Netgate Discussion Forum

    Help finishing setting up squid guard

    • c9870

      So I got SG most of the way set up; I only have a few things I need help with.

      What I have:

      I need to block YouTube and other data hogs during certain times of the day, while allowing it during other times. (I have the time set to block in the pic below.)

      What I need help with:
      1.  Actually having it not block during the specified time I tell it not to block.
          1a.  It blocks well during the period I set for it to block, but continues to block during the other time.

      2. Blocking https://www.youtube.com
          2a.  If people go to secure YouTube, or use a bookmark that has the https, or embedded YouTube videos (normally ads), the videos still load.

      Is there any setting I can change / update to fix these issues?

      Thanks in advance

      From Log > Proxy Config:

      # This file is automatically generated by pfSense
      # Do not edit manually !

      http_port 192.168.1.1:3128
      http_port 127.0.0.1:3128 intercept
      icp_port 7
      dns_v4_first off
      pid_filename /var/run/squid.pid
      cache_effective_user proxy
      cache_effective_group proxy
      error_default_language en
      icon_directory /usr/pbi/squid-i386/etc/squid/icons
      visible_hostname localhost
      cache_mgr admin@localhost
      access_log /var/squid/logs/access.log
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      sslcrtd_children 0
      logfile_rotate 5
      shutdown_lifetime 3 seconds

      # Allow local network(s) on interface(s)

      acl localnet src  192.168.1.0/24
      uri_whitespace strip

      # Break HTTP standard for flash videos. Keep them in cache even if asked not to.

      refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private

      # Let the clients favorite video site through with full caching

      acl youtube dstdomain .youtube.com
      cache allow youtube

      # Windows Update refresh_pattern

      range_offset_limit -1
      refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
      refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
      refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
      cache_mem 1024 MB
      maximum_object_size_in_memory 1024 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      cache_dir ufs /var/squid/cache 28000 32 256
      minimum_object_size 0 KB
      maximum_object_size 30000 KB
      offline_mode on
      cache_swap_low 90
      cache_swap_high 95

      # Add any of your own refresh_pattern entries above these.

      refresh_pattern ^ftp:    1440  20%  10080
      refresh_pattern ^gopher:  1440  0%  1440
      refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
      refresh_pattern .    0  20%  4320

      # No redirector configured

      #Remote proxies

      # Setup some default acls

      acl allsrc src all
      acl localhost src 127.0.0.1/32
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535
      acl sslports port 443 563 
      acl manager proto cache_object
      acl purge method PURGE
      acl connect method CONNECT

      # Define protocols used for redirects

      acl HTTP proto HTTP
      acl HTTPS proto HTTPS

      acl blacklist dstdom_regex -i '/var/squid/acl/blacklist.acl'
      http_access allow manager localhost
       
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports

      # Always allow localhost connections

      http_access allow localhost

      quick_abort_min 0 KB
      quick_abort_max 0 KB
      request_body_max_size 0 KB
      reply_body_max_size 4100000 KB allsrc
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100

      # Throttle extensions matched in the url

      acl throttle_exts urlpath_regex -i '/var/squid/acl/throttle_exts.acl'
      delay_access 1 allow throttle_exts
      delay_access 1 deny allsrc

      # Reverse Proxy settings

      # Package Integration

      redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
      redirector_bypass off
      url_rewrite_children 5

      # Custom options

      # Block access to blacklist domains

      http_access deny blacklist

      # Setup allowed acls

      # Allow local network(s) on interface(s)

      http_access allow localnet

      # Default block all to be sure

      http_access deny allsrc

      From Log > Filter Config:

      # ============================================================
      # SquidGuard configuration file
      # This file generated automaticly with SquidGuard configurator
      # (C)2006 Serg Dvoriancev
      # email: dv_serg@mail.ru
      # ============================================================

      logdir /var/squidGuard/log
      dbhome /var/db/squidGuard

      # enables SG during the metered time

      time blockmetered {
      weekly * 00:00-03:00
      weekly * 08:00-23:59
      }

      time unmetered {
      weekly * 03:00-07:59
      }

      # blocks during metered time

      src blockACLall {
      ip    192.168.1.104
      log block.log
      }

      dest blk_blacklists_ads {
      domainlist blk_blacklists_ads/domains
      urllist blk_blacklists_ads/urls
      log block.log
      }

      dest blk_blacklists_aggressive {
      domainlist blk_blacklists_aggressive/domains
      urllist blk_blacklists_aggressive/urls
      log block.log
      }

      dest blk_blacklists_audio-video {
      domainlist blk_blacklists_audio-video/domains
      urllist blk_blacklists_audio-video/urls
      log block.log
      }

      dest blk_blacklists_drugs {
      domainlist blk_blacklists_drugs/domains
      urllist blk_blacklists_drugs/urls
      log block.log
      }

      dest blk_blacklists_gambling {
      domainlist blk_blacklists_gambling/domains
      urllist blk_blacklists_gambling/urls
      log block.log
      }

      dest blk_blacklists_hacking {
      domainlist blk_blacklists_hacking/domains
      urllist blk_blacklists_hacking/urls
      log block.log
      }

      dest blk_blacklists_mail {
      domainlist blk_blacklists_mail/domains
      log block.log
      }

      dest blk_blacklists_porn {
      domainlist blk_blacklists_porn/domains
      urllist blk_blacklists_porn/urls
      log block.log
      }

      dest blk_blacklists_proxy {
      domainlist blk_blacklists_proxy/domains
      urllist blk_blacklists_proxy/urls
      log block.log
      }

      dest blk_blacklists_redirector {
      domainlist blk_blacklists_redirector/domains
      urllist blk_blacklists_redirector/urls
      log block.log
      }

      dest blk_blacklists_spyware {
      domainlist blk_blacklists_spyware/domains
      urllist blk_blacklists_spyware/urls
      log block.log
      }

      dest blk_blacklists_suspect {
      domainlist blk_blacklists_suspect/domains
      urllist blk_blacklists_suspect/urls
      log block.log
      }

      dest blk_blacklists_violence {
      domainlist blk_blacklists_violence/domains
      urllist blk_blacklists_violence/urls
      log block.log
      }

      dest blk_blacklists_warez {
      domainlist blk_blacklists_warez/domains
      urllist blk_blacklists_warez/urls
      log block.log
      }

      # blocks youtube and redirects to the exede data notice page

      dest youtubeblock {
      domainlist youtubeblock/domains
      redirect http://notice.exede.net/dap-redirect.php
      log block.log
      }

      # Blocks a range of Domains associated to Windows Update

      dest windowsupdateblk {
      domainlist windowsupdateblk/domains
      redirect http://notice.exede.net/dap-redirect.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
      log block.log
      }

      rew safesearch {
      s@(google\..*/search?.*q=.*)@&safe=active@i
      s@(google\..*/images.*q=.*)@&safe=active@i
      s@(google\..*/groups.*q=.*)@&safe=active@i
      s@(google\..*/news.*q=.*)@&safe=active@i
      s@(yandex\..*/yandsearch?.*text=.*)@&fyandex=1@i
      s@(search\.yahoo\..*/search.*p=.*)@&vm=r&v=1@i
      s@(search\.live\..*/.*q=.*)@&adlt=strict@i
      s@(search\.msn\..*/.*q=.*)@&adlt=strict@i
      s@(\.bing\..*/.*q=.*)@&adlt=strict@i
      log block.log
      }

      acl  {

      # blocks during metered time

      blockACLall  within blockmetered {
      pass blk_blacklists_mail !youtubeblock !windowsupdateblk !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez all
      redirect http://notice.exede.net/dap-redirect.php
      log block.log
      } else {
      pass youtubeblock windowsupdateblk blk_blacklists_mail all
      redirect http://notice.exede.net/dap-redirect.php
      log block.log
      }

      default  {
      pass blk_blacklists_mail all
      redirect http://notice.exede.net/dap-redirect.php
      log block.log
      }
      }

      Untitled.jpg
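A way to check which branch of the acl section posted above applies for a given source address and clock time, added here as an example (it is not part of the original post and is not squidGuard code). It assumes first-match evaluation of the pass list and inclusive window ends, and the caller supplies the destination groups a URL belongs to; parse, first_match and decide are hypothetical helper names.

```python
import re
from datetime import datetime

# Constructed excerpt of the posted squidGuard.conf: time, src and acl sections only,
# with the blacklist pass list shortened to the two custom destinations.
CONF = """
time blockmetered {
weekly * 00:00-03:00
weekly * 08:00-23:59
}
src blockACLall {
ip 192.168.1.104
}
acl {
blockACLall within blockmetered {
pass blk_blacklists_mail !youtubeblock !windowsupdateblk all
} else {
pass youtubeblock windowsupdateblk blk_blacklists_mail all
}
default {
pass blk_blacklists_mail all
}
}
"""

def parse(conf):
    blocks = lambda kw: re.findall(kw + r"\s+(\S+)\s*\{(.*?)\}", conf, re.S)
    windows = {n: re.findall(r"weekly\s+\*\s+(\d\d:\d\d)-(\d\d:\d\d)", b) for n, b in blocks("time")}
    sources = {n: re.findall(r"ip\s+(\S+)", b) for n, b in blocks("src")}
    rule = re.search(r"(\S+)\s+within\s+(\S+)\s*\{\s*pass\s+(.*?)\n.*?\}\s*else\s*\{\s*pass\s+(.*?)\n", conf, re.S)
    default = re.search(r"default\s*\{\s*pass\s+(.*?)\n", conf, re.S).group(1)
    return windows, sources, rule.groups(), default.split()

def first_match(pass_list, categories):
    # The pass list is read left to right; the first matching entry decides.
    for entry in pass_list:
        name = entry.lstrip("!")
        if name in categories or name == "all":
            return "redirect" if entry.startswith("!") else "pass"
    return "redirect"

def decide(conf, src_ip, categories, when):
    windows, sources, (src, tname, inside, outside), default = parse(conf)
    if src_ip not in sources[src]:
        return first_match(default, categories)   # source not listed: default acl applies
    hhmm = when.strftime("%H:%M")                  # assumption: window ends are inclusive
    hit = any(a <= hhmm <= b for a, b in windows[tname])
    return first_match((inside if hit else outside).split(), categories)
```

With the posted rules, a youtubeblock destination requested from 192.168.1.104 evaluates to redirect at 12:00 and pass at 05:00, while any other source address falls to the default acl and is passed at any hour.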
      • ast

        I'm also new to pfSense; I believe you can do this via firewall rules and schedules.
