@karimhaydar31 said in connection is not private when using Chrome:

X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN

The certificate is valid, but not co-signed by one of the major players, like Verisign etc. see here for a list.

The thing is, your browser only accepts (and stays silent) certificates if they were co or toot signed by one of the authorities that are on 'the list' (in your device).
You could actually empty this list, and your browser would not even trust https://www.micirostf.com any more.

So, the easiest thing to do, is : export the certificate that is being used by the Webconfigurator, and import it into you browser / OS.
Now, your browser / OS it trust it, and no more errors. That's all it takes !

You could also get your hands on a certificate that is trusted out of the box.
A trusted certificate is free.
Example : if these are your general settings :

5f251b0a-5c89-4ab6-aec6-556829c21c72-image.png

and you actually own, or rent the some-domain.tld domain name, you could obtain certificate for *.some-domain.tld for free.
The pfSense package "acme" is all about that functionality.
Again : the certificate will be free, the domain name will cost some money.

@ma0f97 Has no one an idea?

Coloca ele no Bypass Proxy for These Destination, e libera porta.

@anderson-soprana valeu aqui deu certo.

@lucasll había puesto el IP y puerto del kerio en Advanced - Miscellaneus del pfsense pero ya encontré la solución. Mi DNS superior no resolvía las direcciones fuera de la VPN. Utilicé un repositorio alternativo que el DNS era capaz de resolver.

@norcarde A transparent proxy would solve your application problems, but they are a hassle to setup and can introduce their own problems.

@santi buen día. Ya revisé el log. Dónde obtuve la ip a la cual de está conectado, la agregue a la lista blanca, además, del puerto. Pero sigue sin funcionar .

@mhmz

does it make any sense sitting on proxy server with deactivated aes-ni ?

Take a good look at what's getting blocked in your log files, it's easy to break google products because of their spyware/tracking integration.

@aGeekhere said in squid blocking things I want to access (access denied for inter-LAN devices):

you can get the refresh patten here https://github.com/mmd123/squid-cache-dynamic_refresh-list/pulls

I know, I'm the one that made that repo xD

No, the problem is I forgot it needs to be run in custom MITM mode to actually work with caching things properly, and by the time I realized that last night it was like 2am, so I went to sleep, I'll be back to work on it later today @aGeekhere

As soon as you have access to the full, decrypted data stream it's most probably possible to cache everything.

But :
The, for example, ccs style sheet file, can have a unique name - and won't be re used ever again, so it will get reloaded anyway.
The file creation date can be set to 'now' so the browser will request a fresh copy, even if the content didn't change at all.
etc etc .

@High_Voltage said in Web gui, ssl/https connectivity, squid, and wpad:

just took me a bit to realize I was having a moment of brain dead, THANK YOU ALL! - THX 😉

BTW:
if you want to perform a serious Squid + Squid Guard installation.
I have an acquaintance here on the forum and I can bring you together with him...☺

@rafamello

Como pensávamos, o problema é com *.GOV + cert.

Solved in https://forum.netgate.com/topic/153028/haproxy-deleting-acl-on-modify-bug-or-am-i-missing-something/14

@werter

непрозрачный, с авторизацией по ip и учетным записям. на время настройки авторизация отключена

En caso de que alguien aun no logro resolver el inconveniente aquí dejo el enlace con la información facebook suministra para permitir el filtro por proxy

https://developers.facebook.com/docs/whatsapp/guides/network-requirements/?locale=es_ES

Thanks for the info. Astounding is what this is. :-)

My problem with this is the need of a whitelist. I curruntly don't know how to have something like "whitelist all except blacklist and pages scaned with a virus" I don't use squidguard but PFBLockerng-devel witch is in my opinion better.
It should be a regex like ^.* minus blacklist but I don't see anything on how to do this properly.

I have a thread about this: https://forum.netgate.com/topic/175557/squid-clamav-mitm-custom-setting?_=1667128733894

@obmor said in Repositorio não oficial não aparece:

@baguncassp siga este tutorial, comigo deu certo no pfsense 2.4.4

https://forum.netgate.com/topic/136730/aplicar-patch-para-usar-e2guardian-5-em-pfsense-2-4-4/2?fbclid=IwAR1WmexowP8hxVx5gQD_t-aXzcFCt3vpsfz-spQnGfqChwk_-iUX_DuyHyM

Muito obrigado @obmor deu certinho.

