Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Guide to configure squid, squidguard, https?

    Scheduled Pinned Locked Moved pfSense Packages
    38 Posts 10 Posters 8.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      thecableguy
      last edited by

      @Asterix:

      Did you search? Let me rephrase that..  ;)  did you happen to see this guide on configuring dans with squid?

      https://forum.pfsense.org/index.php?topic=47856.0

      Yes, I tried this guide without success.. I could not get Dan's to filter anything.

      1 Reply Last reply Reply Quote 0
      • T
        thecableguy
        last edited by

        @KOM:

        Since a lot of sites have gone HTTPS, you will need to configure Squid to process HTTPS.  Are you doing that or only doing HTTP?

        I will need to do HTTPS as Google images shows too much..

        1 Reply Last reply Reply Quote 0
        • T
          thecableguy
          last edited by

          @KOM:

          If it were like transparent mode it would had been way more simpler to deploy

          It's kind of the opposite, actually.  In transparent mode, you have to worry about certs on the client side to stop MitM warnings.  I ended up switching our config from transparent to standard, configured WPAD and blocked ports 80/443 on LAN.  Now all my clients use the proxy without any problems and I don't have to screw around with certificates on every client.  HTTPS just works.

          And you have manually setup the proxy on each machine? I would prefer not to go this route..

          1 Reply Last reply Reply Quote 0
          • C
            Cino
            last edited by

            WPAD is the way to go..  There are ways around it but its the easiest to block pages HTTP/HTTPS without setting up MILM and dealing with certs.

            1 Reply Last reply Reply Quote 0
            • KOMK
              KOM
              last edited by

              WPAD is the way to go..

              Yes, and it's simple.  The only thing you have to do on each client is ensure the browser is set to automatic proxy detection, which is already the default on all browsers these days as far as I know.  If you have a Windows AD structure then you can push down that setting through group policy if you wish.  Configure WPAD, block 80/443 on LAN and then troubleshoot any stray users who suddenly have no web access.

              https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

              1 Reply Last reply Reply Quote 0
              • A
                asterix
                last edited by

                What about non- PC and non-Mac based clients? Like Smart TV, Blu-ray player etc. I use video caching.

                1 Reply Last reply Reply Quote 0
                • KOMK
                  KOM
                  last edited by

                  If their network config supports a proxy then you're set.  Otherwise, here is what I would do.  I already would have blocks on LAN for ports 80 and 443 to force everyone to use the proxy by denying direct access.  For the devices that don't support a proxy, I would add a rule just above the block rules allowing those IP addresses to talk directly on ports 80 and 443.  So the devices go straight out, all other LAN clients get blocked and the only way they can talk is via the proxy.

                  1 Reply Last reply Reply Quote 0
                  • marcellocM
                    marcelloc
                    last edited by

                    @Cino:

                    WPAD is the way to go..  There are ways around it but its the easiest to block pages HTTP/HTTPS without setting up MILM and dealing with certs.

                    +1

                    Treinamentos de Elite: http://sys-squad.com

                    Help a community developer! ;D

                    1 Reply Last reply Reply Quote 0
                    • T
                      thecableguy
                      last edited by

                      Thanks for all the suggestions… I will look around for a good guide for WPAD configuration.

                      :)

                      1 Reply Last reply Reply Quote 0
                      • KOMK
                        KOM
                        last edited by

                        I gave you the link for one in my previous post  ;D

                        1 Reply Last reply Reply Quote 0
                        • T
                          thecableguy
                          last edited by

                          @KOM:

                          I gave you the link for one in my previous post  ;D

                          Thanks, I did see that however I am not an expert like yourself  ;), I was looking for a comprehensive guide from A to Z to configure WPAD..

