Squidguard-squid3 systempatch for use with squid3-dev
-
Saludos señores pfsense
Tengo un problema con el pfsense2.1+squid3-dev+squidguard-squid3, el problema del squid3-dev solucionado me sirvio algo que publicaron en otro foro el problema es con el squiguard-squid3 no me inicia hice lo de este foro me funciono al primer reinicio pero despues del segundo ya no sale "detenido service" volvi aplicar nuevamente los pasos del foro pero ya no inicia ,antes de que sucediera que no inicie, trate de arrancar el servicio "Clamav Antivirus" y el "Icap inteface for squid and clamav integration" pero no arrancaron de ahi reinicie y ya no arranco squidguard-squid3 :'( :-X :-\ alguna ayuda porfavor esta montado sobre vmware 10
All I can say about this subject is the following:
Het Squid package is recent aangepast. De clamav functionaliteiten werken pas zeer recent en alleen in de i386 versie. Een beetje zoeken in op het forum kan geen kwaad.
Je vraag gaat totaal niet over mijn onderwerp en zal je in het forum onderwerp https://forum.pfsense.org/index.php?topic=73426.msg402098#msg402098 van Marcello terug moeten vinden en wellicht dat je daar je vraag over ipcap en clamav beter daar kan stellen.As you can read above English is not my original language and I do my best to post on this international forum in English so that others may understand also.
Please try and accept that the English language is more internationally accepted than your own… -
Thank you for your answers, sorry for the Spanish language, English is not my native language, and sorry for the mistakes of translation to English in this message, well the squidguard-squid3 this solved error was a mistake of my understanding in this forum because as I said English is not my native language and I was applying the patch wrong, besides coming well translated to be translated into the Spanish does not alwaysgood for my version I had applied the patch that public tikimotel and was applying the de bellera, but matter well arranged, now the problem I have is that having active squidguard-squid 3 I get this error "Unable to determine the IP address from the http host name" when browsing internet, according to achievement understand not working dns translation when is active the squidguard-squid3 agredeceria your supports to fix it since I am just entering the world of pfsense come migrate from smoothwall 8) 8) 8) ;D ;D
-
Worked perfectly…
sorry,
i had do same instruction but my firewall is not filtering https.pls help.
-
Squid doesn't handle https by default.
My best guess is, if it isn't passed through the proxy it won't be passed on to the active redirector.I don't have ssl proxy set up, so I can't tell you if the proxy will also pass https urls through the SquidGuard redirector.
-
Hi all (new to pfsense)
Trying to get HTTPS filtering working.
I have followed the above steps.I have Installed:
- squid3-dev
- squidGuard-squid3
- System Patches
The issue I am having is squidGuard wont start with error message
php: /pkg_edit.php: The command '/usr/pbi/squid-i386/sbin/squid -k reconfigure -f /usr/pbi/squid-i386/etc/squid/squid.conf' returned exit code '1', the output was '2014/10/08 13:41:19| Warning: empty ACL: acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl" squid: ERROR: No running copy'Any ideas on why squidGuard wont start?
[Solved] Had to restart
[Solved] To filter https do use Enable SSL filtering? and have to give every computer a CA? is there another way?
Ok got Transparent HTTPS proxy filtering with squidGuard-squid3 and squid3-dev working :)
-
Hi mehere,
could you please post your config.
When I enable SSL filtering, squidguard is not working correctly. The service is running but it looks like squidguard is getting bypassed. -
webstor Try restarting a few times (For some strange reason it worked after a few boots). If not then make sure that:
-Network Address Translation is enabled
-Proxy interface(s) is set to lan
-Transparent Proxy interface(s) is set to lanLet me know if that fixes it.
UPDATE: If the squid service does not want to start Cut all the content from Integrations then save then paste it back in it again.
However the issue i am having now is EVERY https site shows the warning screen or This Connection is Untrusted screen (For chrome its Your connection is not private).
This is the part that I am having trouble with "To create a CA on pfsense, go to system -> Cert Manager
Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection."I have created a CAs in System: Certificate Authority Manager then tried both the Internal and intermediate Certificate.
Tried both Certificate s in CA in SSL man in the middle Filtering.
I tried installing them in both the recommended location and also in the trusted root location, Even manually imported into chrome . This still does not fix this issue.
Any help would be great
UPDATE: I get NET::ERR_CERT_COMMON_NAME_INVALID, is pfsense creating the Certificate with the Wrong COMMON_NAME
-
Hi mehere,
squid is running fine and bumping as it should, the problem is that squidguard is bypassed because of the server side first feature which is necessary to not run into cert errors.
-
Hi webstor
Where is this "server side first feature"? as I am running into https Certificate errors. -
You have to add this to Custom ACLS (Before_Auth).
In which cert error are you running?
Have you imported the CA Cert already?Thanx.
-
If I put (Before_Auth) in Custom ACLS then I cant connect to any https website, without it I can connect however I get the warning.
I followed this to create the Certificate http://www.sxl.net/guides/how-to-setup-pfsense-ssl-certificate-authority/
So my problem is the https filtering is working however the Certificate is not
And yours is bypassing squidgard, hmm
-
Mine is working as it should, the problem is the redirect.
Could you please post the certificate error you get when you as example go to www.facebook.com
(please post a picture with the error).
-
And the proxy server config page?
Thanx.
-
Check attachments, the error i get is that it does not like the self signed certificate that pfsense creates. Some sites do not ever let you proceed. So SSL filtering is working, however self signed certificate is not working. Any ideas?
-
under custom acls please remove the forwarded_for transparent and replace it with
always_direct allow all
ssl_bump server-first all -
always_direct allow all
ssl_bump server-first allThat was the missing link, now there is no more warnings (with the exception of pfsense admin page, which is fine).
Thank you very much
[UPDATE]
Now windows update can't connect with error 80072F8F.
Also Adobe creative cloud can not connect with error 201.
[Update]Add GoogleUpdate.exe to the list as well.Looking at this post https://forum.pfsense.org/index.php?topic=77394.0
Does this fix work? How is this added in the GUI?
[Update]
This is my Custom ACLS (Before_Auth)
acl broken_sites dstdomain .update.microsoft.com
ssl_bump none broken_sites
always_direct allow all
ssl_bump server-first allHowever windows updates still do not work.
-
Hi,
Of course you cannot decrypt every Site. Itunes is also not decryptable.
BTW: is squidguard and antivirus working?
As exakte is the Eicar Testvirus getting blocked? -
How do I add the exclusions?
Yes squidguard and the antivirus are working and it does block the exakte file.
[UPDATE] Also Do you have to manually find each service to exclude?
e.g.
windows update
Adobe creative cloud
Google update
Antivirus update
other updaterOr can we just create a general rule that will allow all service updates, because finding all these service updates would hard and take a while and if someone comes onto the network and has some other software package that need an exclusion in order to update that would be hard to maintain.
-
Hm, my squidguard isn't still working.
Are you using HAVP as antivirus?
Did you add more then one nat rule for ssl decryption?
Thanx.
-
Are you using HAVP as antivirus?
I left the squid Antivirus (clamav) as default (do not know if it is using HAVP or not, can't
even find a setting for it in squid)Did you add more then one nat rule for ssl decryption?
I did not set any nat rules for ssl decryption in the Firewall, but rather in System: Advanced: Firewall and NAT and set NAT Reflection mode for port forwards to enable(pure nat).Also enabled Enable NAT Reflection for 1:1 NAT and Enable automatic outbound NAT for Reflection.
Hope this helps
Also any ideas on my above post about windows updates and other update servers?