Netgate Discussion Forum

SQUID proxy authentication

General pfSense Questions
    BlazeStar
    last edited by Jan 22, 2015, 2:19 PM Jan 22, 2015, 2:13 PM

    Hi guys,

    Using 2.1.5-RELEASE with squid3 3.1.20 pkg 2.1.2

    I was trying to activate authentication.

    I've been running squid3 for a good while in transparent mode and all was working perfectly.

    Here's what I did:

    1. Set up my users in Services > Proxy > Users

    2. Disable Transparent HTTP proxy in Services > Proxy > General

    3. Select LOCAL Authentication method in Services > Proxy > Authentication

    4. Saved everything, rebooted pfSense server

    Then: nothing happens!

    It behaves just like it did when it was in transparent mode.

    Any idea why?

    My configuration is really almost factory default.

    The only configurations I modified in the SQUID proxy settings are the ones described above, and also I added the DNS-servers from my ISP in the "Use alternate DNS-servers for the proxy-server" otherwise I'd get terrible DNS delays.

      BlazeStar
      last edited by Jan 23, 2015, 12:22 AM

      So I've been messing around and can't find anything wrong :'(

      Any help would be awesomely appreciated

        KOM
        last edited by Jan 23, 2015, 1:59 AM

        If you disable Transparent mode, how do your clients know to go to the proxy?

          mendilli
          last edited by Jan 23, 2015, 7:48 PM

          @KOM:

          If you disable Transparent mode, how do your clients know to go to the proxy?

          KOM is right. In this case you have to set your proxy settings in each of your clients' browsers, or you should deploy your proxy information with WPAD/PAC via DHCP/DNS.

            BlazeStar
            last edited by Jan 23, 2015, 9:19 PM

            Hello,

            I was going to set up a WPAD host with DHCP option 252 for that.

            But what puzzles me is that even if I disabled transparent mode, everyone still has access to the internet.

            Maybe there's a step I missed to force all HTTP and HTTPS traffic from the LAN to go through the proxy?

            Should I block ports 80 and 443 in the NAT and FIREWALL (block outgoing traffic from LAN)?

            I'm new to pfSense; the previous gateway appliance I was using would do all this automatically when I disabled transparent mode and set up a proxy server.

              KOM
              last edited by Jan 23, 2015, 9:21 PM

              Of course they still have access. Squid in Transparent mode just redirects the traffic from port 80 to 3128. It doesn't block port 80, so anyone not using the proxy has full, direct access. That's why it's usually a good idea to block ports 80/443 on LAN. Then nobody gets around the proxy.

                BlazeStar
                last edited by Jan 23, 2015, 10:20 PM

                Yup that was stupid indeed.

                I still can't make the WPAD to work.

                But after blocking the port I tried manually configuring the proxy address in firefox.

                It does ask for authentication right away!

                But when I enter the credentials of a user I put in

                Service > Proxy Server > Users

                It will not work.

                The proxy log shows TCP DENIED/407

                Any idea?

                  marcelloc
                  last edited by Jan 23, 2015, 10:37 PM

                  Try to use squid3-dev on pfsense 2.1. Squid3 package is still on old 3.1.

                  And then check firewall rules on lan to deny direct access to 80,443,etc http ports.

                  And on client browsers, check if detect proxy settings is checked.

                  Elite Training: http://sys-squad.com

                  Help a community developer! ;D

                    BlazeStar
                    last edited by Jan 24, 2015, 12:42 AM

                    Okay I thought squid3-dev was beta or something.

                    Will try and report back, thanks!

                      BlazeStar
                      last edited by Feb 7, 2015, 1:58 AM Feb 7, 2015, 1:51 AM

                      Now using squid3-dev / 3.3.10 pkg 2.2.8

                      Same problem :(

                      To sum it up:

                      I've been using SQUID proxy for a while now in transparent mode and it works fine.

                      My goal is to switch it to non-transparent mode.

                      Then toggle authentication.

                      Then install SquidGuard.

                      So, first step to non-transparent mode:

                      1. Services > Proxy Server
                        I uncheck the Transparent HTTP proxy checkbox.

                      2. Firewall > Rules > LAN
                        I block HTTP port (80) for TCP

                      3. To make auto-configuration I followed this:
                        https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

                      After creating the files I added additional DHCP options like so:
                      http://cl.ly/image/430u022O3N3T

                      I also added a DNS host override like so:
                      http://cl.ly/image/3k382b461r3N

                      Then I fire up a browser (I used Firefox and Safari)
                      None will work.

                      If I input the WPAD file manually in Firefox, it WILL work perfectly!
                      (In the network settings, specify the auto-config address, I add: http://10.0.1.1/wpad.dat)

                      If I leave it to "auto-detect proxy settings" it will NOT work.

                      So proxy in non transparent mode WORKS.

                      Auto detection does NOT work.

                      Again, I followed every single step in this document:
                      https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

                      Any idea how to make it work please?

                      I've been stuck on this for so long I'm about to cry ;)

                      PS: Before you ask, I did reboot pfSense after all changes have been made.

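A worked wpad.dat / proxy.pac for the non-transparent setup described in the post above, added here as an example; it is not code from the thread or from the pfSense WPAD document. It assumes Squid listens on the pfSense LAN address 10.0.1.1:3128 (the address BlazeStar used), that the LAN is 10.0.0.0/16 (an assumption; the DHCP lease quoted later in the thread shows subnet_mask 255.255.0.0), and an internal DNS suffix "lan.example", which is hypothetical. The stub block exists only so the file can be evaluated offline with Node for testing: a browser supplies the real PAC built-ins (its isInNet also resolves host names, which the stub does not), and the guard never overrides an existing one.

```javascript
// Added example wpad.dat / proxy.pac for a non-transparent Squid on pfSense.
// Assumed values (only the proxy address comes from the thread):
var PROXY_HOST = "10.0.1.1";        // pfSense LAN address, Squid on 3128
var PROXY_PORT = 3128;
var LAN_NET = "10.0.0.0";           // assumption: the LAN is 10.0.0.0/16
var LAN_MASK = "255.255.0.0";
var LOCAL_SUFFIX = ".lan.example";  // hypothetical internal DNS suffix

// --- Test scaffolding only: minimal versions of the PAC built-ins so this file
// can be evaluated outside a browser. Browsers provide their own; the guard
// below leaves an existing built-in untouched. Drop this block in production.
function pacIpToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
var pacStubs = {
  isPlainHostName: function (host) { return host.indexOf(".") === -1; },
  dnsDomainIs: function (host, domain) {
    return host.length >= domain.length &&
      host.slice(host.length - domain.length) === domain;
  },
  // Shell-style pattern: "*" matches any run, "?" one character.
  shExpMatch: function (str, shexp) {
    var re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  },
  // Dotted-quad hosts only; a browser's isInNet also resolves host names.
  isInNet: function (host, pattern, mask) {
    var h = pacIpToInt(host), p = pacIpToInt(pattern), m = pacIpToInt(mask);
    if (h === null || p === null || m === null) return false;
    return (h & m) === (p & m);
  }
};
for (var stubName in pacStubs) {
  if (typeof globalThis[stubName] === "undefined") globalThis[stubName] = pacStubs[stubName];
}
// --- End of test scaffolding.

function FindProxyForURL(url, host) {
  // Plain names, the internal suffix, loopback and anything on the LAN
  // (including the pfSense web GUI on 10.0.1.1) are reached directly.
  if (isPlainHostName(host) || dnsDomainIs(host, LOCAL_SUFFIX)) return "DIRECT";
  if (host === "localhost" || shExpMatch(host, "127.*")) return "DIRECT";
  if (isInNet(host, LAN_NET, LAN_MASK)) return "DIRECT";
  // Everything else goes through Squid. Deliberately no "; DIRECT" fallback:
  // with one, a browser that cannot reach the proxy quietly goes direct and
  // skips authentication, which is the bypass the LAN rule on 80/443 exists to stop.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

The one design choice worth keeping in mind is the missing DIRECT fallback. "PROXY 10.0.1.1:3128; DIRECT" looks friendlier, but it means any client that cannot reach Squid (or is tricked into thinking it cannot) falls back to unauthenticated direct access; with the LAN block on 80/443 in place that fallback would fail anyway, so the PAC should not offer it.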
                        marcelloc
                        last edited by Feb 7, 2015, 2:04 AM

                        Do you have a firewall rule allowing traffic to the squid port on LAN?

                        Try a tcpdump or a packet capture to see what packets you get from your client to the firewall.

                          BlazeStar
                          last edited by Feb 7, 2015, 2:15 AM

                          @marcelloc:

                          Do you have a firewall rule allowing traffic to the squid port on LAN?

                          Try a tcpdump or a packet capture to see what packets you get from your client to the firewall.

                          Like I said: squid WILL work in non transparent mode.

                          When I manually input the WPAD.DAT file address, Firefox will find it and connect to the proxy on port 3128, and will be able to access the Web.

                          So proxy is reachable on LAN.

                          The problem is browser auto-config.

                          I absolutely need this to work because we have road warrior laptops that come in and out of the network so I just want to tick "auto-detect proxy settings" and then all works well.

                            marcelloc
                            last edited by Feb 7, 2015, 2:31 AM

                            Google for: check dhcp received options

                            This way you will find if the problem is with dhcp config/options or Windows client.

                              BlazeStar
                              last edited by Feb 7, 2015, 2:42 AM

                              Thanks for the recommendation!

                              But I'm even more confused now!

                              ipconfig getpacket en0
                              op = BOOTREPLY
                              htype = 1
                              flags = 0
                              hlen = 6
                              hops = 0
                              xid = 186469971
                              secs = 1
                              ciaddr = 0.0.0.0
                              yiaddr = 10.0.1.10
                              siaddr = 0.0.0.0
                              giaddr = 0.0.0.0
                              chaddr = 10:9a:dd:50:62:63
                              sname = 
                              file = 
                              options:
                              Options count is 9
                              dhcp_message_type (uint8): ACK 0x5
                              server_identifier (ip): 10.0.1.1
                              lease_time (uint32): 0x15180
                              subnet_mask (ip): 255.255.0.0
                              router (ip_mult): {10.0.1.1}
                              domain_name_server (ip_mult): {10.0.1.1}
                              proxy_auto_discovery_url (string): http://10.0.1.1/proxy.pac
                              end (none): 

                              So it DOES see it :S

                              What's up with that?

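To check a lease like the one above without reading it by eye, here is a small parser for the "ipconfig getpacket" output, added as an example (it is not from the thread). It embeds the exact output BlazeStar posted as its sample input, pulls the fields and options into an object, and checks that the proxy_auto_discovery_url option (DHCP option 252) is present, is a well-formed HTTP URL, and points at the same host that handed out the lease (server_identifier). Only the option types visible in that output are handled.

```javascript
// Added example: parser for macOS "ipconfig getpacket" output plus a check
// of the WPAD URL option. The sample is the lease posted in this thread.
var SAMPLE_GETPACKET = [
  "op = BOOTREPLY",
  "htype = 1",
  "flags = 0",
  "hlen = 6",
  "hops = 0",
  "xid = 186469971",
  "secs = 1",
  "ciaddr = 0.0.0.0",
  "yiaddr = 10.0.1.10",
  "siaddr = 0.0.0.0",
  "giaddr = 0.0.0.0",
  "chaddr = 10:9a:dd:50:62:63",
  "sname = ",
  "file = ",
  "options:",
  "Options count is 9",
  "dhcp_message_type (uint8): ACK 0x5",
  "server_identifier (ip): 10.0.1.1",
  "lease_time (uint32): 0x15180",
  "subnet_mask (ip): 255.255.0.0",
  "router (ip_mult): {10.0.1.1}",
  "domain_name_server (ip_mult): {10.0.1.1}",
  "proxy_auto_discovery_url (string): http://10.0.1.1/proxy.pac",
  "end (none): "
].join("\n");

// Convert an option's raw text according to the type tag ipconfig prints.
// Only the types present in the sample are handled; anything else stays text.
function parseOptionValue(type, raw) {
  var text = raw.trim();
  switch (type) {
    case "uint8":
    case "uint16":
    case "uint32": {
      // e.g. "ACK 0x5" or "0x15180": the number is the last token
      var tokens = text.split(/\s+/);
      return Number(tokens[tokens.length - 1]);
    }
    case "ip_mult":
      // "{10.0.1.1}" or "{10.0.1.1, 10.0.1.2}" -> array of addresses
      return text.replace(/[{}]/g, "").split(/[\s,]+/)
                 .filter(function (s) { return s !== ""; });
    default:
      return text; // ip, string, none
  }
}

// Split the output into BOOTP header fields ("name = value") and DHCP
// options ("name (type): value") that follow the "options:" line.
function parseGetPacket(text) {
  var packet = { fields: {}, options: {}, optionCount: null };
  var lines = text.split(/\r?\n/);
  var inOptions = false;
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].trim();
    if (line === "") continue;
    if (line === "options:") { inOptions = true; continue; }
    if (!inOptions) {
      var f = /^(\w+)\s*=\s*(.*)$/.exec(line);
      if (f) packet.fields[f[1]] = f[2].trim();
      continue;
    }
    var c = /^Options count is (\d+)$/.exec(line);
    if (c) { packet.optionCount = Number(c[1]); continue; }
    var o = /^(\w+)\s*\(([^)]*)\):\s*(.*)$/.exec(line);
    if (o) packet.options[o[1]] = { type: o[2], value: parseOptionValue(o[2], o[3]) };
  }
  return packet;
}

// Check the WPAD URL (DHCP option 252) in a parsed lease: present, well
// formed, and hosted by the DHCP server itself (server_identifier).
function checkWpadLease(packet) {
  var opt = packet.options.proxy_auto_discovery_url;
  if (!opt) return { present: false, valid: false };
  var m = /^(https?):\/\/([^\/:?#]+)(?::(\d+))?(\/[^?#]*)?/.exec(opt.value);
  if (!m) return { present: true, valid: false, url: opt.value };
  var server = packet.options.server_identifier ? packet.options.server_identifier.value : null;
  return {
    present: true,
    valid: true,
    url: opt.value,
    scheme: m[1],
    host: m[2],
    port: m[3] ? Number(m[3]) : (m[1] === "https" ? 443 : 80),
    path: m[4] || "/",
    fromDhcpServer: server !== null && m[2] === server
  };
}
```

Two things the check surfaces for this lease: the option is there and names the DHCP server itself, so DHCP-side WPAD is configured correctly (a URL pointing at some other host is not automatically wrong, but since a client trusts whatever host option 252 names it is the first thing to verify); and the advertised file is proxy.pac, while the manual Firefox setting earlier in the thread used wpad.dat, so the web server on 10.0.1.1 has to serve the same content under both names.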
                                BlazeStar
                                last edited by Feb 7, 2015, 2:58 AM

                                Did some more testing…

                                It appears that only Firefox does not work.

                                Safari and Chrome do auto-discover proxy settings :S

                                My computer is OS X 10.10.2 and both Safari and Chrome use the network settings in the system preferences.

                                I just set it to auto-discovery and both work fine.

                                But Firefox will not work when on auto-detect.

                                  marcelloc
                                  last edited by Feb 7, 2015, 6:25 PM

                                  So, OS and pfSense config are fine. Did you capture traffic while using Firefox?

                                  Most times, we need to close Firefox and reopen it to get proxy settings changes applied correctly.

                                    BlazeStar
                                    last edited by Feb 10, 2015, 1:18 AM

                                    @marcelloc:

                                    So, OS and pfSense config are fine. Did you capture traffic while using Firefox?

                                    Most times, we need to close Firefox and reopen it to get proxy settings changes applied correctly.

                                    To test, I rebooted the whole computer, so Firefox was restarted by design ;)

                                    What do you mean by "capture traffic while using Firefox"?

                                    How can I do that?

                                    For now, on the desktops that are using Firefox, I entered the WPAD file address manually in the settings.

                                    But I'd really like to make the auto-detect work.

                                    Upon searching on Google, I found some old articles stating that Firefox does not support the DHCP way to get the WPAD file; it only supports the DNS way.

                                    But following this article:
                                    https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

                                    I did add a DNS host override like so:
                                    http://cl.ly/image/3k382b461r3N

                                    So it "works", but not the way I wanted it to... that is, the only setting needed on any computer should be to make it auto-detect proxy settings.

                                    I tested with IE, Safari and Chrome: all work.

                                    Only Firefox is whimsical.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.