Splice
-
Any help on this? please
-
Found the problem. It was squidguard: with splice enabled and squidguard disabled everything works fine. Question is, how to filter without squidguard then?
-
I got the same problem, even without squidguard (facebook, google store etc do not work: timeout connection error)
pfsense 2.3.4 fresh install
squid package 0.4.36_3
Chrismallia can you share your conf? (ssl part only)
Here it's mine:
SSL/MITM Mode: Splice All
SSL Intercept Interface(s): LAN
SSL Proxy Port: 3129
SSL Proxy Compatibility Mode: Intermediate
DHParams Key Size: 2048 (default)
CA: CA_TEST
SSL Certificate Deamon Children: 5
Remote Cert Checks: Accept remote server certificate with errors
Certificate Adapt: Sets the "Not Before" (setValidBefore)
-
Problem came back. Squidguard is not the problem, sorry for that. Here is my config, same as yours:
SSL/MITM Mode: Splice All
SSL Intercept Interface(s): LAN
SSL Proxy Port: 3129
SSL Proxy Compatibility Mode: Intermediate
DHParams Key Size: 2048 (default)
CA: CA_Splice
SSL Certificate Deamon Children: 5
Remote Cert Checks: Accept remote server certificate with errors
Certificate Adapt: Sets the "Not Before" (setValidBefore)
-
Finally I managed to get Squid + squidguard in "splice all" mode to work…
It was just a DNS problem.
I set client DNS IP to my pfSense router's IP (DNS resolver was already up and running). Before that I set it to my Windows DNS Server.
I guessed that from here: https://forum.pfsense.org/index.php?topic=112335.0
Now filtering works fine (except for the deny message: it says "Unable to connect" because of the SSL protocol).
-
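Added example, not part of the thread: when Squid intercepts traffic it checks the address a client connected to against its own DNS lookup of the requested name, so the DNS change in the post above can be checked by comparing what the clients' resolver and the proxy's resolver return. The Python code below parses A records from raw DNS replies and lists hosts where the two views differ. The function names, `example.test` and the sample reply are constructed for illustration.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode an A/IN query for `name` in DNS wire format (RFC 1035)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:                  # a compression pointer ends the name
            return off + 2
        off += n + 1

def parse_a_records(msg):
    """Return the set of IPv4 addresses in a DNS reply's answer section."""
    qd, an = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_via(server, name, timeout=2.0):
    """Ask one specific resolver for `name` (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recvfrom(4096)[0])

def hosts_at_risk(hosts, client_view, proxy_view):
    """Hosts where a client can get an address the proxy's resolver does not return."""
    return [h for h in hosts if client_view(h) - proxy_view(h)]

# Constructed reply for "example.test": one CNAME, then one A record (192.0.2.10).
SAMPLE_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00\x07example\x04test\x00\x00\x01\x00\x01"
                b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x00\x3c\x00\x06\x03cdn\xc0\x0c"
                b"\xc0\x2a\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a")
```

Against live resolvers, pass `lambda h: resolve_via("<client DNS IP>", h)` as `client_view` and the same call with the DNS server pfSense itself uses as `proxy_view`.
-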
My devices use the Pfsense as DNS but I still have this problem
-
I have found that most of my issues with Splice All can actually be resolved in the "Headers Handling, Language and Other Customizations" section. It seems a lot of sites are pretty picky. Also, if you have squidguard set to not allow IP addresses that leads to a lot of problems with things like the Apple store and Netflix.
Oddly, when I used nested pfsense boxes, one for the gateway and one for squid and squidguard it seemed to work flawlessly (and VERY fast). Now that I moved the same VM to be the gateway that was doing proxy… my web browsing seems to stink on all clients except the ones that bypass squid.
-
My devices use the Pfsense as DNS but I still have this problem
Oddly, now mine works flawlessly even with my win DNS set on clients… No idea... :S
This is my "Headers Handling, Language and Other Customizations" conf:
X-Forwarded Header Mode: on
Disable VIA Header: unchecked
(other options seem to me not relevant)
For MrWinig: can you clear/explain better which option to set?
-
Strange. I can never get it to work right with the fbook app and google store even with squidguard disabled. Thanks all for posting your feedback.
-
UPDATE
Two days ago I started testing the conf on 2 client computers: mine (test) and a user's one (production).
Everything worked fine on both (http+https).
This morning, the production PC stopped working in https and slowed down on http; my test PC has had no issue!
After a while, without changing anything, the production PC started to work flawlessly again.
:S
-
UPDATE 2
I failed to notice I had the "Server proxy" option set in the Windows "Lan settings" of the test PC.
Server proxy settings are the following:
<squid_ip>3128 (all service http+https+ftp)
Now I cannot understand why this works (https port is 3129 in my conf).
BTW I tested the same conf on the production client and it works flawlessly (squidguard also).
-
Thank you for always keeping us up to date. So if I understand right you had proxy settings set? You shouldn't have had anything in transparent mode. What did you change exactly to solve it?
-
So if I understand right you had proxy settings set?
Yes
You shouldn't have had anything in transparent mode. What did you change exactly to solve it?
In Squid I did NOT change anything (see my conf above), transparent mode is on.
-
I do not know if we are misunderstanding each other, but if you have squid in transparent mode, you shouldn't have set anything on your PC.
-
No misunderstanding, it's like that, and that is the concern…
Indeed this kind of conf is described here... https://forum.pfsense.org/index.php?topic=112335.0
I'm trying to understand why and how it works!
If someone kindly could explain to me.... :)
-
Dude, in that guide he is showing you both ways, transparent and non-transparent. If you choose transparent in squid you do nothing at all to the client. If you want a manual proxy then you set the proxy setting on the client.