Squid 3.3.4 package for pfsense with ssl filtering
-
Hello
Can you help on a big issue.
I have (in a lab):
Exchange 2013
Remote Desktop GatewayThe external FQDN is: toto.com
I have multiple web servers and mapping working correctly
The exchange server is working correctly
The SSL cert is self signed:
imported in pfsense
on exchange
on TS GatewayI'm unable to connect to the gateway … sort of timedout.
If the gateway is directly redirected (80/443 nat to the correct IP) ... IT WORKS
If the gateway is accessed through reverse proxy ... DON'T WORKSAny idea ?
It's driving me madThanks
-
I found the SOLUTION
Create a web servers
IP of the TSG
https
named rdc_443mapping
group name rdc_443
group description (url of the gateway)
peers rdc_443
URIs (this is the tricky part)
^https://yoururlgateway/rpcwithcert/rpcproxy.dll.$
^https://yoururlgateway/rpc/rpcproxy.dll.$DONE
-
I think you and I discussed this Terminal Services Gateway Issue before since I wanted that to work as well.
Are you saying it works now with the Squid 3.3.8-Dev package? (Using your additional instructions)?
Can you upgrade from the Squid 3.1.20 package to the 3.3.8-dev, or do I need to recreate all the settings from square one again?
-Keyser
-
Can you upgrade from the Squid 3.1.20 package to the 3.3.8-dev, or do I need to recreate all the settings from square one again?
Do not forget to check -dev dependences before upgrading.
Most options are the same but I suggest you to check all tabs after upgrading it.
-
Marcelloc
How do i do the upgrade? i can't seem to find a way to click upgrade in the package manager, and the new one only offers to install (will that automatically upgrade the old one?)
-
uninstall squid3 and then install squid3-dev
-
Nice work, it's a great addition to pfsense and works very well. Is this going to be implemented on the squid3 "normal" package too?
-
squid3-dev will be squid3 when finished.
-
Hi everyone. I am using Squid3-dev (3.3.8 ) and squidGuard-squid3. Everything is ok in transparent mode on http and https (Thanks to Marcelloc ;) ).
But you said it was possible to use both transparent and authentication with squid3-dev:Is it possible to run squid as explicit on one interface (like loopback or LAN) and also run it as transparent on a different interface like a guest net at the same time?
On squid3-dev yes ;D
Remember to do not use loopback on any configuration while using transparent mode.
I have tried and it does not work for me: I use 2 interfaces on the same LAN with a different IP address for each one (192.168.1.254 and 192.168.1.253). I have selected the both for "Proxy interface(s)" in "Squid General Settings".
In 'Transparent Proxy Settings" and "SSL man in the middle Filtering", just the 192.168.1.254 is selected. When I use this interface for the web navigation, it is ok, the transparent mode is working.
But if I explicitly use the 192.168.1.253 (not selected in transparent mode), the proxy doesn't ask me for authentication.These are the squid.conf first lines:
http_port 192.168.1.254:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
http_port 192.168.1.253:3128
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
I don't know why the IP is 127.0.0.1 for the "intercept" and not juste the 192.168.1.254, even if I suppose it is normal. Have I to edit manually the squid.conf? Is there someone using both transparent and anthentication on 2 different interfaces? Could someone help me please?
-
Hope it will be soon release. But last time I roll back from -dev version of Squid. To much problem for the first time using of pfSense.
-
There is another issue, I am not able to auth through captive portal and provide different acl to various groups. May be I doing something wrong, please post the right procedure to do it.
Thanks in advance
-
There is another issue, I am not able to auth through captive portal
Did you applied captive portal patch on squid config?
and provide different acl to various groups.
Are you doing it with custom options?
-
I feel it is sorted now, yes captive portal is set as auth medium in squid, I have now added groups and username in the squidguard group acl, seems to be working.
Another issue is i am not able to configure antivirus with squid3-dev and neither with havp package.
-
How to check pf operational after squid-dev removal? I also had patches for it and HAVP. I don't see any garbage in webgui, but I see some trash from old package in configs. Now I have one headache - ipcad doesn't report to access.log. If client goes on proxy-port 3128 it's traced in logs. Direct connections - not.
-
Hi Marcelloc
I just installed a test machine with pFsense 2.1 Release, squid3-dev and squidGuard-squid3.
