Squid 3.3.4 package for pfsense with ssl filtering
-
I have used the standard process as pfsense 2.1 (now even in previous version ssl certificate error is popping)
I installed pfsense.
Created the internal CA.
Created the server certificate (tried client too)
Import CA certificate through certmgr.msc in trusted root
Import other certificate in personal
copied missing files for squid.
Installed squid-dev from packages.
Configured squid as before with ssl filter and certificate and boom even microsoft default certificate error.
-
It doesn't work any longer since I've updated to pfSense 2.1.1
It worked on 2.1Need to see which system things changed with the upgrade.
Verify the "orphan" libraries for squid3-dev and what about OpenSSL?
OpenSSL does not like country codes longer than two letters, so remove entries that are not actually country codes
https://doc.pfsense.org/index.php/2.1.1_New_Features_and_Changes
Checked, and the orphan libraries are on the system. Countrycode is 2 letters.
Squid http filtering works fine, only the https part results in certificate errors. -
https is the problem and it is major concern now.
-
pfSense 2.1 (not upgraded to 2.1.1)
squid3-dev upgraded from 3.3.10 pkg 2.2.1 to 3.3.10 pkg 2.2.2Bug for interception
Last lines of squid.conf generated by 2.2.1
# Custom options always_direct allow all ssl_bump server-first all # Setup allowed acls # Allow local network(s) on interface(s) http_access allow localnet # Default block all to be sure http_access deny allsrcLast lines of squid.conf generated by 2.2.2
# Custom options before auth # Setup allowed acls # Allow local network(s) on interface(s) http_access allow localnet # Default block all to be sure http_access deny allsrcWorkaround until next version
Put at Custom ACLS (Before_Auth) box the lines
always_direct allow all
ssl_bump server-first allCustom ACLS (After_Auth)
In addition to this, the box Custom ACLS (After_Auth) does nothing.
Rotate Cron duplicated
The upgrade also duplicates the rotate cron. You can see it if you have Cron package installed
0 0 * * * root /bin/rm /var/squid/cache/swap.state; /usr/pbi/squid-i386/sbin/squid -k rotate -f /usr/pbi/squid-i386/etc/squid/squid.conf 0 0 * * * root /usr/pbi/squid-i386/sbin/squid -k rotate -f /usr/pbi/squid-i386/etc/squid/squid.confDelete the old cron containing rm swap.state and look up the new option Proxy server: Cache management: Clear cache on log rotate
Discussion about the new option, https://forum.pfsense.org/index.php?topic=74453.msg407287#msg407287
More about squid duplicated cron, https://forum.pfsense.org/index.php?topic=74633.0
-
Thanks for all the support, worked like a charm, much relieved now, I am not blaming developer doing very good job, but this bug wasted almost two days of working time.
Again my appreciations , you are a life saver.
If you can, please explain cron thing in details.
-
Thanks for your good words!
If you can, please explain cron thing in details.
https://forum.pfsense.org/index.php?topic=74453.msg407820#msg407820
-
I just created an account to say thank you. I've wasted all my afternoon after the upgrade, trying to guess why ssl bumping stopped to work at our school, but tomorrow everything (included the filter for the students) will be able to continue as expected.
-
Thanks for your good words!
Also, at school, www.bellera.cat :) :) :) :)
-
ssl_bump acls were inside auth loop. I'm fixing it right now.
-
Hi,
Thanks for update regarding squid fixing, please look into icap issue too, somehow not able to successfully run squid after clam update.
Thanks in advance
-
Hi,
Thanks for update regarding squid fixing, please look into icap issue too, somehow not able to successfully run squid after clam update.
Thanks in advance
This is still under devel. Current feedback says that's only working on i386 version.
-
where can i set below parameter permanently.
always_direct allow all
ssl_bump server-first allThanks in advance
-
With squid-devel pf 2.1 multi-WAN loadbalancing doesn't work. Failover works because default WAN gets switched.
More specifically, the floating rule-based setup that used to work for pfsense 2.0.x doesn't work any more. Squid only sends through default WAN, whatever that is at any point.
Marcello, can you please shed light on this? Whether this is squid-side issue or any nuance of 2.1.x?
Also, will it be possible to do loadbalancing with transparent SSL proxy?
-
Another question: does delay pooling-based traffic management work with transparent SSL proxy'ing?
-
Hi everyone. I hope you all are having a good night. I'm a newbie with pfsense. For the life of me, I can't even the the squid3 dev package to work at all. It won't work in transparent mode or anything, but the non dev squid3 works like a champ. Any thoughts on where to start to looking?
I'm currently running
pfsense 2.1.2
(works)squid3 3.1.20 pkg 2.0.6 works
(doesn't seem to work at all) 3.3.10 pkg 2.2.2Thanks
-
did you followed some squid posts to get it working?
check missing libs?
ipv6 enabled?
netstat -an to see if squid port is closed or listening… -
Bug at squid3-dev 3.3.10 pkg 2.2.2
http://forum.pfsense.org/index.php?topic=62256.msg407762#msg407762 -
Steps for SSL interception. In Spanish, please use translate.google.com
https://forum.pfsense.org/index.php?topic=73007.msg402349#msg402349 -
Hello!
Anyone know how to make the built-in antivirus work? c-icap keeps crashing with error signal 11 whenever I enable the AV functions. Or, is there any way to make squid not use c-icap and just use clamav, just like Dansguardian?
Thanks!
-
Hello!
Anyone know how to make the built-in antivirus work? c-icap keeps crashing with error signal 11 whenever I enable the AV functions. Or, is there any way to make squid not use c-icap and just use clamav, just like Dansguardian?
Thanks!
You can try old havp or test your squid in i386 pfsense version.
