Help!!! SquidGuard barring Installs



  • Guys, I have a simple question, but I have to solve it:

    I use squid + SquidGuard with an authenticated proxy. In my SquidGuard I have a group whose users are the directors of the company, and they have full access to any site when they authenticate. Perfect: I just added them to the ACL user groups and checked allow in default access. The problem is that when these users install some program like Firefox, Chrome, or some other that downloads and installs at the same time, squid blocks it, because in the installation process the user is not recognized by the application, I think.

    These users access all sites right away, but the installs are barred. Does anyone know how to solve this?

    Sorry about my English, I'm a br lover guy



  • @Marco:

    ….. squid blocks because in the installation process the user is not recognized by the application, I think.

    The installation program runs on their PC, right?
    So how can "squid + squid guard" (running on pfSense) interfere with a process not running on the same device?

    If you use a proxy setup on each PC and the installer process (you can't control what it does) doesn't use proxy settings on that device (PC), well … I can imagine it will get blocked.

    Or, more basic : users haven't the "Administrator" rights to install whatever on their PC - and thus the problem isn't even pfSense related.



  • @Gertjan:

    @Marco:

    ….. squid blocks because in the installation process the user is not recognized by the application, I think.

    The installation program runs on their PC, right?
    So how can "squid + squid guard" (running on pfSense) interfere with a process not running on the same device?

    If you use a proxy setup on each PC and the installer process (you can't control what it does) doesn't use proxy settings on that device (PC), well … I can imagine it will get blocked.

    Or, more basic : users haven't the "Administrator" rights to install whatever on their PC - and thus the problem isn't even pfSense related.

    But if I monitor squid in real time, the address is seen as blocked. Remember that these are programs that use the internet for installation.



  • Do you also have these users in other ACLs that are blocked?



  • @KOM:

    Do you also have these users in other ACLs that are blocked?

    No, my users are all in a single group that has default allow.



  • What is the exact error they're getting?



  • @KOM:

    What is the exact error they're getting?

    When I try to install, the application is loading or, depending on the program, gives a connection error. And when I look in the real-time log, this appears: DENIED for the user "-"



  • And the reason for the denial?



  • @KOM:

    And the reason for the denial?

    When I try to install Google Chrome…




  • That's an authentication problem, TCP_DENIED 407.  I've read some other people lately with squid problems related to the ssl handshake.
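
Added example, not part of the original thread: a TCP_DENIED/407 logged for user "-" is also the normal first step of proxy authentication, so this script reports only client/host pairs that were challenged and never appear in the log with credentials. The log lines are constructed, and the script assumes Squid's default native access.log format.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default native access.log format:
# time elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1500000000.101     2 192.168.1.50 TCP_DENIED/407 4012 CONNECT www.example.com:443 - HIER_NONE/- text/html
1500000000.350   180 192.168.1.50 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 director1 HIER_DIRECT/203.0.113.10 -
1500000005.020     1 192.168.1.50 TCP_DENIED/407 4020 CONNECT installer.example.net:443 - HIER_NONE/- text/html
1500000006.020     1 192.168.1.50 TCP_DENIED/407 4020 CONNECT installer.example.net:443 - HIER_NONE/- text/html
1500000009.500     1 192.168.1.51 TCP_DENIED/407 3990 GET http://updates.example.org/setup.exe - HIER_NONE/- text/html
1500000009.900    90 192.168.1.51 TCP_MISS/200 80211 GET http://updates.example.org/setup.exe director2 HIER_DIRECT/203.0.113.20 application/octet-stream
"""

def host_of(method, url):
    """Return the destination host for a CONNECT (host:port) or absolute URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def unanswered_407(log_text):
    """Map (client_ip, host) -> 407 count for pairs with no authenticated request in the log."""
    challenged = defaultdict(int)
    authenticated = set()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue  # skip truncated or non-native lines
        client, result, method, url, user = f[2], f[3], f[5], f[6], f[7]
        key = (client, host_of(method, url))
        if user != "-":
            authenticated.add(key)   # the client answered the challenge
        elif result.endswith("/407"):
            challenged[key] += 1     # challenge sent, no credentials supplied
    return {k: n for k, n in challenged.items() if k not in authenticated}

if __name__ == "__main__":
    for (client, host), n in sorted(unanswered_407(SAMPLE_LOG).items()):
        print(f"{client} never authenticated to {host} ({n} x TCP_DENIED/407)")
```

Pairs it reports are the destinations an installer reached without ever sending proxy credentials, which is the list to review before deciding on any narrowly scoped exception.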



  • @KOM:

    That's an authentication problem, TCP_DENIED 407.  I've read some other people lately with squid problems related to the ssl handshake.

    But how will squid identify which user is running a skype.exe install? Is it possible?



  • Squid either knows the IP address, or IP address and user/pass depending on whether or not you have any user auth.



  • @KOM:

    Squid either knows the IP address, or IP address and user/pass depending on whether or not you have any user auth.

    Interesting. The total permission I gave to users was not by IP, but by user. But if squid can make this association, can you tell me how to solve it?

    PS: I would not like to have to allow by IP



  • What version of pfSense are you running?  This might be helpful:

    http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-DENIED-407-with-SSL-Sites-but-the-site-is-accessible-td2340748.html

    I can't be more specific since I don't have user auth for my squid and I've never seen this problem before.

