Help finishing setting up squid guard



  • so i got SG most of the way setup only have a few things i need help with a few things.

    what i have:

    i need to block youtube and other data hogs during a certain times of the day, while allowing it during other times.  (have the time set to block in the pic below).

    What i need help with:
    1.  actually having it not block during the specified time i tell it not to block. 
        1a.  it blocks good during the period i set for it to block, but continues to block during the other time.

    2. Blocking https://www.youtube.com
        2a.  if people go to secure youtube, or use a bookmark that has the https, or embeded youtube videos (normally ads) the videos still load.

    is there any settings i can change / update to fix these issues.

    Thanks in advance

    from Log > Proxy Config

    This file is automatically generated by pfSense

    Do not edit manually !

    http_port 192.168.1.1:3128
    http_port 127.0.0.1:3128 intercept
    icp_port 7
    dns_v4_first off
    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_default_language en
    icon_directory /usr/pbi/squid-i386/etc/squid/icons
    visible_hostname localhost
    cache_mgr admin@localhost
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    sslcrtd_children 0
    logfile_rotate 5
    shutdown_lifetime 3 seconds

    Allow local network(s) on interface(s)

    acl localnet src  192.168.1.0/24
    uri_whitespace strip

    Break HTTP standard for flash videos. Keep them in cache even if asked not to.

    refresh_pattern -i .flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private

    Let the clients favorite video site through with full caching

    acl youtube dstdomain .youtube.com
    cache allow youtube

    Windows Update refresh_pattern

    range_offset_limit -1
    refresh_pattern -i microsoft.com/..(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
    refresh_pattern -i windowsupdate.com/.
    .(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
    refresh_pattern -i my.windowsupdate.website.com/.*.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
    cache_mem 1024 MB
    maximum_object_size_in_memory 1024 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir ufs /var/squid/cache 28000 32 256
    minimum_object_size 0 KB
    maximum_object_size 30000 KB
    offline_mode oncache_swap_low 90
    cache_swap_high 95

    Add any of your own refresh_pattern entries above these.

    refresh_pattern ^ftp:    1440  20%  10080
    refresh_pattern ^gopher:  1440  0%  1440
    refresh_pattern -i (/cgi-bin/|?) 0  0%  0
    refresh_pattern .    0  20%  4320

    No redirector configured

    #Remote proxies

    Setup some default acls

    acl allsrc src all
    acl localhost src 127.0.0.1/32
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535
    acl sslports port 443 563 
    acl manager proto cache_object
    acl purge method PURGE
    acl connect method CONNECT

    Define protocols used for redirects

    acl HTTP proto HTTP
    acl HTTPS proto HTTPS

    acl blacklist dstdom_regex -i '/var/squid/acl/blacklist.acl'
    http_access allow manager localhost
     
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports

    Always allow localhost connections

    http_access allow localhost

    quick_abort_min 0 KB
    quick_abort_max 0 KB
    request_body_max_size 0 KB
    reply_body_max_size 4100000 KB allsrc
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100

    Throttle extensions matched in the url

    acl throttle_exts urlpath_regex -i '/var/squid/acl/throttle_exts.acl'
    delay_access 1 allow throttle_exts
    delay_access 1 deny allsrc

    Reverse Proxy settings

    Package Integration

    redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
    redirector_bypass off
    url_rewrite_children 5

    Custom options

    Block access to blacklist domains

    http_access deny blacklist

    Setup allowed acls

    Allow local network(s) on interface(s)

    http_access allow localnet

    Default block all to be sure

    http_access deny allsrc

    FROM LOG > Filter Config

    ============================================================

    SquidGuard configuration file

    This file generated automaticly with SquidGuard configurator

    (C)2006 Serg Dvoriancev

    email: dv_serg@mail.ru

    ============================================================

    logdir /var/squidGuard/log
    dbhome /var/db/squidGuard

    enables SG durring the metered time

    time blockmetered {
    weekly * 00:00-03:00
    weekly * 08:00-23:59
    }

    time unmetered {
    weekly * 03:00-07:59
    }

    blocks durring metered time

    src blockACLall {
    ip    192.168.1.104
    log block.log
    }

    dest blk_blacklists_ads {
    domainlist blk_blacklists_ads/domains
    urllist blk_blacklists_ads/urls
    log block.log
    }

