Pfsense and squid proxy filter not block extension after update
-
Hi,
I have updated to latest version of pfsense, but on reboot, squid proxy filter not present.
I have reinstall and reboot and present again, but not block working on block extension file.I have on target categories -> regular expression this:
(./..(ade|adp|app|bas|bat|cab|cmd|com|cpl|dll|exe|gz|inf|ini|msi|prg|scf|scr|vbe|vbs|vb|bz2|cdr|cue|dmg|hqx|sea|sit|smi|avi|midi|mov|mp3|mp4|mpeg|mpg|ogg|qt|rar|wav|wma|wmf|wmv|zip|7z))
But not filter after update.
Anything i do wrong?
Thank you for help
-
Anyone for my problem?
thank you -
@ricain59 Have you looked in squidguard's log?
-
@kom Yes but not appear block extension :(
-
@ricain59 Is it blocking anything? Is squidguard working at all?
The pfSense docs show a different string. Yours has a forward slash and periods that I don't understand. Netgate uses:
(.*\/.*\.(asf|wm|wma|wmv|zip|rar|cab|mp3|avi|mpg|swf|exe|mpeg|mp.|mpv|mp3|wm.|vpu))Configuring the SquidGuard Package
Edit: I just tried it myself and while it blocks domains in my blacklist category, it doesn't block the download of an .exe file when I use the Netgate string.
-
Yes this is block domain but not download files. In the log not appear anything about block.
Anyway to resolve this? -
@ricain59 said in Pfsense and squid proxy filter not block extension after update:
Yes this is block domain but not download files. In the log not appear anything about block.
Anyway to resolve this?Could you show the generated
/usr/local/etc/squid/squid.conffile? -
@viktor_g said in Pfsense and squid proxy filter not block extension after update:
/usr/local/etc/squid/squid.conf
Of course, the file:
# This file is automatically generated by pfSense # Do not edit manually ! http_port x.x.x.x:8080 http_port 127.0.0.1:8080 tcp_outgoing_address x.x.x.x icp_port 0 digest_generation off dns_v4_first off pid_filename /var/run/squid/squid.pid cache_effective_user squid cache_effective_group proxy error_default_language pt icon_directory /usr/local/etc/squid/icons visible_hostname localhost cache_mgr help-desk@fafedis.pt access_log /var/squid/logs/access.log cache_log /var/squid/logs/cache.log cache_store_log none netdb_filename /var/squid/logs/netdb.state pinger_enable on pinger_program /usr/local/libexec/squid/pinger logfile_rotate 0 debug_options rotate=0 shutdown_lifetime 3 seconds # Allow local network(s) on interface(s) acl localnet src x.x.x.0/24 127.0.0.0/8 forwarded_for on uri_whitespace strip acl dynamic urlpath_regex cgi-bin \? cache deny dynamic cache_mem 512 MB maximum_object_size_in_memory 256 KB memory_replacement_policy heap GDSF cache_replacement_policy heap LFUDA minimum_object_size 0 KB maximum_object_size 4 MB cache_dir ufs /var/squid/cache 3000 16 256 offline_mode off cache_swap_low 90 cache_swap_high 95 cache allow all # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 #Remote proxies # Setup some default acls # ACLs all, manager, localhost, and to_localhost are predefined. acl allsrc src all acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 80 8080 3129 1025-65535 acl sslports port 443 563 80 acl purge method PURGE acl connect method CONNECT # Define protocols used for redirects acl HTTP proto HTTP acl HTTPS proto HTTPS acl allowed_subnets src x.x.x.0/24 acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl" acl sslwhitelist ssl::server_name_regex -i "/var/squid/acl/whitelist.acl" acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl" http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections http_access allow localhost request_body_max_size 0 KB delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 delay_access 1 allow allsrc # Reverse Proxy settings # Package Integration url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf url_rewrite_bypass off url_rewrite_children 16 startup=8 idle=4 concurrency=0 # Custom options before auth # Always allow access to whitelist domains http_access allow whitelist # Block access to blacklist domains http_access deny blacklist # Set YouTube safesearch restriction acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com request_header_access YouTube-Restrict deny all request_header_add YouTube-Restrict none youtubedst auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /var/etc/squid.passwd auth_param basic children 5 auth_param basic realm Please enter your credentials to access the proxy auth_param basic credentialsttl 5 minutes acl password proxy_auth REQUIRED authenticate_ip_ttl 5 minute # Custom options after auth http_access allow password localnet http_access allow password allowed_subnets # Default block all to be sure http_access deny allsrc icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_encode off icap_client_username_header X-Authenticated-User icap_preview_enable on icap_preview_size 1024 icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off adaptation_access service_avi_req allow all icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on adaptation_access service_avi_resp allow all -
Anyone for help?
Thank you