                          Is this guide correct? :

                          http://irj972.co.uk/articles/pfSense-WPAD-PAC-configuration

                          Thanks

                          1 Reply Last reply Reply Quote 0
                          • KOMK
                            KOM
                            last edited by

                            The guide I linked to was much easier for me to understand (I just did this whole exercise two weeks ago!) than the one you provided.  Really, it's a lot easier than you think:

                            1.  Login to pfSense via SSH and go to /usr/local/www
                            2.  Create wpad.dat and stuff it with:

                            function FindProxyForURL(url,host)
                            {
                            return "PROXY Your.Proxy.IP.Address:3128";
                            }

                            3.  Copy wpad.dat to wpad.da and proxy.pac to support other auto-discovery methods
                            4.  Create a DNS entry for wpad and point it to your pfSense LAN IP
                            5.  Create a DHCP Option 252 entry and point it to your pfSense WPAD URL: http://Your_pfSense_LAN_IP:Port/wpad.dat
                            6.  Add LAN rules that block port 80 and port 43

                            Done.

                            1 Reply Last reply Reply Quote 0
                            • C
                              Cino
                              last edited by

                              Only problem with that setup, pfSense should be using port 443 for the WebGUI which means port 80 isn't listening anymore.  I've had look results adding v-host and dropping the wpad files into that folder for hosting.

                              1 Reply Last reply Reply Quote 0
                              • KOMK
                                KOM
                                last edited by

                                pfSense should be using port 443 for the WebGUI which means port 80 isn't listening anymore

                                And yet it works.  It probably listens on both but only serves on the specified port.

                                1 Reply Last reply Reply Quote 0
                                • C
                                  Cino
                                  last edited by

                                  @KOM:

                                  pfSense should be using port 443 for the WebGUI which means port 80 isn't listening anymore

                                  And yet it works.  It probably listens on both but only serves on the specified port.

                                  Port 80 is closed when I enabled https and is free for another process to use.

                                  1 Reply Last reply Reply Quote 0
                                  • KOMK
                                    KOM
                                    last edited by

                                    Actually, I'm a moron.  While my test 2.2 box is HTTPS, my 2.1.5 box is HTTP.  Yes, if you have WebGUI set for HTTPS then you will need another web server to host the WPAD files.

                                    1 Reply Last reply Reply Quote 0
                                    • cwagzC
                                      cwagz
                                      last edited by

                                      Couple of questions:

                                      So if I put the wpad.dat files on a virtual webserver on my network I could leave pfsense GUI on 443?

                                      and

                                      If Squid is used in normal mode does it filter HTTPS without having to do the man in the middle thing?  I am trying to decide how to protect my kids as well…

                                      Thanks
                                      Chad

                                      Netgate 6100 MAX

                                      1 Reply Last reply Reply Quote 0
                                      • marcellocM
                                        marcelloc
                                        last edited by

                                        Chad,  if wpad stays out of pfsense box(or at least out of default web server)  you can leave it 443.

                                        While using active proxy,  you can filter https sites but not https urls without ssl interception.

                                        Treinamentos de Elite: http://sys-squad.com

                                        Help a community developer! ;D

                                        1 Reply Last reply Reply Quote 0
                                        • cwagzC
                                          cwagz
                                          last edited by

                                          Thanks marcelloc,

                                          I have gotten my setup working with wpad and was pretty happy but then found that minecraft would not use the proxy and failed to launch. I then setup a transparent proxy and everything works good but of course the kids can bypass the filter by going https. I then got https filtering working in transparent mode only to find that Minecraft won't buy my CA and therefore won't download it's package from Amazon.

                                          Is there a way to have traffic out to a specic website not go through the ssl interception?
                                          Anyone have a good solution?

                                          Chad

                                          Netgate 6100 MAX

                                          1 Reply Last reply Reply Quote 0
                                          • KOMK
                                            KOM
                                            last edited by

                                            When you have your proxy in standard mode (non-transparent), you typically use firewall rules to block access from LAN to ports 80 and 443.  In your case, you want to add a rule above the block rule that specifically allows your Minecraft box to talk on 80/443 or whatever Minecraft uses for its updates.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.