Netgate Discussion Forum
    SQUID proxy authentication

    Scheduled Pinned Locked Moved General pfSense Questions
    17 Posts 4 Posters 14.2k Views
BlazeStar:

      Hi guys,

      Using 2.1.5-RELEASE with squid3 3.1.20 pkg 2.1.2

      I was trying to activate authentication.

      I've been running squid3 for a good while in transparent mode and all was working perfectly.

Here's what I did:

      1. Set up my users in Services > Proxy > Users

      2. Disable Transparent HTTP proxy in Services > Proxy > General

      3. Select LOCAL Authentication method in Services > Proxy > Authentication

      4. Saved everything, rebooted pfSense server

      Then: nothing happens!

      It behaves just like it did when it was in transparent mode.

      Any idea why?

      My configuration is really almost factory default.

      The only configurations I modified in the SQUID proxy settings are the ones described above, and also I added the DNS-servers from my ISP in the "Use alternate DNS-servers for the proxy-server" otherwise I'd get terrible DNS delays.

BlazeStar:

        So I've been messing around and can't find anything wrong :'(

        Any help would be awesomely appreciated

KOM:

          If you disable Transparent mode, how do your clients know to go to the proxy?

mendilli:

            @KOM:

            If you disable Transparent mode, how do your clients know to go to the proxy?

KOM is right. In this case you have to set your proxy settings in each of your clients' browsers, or you should deploy your proxy information with WPAD/PAC via DHCP/DNS.

BlazeStar:

              Hello,

              I was going to set up a WPAD host with DHCP option 252 for that.

But what puzzles me is that even if I disabled transparent mode, everyone still has access to the internet.

Maybe there's a step I missed to force all HTTP and HTTPS traffic from the LAN to go through the proxy?

Should I block ports 80 and 443 in the NAT and FIREWALL (block outgoing traffic from LAN)?

I'm new to pfSense; the previous gateway appliance I was using would do all this automatically when I disabled transparent mode and set up a proxy server.

KOM:

Of course they still have access. Squid in Transparent mode just redirects the traffic from port 80 to 3128. It doesn't block port 80, so anyone not using the proxy has full, direct access. That's why it's usually a good idea to block ports 80/443 on LAN. Then nobody gets around the proxy.

BlazeStar:

                  Yup that was stupid indeed.

                  I still can't make the WPAD to work.

                  But after blocking the port I tried manually configuring the proxy address in firefox.

It does ask for authentication right away!

                  But when I enter the credentials of a user I put in

                  Service > Proxy Server > Users

                  It will not work.

                  The proxy log shows TCP DENIED/407

                  Any idea?

marcelloc:

Try to use squid3-dev on pfSense 2.1. The Squid3 package is still on the old 3.1.

And then check firewall rules on LAN to deny direct access to 80, 443, etc. (HTTP ports).

And on client browsers, check whether "detect proxy settings" is checked.

Elite Training: http://sys-squad.com

                    Help a community developer! ;D

BlazeStar:

                      Okay I thought squid3-dev was beta or something.

Will try and report back, thanks!

BlazeStar:

                        Now using squid3-dev / 3.3.10 pkg 2.2.8

                        Same problem :(

                        To sum it up:

                        I've been using SQUID proxy for a while now in transparent mode and it works fine.

My goal is to switch it to non-transparent mode.

Then toggle authentication.

Then install SquidGuard.

So, first step, non-transparent mode:

                        1. Services > Proxy Server
                          I uncheck the Transparent HTTP proxy checkbox.

                        2. Firewall > Rules > LAN
                          I block HTTP port (80) for TCP

                        3. To make auto-configuration I followed this:
                          https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

                        After creating the files I added additional DHCP options like so:
                        http://cl.ly/image/430u022O3N3T

                        I also added a DNS host override like so:
                        http://cl.ly/image/3k382b461r3N

                        Then I fire up a browser (I used Firefox and Safari)
                        None will work.

If I input the WPAD file manually in Firefox, it WILL work perfectly!
                        (In the network settings, specify the auto-config address, I add: http://10.0.1.1/wpad.dat)

                        If I leave it to "auto-detect proxy settings" it will NOT work.

                        So proxy in non transparent mode WORKS.

                        Auto detection does NOT work.

Again, I followed every single step in this document:
                        https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

                        Any idea how to make it work please?

                        I've been stuck on this for so long I'm about to cry ;)

                        PS: Before you ask, I did reboot pfSense after all changes have been made.

marcelloc:

                          Do you have a firewall rule allowing traffic to squid port on lan?

Try a tcpdump or a packet capture to see what packets you get from your client to the firewall.


BlazeStar:

                            @marcelloc:

                            Do you have a firewall rule allowing traffic to squid port on lan?

Try a tcpdump or a packet capture to see what packets you get from your client to the firewall.

                            Like I said: squid WILL work in non transparent mode.

When I manually input the WPAD.DAT file address, Firefox will find it and connect to the proxy on port 3128, and will be able to access the Web.

                            So proxy is reachable on LAN.

                            The problem is browser auto-config.

                            I absolutely need this to work because we have road warrior laptops that come in and out of the network so I just want to tick "auto-detect proxy settings" and then all works well.

marcelloc:

                              Google for: check dhcp received options

                              This way you will find if the problem is with dhcp config/options or Windows client.


BlazeStar:

                                Thanks for the recommendation!

                                But I'm even more confused now!

                                ipconfig getpacket en0
                                op = BOOTREPLY
                                htype = 1
                                flags = 0
                                hlen = 6
                                hops = 0
                                xid = 186469971
                                secs = 1
                                ciaddr = 0.0.0.0
                                yiaddr = 10.0.1.10
                                siaddr = 0.0.0.0
                                giaddr = 0.0.0.0
                                chaddr = 10:9a:dd:50:62:63
                                sname = 
                                file = 
                                options:
                                Options count is 9
                                dhcp_message_type (uint8): ACK 0x5
                                server_identifier (ip): 10.0.1.1
                                lease_time (uint32): 0x15180
                                subnet_mask (ip): 255.255.0.0
                                router (ip_mult): {10.0.1.1}
                                domain_name_server (ip_mult): {10.0.1.1}
                                proxy_auto_discovery_url (string): http://10.0.1.1/proxy.pac
                                end (none): 
                                
                                

                                So it DOES see it :S

                                What's up with that ?

BlazeStar:

                                  Did some more testing…

                                  It appears that only Firefox does not work.

                                  Safari and Chrome do auto-discover proxy settings :S

                                  My computer is OS X 10.10.2 and both Safari and Chrome use the network settings in the system preferences.

                                  I just set it to auto-discovery and both work fine.

But Firefox will not work when on auto-detect.

marcelloc:

So, OS and pfSense config are fine. Did you capture traffic while using Firefox?

                                    Most times, we need to close firefox and reopen to get proxy settings changes applied correctly.


BlazeStar:

                                      @marcelloc:

So, OS and pfSense config are fine. Did you capture traffic while using Firefox?

                                      Most times, we need to close firefox and reopen to get proxy settings changes applied correctly.

                                      To test, I rebooted the whole computer, so Firefox was restarted by design ;)

                                      What do you mean by "capture traffic while using firefox" ?

                                      How can I do that?

                                      For now, on the desktops that are using firefox, I made the input manually for the WPAD file in the settings.

                                      But I'd really like to make the auto-detect work.

Upon searching on Google, I found some old articles stating that Firefox does not support the DHCP way to get the WPAD file; it only supports the DNS way.

                                      But following this article:
                                      https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

                                      I did add a DNS host override like so:
                                      http://cl.ly/image/3k382b461r3N

So it "works", but not the way I wanted it to; that is, the only setting needed on any computer should be to make it auto-detect proxy settings.

I tested with IE, Safari and Chrome: all work.

                                      Only Firefox is whimsical

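A PAC file matching the setup described in this thread (non-transparent Squid, LAN rule blocking direct 80/443, WPAD via DHCP option 252 and via DNS for Firefox), added here as an illustration; it is not the pfSense wiki's wpad.dat nor any poster's file. It assumes Squid on the pfSense box at 10.0.1.1:3128 and a 10.0.0.0/16 LAN (the DHCP reply above shows subnet_mask 255.255.0.0), and is meant to be served under both names that appear in the thread, wpad.dat and proxy.pac.

```javascript
// Added example, not the pfSense wiki's wpad.dat. Assumed values: Squid at
// 10.0.1.1:3128 on the pfSense box, LAN 10.0.0.0/16.
var PROXY_LIST = "PROXY 10.0.1.1:3128";   // deliberately no "; DIRECT" fallback
var LAN_NET = "10.0.0.0";
var LAN_MASK = "255.255.0.0";
var IPV4_LITERAL = /^(\d{1,3}\.){3}\d{1,3}$/;

// Browsers inject isPlainHostName() and isInNet() into the PAC sandbox. The
// stand-ins below are defined only when those are absent, so the same file can
// be exercised under Node; inside a browser the native helpers are used.
if (typeof isPlainHostName !== "function") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}
if (typeof isInNet !== "function") {
  globalThis.isInNet = function (ip, net, mask) {
    var toInt = function (a) {
      return a.split(".").reduce(function (acc, o) { return acc * 256 + Number(o); }, 0);
    };
    return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
  };
}

function FindProxyForURL(url, host) {
  // Loopback and bare single-label names (internal hosts) bypass Squid.
  if (host === "localhost" || host === "127.0.0.1" || isPlainHostName(host)) {
    return "DIRECT";
  }
  // IP literals inside the LAN, e.g. the pfSense GUI at 10.0.1.1, go direct.
  // Only literals are tested so the browser never has to resolve a name here.
  if (IPV4_LITERAL.test(host) && isInNet(host, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // Everything else, HTTP and HTTPS alike, must use the proxy. Without a
  // DIRECT fallback a client cannot silently go around Squid when it is
  // down, which is consistent with the LAN rule blocking 80/443 directly.
  return PROXY_LIST;
}
```

Because there is no "; DIRECT" fallback, a browser that cannot reach Squid fails closed instead of bypassing it, which is what the LAN block on 80/443 enforces anyway.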
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.