Squidguard-squid3 systempatch for use with squid3-dev
-
Hi all (new to pfsense)
Trying to get HTTPS filtering working.
I have followed the above steps.I have Installed:
- squid3-dev
- squidGuard-squid3
- System Patches
The issue I am having is squidGuard wont start with error message
php: /pkg_edit.php: The command '/usr/pbi/squid-i386/sbin/squid -k reconfigure -f /usr/pbi/squid-i386/etc/squid/squid.conf' returned exit code '1', the output was '2014/10/08 13:41:19| Warning: empty ACL: acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl" squid: ERROR: No running copy'
Any ideas on why squidGuard wont start?
[Solved] Had to restart
[Solved] To filter https do use Enable SSL filtering? and have to give every computer a CA? is there another way?
Ok got Transparent HTTPS proxy filtering with squidGuard-squid3 and squid3-dev working :)
-
Hi mehere,
could you please post your config.
When I enable SSL filtering, squidguard is not working correctly. The service is running but it looks like squidguard is getting bypassed. -
webstor Try restarting a few times (For some strange reason it worked after a few boots). If not then make sure that:
-Network Address Translation is enabled
-Proxy interface(s) is set to lan
-Transparent Proxy interface(s) is set to lanLet me know if that fixes it.
UPDATE: If the squid service does not want to start Cut all the content from Integrations then save then paste it back in it again.
However the issue i am having now is EVERY https site shows the warning screen or This Connection is Untrusted screen (For chrome its Your connection is not private).
This is the part that I am having trouble with "To create a CA on pfsense, go to system -> Cert Manager
Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection."I have created a CAs in System: Certificate Authority Manager then tried both the Internal and intermediate Certificate.
Tried both Certificate s in CA in SSL man in the middle Filtering.
I tried installing them in both the recommended location and also in the trusted root location, Even manually imported into chrome . This still does not fix this issue.
Any help would be great
UPDATE: I get NET::ERR_CERT_COMMON_NAME_INVALID, is pfsense creating the Certificate with the Wrong COMMON_NAME
-
Hi mehere,
squid is running fine and bumping as it should, the problem is that squidguard is bypassed because of the server side first feature which is necessary to not run into cert errors.
-
Hi webstor
Where is this "server side first feature"? as I am running into https Certificate errors. -
You have to add this to Custom ACLS (Before_Auth).
In which cert error are you running?
Have you imported the CA Cert already?Thanx.
-
If I put (Before_Auth) in Custom ACLS then I cant connect to any https website, without it I can connect however I get the warning.
I followed this to create the Certificate http://www.sxl.net/guides/how-to-setup-pfsense-ssl-certificate-authority/
So my problem is the https filtering is working however the Certificate is not
And yours is bypassing squidgard, hmm
-
Mine is working as it should, the problem is the redirect.
Could you please post the certificate error you get when you as example go to www.facebook.com
(please post a picture with the error).
-
And the proxy server config page?
Thanx.
-
Check attachments, the error i get is that it does not like the self signed certificate that pfsense creates. Some sites do not ever let you proceed. So SSL filtering is working, however self signed certificate is not working. Any ideas?
-
under custom acls please remove the forwarded_for transparent and replace it with
always_direct allow all
ssl_bump server-first all -
always_direct allow all
ssl_bump server-first allThat was the missing link, now there is no more warnings (with the exception of pfsense admin page, which is fine).
Thank you very much
[UPDATE]
Now windows update can't connect with error 80072F8F.
Also Adobe creative cloud can not connect with error 201.
[Update]Add GoogleUpdate.exe to the list as well.Looking at this post https://forum.pfsense.org/index.php?topic=77394.0
Does this fix work? How is this added in the GUI?
[Update]
This is my Custom ACLS (Before_Auth)
acl broken_sites dstdomain .update.microsoft.com
ssl_bump none broken_sites
always_direct allow all
ssl_bump server-first allHowever windows updates still do not work.
-
Hi,
Of course you cannot decrypt every Site. Itunes is also not decryptable.
BTW: is squidguard and antivirus working?
As exakte is the Eicar Testvirus getting blocked? -
How do I add the exclusions?
Yes squidguard and the antivirus are working and it does block the exakte file.