Durante o monitoramento percebi que o Squid precisava ser reiniciado mais de uma vez ao dia, acrescentei mais dois horários e também alterei o path do cron para utilizar a rotina padrão do Squid.

00 10 * * * root /usr/local/etc/rc.d/squid.sh restart
00 13 * * * root /usr/local/etc/rc.d/squid.sh restart
00 16 * * * root /usr/local/etc/rc.d/squid.sh restart

O reinício é rápido e até o momento ninguém reclamou de queda, pelo que tenho percebido afeta somente o acesso a sites, a conferência que era a minha maior preocupação continua funcionando normalmente durante a execução da rotina.

O que acho mais estranho é que temos uns 200 dispositivos conectados em nossa rede ( Ethernet e Wi-Fi ) e já ouvi pessoas reclamando do mesmo problema com 1200 dispositivos na rede.

All..... The script came from user Remzej. I have it on a cron job to check every 5 minutes (we are a busy proxy environment)...

*/2 * * * * root /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/monitor_memory_usage.php

#!/usr/local/bin/php-cgi -f
<?php
/*

monitor_memory_usage.php

part of pfSense (https://www.pfsense.org)

Copyright (c) 2011-2015 Rubicon Communications, LLC (Netgate)

All rights reserved.

Licensed under the Apache License, Version 2.0 (the "License");

you may not use this file except in compliance with the License.

You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software

distributed under the License is distributed on an "AS IS" BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and

limitations under the License.
*/
require_once('config.inc');
require_once('util.inc');
require_once('squid.inc');
global $config;

// Monitor memory usage by remzej
// Get SWAP usage funtion
function swap_usage() {
exec("/usr/sbin/swapinfo", $swap_info);
$swap_used = "";
foreach ($swap_info as $line) {
if (preg_match('/(\d+)%$/', $line, $matches)) {
$swap_used = $matches[1];
break;
}
}
return $swap_used;
}

// Get memory usage function
function mem_usage() {
$memory = "";
exec("/sbin/sysctl -n vm.stats.vm.v_page_count vm.stats.vm.v_inactive_count " .
"vm.stats.vm.v_cache_count vm.stats.vm.v_free_count", $memory);

$totalMem = $memory[0]; $availMem = $memory[1] + $memory[2] + $memory[3]; $usedMem = $totalMem - $availMem; $memUsage = round(($usedMem * 100) / $totalMem, 0); return $memUsage;

}

// Get memory and SWAP usage value
$memusage_pct = mem_usage();
$swapusage_pct = swap_usage();

// Display memory usage
echo "Memory Usage: " . $memusage_pct . "%" . PHP_EOL;
echo "SWAP Usage: " . $swapusage_pct . "%" . PHP_EOL;

// If memory usage is above 90%, stop and restart squid services.
if (($memusage_pct > 90) or ($swapusage_pct > 80)) {
squid_stop_monitor();
if (is_service_running('squid')) {
stop_service("squid");
}
squid_restart_services();
log_error(gettext(sprintf("[squid] Memory usage is $memusage_pct percent, Swap Usage is $swap_usage percent, stopping and restarting services.")));
}
log_error(gettext(sprintf("[squid] Memory usage is $memusage_pct percent and Swap Usage is $swapusage_pct")));
?>

There are many how to's on the youtube and interwebs. Here is one I have saved

https://www.youtube.com/watch?v=W2gy1bLHm5o

Skip the pfsense install part as it goes through the whole process from pfsense setup to squid, to squidguard, and lightsquid. Squidguard itself is not hard to setup once you have setup you squid transparent proxy which is basically enabling squid, checking transparent proxy, settings caches and that's it for squid then switch to squidguard and configure it. I have squid setup as an HAVP sine it is built into the squid package now and not a separate package before 2.3. Overall there is are many video and guides with pictures to assist in setting up or helping troubleshoot pieces of pfsense you need help with when you google for it such as in your case "pfsense squidguard setup". Don't hesitate you use your Googlefu.