I can't start squidguard service, but can't find why.In logs, here is my error message:
pfSense php: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure -f /usr/pbi/squid-amd64/etc/squid/squid.conf' returned exit code '1', the output was 'squid: ERROR: No running copy'
Any Idea ?
-
Hi,
I have read this thread and several topics/tutorials on the web but I still cant figure out whether Squid3 and especially 3.3.8-dev is able to cach dynamic content.
I understand that 3.3.8-dev has solved an issue on squid3 stable where enabling dynamic content wouldn't let anything to cache: I have enabled dynamic content on 3.3.8 and static content (pictures, etc) is caching correctly.
However, enabling dynamic content doesnt seem to serve its purpose: cache any URL that includes a ? (it returns a TCP_MISS/200)
This is my squid.conf. My main goal is to cache iOS updates and ibooks since I am a school IT Manager and there are 50+ identical ibook downloads per day through the iTunesU platform. The iBook URLS are like:
http://.phobos.apple.com///*/example.ibooks?downloadKey=12345678
# This file is automatically generated by pfSense # Do not edit manually ! http_port 10.0.10.2:3128 http_port 127.0.0.1:3128 intercept icp_port 7 dns_v4_first off pid_filename /var/run/squid.pid cache_effective_user proxy cache_effective_group proxy error_default_language el icon_directory /usr/pbi/squid-i386/etc/squid/icons visible_hostname localhost cache_mgr admin@localhost access_log /var/squid/logs/access.log cache_log /var/squid/logs/cache.log cache_store_log none logfile_rotate 30 shutdown_lifetime 3 seconds # Allow local network(s) on interface(s) acl localnet src 10.0.0.0/16 httpd_suppress_version_string on uri_whitespace strip # Windows Update refresh_pattern range_offset_limit -1 refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims refresh_pattern -i ([^.]+.|)(appldnld|update).(apple.|)com/.* 43200 100% 43200 ignore-reload ignore-no-store override-expire override-lastmod ignore-must-revalidate refresh_pattern -i ([^.]+.|)(phobos).(apple.|)com/.*\.(zip|ibooks|ipa) 10080 100% 10080 ignore-reload ignore-no-store override-expire override-lastmod ignore-must-revalidate cache_mem 1600 MB maximum_object_size_in_memory 4096 KB memory_replacement_policy lru cache_replacement_policy heap LFUDA cache_dir ufs /var/squid/cache 30000 16 256 minimum_object_size 0 KB maximum_object_size 2048000 KB offline_mode off cache_swap_low 90 cache_swap_high 95 cache allow all # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 # No redirector configured #Remote proxies # Setup some default acls # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. # acl localhost src 127.0.0.1/32 acl allsrc src all acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535 80 443 acl sslports port 443 563 443 # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. #acl manager proto cache_object acl purge method PURGE acl connect method CONNECT # Define protocols used for redirects acl HTTP proto HTTP acl HTTPS proto HTTPS acl allowed_subnets src 10.0.5.1/24 10.0.10.2/24 http_access allow manager localhost # Allow external cache managers acl ext_manager src 10.0.10.2 http_access allow manager ext_manager http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections # From 3.2 further configuration cleanups have been done to make things easier and safer. # The manager, localhost, and to_localhost ACL definitions are now built-in. # http_access allow localhost quick_abort_min -1 KB quick_abort_max 0 KB quick_abort_pct 20 request_body_max_size 0 KB delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 delay_access 1 allow allsrc # Reverse Proxy settings # Custom options # Setup allowed acls # Allow local network(s) on interface(s) http_access allow allowed_subnets http_access allow localnet # Default block all to be sure http_access deny allsrcDo you have any suggestion? Would it be wise to uninstall 3.3.8-dev and then install Squid 2.7 and manually add the refresh_patterns found in older tutorials?
Thanks in advance,
Panos
-
Is there is any way to run havp with squid-dev package, squid is working ok, but without antivirus, it is bit incomplete, please suggest.
-
IMHO, havp is old and obsolete but if you are not using ssl filtering, you may configure the same way you do on squid2
I'm working to get antivirus tab working for this -dev version.
-
Any alternate antivirus working with ssl filtering.
-
