Netgate Discussion Forum

Error opening a site using pfSense 2.4.3 + Squid + SquidGuard

• Alex Barbosa Ferreira

Good afternoon!

I recently installed pfSense version 2.4.3 together with Squid + SquidGuard, following the tutorial (https://www.nanoshots.com.br/2015/09/configurando-proxy-transparente-com.html). So far so good, but when I try to open pages in a browser (Firefox, Chrome, IE, etc.) using just www.sitequequeroabrir.com.br, an error page is generated saying "Your connection is not private". On that page, when I click to go to the unsafe site, it is redirected to the SquidGuard rules and access is blocked.
I tested putting the site in the ACL Whitelist and it still isn't allowed.
I went to SquidGuard, set all rules to Allow, saved and restarted the services, and the error still persists; access is only allowed when I put the machine's IP in Bypass Proxy for These Source IPs.
[attachment: Erro pfsense squid.jpg]

• andre.junior

Alex, good evening. Post your squid+squidGuard configurations so we can see whether there is any error in the settings. Another thing: is it a transparent proxy you're using?

Regards.

• Alex Barbosa Ferreira

Good morning!
Yes, it's a transparent proxy.

• Alex Barbosa Ferreira

            http_port 10.1.1.1:8080
            http_port 127.0.0.1:8080 intercept
            icp_port 0
            digest_generation off
            dns_v4_first off
            pid_filename /var/run/squid/squid.pid
            cache_effective_user squid
            cache_effective_group proxy
            error_default_language af
            icon_directory /usr/local/etc/squid/icons
            visible_hostname pfshcosmeticos
            cache_mgr admin@localhost
            access_log /var/squid/log/access.log
            cache_log /var/squid/log/cache.log
            cache_store_log none
            netdb_filename /var/squid/log/netdb.state
            pinger_enable on
            pinger_program /usr/local/libexec/squid/pinger

            logfile_rotate 30
            debug_options rotate=30
            shutdown_lifetime 3 seconds

            acl localnet src 10.1.1.0/24
            forwarded_for on
            uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
            cache deny dynamic

            cache_mem 1024 MB
            maximum_object_size_in_memory 32 KB
            memory_replacement_policy heap GDSF
            cache_replacement_policy heap LFUDA
            minimum_object_size 0 KB
            maximum_object_size 4 MB
            cache_dir ufs /var/squid/cache 3000 16 256
            offline_mode off
            cache_swap_low 90
            cache_swap_high 95
            acl donotcache dstdomain "/var/squid/acl/donotcache.acl"
            cache deny donotcache
            cache allow all

            refresh_pattern ^ftp: 1440 20% 10080
            refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
            refresh_pattern . 0 20% 4320

            acl allsrc src all
            acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3129 1025-65535
            acl sslports port 443 563

            acl purge method PURGE
            acl connect method CONNECT

            acl HTTP proto HTTP
            acl HTTPS proto HTTPS
            acl allowed_subnets src 10.1.1.0/24
            acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
            acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
            http_access allow manager localhost

            http_access deny manager
            http_access allow purge localhost
            http_access deny purge
            http_access deny !safeports
            http_access deny CONNECT !sslports

            http_access allow localhost

            request_body_max_size 0 KB
            delay_pools 1
            delay_class 1 2
            delay_parameters 1 -1/-1 -1/-1
            delay_initial_bucket_level 100
            delay_access 1 allow allsrc

            url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
            url_rewrite_bypass off
            url_rewrite_children 16 startup=8 idle=4 concurrency=0

            http_access allow whitelist

            http_access deny blacklist

            http_access allow allowed_subnets
            http_access allow localnet

            http_access deny allsrc

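An added example, not code from the thread or from Squid/pfSense: a small Python model of how Squid walks the http_access chain in the squid.conf posted above (the first matching line decides, every ACL on a line must match, a leading "!" negates one). It also models url_rewrite_access, which the posted config does not set, to show that "http_access allow whitelist" only grants access: with no url_rewrite_access line, every allowed request is still handed to url_rewrite_program, i.e. to squidGuard. The whitelist and blacklist file contents, the host names and the client addresses are constructed; the ACL and rule names are the ones from the posted config.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-ins for /var/squid/acl/whitelist.acl and blacklist.acl
# (dstdom_regex -i patterns); the real files are not on the page.
WHITELIST_PATTERNS = [r"(^|\.)example\.com\.br$"]
BLACKLIST_PATTERNS = [r"(^|\.)badsite\.example$"]

# "acl safeports port ..." and the 10.1.1.0/24 src ACLs from the posted config.
SAFEPORTS = {21, 70, 80, 210, 280, 443, 488, 563, 591, 631, 777, 901,
             8080, 3129} | set(range(1025, 65536))
LOCALNET = ipaddress.ip_network("10.1.1.0/24")


@dataclass
class Request:
    src: str               # client IP address
    dst_host: str          # requested host name
    port: int              # destination port
    method: str = "GET"
    manager: bool = False  # cache-manager request (Squid's built-in "manager" ACL)


def _host_matches(patterns, host):
    return any(re.search(p, host, re.IGNORECASE) for p in patterns)


# One predicate per ACL name that the posted http_access lines reference.
ACLS = {
    "allsrc": lambda r: True,
    "localhost": lambda r: r.src == "127.0.0.1",
    "localnet": lambda r: ipaddress.ip_address(r.src) in LOCALNET,
    "allowed_subnets": lambda r: ipaddress.ip_address(r.src) in LOCALNET,
    "safeports": lambda r: r.port in SAFEPORTS,
    "sslports": lambda r: r.port in (443, 563),
    "CONNECT": lambda r: r.method == "CONNECT",
    "purge": lambda r: r.method == "PURGE",
    "manager": lambda r: r.manager,
    "whitelist": lambda r: _host_matches(WHITELIST_PATTERNS, r.dst_host),
    "blacklist": lambda r: _host_matches(BLACKLIST_PATTERNS, r.dst_host),
}

# The http_access lines of the posted squid.conf, in file order.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!safeports"]),
    ("deny", ["CONNECT", "!sslports"]),
    ("allow", ["localhost"]),
    ("allow", ["whitelist"]),
    ("deny", ["blacklist"]),
    ("allow", ["allowed_subnets"]),
    ("allow", ["localnet"]),
    ("deny", ["allsrc"]),
]


def line_matches(terms, req):
    """Every term on an access line must match (AND); a leading '!' negates it."""
    for term in terms:
        negated = term.startswith("!")
        if ACLS[term.lstrip("!")](req) == negated:
            return False
    return True


def evaluate_access(rules, req):
    """First matching line decides. If no line matches, Squid applies the
    opposite of the last line's action; an empty rule list means allow."""
    for index, (action, terms) in enumerate(rules):
        if line_matches(terms, req):
            return action, index
    if not rules:
        return "allow", None
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def http_access(req):
    """(decision, index of the deciding http_access line)."""
    return evaluate_access(HTTP_ACCESS, req)


def sent_to_rewriter(req, url_rewrite_access=()):
    """Is an allowed request handed to url_rewrite_program (squidGuard)?
    The posted config has no url_rewrite_access lines, so the answer is
    always yes; a line such as "url_rewrite_access deny whitelist" would
    keep whitelisted hosts away from squidGuard."""
    if http_access(req)[0] != "allow":
        return False
    return evaluate_access(list(url_rewrite_access), req)[0] == "allow"


if __name__ == "__main__":
    r = Request("10.1.1.50", "www.example.com.br", 80)
    print(http_access(r))                                   # ('allow', 7)
    print(sent_to_rewriter(r))                              # True
    print(sent_to_rewriter(r, [("deny", ["whitelist"])]))   # False
```

The indexes returned by http_access count the lines in file order, so 7 is "http_access allow whitelist" and 11 is the closing "http_access deny allsrc"; the last two calls show that whitelisting a host in Squid alone does not stop squidGuard from seeing the request.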
• Alex Barbosa Ferreira

              logdir /var/squidGuard/log
              dbhome /var/db/squidGuard

              dest blk_BL_adv {
              domainlist blk_BL_adv/domains
              urllist blk_BL_adv/urls
              log block.log
              }

              dest blk_BL_aggressive {
              domainlist blk_BL_aggressive/domains
              urllist blk_BL_aggressive/urls
              log block.log
              }

              dest blk_BL_alcohol {
              domainlist blk_BL_alcohol/domains
              urllist blk_BL_alcohol/urls
              log block.log
              }

              dest blk_BL_anonvpn {
              domainlist blk_BL_anonvpn/domains
              urllist blk_BL_anonvpn/urls
              log block.log
              }

              dest blk_BL_automobile_bikes {
              domainlist blk_BL_automobile_bikes/domains
              urllist blk_BL_automobile_bikes/urls
              log block.log
              }

              dest blk_BL_automobile_boats {
              domainlist blk_BL_automobile_boats/domains
              urllist blk_BL_automobile_boats/urls
              log block.log
              }

              dest blk_BL_automobile_cars {
              domainlist blk_BL_automobile_cars/domains
              urllist blk_BL_automobile_cars/urls
              log block.log
              }

              dest blk_BL_automobile_planes {
              domainlist blk_BL_automobile_planes/domains
              urllist blk_BL_automobile_planes/urls
              log block.log
              }

              dest blk_BL_chat {
              domainlist blk_BL_chat/domains
              urllist blk_BL_chat/urls
              log block.log
              }

              dest blk_BL_costtraps {
              domainlist blk_BL_costtraps/domains
              urllist blk_BL_costtraps/urls
              log block.log
              }

              dest blk_BL_dating {
              domainlist blk_BL_dating/domains
              urllist blk_BL_dating/urls
              log block.log
              }

              dest blk_BL_downloads {
              domainlist blk_BL_downloads/domains
              urllist blk_BL_downloads/urls
              log block.log
              }

              dest blk_BL_drugs {
              domainlist blk_BL_drugs/domains
              urllist blk_BL_drugs/urls
              log block.log
              }

              dest blk_BL_dynamic {
              domainlist blk_BL_dynamic/domains
              urllist blk_BL_dynamic/urls
              log block.log
              }

              dest blk_BL_education_schools {
              domainlist blk_BL_education_schools/domains
              urllist blk_BL_education_schools/urls
              log block.log
              }

              dest blk_BL_finance_banking {
              domainlist blk_BL_finance_banking/domains
              urllist blk_BL_finance_banking/urls
              log block.log
              }

              dest blk_BL_finance_insurance {
              domainlist blk_BL_finance_insurance/domains
              urllist blk_BL_finance_insurance/urls
              log block.log
              }

              dest blk_BL_finance_moneylending {
              domainlist blk_BL_finance_moneylending/domains
              urllist blk_BL_finance_moneylending/urls
              log block.log
              }

              dest blk_BL_finance_other {
              domainlist blk_BL_finance_other/domains
              urllist blk_BL_finance_other/urls
              log block.log
              }

              dest blk_BL_finance_realestate {
              domainlist blk_BL_finance_realestate/domains
              urllist blk_BL_finance_realestate/urls
              log block.log
              }

              dest blk_BL_finance_trading {
              domainlist blk_BL_finance_trading/domains
              urllist blk_BL_finance_trading/urls
              log block.log
              }

              dest blk_BL_fortunetelling {
              domainlist blk_BL_fortunetelling/domains
              urllist blk_BL_fortunetelling/urls
              log block.log
              }

              dest blk_BL_forum {
              domainlist blk_BL_forum/domains
              urllist blk_BL_forum/urls
              log block.log
              }

              dest blk_BL_gamble {
              domainlist blk_BL_gamble/domains
              urllist blk_BL_gamble/urls
              log block.log
              }

              dest blk_BL_government {
              domainlist blk_BL_government/domains
              urllist blk_BL_government/urls
              log block.log
              }

              dest blk_BL_hacking {
              domainlist blk_BL_hacking/domains
              urllist blk_BL_hacking/urls
              log block.log
              }

              dest blk_BL_hobby_cooking {
              domainlist blk_BL_hobby_cooking/domains
              urllist blk_BL_hobby_cooking/urls
              log block.log
              }

              dest blk_BL_hobby_games-misc {
              domainlist blk_BL_hobby_games-misc/domains
              urllist blk_BL_hobby_games-misc/urls
              log block.log
              }

              dest blk_BL_hobby_games-online {
              domainlist blk_BL_hobby_games-online/domains
              urllist blk_BL_hobby_games-online/urls
              log block.log
              }

              dest blk_BL_hobby_gardening {
              domainlist blk_BL_hobby_gardening/domains
              urllist blk_BL_hobby_gardening/urls
              log block.log
              }

              dest blk_BL_hobby_pets {
              domainlist blk_BL_hobby_pets/domains
              urllist blk_BL_hobby_pets/urls
              log block.log
              }

              dest blk_BL_homestyle {
              domainlist blk_BL_homestyle/domains
              urllist blk_BL_homestyle/urls
              log block.log
              }

              dest blk_BL_hospitals {
              domainlist blk_BL_hospitals/domains
              urllist blk_BL_hospitals/urls
              log block.log
              }

              dest blk_BL_imagehosting {
              domainlist blk_BL_imagehosting/domains
              urllist blk_BL_imagehosting/urls
              log block.log
              }

              dest blk_BL_isp {
              domainlist blk_BL_isp/domains
              urllist blk_BL_isp/urls
              log block.log
              }

              dest blk_BL_jobsearch {
              domainlist blk_BL_jobsearch/domains
              urllist blk_BL_jobsearch/urls
              log block.log
              }

              dest blk_BL_library {
              domainlist blk_BL_library/domains
              urllist blk_BL_library/urls
              log block.log
              }

              dest blk_BL_military {
              domainlist blk_BL_military/domains
              urllist blk_BL_military/urls
              log block.log
              }

              dest blk_BL_models {
              domainlist blk_BL_models/domains
              urllist blk_BL_models/urls
              log block.log
              }

              dest blk_BL_movies {
              domainlist blk_BL_movies/domains
              urllist blk_BL_movies/urls
              log block.log
              }

              dest blk_BL_music {
              domainlist blk_BL_music/domains
              urllist blk_BL_music/urls
              log block.log
              }

              dest blk_BL_news {
              domainlist blk_BL_news/domains
              urllist blk_BL_news/urls
              log block.log
              }

              dest blk_BL_podcasts {
              domainlist blk_BL_podcasts/domains
              urllist blk_BL_podcasts/urls
              log block.log
              }

              dest blk_BL_politics {
              domainlist blk_BL_politics/domains
              urllist blk_BL_politics/urls
              log block.log
              }

              dest blk_BL_porn {
              domainlist blk_BL_porn/domains
              urllist blk_BL_porn/urls
              log block.log
              }

              dest blk_BL_radiotv {
              domainlist blk_BL_radiotv/domains
              urllist blk_BL_radiotv/urls
              log block.log
              }

              dest blk_BL_recreation_humor {
              domainlist blk_BL_recreation_humor/domains
              urllist blk_BL_recreation_humor/urls
              log block.log
              }

              dest blk_BL_recreation_martialarts {
              domainlist blk_BL_recreation_martialarts/domains
              urllist blk_BL_recreation_martialarts/urls
              log block.log
              }

              dest blk_BL_recreation_restaurants {
              domainlist blk_BL_recreation_restaurants/domains
              urllist blk_BL_recreation_restaurants/urls
              log block.log
              }

              dest blk_BL_recreation_sports {
              domainlist blk_BL_recreation_sports/domains
              urllist blk_BL_recreation_sports/urls
              log block.log
              }

              dest blk_BL_recreation_travel {
              domainlist blk_BL_recreation_travel/domains
              urllist blk_BL_recreation_travel/urls
              log block.log
              }

              dest blk_BL_recreation_wellness {
              domainlist blk_BL_recreation_wellness/domains
              urllist blk_BL_recreation_wellness/urls
              log block.log
              }

              dest blk_BL_redirector {
              domainlist blk_BL_redirector/domains
              urllist blk_BL_redirector/urls
              log block.log
              }

              dest blk_BL_religion {
              domainlist blk_BL_religion/domains
              urllist blk_BL_religion/urls
              log block.log
              }

              dest blk_BL_remotecontrol {
              domainlist blk_BL_remotecontrol/domains
              urllist blk_BL_remotecontrol/urls
              log block.log
              }

              dest blk_BL_ringtones {
              domainlist blk_BL_ringtones/domains
              urllist blk_BL_ringtones/urls
              log block.log
              }

              dest blk_BL_science_astronomy {
              domainlist blk_BL_science_astronomy/domains
              urllist blk_BL_science_astronomy/urls
              log block.log
              }

              dest blk_BL_science_chemistry {
              domainlist blk_BL_science_chemistry/domains
              urllist blk_BL_science_chemistry/urls
              log block.log
              }

              dest blk_BL_searchengines {
              domainlist blk_BL_searchengines/domains
              urllist blk_BL_searchengines/urls
              log block.log
              }

              dest blk_BL_sex_education {
              domainlist blk_BL_sex_education/domains
              urllist blk_BL_sex_education/urls
              log block.log
              }

              dest blk_BL_sex_lingerie {
              domainlist blk_BL_sex_lingerie/domains
              urllist blk_BL_sex_lingerie/urls
              log block.log
              }

              dest blk_BL_shopping {
              domainlist blk_BL_shopping/domains
              urllist blk_BL_shopping/urls
              log block.log
              }

              dest blk_BL_socialnet {
              domainlist blk_BL_socialnet/domains
              urllist blk_BL_socialnet/urls
              log block.log
              }

              dest blk_BL_spyware {
              domainlist blk_BL_spyware/domains
              urllist blk_BL_spyware/urls
              log block.log
              }

              dest blk_BL_tracker {
              domainlist blk_BL_tracker/domains
              urllist blk_BL_tracker/urls
              log block.log
              }

              dest blk_BL_updatesites {
              domainlist blk_BL_updatesites/domains
              urllist blk_BL_updatesites/urls
              log block.log
              }

              dest blk_BL_urlshortener {
              domainlist blk_BL_urlshortener/domains
              urllist blk_BL_urlshortener/urls
              log block.log
              }

              dest blk_BL_violence {
              domainlist blk_BL_violence/domains
              urllist blk_BL_violence/urls
              log block.log
              }

              dest blk_BL_warez {
              domainlist blk_BL_warez/domains
              urllist blk_BL_warez/urls
              log block.log
              }

              dest blk_BL_weapons {
              domainlist blk_BL_weapons/domains
              urllist blk_BL_weapons/urls
              log block.log
              }

              dest blk_BL_webmail {
              domainlist blk_BL_webmail/domains
              urllist blk_BL_webmail/urls
              log block.log
              }

              dest blk_BL_webphone {
              domainlist blk_BL_webphone/domains
              urllist blk_BL_webphone/urls
              log block.log
              }

              dest blk_BL_webradio {
              domainlist blk_BL_webradio/domains
              urllist blk_BL_webradio/urls
              log block.log
              }

              dest blk_BL_webtv {
              domainlist blk_BL_webtv/domains
              urllist blk_BL_webtv/urls
              log block.log
              }

rew safesearch {
s@(google\..*/search?.*q=.*)@\1&safe=active@i
s@(google\..*/images.*q=.*)@\1&safe=active@i
s@(google\..*/groups.*q=.*)@\1&safe=active@i
s@(google\..*/news.*q=.*)@\1&safe=active@i
s@(yandex\..*/yandsearch?.*text=.*)@\1&fyandex=1@i
s@(search\.yahoo\..*/search.*p=.*)@\1&vm=r&v=1@i
s@(search\.live\..*/.*q=.*)@\1&adlt=strict@i
s@(search\.msn\..*/.*q=.*)@\1&adlt=strict@i
s@(.*\.bing\..*/.*q=.*)@\1&adlt=strict@i
log block.log
}

              acl {

              default  {
              	pass !blk_BL_aggressive !blk_BL_alcohol !blk_BL_anonvpn !blk_BL_porn !blk_BL_recreation_martialarts !blk_BL_socialnet !blk_BL_spyware !blk_BL_violence !blk_BL_webphone !blk_BL_webradio !blk_BL_webtv blk_BL_adv blk_BL_automobile_bikes blk_BL_automobile_boats blk_BL_automobile_cars blk_BL_automobile_planes blk_BL_chat blk_BL_costtraps blk_BL_dating blk_BL_downloads blk_BL_drugs blk_BL_dynamic blk_BL_education_schools blk_BL_finance_banking blk_BL_finance_insurance blk_BL_finance_moneylending blk_BL_finance_other blk_BL_finance_realestate blk_BL_finance_trading blk_BL_fortunetelling blk_BL_forum blk_BL_gamble blk_BL_government blk_BL_hacking blk_BL_hobby_cooking blk_BL_hobby_games-misc blk_BL_hobby_games-online blk_BL_hobby_gardening blk_BL_hobby_pets blk_BL_homestyle blk_BL_hospitals blk_BL_imagehosting blk_BL_isp blk_BL_jobsearch blk_BL_library blk_BL_military blk_BL_models blk_BL_movies blk_BL_music blk_BL_news blk_BL_podcasts blk_BL_politics blk_BL_radiotv blk_BL_recreation_humor blk_BL_recreation_restaurants blk_BL_recreation_sports blk_BL_recreation_travel blk_BL_recreation_wellness blk_BL_redirector blk_BL_religion blk_BL_remotecontrol blk_BL_ringtones blk_BL_science_astronomy blk_BL_science_chemistry blk_BL_searchengines blk_BL_sex_education blk_BL_sex_lingerie blk_BL_shopping blk_BL_tracker blk_BL_updatesites blk_BL_urlshortener blk_BL_warez blk_BL_weapons blk_BL_webmail all
              	redirect http://10.1.1.1:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
              	rewrite safesearch
              	log block.log
              }
              

              }

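An added example, not squidGuard's code and not from the thread: a Python model of how squidGuard reads the "pass" line of the acl block posted above. Entries are tried left to right and the first dest whose domain list matches decides; "!dest" redirects, a bare dest passes, "all" matches every URL, and when nothing matches the request is blocked. It also lists the categories the posted line blocks (the 11 entries written with "!") and expands the macros of the posted redirect line. The three domain lists and the host names are constructed; the pass line and redirect template are copied from the post.

```python
# Constructed domain lists standing in for /var/db/squidGuard/<dest>/domains;
# the real blacklist files are not on the page, three dests show the logic.
DEST_DOMAINS = {
    "blk_BL_porn": {"adult.example"},
    "blk_BL_socialnet": {"social.example"},
    "blk_BL_news": {"news.example"},
}

# A short pass line with the same shape as the posted one: '!' entries are
# blocked, bare entries are explicitly passed, 'all' closes the line.
SHORT_PASS_LINE = "!blk_BL_porn !blk_BL_socialnet blk_BL_news all"

# The full pass line of the posted "acl { default { ... } }" block.
POSTED_PASS_LINE = (
    "!blk_BL_aggressive !blk_BL_alcohol !blk_BL_anonvpn !blk_BL_porn "
    "!blk_BL_recreation_martialarts !blk_BL_socialnet !blk_BL_spyware "
    "!blk_BL_violence !blk_BL_webphone !blk_BL_webradio !blk_BL_webtv "
    "blk_BL_adv blk_BL_automobile_bikes blk_BL_automobile_boats "
    "blk_BL_automobile_cars blk_BL_automobile_planes blk_BL_chat "
    "blk_BL_costtraps blk_BL_dating blk_BL_downloads blk_BL_drugs "
    "blk_BL_dynamic blk_BL_education_schools blk_BL_finance_banking "
    "blk_BL_finance_insurance blk_BL_finance_moneylending blk_BL_finance_other "
    "blk_BL_finance_realestate blk_BL_finance_trading blk_BL_fortunetelling "
    "blk_BL_forum blk_BL_gamble blk_BL_government blk_BL_hacking "
    "blk_BL_hobby_cooking blk_BL_hobby_games-misc blk_BL_hobby_games-online "
    "blk_BL_hobby_gardening blk_BL_hobby_pets blk_BL_homestyle blk_BL_hospitals "
    "blk_BL_imagehosting blk_BL_isp blk_BL_jobsearch blk_BL_library "
    "blk_BL_military blk_BL_models blk_BL_movies blk_BL_music blk_BL_news "
    "blk_BL_podcasts blk_BL_politics blk_BL_radiotv blk_BL_recreation_humor "
    "blk_BL_recreation_restaurants blk_BL_recreation_sports "
    "blk_BL_recreation_travel blk_BL_recreation_wellness blk_BL_redirector "
    "blk_BL_religion blk_BL_remotecontrol blk_BL_ringtones "
    "blk_BL_science_astronomy blk_BL_science_chemistry blk_BL_searchengines "
    "blk_BL_sex_education blk_BL_sex_lingerie blk_BL_shopping blk_BL_tracker "
    "blk_BL_updatesites blk_BL_urlshortener blk_BL_warez blk_BL_weapons "
    "blk_BL_webmail all"
)

# The redirect line of the posted block, squidGuard macros left in place.
POSTED_REDIRECT = ("http://10.1.1.1:80/sgerror.php"
                   "?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u")


def domain_in_list(host, domains):
    """domainlist semantics: an entry matches the host itself and every subdomain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def blocked_categories(pass_line):
    """Dests written with a leading '!' are the ones the line redirects."""
    return [token[1:] for token in pass_line.split() if token.startswith("!")]


def evaluate_pass(host, pass_line, dests):
    """Walk the pass line left to right; the first matching entry decides.
    'dest' passes, '!dest' redirects, 'all' matches every URL, 'none' matches
    none (so 'pass none' blocks). When nothing matches the request is blocked,
    as if the line ended in 'none'. Returns (decision, deciding token)."""
    for token in pass_line.split():
        negated = token.startswith("!")
        name = token.lstrip("!")
        if name == "all":
            return ("redirect" if negated else "pass"), token
        if name == "none":
            return ("pass" if negated else "redirect"), token
        if domain_in_list(host, dests.get(name, ())):
            return ("redirect" if negated else "pass"), token
    return "redirect", None


def redirect_url(template, client_ip, url, dest, source="default"):
    """Expand the macros of the posted redirect line by plain substitution
    (%a client address, %n client name, %i user id, %s source acl, %t target
    dest, %u requested URL). The '-' values for %n and %i are constructed
    placeholders; squidGuard's own escaping of the URL is not reproduced."""
    out = template
    for macro, value in (("%a", client_ip), ("%n", "-"), ("%i", "-"),
                         ("%s", source), ("%t", dest), ("%u", url)):
        out = out.replace(macro, value)
    return out


if __name__ == "__main__":
    for host in ("www.adult.example", "news.example", "www.other.example"):
        print(host, evaluate_pass(host, SHORT_PASS_LINE, DEST_DOMAINS))
    print(blocked_categories(POSTED_PASS_LINE))   # the 11 blocked categories
```

Running it shows the shape of the posted acl: a host in a "!" category is redirected to sgerror.php, anything else falls through to "all" and passes, and a pass line that ends without "all" blocks every host that no dest matched.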
• andre.junior

Alex, good morning,

I took a quick look; because of the rush at work I couldn't analyze it calmly, but this weekend I will look into it more deeply. Looking at the configurations, everything seems to be fine.

To move things along on your side, do the following:

1 - Stop the squidGuard service and try to do the blocking with squid only; that way we remove the doubt about whether there is some error in the configurations.

2 - After testing without squidGuard, and confirming that squid is blocking and allowing according to your needs, we will know that it may be some setting in squidGuard that is causing this malfunction.

3 - Once you have confirmed that it is SquidGuard, check the Common ACL and look at the redirect option; maybe that's it. Something similar happened to me, and looking at the Common ACL, they were interfering with my custom ACLs. Leave the default redirect (Int error page) and, in Target Rules List, leave Default access Allow (allowing everything) and do the blocking in your ACLs. Or set it to Deny (blocking everything) and do the allowing in your ACLs.
And see if the problem is solved.

4 - Also take a look at this channel, https://www.youtube.com/channel/UCiAi1UAkIPuPxYfdUcWinaw/videos
It helped me a lot with the Squid configuration on the version we are using, 2.4.3. His videos are a bit more current than the reference you used.

Best regards. Thanks.

• Alex Barbosa Ferreira

André, good afternoon!
Thanks for the reply. I'll do what you suggested and post whether it worked or not.
Many thanks for now.

• Alex Barbosa Ferreira

André, good morning!

I tested stopping the SquidGuard service and, that way, I couldn't access any URL.
After that test I reactivated the service and left everything allowed in Default Access Allow, and the error still persisted.

• ghislenidroid @Alex Barbosa Ferreira

@alex-barbosa-ferreira Good morning, friend. You are using a transparent proxy, right?
If so, did you create the certificate chain (CA and server certificate), associate it with the PF and install it on the client machines?

• Alex Barbosa Ferreira

Good afternoon!

I didn't get as far as creating the certificates. Is that necessary for a transparent proxy?

• ghislenidroid @Alex Barbosa Ferreira

@alex-barbosa-ferreira Yes, and install it machine by machine in the Trusted Root Certification Authorities folder.

• Alex Barbosa Ferreira

Thanks, I'll run the test and report whether it worked.

• andre.junior

Good evening Alex. Using a certificate, as our friend ghislenidroid said, is an alternative, since the proxy in transparent mode can't handle HTTPS. Take a look at this YouTube channel; there is a playlist just for pfSense: https://www.youtube.com/channel/UCiAi1UAkIPuPxYfdUcWinaw/videos

If the tests don't work out, I recommend doing a clean install and reconfiguring squid+squidGuard; there may be an error in the packages. You can follow the tutorials on that channel; I believe they will help you a lot.

Also post screenshots of the web interface, of the squid and squidguard configurations; if you can't post them here, send them to my e-mail apfjpe16@hotmail.com, so it's easier to analyze.

Regards.

• Alex Barbosa Ferreira

Good morning!

I did the recommended tests with version 2.4.3 and didn't get the expected result. So I did a clean install of version 2.3.4 and everything was resolved.
Many thanks for the support and guidance from everyone involved.
Regards.

• andre.junior

Alex, good afternoon,

Glad it all worked out, my friend. Oh, and don't forget to mark the topic as resolved. Best regards.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.