Guide to configure squid, squidguard, https?
-
Did you search? Let me rephrase that.. ;) did you happen to see this guide on configuring dans with squid?
https://forum.pfsense.org/index.php?topic=47856.0
-
Since a lot of sites have gone HTTPS, you will need to configure Squid to process HTTPS. Are you doing that or only doing HTTP?
-
I have yet to see a guide for configuring Squid to process HTTPS. I know it involves creating a root CA on your box, have done that for OpenVPN in the past but it doesn't work well as you need to add the certificate to the end clients (I may be incorrect here). I just don't want to do that for my end clients. If it were like transparent mode it would had been way more simpler to deploy
-
If it were like transparent mode it would had been way more simpler to deploy
It's kind of the opposite, actually. In transparent mode, you have to worry about certs on the client side to stop MitM warnings. I ended up switching our config from transparent to standard, configured WPAD and blocked ports 80/443 on LAN. Now all my clients use the proxy without any problems and I don't have to screw around with certificates on every client. HTTPS just works.
-
Did you search? Let me rephrase that.. ;) did you happen to see this guide on configuring dans with squid?
https://forum.pfsense.org/index.php?topic=47856.0
Yes, I tried this guide without success.. I could not get Dan's to filter anything.
-
@KOM:
Since a lot of sites have gone HTTPS, you will need to configure Squid to process HTTPS. Are you doing that or only doing HTTP?
I will need to do HTTPS as Google images shows too much..
-
@KOM:
If it were like transparent mode it would had been way more simpler to deploy
It's kind of the opposite, actually. In transparent mode, you have to worry about certs on the client side to stop MitM warnings. I ended up switching our config from transparent to standard, configured WPAD and blocked ports 80/443 on LAN. Now all my clients use the proxy without any problems and I don't have to screw around with certificates on every client. HTTPS just works.
And you have manually setup the proxy on each machine? I would prefer not to go this route..
-
WPAD is the way to go.. There are ways around it but its the easiest to block pages HTTP/HTTPS without setting up MILM and dealing with certs.
-
WPAD is the way to go..
Yes, and it's simple. The only thing you have to do on each client is ensure the browser is set to automatic proxy detection, which is already the default on all browsers these days as far as I know. If you have a Windows AD structure then you can push down that setting through group policy if you wish. Configure WPAD, block 80/443 on LAN and then troubleshoot any stray users who suddenly have no web access.
https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
-
What about non- PC and non-Mac based clients? Like Smart TV, Blu-ray player etc. I use video caching.
-
If their network config supports a proxy then you're set. Otherwise, here is what I would do. I already would have blocks on LAN for ports 80 and 443 to force everyone to use the proxy by denying direct access. For the devices that don't support a proxy, I would add a rule just above the block rules allowing those IP addresses to talk directly on ports 80 and 443. So the devices go straight out, all other LAN clients get blocked and the only way they can talk is via the proxy.
-
WPAD is the way to go.. There are ways around it but its the easiest to block pages HTTP/HTTPS without setting up MILM and dealing with certs.
+1
-
Thanks for all the suggestions… I will look around for a good guide for WPAD configuration.
:)
-
I gave you the link for one in my previous post ;D
-
@KOM:
I gave you the link for one in my previous post ;D
Thanks, I did see that however I am not an expert like yourself ;), I was looking for a comprehensive guide from A to Z to configure WPAD..
Is this guide correct? :
http://irj972.co.uk/articles/pfSense-WPAD-PAC-configuration
Thanks
-
The guide I linked to was much easier for me to understand (I just did this whole exercise two weeks ago!) than the one you provided. Really, it's a lot easier than you think:
1. Login to pfSense via SSH and go to /usr/local/www
2. Create wpad.dat and stuff it with:function FindProxyForURL(url,host)
{
return "PROXY Your.Proxy.IP.Address:3128";
}3. Copy wpad.dat to wpad.da and proxy.pac to support other auto-discovery methods
4. Create a DNS entry for wpad and point it to your pfSense LAN IP
5. Create a DHCP Option 252 entry and point it to your pfSense WPAD URL: http://Your_pfSense_LAN_IP:Port/wpad.dat
6. Add LAN rules that block port 80 and port 43Done.
-
Only problem with that setup, pfSense should be using port 443 for the WebGUI which means port 80 isn't listening anymore. I've had look results adding v-host and dropping the wpad files into that folder for hosting.
-
pfSense should be using port 443 for the WebGUI which means port 80 isn't listening anymore
And yet it works. It probably listens on both but only serves on the specified port.
-
@KOM:
pfSense should be using port 443 for the WebGUI which means port 80 isn't listening anymore
And yet it works. It probably listens on both but only serves on the specified port.
Port 80 is closed when I enabled https and is free for another process to use.
-
Actually, I'm a moron. While my test 2.2 box is HTTPS, my 2.1.5 box is HTTP. Yes, if you have WebGUI set for HTTPS then you will need another web server to host the WPAD files.