Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squidguard-squid3 systempatch for use with squid3-dev

    Scheduled Pinned Locked Moved Cache/Proxy
    59 Posts 11 Posters 49.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      webstor
      last edited by

      Hi mehere,

      squid is running fine and bumping as it should, the problem is that squidguard is bypassed because of the server side first feature which is necessary to not run into cert errors.

      1 Reply Last reply Reply Quote 0
      • A
        aGeekhere
        last edited by

        Hi webstor
        Where is this "server side first feature"? as I am running into https Certificate errors.

        Never Fear, A Geek is Here!

        1 Reply Last reply Reply Quote 0
        • W
          webstor
          last edited by

          You have to add this to Custom ACLS (Before_Auth).

          In which cert error are you running?
          Have you imported the CA Cert already?

          Thanx.

          1 Reply Last reply Reply Quote 0
          • A
            aGeekhere
            last edited by

            If I put (Before_Auth) in Custom ACLS then I cant connect to any https website, without it I can connect however I get the warning.

            I followed this to create the Certificate http://www.sxl.net/guides/how-to-setup-pfsense-ssl-certificate-authority/

            So my problem is the https filtering is working however the Certificate is not

            And yours is bypassing squidgard, hmm

            Never Fear, A Geek is Here!

            1 Reply Last reply Reply Quote 0
            • W
              webstor
              last edited by

              Mine is working as it should, the problem is the redirect.

              Could you please post the certificate error you get when you as example go to www.facebook.com

              (please post a picture with the error).

              1 Reply Last reply Reply Quote 0
              • W
                webstor
                last edited by

                And the proxy server config page?

                Thanx.

                1 Reply Last reply Reply Quote 0
                • A
                  aGeekhere
                  last edited by

                  Check attachments, the error i get is that it does not like the self signed certificate that pfsense creates. Some sites do not ever let you proceed. So SSL filtering is working, however self signed certificate is not working. Any ideas?

                  error.png
                  error.png_thumb
                  squid.png
                  squid.png_thumb

                  Never Fear, A Geek is Here!

                  1 Reply Last reply Reply Quote 0
                  • W
                    webstor
                    last edited by

                    under custom acls please remove the forwarded_for transparent and replace it with

                    always_direct allow all
                    ssl_bump server-first all

                    1 Reply Last reply Reply Quote 0
                    • A
                      aGeekhere
                      last edited by

                      always_direct allow all
                      ssl_bump server-first all

                      That was the missing link, now there is no more warnings (with the exception of pfsense admin page, which is fine).

                      Thank you very much

                      [UPDATE]

                      Now windows update can't connect with error 80072F8F.
                      Also Adobe creative cloud can not connect with error 201.
                      [Update]Add GoogleUpdate.exe to the list as well.

                      Looking at this post https://forum.pfsense.org/index.php?topic=77394.0

                      Does this fix work? How is this added in the GUI?

                      [Update]
                      This is my Custom ACLS (Before_Auth)
                      acl broken_sites dstdomain .update.microsoft.com
                      ssl_bump none broken_sites
                      always_direct allow all
                      ssl_bump server-first all

                      However windows updates still do not work.

                      Never Fear, A Geek is Here!

                      1 Reply Last reply Reply Quote 0
                      • W
                        webstor
                        last edited by

                        Hi,

                        Of course you cannot decrypt every Site. Itunes is also not decryptable.
                        BTW: is squidguard and antivirus working?
                        As exakte is the Eicar Testvirus getting blocked?

                        1 Reply Last reply Reply Quote 0
                        • A
                          aGeekhere
                          last edited by

                          How do I add the exclusions?

                          Yes squidguard and the antivirus are working and it does block the exakte file.

                          [UPDATE] Also Do you have to manually find each service to exclude?
                          e.g.
                          windows update
                          Adobe creative cloud
                          Google update
                          Antivirus update
                          other updater

                          Or can we just create a general rule that will allow all service updates, because finding all these service updates would hard and take a while and if someone comes onto the network and has some other software package that need an exclusion in order to update that would be hard to maintain.

                          Never Fear, A Geek is Here!

                          1 Reply Last reply Reply Quote 0
                          • W
                            webstor
                            last edited by

                            Hm, my squidguard isn't still working.

                            Are you using HAVP as antivirus?

                            Did you add more then one nat rule for ssl decryption?

                            Thanx.

                            1 Reply Last reply Reply Quote 0
                            • A
                              aGeekhere
                              last edited by

                              Are you using HAVP as antivirus?

                              I left the squid Antivirus (clamav) as default (do not know if it is using HAVP or not, can't
                              even find a setting for it in squid)

                              Did you add more then one nat rule for ssl decryption?

                              I did not set any nat rules for ssl decryption in the Firewall, but rather in System: Advanced: Firewall and NAT and set NAT Reflection mode for port forwards to enable(pure nat).Also enabled Enable NAT Reflection for 1:1 NAT and Enable automatic outbound NAT for Reflection.

                              Hope this helps

                              Also any ideas on my above post about windows updates and other update servers?

                              Never Fear, A Geek is Here!

                              1 Reply Last reply Reply Quote 0
                              • W
                                webstor
                                last edited by

                                Strange, is your squidguard configured as parent for squid?

                                Could you maybe post your squid.conf please?

                                Thanx.

                                1 Reply Last reply Reply Quote 0
                                • A
                                  aGeekhere
                                  last edited by

                                  in squidgard set Blacklist proxy as the ip of pfsense

                                  Never Fear, A Geek is Here!

                                  1 Reply Last reply Reply Quote 0
                                  • W
                                    webstor
                                    last edited by

                                    That is not working correctly, squidguard won't start if I enter the ip of pfsense in the blacklist proxy.

                                    1 Reply Last reply Reply Quote 0
                                    • A
                                      aGeekhere
                                      last edited by

                                      Same, I have to cut every thing out of integrations then start squidgaurd then renter it back in

                                      Never Fear, A Geek is Here!

                                      1 Reply Last reply Reply Quote 0
                                      • W
                                        webstor
                                        last edited by

                                        And after that it was working, I mean ssl bump and squidguard filtering?

                                        1 Reply Last reply Reply Quote 0
                                        • A
                                          aGeekhere
                                          last edited by

                                          both, sometimes a restart is needed and then cut everying out from integrations, start squidgaurd and then paste it back into squid.

                                          Never Fear, A Geek is Here!

                                          1 Reply Last reply Reply Quote 0
                                          • W
                                            webstor
                                            last edited by

                                            Nope, won't help. I don't get it.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.