.

Can we adopt their code to our pfsense? I think their added it in squid.conf

marcelloc · Oct 23, 2013, 12:12 PM

@ipis:

Can we adopt their code to our pfsense? I think their added it in squid.conf

If you find what code is it, I can add to squid.conf.

ipis · Oct 24, 2013, 5:08 AM

Hi marcerlloc, check this pic that ive uploaded

ipis · Oct 24, 2013, 2:44 PM

Hi, marcelloc i successfully entered that website. But this website www.sss.gov.ph
prevents my network

marcelloc · Oct 24, 2013, 9:30 PM

These pics shows stardard ssl squid configuration.

ipis · Oct 25, 2013, 1:40 AM

You mean it doesn't have something to do with the website? Maybe I mis configured. On the other hand, I've noticed something when connecting to facebook. It seems like the page is broken, I couldn't see the pictures and other posts. I've tried to disable my squid guard and let the squid3-dev handle the internet, but the outcome is the same. But when i tried not to proxy the internet, only using the direct firewall rules on lan, the page seems fixed. Is there a workaround on this?

marcelloc · Oct 25, 2013, 2:07 AM

Can you test on firefox with firebug extension enabled on network tab?

ipis · Oct 25, 2013, 2:31 AM

I don't have that firebug option in my firefox. By the way I also tried this on my other browser but still no luck

ipis · Oct 25, 2013, 2:34 AM

Also when I put the source ip, it bypassess the squidguard, and the website seems fixed also..

ipis · Oct 25, 2013, 4:35 AM

I'm thinking of Using Version 3.3.4, maybe I won't have that kind of issue on fb, is that possible?

marcelloc · Oct 25, 2013, 11:10 AM

@ipis:

I don't have that firebug option in my firefox.

It's a firefox extension/plugin. Just install it and enable.

ipis · Oct 26, 2013, 7:46 AM

Hi i just install the plugin but it doesn't fixed the issue, but i think the issue is came from ssl filtering, because when I disable the ssl filtering, and restart the pfsense. It returned to normal, and when I get back on using ssl filtering the site is broken again. Did I did something wrong? I set my ssl listening port to 3129, while my squid port is in 3128, both are set to LAN interface. Also i set my safe ports to 80, 443 and acl ports to 443 only.

Can you give me other config options? How can i used port 3128 on both squid port and ssl port man in the middle. can we do the tunneling?

marcelloc · Oct 28, 2013, 4:10 PM

@ipis:

Hi i just install the plugin but it doesn't fixed the issue.

This plugin is usefull to debug the problem, not to fix ssl issues.

Enable it, select net tab and access the site with ssl enabled.

This way you will see all connections and check what is going fine and whats is failing.