Configure squid & squidguard/dansguardian with SSL $60
-
I am trying to get this to work as well. I don't have the time to spear-head this, but I am willing to compare notes and beta-test with anyone who is.
I don't need the $60 (or any part thereof), so if anyone is interested in heading this up, please don't use that as a reason not to.
-
You can follow this thread https://forum.pfsense.org/index.php?topic=73640.0
Summery
Install
squid3-dev
squidGuard-squid3
System PatchesGo System: Patches
Then add new patch
Description - give a name
URL/Commit ID - leave blank
Patch Contents--- squidguard_configurator.inc.orig +++ squidguard_configurator.inc @@ -94,3 +94,3 @@ -define('REDIRECTOR_OPTIONS_REM', '# squidGuard options'); -define('REDIRECTOR_PROGRAM_OPT', 'redirect_program'); -define('REDIRECT_BYPASS_OPT', 'redirector_bypass'); +define('REDIRECTOR_OPTIONS_REM', '# squidGuard options'); +define('REDIRECTOR_PROGRAM_OPT', 'url_rewrite_program'); +define('REDIRECT_BYPASS_OPT', 'url_rewrite_bypass'); @@ -98,1 +98,1 @@ -define('REDIRECTOR_PROCESS_COUNT', '5'); # redirector processes count will started +define('REDIRECTOR_PROCESS_COUNT', '16 startup=8 idle=4 concurrency=0'); # redirector processes count will started
Path Strip Count: leave as default
Base Directory - /usr/local/pkg
Ignore Whitespace tic
Auto Apply no
save
Click test
then applyin Proxy server
Proxy interface(s) - lan
Proxy port - default
ICP port - default
Allow users on interface - tic
Patch captive portal - default
Resolv dns v4 first - tic
Disable ICMP - default
Use alternate DNS-servers for the proxy-server - default
Transparent HTTP proxy - tic
Transparent Proxy interface(s) - lan
Bypass proxy for Private Address destination - default
Bypass proxy for these source IPs - default
Bypass proxy for these destination IPs - default
HTTPS/SSL interception - tic
SSL Intercept interface(s) - lan
SSL Proxy port - default
CA We will come back to this
sslcrtd children - default
Remote Cert checks - Click accept remote server certificate errors
Certificate adapt - none (unselect is ctrl click)
Logging Settings - all defaultIntegrations
for i386redirect_program /usr/pbi/squidguard-squid3-i386/bin/squidGuard -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf;redirector_bypass off;url_rewrite_children 5
for amd64
url_rewrite_program /usr/pbi/squidguard-squid3-amd64/bin/squidGuard -c /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=0
Custom ACLS (Before_Auth)
always_direct allow all ssl_bump server-first all
save
Local cache can be set up later, same with antivirus
Proxy filter SquidGuard: General settings
enable
add a black listnow create a Certificate
Follow this guide
http://www.sxl.net/guides/how-to-setup-pfsense-ssl-certificate-authority/
Put it on all computersthen
Proxy server: General settings
CA = your certificate
Save–--------------------------------------------------------
[Issue to fix] Windows updates and other updates like adobe can not connectHope this helps
-
Many thanks, I'll give it a try tomorrow.
-
How did you go?
-
aGeekHere i know this post is old but im curious about the certificate. In your post it says install it on all the computers but what about on the phones? Would I still get that certificate error? I haven't tried this just because I would need to install certificate on all the computers. Or did i understand wrong?
Thank you
-
Its a old post, I suggest you use pfsense 2.1.5 in case you want to use these settings, it is more stable than current release. You can load self signed certificate in phone too, but its a pain. I suggest to put them in the bypass list.
-
Its a old post, I suggest you use pfsense 2.1.5 in case you want to use these settings, it is more stable than current release. You can load self signed certificate in phone too, but its a pain. I suggest to put them in the bypass list.
but if i put it on the bypass list https wont get blocked on phones or am i wrong? I was considering to do wpad but currently pfBlockerNG does get the job done besides youtube. :-[ And only shows cannot find page which kinda sucks compared to website blocked notification though squidguard
off topic completely for exograpix: any news when e2guardian is coming out for pfSense 2.2.2?
-
Hi, yes you need to put it in the phone and tablets and ANY/ALL other devices, old post but most of the steps still are still correct.
You can skip System Patches part.
-
but it seems like for pfSense 2.2.2 theres issues with squid3
-
Lots of issues, don't waste on latest version, it is very unstable
-
I am moving (trying to workout how to set it up now) from using a Transparent proxy to using a WPAD.
-
Do send the process if you are successful.
-
any update on fixing squid3 for 2.2.2? :)
-
any update on fixing squid3 for 2.2.2? :)
squid3 works fine with 2.2.2 for Transparent HTTP proxy (have not tried https).
Or are you referring to setting up a WPAD with squid3 for pfsense 2.2.2, if that is the case, i am working on it (getting somewhere).
-
well.. if i reboot i need to stop squid3 and squidGuard and start it again weird..but it works. I just gave up on https so I use pfblockerNG for all the https sites (facebook,twitter,whatsapp) Funny thing I cant get youtube to block though IP. :-[
But in theory 90 percent of people when they go to youtube or facebook they usually type on the url facebook.com that always comes at http. But if you search in google facebook it will come as https (thats where pfBlockerNG comes in)
I have been also following your post for WPAD pretty impressive stuff best of luck ;) But one thing i cant understand is how WPAD works with squid or squidGuard
-
if i reboot i need to stop squid3 and squidGuard and start it again weird
I have to reinstall the blocklist.
I have been also following your post for WPAD pretty impressive stuff best of luck
If I work it out i'll post a how to;
-
I have to reinstall the blocklist.
thats the worst hopefully fix soon :)
If I work it out i'll post a how to
Thanks ;)
-
Just to post an update I have got the wpad working with http and https filtering working without using a transparent proxy.
see link https://forum.pfsense.org/index.php?topic=93060.msg516254#msg516254Hope this helps some people
-
Squid3 works just fine for me in explicit mode.