[UPDATE] Also Do you have to manually find each service to exclude?
e.g.
windows update
Adobe creative cloud
Google update
Antivirus update
other updaterOr can we just create a general rule that will allow all service updates, because finding all these service updates would hard and take a while and if someone comes onto the network and has some other software package that need an exclusion in order to update that would be hard to maintain.
-
Hm, my squidguard isn't still working.
Are you using HAVP as antivirus?
Did you add more then one nat rule for ssl decryption?
Thanx.
-
Are you using HAVP as antivirus?
I left the squid Antivirus (clamav) as default (do not know if it is using HAVP or not, can't
even find a setting for it in squid)Did you add more then one nat rule for ssl decryption?
I did not set any nat rules for ssl decryption in the Firewall, but rather in System: Advanced: Firewall and NAT and set NAT Reflection mode for port forwards to enable(pure nat).Also enabled Enable NAT Reflection for 1:1 NAT and Enable automatic outbound NAT for Reflection.
Hope this helps
Also any ideas on my above post about windows updates and other update servers?
-
Strange, is your squidguard configured as parent for squid?
Could you maybe post your squid.conf please?
Thanx.
-
in squidgard set Blacklist proxy as the ip of pfsense
-
That is not working correctly, squidguard won't start if I enter the ip of pfsense in the blacklist proxy.
-
Same, I have to cut every thing out of integrations then start squidgaurd then renter it back in
-
And after that it was working, I mean ssl bump and squidguard filtering?
-
both, sometimes a restart is needed and then cut everying out from integrations, start squidgaurd and then paste it back into squid.
-
Nope, won't help. I don't get it.
-
Hi all, still stuck on getting windows update working, any advice?.
-
When I got it working with squidguard, I will attend to that problem.
-
I am a bit stumped on why Squidguard is not working for you (as I am new to this) list your squid, Squidguard and System: Advanced: Firewall and NAT settings.
-
Transparent Proxy.
Integrations Settings:
cache_peer 127.0.0.1 parent 3125 0 name=havp no-query no-digest no-netdb-exchange default;url_rewrite_program /usr/pbi/squidguard-squid3-amd64/bin/squidGuard -c /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=0Custom Acls:
always_direct allow all
ssl_bump server-first allOnly one nat rue for redirecting https traffic to squid.
-
do you put amd64 instead of i386 by mistake or are you running amd64?
-
I'm running a 64bit pfsense.
-
is the squidGuard service able to run? or is it erroring? Also try using proxy port 3128 in Proxy port under Squid General Settings.
Also here is my Custom ACLS (Before_Auth) in squid (Trying to get windows updates working)
acl WindowsUpdate dstdomain windowsupdate.microsoft.com
acl WindowsUpdate dstdomain update.microsoft.com
acl WindowsUpdate dstdomain activex.microsoft.com
acl WindowsUpdate dstdomain download.windowsupdate.com
acl WindowsUpdate dstdomain codecs.microsoft.com
acl WindowsUpdate dstdomain stats.updates.microsoft.com
acl WindowsUpdate dstdomain c.microsoft.com
no_cache deny WindowsUpdate
http_access allow WindowsUpdate
always_direct allow all
ssl_bump server-first allThis does not work
-
Hi, squidguard is running and no error in the log files.
Port squid is 3128. -
But it is not filtering anything? Check Target Rules in squidGuard.
In SquidGuard: General settings
tic Check this option to enable blacklist
Blacklist proxy is your pfsense router ipthen clear your cache or try private search and try now
-
If I deactivate ssl bumping it works just fine.
-
could you post your squid.conf please?
-
Are you using squidGuard-squid3 ? how do i find the squid.conf file
-
Yes, squid3-dev. The squid.conf is under Diagnostic / edit File/ browse to /usr/pbi/squid-amd64 or squid-i386 /etc / squid / squid.conf
-
Ok here is my squid config, Any reason why I get an 80072F8F error in windows update.
