Squidguard-squid3 systempatch for use with squid3-dev

webstor

I'm running a 64bit pfsense.

aGeekhere

is the squidGuard service able to run? or is it erroring? Also try using proxy port 3128 in Proxy port under Squid General Settings.

Also here is my Custom ACLS (Before_Auth) in squid (Trying to get windows updates working)

acl WindowsUpdate dstdomain windowsupdate.microsoft.com
acl WindowsUpdate dstdomain update.microsoft.com
acl WindowsUpdate dstdomain activex.microsoft.com
acl WindowsUpdate dstdomain download.windowsupdate.com
acl WindowsUpdate dstdomain codecs.microsoft.com
acl WindowsUpdate dstdomain stats.updates.microsoft.com
acl WindowsUpdate dstdomain c.microsoft.com
no_cache deny WindowsUpdate
http_access allow WindowsUpdate
always_direct allow all
ssl_bump server-first all

This does not work

webstor

Hi, squidguard is running and no error in the log files.
Port squid is 3128.

aGeekhere

But it is not filtering anything? Check Target Rules in squidGuard.
In SquidGuard: General settings
tic Check this option to enable blacklist
Blacklist proxy is your pfsense router ip

then clear your cache or try private search and try now

webstor

If I deactivate ssl bumping it works just fine.

webstor

could you post your squid.conf please?

aGeekhere

Are you using squidGuard-squid3 ? how do i find the squid.conf file

webstor

Yes, squid3-dev. The squid.conf is under Diagnostic / edit File/  browse to /usr/pbi/squid-amd64 or squid-i386 /etc / squid / squid.conf

aGeekhere

Ok here is my squid config, Any reason why I get an 80072F8F error in windows update.

# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/

http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/

https_port 127.0.0.1:3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/

icp_port 0
dns_v4_first on
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-i386/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /dev/null
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-i386/libexec/squid/pinger
sslcrtd_program /usr/pbi/squid-i386/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 5
sslproxy_capath /usr/pbi/squid-i386/share/certs/
sslproxy_cert_error allow all
sslproxy_cert_adapt setValidBefore all

logfile_rotate 1
debug_options rotate=1
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.1.0/24
forwarded_for off
uri_whitespace strip

# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private

# Let the clients favorite video site through with full caching
acl youtube dstdomain .youtube.com
cache allow youtube

# Windows Update refresh_pattern
range_offset_limit -1
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims

# Symantec refresh_pattern
range_offset_limit -1
refresh_pattern liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims

# Avast refresh_pattern
range_offset_limit -1
refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims

# Avira refresh_pattern
range_offset_limit -1
refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims

cache_mem 1000 MB
maximum_object_size_in_memory 1000000 KB
memory_replacement_policy heap LFUDA
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 15000 32 256
minimum_object_size 0 KB
maximum_object_size 10000000 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern .    0  20%  4320

# No redirector configured

#Remote proxies

# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535 
acl sslports port 443 563  

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.1.1/24
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer. 
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

quick_abort_min -1 KB
quick_abort_max 0 KB
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
# Throttle extensions matched in the url
acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
delay_access 1 allow throttle_exts
delay_access 1 deny allsrc

# Reverse Proxy settings

always_direct allow whitelist
ssl_bump none whitelist
# Package Integration
url_rewrite_program /usr/pbi/squidguard-squid3-i386/bin/squidGuard -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 5

# Custom options before auth
acl WindowsUpdate dstdomain windowsupdate.microsoft.com
acl WindowsUpdate dstdomain update.microsoft.com
acl WindowsUpdate dstdomain activex.microsoft.com
acl WindowsUpdate dstdomain download.windowsupdate.com
acl WindowsUpdate dstdomain codecs.microsoft.com
acl WindowsUpdate dstdomain stats.updates.microsoft.com
acl WindowsUpdate dstdomain c.microsoft.com
no_cache deny WindowsUpdate
http_access allow WindowsUpdate

always_direct allow all
ssl_bump server-first all

# Always allow access to whitelist domains
http_access allow whitelist
# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow allowed_subnets
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

icap_enable on
icap_send_client_ip on
icap_send_client_username on 
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024

icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav

adaptation_access service_req allow all
adaptation_access service_resp allow all

aGeekhere

I have finally solved windows updates /adobe updates or any other update error :)
In Proxy server: General settings under Custom ACLS (Before_Auth)  put
Update

Need to test a few things, will post back

always_direct allow all
ssl_bump server-first all

acl broken_sites dstdomain .update.microsoft.com
acl broken_sites dstdomain .ds.download.windowsupdate.com
acl broken_sites dstdomain .swupdl.adobe.com
acl broken_sites dstdomain .ccmdl.adobe.com
ssl_bump none broken_sites

sorry, only worked because Squid crashed and i did not see it.
Still cannot connect

aGeekhere

I still have not found a fix for windows updates (thinking there is a bug in squid3-dev)

Where can we post bugs for squid3-dev? Here?

So far I have found issue with
Windows updates
Adobe updates

SSL filtering websites issues
https://dolphin-emu.org/
will add more later

webstor

Hi,

is your squidguard running as parent from squid?
If the answer is yes and you are using ssl bumping, then it is getting bypassed.

aGeekhere

Hi , not sure what you mean by "parent"  but any ideas how we can get windows updates working?

webstor

Yes, custom acl which is not getting decrypted.

aGeekhere

Yes, custom acl

I tried custom ACLs but they did not work.

which is not getting decrypted.

Is that the reason why the custom ACLs are not working?

I guess the question is:

Has anyone been able to get windows updates working using custom acls for SSL filtering?

And if so can they post an example (as I am sure other people are having the same issue with this)

agixdota

i hope  :-[

Cino

pull request to bring changes into the package
https://github.com/pfsense/pfsense-packages/pull/787

Firzze

Hi, :)
So with ssl filtering, windows update does not want to do this. There in there a manipulation to do to solve this problem.
Sorry for my bad english  ;D