Pfsense Squid block http traffic



  • Hi

    I am using a pfSense server and it is working fine. Today I have installed Squid on it and enabled transparent mode. Now our user can access the HTTPS traffic but can't browse the HTTP traffic. It is getting the error message.
    Please help me in this regard.
    Thank You
    Thisara



  • @tiperera said in Pfsense Squid block http traffic:

    it is getting the error message.

    I can't imagine why you wouldn't put the error message into your post.



  • Please find the error msg

    Access Denied

    Access control configuration prevents your request from being allowed at this time.

    Thanks



  • Squid doesn't typically control access. Did you also install squidguard?



  • Following as I've got a very similar issue.... except I'm not blocking everything :(

    Tried deleting all squid related config using the guide at:
    https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html

    But seemed to make no difference. Not running SquidGuard, but am using the devel version of pfSense.

    What's even odder is that if I don't use transparent proxy, and then specify the proxy in the web browser, I can access the site/s in question. When set to "Transparent Proxy", then the web browser gets the Access Denied message.

    Site trying to access: http://ffs-global.funplusgame.com/mobilegateway.php

    It's only normally used by an app to access Family Farm Seaside, but if you put it in a web browser, you can get a message of "{"domain":"phpweb","error_code":100010,"error_msg":"sso lost","data":[]}"

    Doing it with transparent proxy enabled gives me Access Denied!

    Have removed Squid for the moment, as my missus will go apes*** if she can't play her Apple game lol



  • Squid is basically useless these days except as a base for squidguard URL filtering. If you're not concerned about filtering, don't bother with squid. The benefit you get from the tiny amount of successful caching is more than offset by the hassles with connecting to some sites and other anomalies.



  • @landrocket
    The best way I have found to set up Squid on a home network is without transparent.
    It is pretty simple to set the proxy settings in the browser.

    It also has the added benefit that if you have a problem connecting you can reset your browser
    and just bypass the proxy until you figure out the problem (check the real-time logs).

    The way I set up mine is pretty much default. (Create Internal Cert. of Auth.)
    1) Enable Proxy
    2) Select LAN and Loopback
    3) Allow Users
    4) Resolve IPv4 first
    5) Disable ICMP Pinger helper
    6) Enable SSL filtering
    7) Splice Whitelist Bump otherwise
    8) Select LAN
    9) Proxy port: 3129
    10) Compatibility mode: intermediate
    11) Cert. Adapt Not Before
    12) X-Forward (transparent)
    13) Disable Via Header
    14) URL Whitespace (Strip)
    15) X-Forward (transparent)

    After you reboot the firewall you can go to the ACLs tab and enter sites that you don't
    want to SSL bump. Here is what I use: Windows Updates, Live Mail, OneDrive, Steam etc.
    Some of them might not be relevant anymore. But Steam will take the proxy down quick if
    it isn't whitelisted.
    I am sure there is a way around that but I didn't want to put in the effort.

    0_1540791260483_Whitelist.txt
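
For readers mapping the GUI steps in the post above to Squid itself, here is a sketch of the `squid.conf` directives those options are assumed to correspond to. It is an added example, not part of the original post and not the file pfSense generates; the ACL name `splice_only` and the two domains are constructed samples, since the attached whitelist is not reproduced on this page.

```conf
# Added illustration, not the poster's generated config.
# Listener lines (http_port ... ssl-bump with the internal CA) are omitted.

# General options from the list (assumed directive equivalents)
dns_v4_first on            # 4)  Resolve IPv4 first (Squid 3.x/4.x directive)
pinger_enable off          # 5)  Disable ICMP pinger helper
forwarded_for transparent  # 12) X-Forwarded-For mode: transparent
via off                    # 13) Disable Via header
uri_whitespace strip       # 14) URL whitespace handling: strip

# 7) "Splice Whitelist, Bump Otherwise"
# Constructed sample entries; a leading dot matches the domain
# and all of its subdomains.
acl splice_only ssl::server_name .windowsupdate.com
acl splice_only ssl::server_name .steampowered.com

acl step1 at_step SslBump1
ssl_bump peek step1          # read the TLS ClientHello (SNI) first
ssl_bump splice splice_only  # whitelisted: tunnel untouched, no interception
ssl_bump bump all            # everything else: decrypt with the internal CA
```

Spliced sites present the origin server's certificate to the client, while bumped sites present one signed by the internal CA, so that CA has to be trusted on each client.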