Netgate Discussion Forum

    SQUID proxy authentication

    General pfSense Questions
    • KOM

      Of course they still have access.  Squid in Transparent mode just redirects the traffic from port 80 to 3128.  It doesn't block port 80, so anyone not using the proxy has full, direct access.  That's why it's usually a good idea to block ports 80/443 on LAN.  Then nobody gets around the proxy.

      • BlazeStar

        Yup that was stupid indeed.

        I still can't make the WPAD to work.

        But after blocking the port I tried manually configuring the proxy address in firefox.

        It does ask for authentication right away!

        But when I enter the credentials of a user I put in

        Service > Proxy Server > Users

        It will not work.

        The proxy log shows TCP DENIED/407

        Any idea?

        • marcelloc

          Try to use squid3-dev on pfsense 2.1. Squid3 package is still on old 3.1.

          And then check firewall rules on lan to deny direct access to 80,443,etc http ports.

          And on client browsers, check if detect proxy settings are checked.

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

          • BlazeStar

            Okay I thought squid3-dev was beta or something.

            Will try and report back, thanks !

            • BlazeStar

              Now using squid3-dev / 3.3.10 pkg 2.2.8

              Same problem :(

              To sum it up:

              I've been using SQUID proxy for a while now in transparent mode and it works fine.

              My goal is to make it to non transparent mode.

              Then toggle authentication.

              Then install SquidGuard.

              So first step to non transparent mode :

              1. Services > Proxy Server
                I uncheck the Transparent HTTP proxy checkbox.

              2. Firewall > Rules > LAN
                I block HTTP port (80) for TCP

              3. To make auto-configuration I followed this:
                https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

              After creating the files I added additional DHCP options like so:
              http://cl.ly/image/430u022O3N3T

              I also added a DNS host override like so:
              http://cl.ly/image/3k382b461r3N

              Then I fire up a browser (I used Firefox and Safari)
              None will work.

              If I input the WPAD file manually in Firefox, it WILL work perfectly !
              (In the network settings, specify the auto-config address, I add: http://10.0.1.1/wpad.dat)

              If I leave it to "auto-detect proxy settings" it will NOT work.

              So proxy in non transparent mode WORKS.

              Auto detection does NOT work.

              Again, I followed every single step in this document:
              https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

              Any idea how to make it work please?

              I've been stuck on this for so long I'm about to cry ;)

              PS: Before you ask, I did reboot pfSense after all changes have been made.

              • marcelloc

                Do you have a firewall rule allowing traffic to squid port on lan?

                Try a tcpdump or a packet capture to see what packets you get from your client to firewall.

                • BlazeStar

                  @marcelloc:

                  Do you have a firewall rule allowing traffic to squid port on lan?

                  Try a tcpdump or a packet capture to see what packets you get from your client to firewall.

                  Like I said: squid WILL work in non transparent mode.

                  When I input manually the WPAD.DAT file address, Firefox will find it and connect to the proxy on port 3128, and will be able to access the Web.

                  So proxy is reachable on LAN.

                  The problem is browser auto-config.

                  I absolutely need this to work because we have road warrior laptops that come in and out of the network so I just want to tick "auto-detect proxy settings" and then all works well.

                  • marcelloc

                    Google for: check dhcp received options

                    This way you will find if the problem is with dhcp config/options or Windows client.

                    • BlazeStar

                      Thanks for the recommendation!

                      But I'm even more confused now!

                      ipconfig getpacket en0
                      op = BOOTREPLY
                      htype = 1
                      flags = 0
                      hlen = 6
                      hops = 0
                      xid = 186469971
                      secs = 1
                      ciaddr = 0.0.0.0
                      yiaddr = 10.0.1.10
                      siaddr = 0.0.0.0
                      giaddr = 0.0.0.0
                      chaddr = 10:9a:dd:50:62:63
                      sname = 
                      file = 
                      options:
                      Options count is 9
                      dhcp_message_type (uint8): ACK 0x5
                      server_identifier (ip): 10.0.1.1
                      lease_time (uint32): 0x15180
                      subnet_mask (ip): 255.255.0.0
                      router (ip_mult): {10.0.1.1}
                      domain_name_server (ip_mult): {10.0.1.1}
                      proxy_auto_discovery_url (string): http://10.0.1.1/proxy.pac
                      end (none): 
                      
                      

                      So it DOES see it :S

                      What's up with that ?

                      • BlazeStar

                        Did some more testing…

                        It appears that only Firefox does not work.

                        Safari and Chrome do auto-discover proxy settings :S

                        My computer is OS X 10.10.2 and both Safari and Chrome use the network settings in the system preferences.

                        I just set it to auto-discovery and both work fine.

                        But Firefox will not work when on auto-detect.

                        • marcelloc

                          So, OS and pfsense config are fine. Did you capture traffic while using firefox?

                          Most times, we need to close firefox and reopen to get proxy settings changes applied correctly.

                          • BlazeStar

                            @marcelloc:

                            So, OS and pfsense config are fine. Did you capture traffic while using firefox?

                            Most times, we need to close firefox and reopen to get proxy settings changes applied correctly.

                            To test, I rebooted the whole computer, so Firefox was restarted by design ;)

                            What do you mean by "capture traffic while using firefox" ?

                            How can I do that?

                            For now, on the desktops that are using firefox, I made the input manually for the WPAD file in the settings.

                            But I'd really like to make the auto-detect work.

                            Upon searching on Google, I found some old articles stating that Firefox does not support the DHCP way to get the WPAD file, it only supports the DNS way.

                            But following this article:
                            https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

                            I did add a DNS host override like so:
                            http://cl.ly/image/3k382b461r3N

                            So it "works" but not like I wanted it to be.. that is, only setting needed on any computer is to make it auto-detect proxy settings.

                            I tested with IE, Safari and Chrome : all work.

                            Only Firefox is whimsical
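
An added example, not part of any post in this thread: a Python check over the lease output shown earlier that extracts the PAC URL delivered by DHCP and lists the URL a client doing only DNS-based WPAD discovery (as the last post reports reading about Firefox) would request instead. The search domain `example.lan` and the `domain_name` option label are assumptions, not values from the thread.

```python
import re

# Option lines copied (abridged) from the `ipconfig getpacket en0` output
# posted in this thread.
SAMPLE_LEASE = """\
yiaddr = 10.0.1.10
options:
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 10.0.1.1
subnet_mask (ip): 255.255.0.0
router (ip_mult): {10.0.1.1}
domain_name_server (ip_mult): {10.0.1.1}
proxy_auto_discovery_url (string): http://10.0.1.1/proxy.pac
end (none):
"""

OPTION_RE = re.compile(r"^\s*(\w+) \((\w+)\):\s*(.*)$")

def parse_options(dump):
    """Return {option_name: value} for the lines after 'options:'."""
    opts, in_opts = {}, False
    for line in dump.splitlines():
        if line.strip() == "options:":
            in_opts = True
            continue
        m = OPTION_RE.match(line) if in_opts else None
        if m:
            opts[m.group(1)] = m.group(3).strip()
    return opts

def dns_wpad_urls(search_domains):
    """DNS-based WPAD resolves a host named 'wpad' under each search
    domain and fetches /wpad.dat from it over HTTP."""
    return [f"http://wpad.{d.strip('.')}/wpad.dat"
            for d in search_domains if d.strip(".")]

def wpad_report(dump, fallback_domains=()):
    """Compare what DHCP hands out with what a DNS-only client would try."""
    opts = parse_options(dump)
    # Assumption: the DHCP domain name option is printed as 'domain_name'.
    domain = opts.get("domain_name")
    domains = [domain] if domain else list(fallback_domains)
    return {"dhcp_url": opts.get("proxy_auto_discovery_url"),
            "lease_has_domain": domain is not None,
            "dns_urls": dns_wpad_urls(domains)}

if __name__ == "__main__":
    print(wpad_report(SAMPLE_LEASE, ["example.lan"]))  # example.lan is hypothetical
```

On the sample lines the report shows a DHCP-delivered URL ending in `proxy.pac` and no domain name in the lease, so the DNS candidate depends on the search domain configured on the client and on `wpad.dat` being served by the host that name resolves to.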

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.