# This file is automatically generated by pfSense # Do not edit manually ! http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/ http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/ https_port 127.0.0.1:3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/ icp_port 0 dns_v4_first on pid_filename /var/run/squid.pid cache_effective_user proxy cache_effective_group proxy error_default_language en icon_directory /usr/pbi/squid-i386/etc/squid/icons visible_hostname localhost cache_mgr admin@localhost access_log /dev/null cache_log /var/squid/logs/cache.log cache_store_log none netdb_filename /var/squid/logs/netdb.state pinger_enable on pinger_program /usr/pbi/squid-i386/libexec/squid/pinger sslcrtd_program /usr/pbi/squid-i386/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048 sslcrtd_children 5 sslproxy_capath /usr/pbi/squid-i386/share/certs/ sslproxy_cert_error allow all sslproxy_cert_adapt setValidBefore all logfile_rotate 1 debug_options rotate=1 shutdown_lifetime 3 seconds # Allow local network(s) on interface(s) acl localnet src 192.168.1.0/24 forwarded_for off uri_whitespace strip # Break HTTP standard for flash videos. Keep them in cache even if asked not to. refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private # Let the clients favorite video site through with full caching acl youtube dstdomain .youtube.com cache allow youtube # Windows Update refresh_pattern range_offset_limit -1 refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims # Symantec refresh_pattern range_offset_limit -1 refresh_pattern liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims # Avast refresh_pattern range_offset_limit -1 refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims # Avira refresh_pattern range_offset_limit -1 refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims cache_mem 1000 MB maximum_object_size_in_memory 1000000 KB memory_replacement_policy heap LFUDA cache_replacement_policy heap LFUDA cache_dir ufs /var/squid/cache 15000 32 256 minimum_object_size 0 KB maximum_object_size 10000000 KB offline_mode off cache_swap_low 90 cache_swap_high 95 cache allow all # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 # No redirector configured #Remote proxies # Setup some default acls # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. # acl localhost src 127.0.0.1/32 acl allsrc src all acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535 acl sslports port 443 563 # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. #acl manager proto cache_object acl purge method PURGE acl connect method CONNECT # Define protocols used for redirects acl HTTP proto HTTP acl HTTPS proto HTTPS acl allowed_subnets src 192.168.1.1/24 acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl" http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections # From 3.2 further configuration cleanups have been done to make things easier and safer. # The manager, localhost, and to_localhost ACL definitions are now built-in. # http_access allow localhost quick_abort_min -1 KB quick_abort_max 0 KB request_body_max_size 0 KB delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 # Throttle extensions matched in the url acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl" delay_access 1 allow throttle_exts delay_access 1 deny allsrc # Reverse Proxy settings always_direct allow whitelist ssl_bump none whitelist # Package Integration url_rewrite_program /usr/pbi/squidguard-squid3-i386/bin/squidGuard -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf url_rewrite_bypass off url_rewrite_children 5 # Custom options before auth acl WindowsUpdate dstdomain windowsupdate.microsoft.com acl WindowsUpdate dstdomain update.microsoft.com acl WindowsUpdate dstdomain activex.microsoft.com acl WindowsUpdate dstdomain download.windowsupdate.com acl WindowsUpdate dstdomain codecs.microsoft.com acl WindowsUpdate dstdomain stats.updates.microsoft.com acl WindowsUpdate dstdomain c.microsoft.com no_cache deny WindowsUpdate http_access allow WindowsUpdate always_direct allow all ssl_bump server-first all # Always allow access to whitelist domains http_access allow whitelist # Setup allowed acls # Allow local network(s) on interface(s) http_access allow allowed_subnets http_access allow localnet # Default block all to be sure http_access deny allsrc icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_encode off icap_client_username_header X-Authenticated-User icap_preview_enable on icap_preview_size 1024 icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav adaptation_access service_req allow all adaptation_access service_resp allow all
-
I have finally solved windows updates /adobe updates or any other update error :)
In Proxy server: General settings under Custom ACLS (Before_Auth) put
UpdateNeed to test a few things, will post back
always_direct allow all ssl_bump server-first all acl broken_sites dstdomain .update.microsoft.com acl broken_sites dstdomain .ds.download.windowsupdate.com acl broken_sites dstdomain .swupdl.adobe.com acl broken_sites dstdomain .ccmdl.adobe.com ssl_bump none broken_sites
sorry, only worked because Squid crashed and i did not see it.
Still cannot connect -
I still have not found a fix for windows updates (thinking there is a bug in squid3-dev)
Where can we post bugs for squid3-dev? Here?
So far I have found issue with
Windows updates
Adobe updatesSSL filtering websites issues
https://dolphin-emu.org/
will add more later -
Hi,
is your squidguard running as parent from squid?
If the answer is yes and you are using ssl bumping, then it is getting bypassed.