Squidguard-squid3 systempatch for use with squid3-dev

webstor

under custom acls please remove the forwarded_for transparent and replace it with

always_direct allow all
ssl_bump server-first all

aGeekhere

always_direct allow all
ssl_bump server-first all

That was the missing link, now there is no more warnings (with the exception of pfsense admin page, which is fine).

Thank you very much

[UPDATE]

Now windows update can't connect with error 80072F8F.
Also Adobe creative cloud can not connect with error 201.
[Update]Add GoogleUpdate.exe to the list as well.

Looking at this post https://forum.pfsense.org/index.php?topic=77394.0

Does this fix work? How is this added in the GUI?

[Update]
This is my Custom ACLS (Before_Auth)
acl broken_sites dstdomain .update.microsoft.com
ssl_bump none broken_sites
always_direct allow all
ssl_bump server-first all

However windows updates still do not work.

webstor

Hi,

Of course you cannot decrypt every Site. Itunes is also not decryptable.
BTW: is squidguard and antivirus working?
As exakte is the Eicar Testvirus getting blocked?

aGeekhere

How do I add the exclusions?

Yes squidguard and the antivirus are working and it does block the exakte file.

[UPDATE] Also Do you have to manually find each service to exclude?
e.g.
windows update
Adobe creative cloud
Google update
Antivirus update
other updater

Or can we just create a general rule that will allow all service updates, because finding all these service updates would hard and take a while and if someone comes onto the network and has some other software package that need an exclusion in order to update that would be hard to maintain.

webstor

Hm, my squidguard isn't still working.

Are you using HAVP as antivirus?

Did you add more then one nat rule for ssl decryption?

Thanx.

aGeekhere

Are you using HAVP as antivirus?

I left the squid Antivirus (clamav) as default (do not know if it is using HAVP or not, can't
even find a setting for it in squid)

Did you add more then one nat rule for ssl decryption?

I did not set any nat rules for ssl decryption in the Firewall, but rather in System: Advanced: Firewall and NAT and set NAT Reflection mode for port forwards to enable(pure nat).Also enabled Enable NAT Reflection for 1:1 NAT and Enable automatic outbound NAT for Reflection.

Hope this helps

Also any ideas on my above post about windows updates and other update servers?

webstor

Strange, is your squidguard configured as parent for squid?

Could you maybe post your squid.conf please?

Thanx.

aGeekhere

in squidgard set Blacklist proxy as the ip of pfsense

webstor

That is not working correctly, squidguard won't start if I enter the ip of pfsense in the blacklist proxy.

aGeekhere

Same, I have to cut every thing out of integrations then start squidgaurd then renter it back in

webstor

And after that it was working, I mean ssl bump and squidguard filtering?

aGeekhere

both, sometimes a restart is needed and then cut everying out from integrations, start squidgaurd and then paste it back into squid.

webstor

Nope, won't help. I don't get it.

aGeekhere

Hi all, still stuck on getting windows update working, any advice?.

webstor

When I got it working with squidguard, I will attend to that problem.

aGeekhere

I am a bit stumped on why Squidguard is not working for you (as I am new to this) list your squid, Squidguard and System: Advanced: Firewall and NAT settings.

webstor

Transparent Proxy.

Integrations Settings:
cache_peer 127.0.0.1 parent 3125 0 name=havp no-query no-digest no-netdb-exchange default;url_rewrite_program /usr/pbi/squidguard-squid3-amd64/bin/squidGuard -c /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=0

Custom Acls:
always_direct allow all
ssl_bump server-first all

Only one nat rue for redirecting https traffic to squid.

aGeekhere

do you put amd64 instead of i386 by mistake or are you running amd64?

webstor

I'm running a 64bit pfsense.

aGeekhere

is the squidGuard service able to run? or is it erroring? Also try using proxy port 3128 in Proxy port under Squid General Settings.

Also here is my Custom ACLS (Before_Auth) in squid (Trying to get windows updates working)

acl WindowsUpdate dstdomain windowsupdate.microsoft.com
acl WindowsUpdate dstdomain update.microsoft.com
acl WindowsUpdate dstdomain activex.microsoft.com
acl WindowsUpdate dstdomain download.windowsupdate.com
acl WindowsUpdate dstdomain codecs.microsoft.com
acl WindowsUpdate dstdomain stats.updates.microsoft.com
acl WindowsUpdate dstdomain c.microsoft.com
no_cache deny WindowsUpdate
http_access allow WindowsUpdate
always_direct allow all
ssl_bump server-first all

This does not work