    dest blk_blacklists_aggressive {
    domainlist blk_blacklists_aggressive/domains
    urllist blk_blacklists_aggressive/urls
    log block.log
    }

    dest blk_blacklists_audio-video {
    domainlist blk_blacklists_audio-video/domains
    urllist blk_blacklists_audio-video/urls
    log block.log
    }

    dest blk_blacklists_drugs {
    domainlist blk_blacklists_drugs/domains
    urllist blk_blacklists_drugs/urls
    log block.log
    }

    dest blk_blacklists_gambling {
    domainlist blk_blacklists_gambling/domains
    urllist blk_blacklists_gambling/urls
    log block.log
    }

    dest blk_blacklists_hacking {
    domainlist blk_blacklists_hacking/domains
    urllist blk_blacklists_hacking/urls
    log block.log
    }

    dest blk_blacklists_mail {
    domainlist blk_blacklists_mail/domains
    log block.log
    }

    dest blk_blacklists_porn {
    domainlist blk_blacklists_porn/domains
    urllist blk_blacklists_porn/urls
    log block.log
    }

    dest blk_blacklists_proxy {
    domainlist blk_blacklists_proxy/domains
    urllist blk_blacklists_proxy/urls
    log block.log
    }

    dest blk_blacklists_redirector {
    domainlist blk_blacklists_redirector/domains
    urllist blk_blacklists_redirector/urls
    log block.log
    }

    dest blk_blacklists_spyware {
    domainlist blk_blacklists_spyware/domains
    urllist blk_blacklists_spyware/urls
    log block.log
    }

    dest blk_blacklists_suspect {
    domainlist blk_blacklists_suspect/domains
    urllist blk_blacklists_suspect/urls
    log block.log
    }

    dest blk_blacklists_violence {
    domainlist blk_blacklists_violence/domains
    urllist blk_blacklists_violence/urls
    log block.log
    }

    dest blk_blacklists_warez {
    domainlist blk_blacklists_warez/domains
    urllist blk_blacklists_warez/urls
    log block.log
    }

    blocks youtube and redirects to the exede data notice page

    dest youtubeblock {
    domainlist youtubeblock/domains
    redirect http://notice.exede.net/dap-redirect.php
    log block.log
    }

    Blocks a range of Domains associated to Windows Update

    dest windowsupdateblk {
    domainlist windowsupdateblk/domains
    redirect http://notice.exede.net/dap-redirect.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    log block.log
    }

    rew safesearch {
    s@(google../search?.q=.)@&safe=active@i
    s@(google..
    /images.q=.)@&safe=active@i
    s@(google../groups.q=.)@&safe=active@i
    s@(google..
    /news.q=.)@&safe=active@i
    s@(yandex../yandsearch?.text=.)@&fyandex=1@i
    s@(search.yahoo..
    /search.p=.)@&vm=r&v=1@i
    s@(search.live../.q=.)@&adlt=strict@i
    s@(search.msn..
    /.q=.)@&adlt=strict@i
    s@(.bing..*/.q=.)@&adlt=strict@i
    log block.log
    }

    acl  {

    blocks durring metered time

    blockACLall  within blockmetered {
    pass blk_blacklists_mail !youtubeblock !windowsupdateblk !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez all
    redirect http://notice.exede.net/dap-redirect.php
    log block.log
    } else {
    pass youtubeblock windowsupdateblk blk_blacklists_mail all
    redirect http://notice.exede.net/dap-redirect.php
    log block.log
    }

    default  {
    pass blk_blacklists_mail all
    redirect http://notice.exede.net/dap-redirect.php
    log block.log
    }
    }




  • I'm also new to pfsense, I believe you can do this via firewall rules and schedules.