Netgate Discussion Forum

    Pfsense and squid proxy filter not block extension after update

    Cache/Proxy
    ricain59 last edited by ricain59

      Hi,

      I have updated to the latest version of pfSense, but after the reboot the Squid proxy filter was not present.
      I have reinstalled it and rebooted, and it is present again, but the block on file extensions is not working.

      In Target categories -> Regular expression I have this:

      (./..(ade|adp|app|bas|bat|cab|cmd|com|cpl|dll|exe|gz|inf|ini|msi|prg|scf|scr|vbe|vbs|vb|bz2|cdr|cue|dmg|hqx|sea|sit|smi|avi|midi|mov|mp3|mp4|mpeg|mpg|ogg|qt|rar|wav|wma|wmf|wmv|zip|7z))

      But it does not filter after the update.

      Am I doing anything wrong?

      Thank you for your help

      ricain59 last edited by ricain59

        Does anyone have a solution for my problem?
        Thank you

        KOM @ricain59 last edited by

          @ricain59 Have you looked in squidguard's log?

          ricain59 @KOM last edited by

            @kom Yes, but the extension block does not appear there :(

            KOM @ricain59 last edited by KOM

              @ricain59 Is it blocking anything? Is squidguard working at all?

              The pfSense docs show a different string. Yours has a forward slash and periods that I don't understand. Netgate uses:

              (.*\/.*\.(asf|wm|wma|wmv|zip|rar|cab|mp3|avi|mpg|swf|exe|mpeg|mp.|mpv|mp3|wm.|vpu))
              

              Configuring the SquidGuard Package

              Edit: I just tried it myself and while it blocks domains in my blacklist category, it doesn't block the download of an .exe file when I use the Netgate string.

              ricain59 last edited by
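The two expressions above behave very differently on real URLs. The following Python script is added here and is not from the thread or from Netgate; it runs both expressions with Python's `re` module (assumed to be close enough to squidGuard's POSIX regex engine for this basic syntax) against a few constructed URLs, to show why the posted prefix `./..` almost never hits: it requires the extension to start exactly two characters after a slash.

```python
import re

# Expression typed into the pfSense target category in the original post (verbatim).
POSTED_EXPR = (r"(./..(ade|adp|app|bas|bat|cab|cmd|com|cpl|dll|exe|gz|inf|ini|msi|prg"
               r"|scf|scr|vbe|vbs|vb|bz2|cdr|cue|dmg|hqx|sea|sit|smi|avi|midi|mov|mp3"
               r"|mp4|mpeg|mpg|ogg|qt|rar|wav|wma|wmf|wmv|zip|7z))")

# Expression from the Netgate documentation as quoted by KOM (verbatim).
NETGATE_EXPR = (r"(.*\/.*\.(asf|wm|wma|wmv|zip|rar|cab|mp3|avi|mpg|swf|exe|mpeg|mp."
                r"|mpv|mp3|wm.|vpu))")

# Constructed sample URLs (example.net / example.org are reserved documentation names).
SAMPLE_URLS = [
    "http://downloads.example.net/tools/setup.exe",  # download inside a subfolder
    "http://downloads.example.net/a.exe",            # one-letter name right after the slash
    "http://cdn.example.net/media/clip.mp4",         # media file, Netgate matches via 'mp.'
    "http://www.example.net/p/exe-tools/",           # a directory, no file at all
    "http://www.example.org/index.html",             # plain page, should never match
]


def matches(expr: str, url: str) -> bool:
    """Unanchored search over the whole URL, the way an expression-list entry
    is applied to a request. Python's re stands in for squidGuard's regex
    engine here (an assumption made for this example)."""
    return re.search(expr, url) is not None


def compare(urls=SAMPLE_URLS):
    """Return {url: (posted_hit, netgate_hit)} for every sample URL."""
    return {u: (matches(POSTED_EXPR, u), matches(NETGATE_EXPR, u)) for u in urls}


def slash_windows(url: str):
    """For each '/' in the URL, return the two characters that './..' skips and
    the text where the extension would then have to begin. Only a window whose
    second element starts with a listed extension can ever match."""
    return [(url[i + 1:i + 3], url[i + 3:i + 8]) for i, c in enumerate(url) if c == "/"]


if __name__ == "__main__":
    for url, (posted, netgate) in compare().items():
        print(f"{url:48} posted={posted!s:5} netgate={netgate}")
    print(slash_windows("http://downloads.example.net/tools/setup.exe"))
```

Neither expression is anchored at the end of the URL, and both only ever see what the rewriter is handed: for HTTPS that is passed through as a plain CONNECT that is just host:port, so no path-based expression can match those downloads.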

                Yes, it blocks domains but not file downloads. Nothing about a block appears in the log.
                Is there any way to resolve this?

                viktor_g Netgate @ricain59 last edited by

                  @ricain59 said in Pfsense and squid proxy filter not block extension after update:

                  Yes, it blocks domains but not file downloads. Nothing about a block appears in the log.
                  Is there any way to resolve this?

                  Could you show the generated /usr/local/etc/squid/squid.conf file?

                  ricain59 @viktor_g last edited by

                    @viktor_g said in Pfsense and squid proxy filter not block extension after update:

                    /usr/local/etc/squid/squid.conf

                    Of course, the file:

                    # This file is automatically generated by pfSense
                    # Do not edit manually !
                    
                    http_port x.x.x.x:8080
                    http_port 127.0.0.1:8080
                    tcp_outgoing_address x.x.x.x
                    icp_port 0
                    digest_generation off
                    dns_v4_first off
                    pid_filename /var/run/squid/squid.pid
                    cache_effective_user squid
                    cache_effective_group proxy
                    error_default_language pt
                    icon_directory /usr/local/etc/squid/icons
                    visible_hostname localhost
                    cache_mgr help-desk@fafedis.pt
                    access_log /var/squid/logs/access.log
                    cache_log /var/squid/logs/cache.log
                    cache_store_log none
                    netdb_filename /var/squid/logs/netdb.state
                    pinger_enable on
                    pinger_program /usr/local/libexec/squid/pinger
                    
                    logfile_rotate 0
                    debug_options rotate=0
                    shutdown_lifetime 3 seconds
                    # Allow local network(s) on interface(s)
                    acl localnet src  x.x.x.0/24 127.0.0.0/8
                    forwarded_for on
                    uri_whitespace strip
                    
                    acl dynamic urlpath_regex cgi-bin \?
                    cache deny dynamic
                    
                    cache_mem 512 MB
                    maximum_object_size_in_memory 256 KB
                    memory_replacement_policy heap GDSF
                    cache_replacement_policy heap LFUDA
                    minimum_object_size 0 KB
                    maximum_object_size 4 MB
                    cache_dir ufs /var/squid/cache 3000 16 256
                    offline_mode off
                    cache_swap_low 90
                    cache_swap_high 95
                    cache allow all
                    # Add any of your own refresh_pattern entries above these.
                    refresh_pattern ^ftp:    1440  20%  10080
                    refresh_pattern ^gopher:  1440  0%  1440
                    refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
                    refresh_pattern .    0  20%  4320
                    
                    
                    #Remote proxies
                    
                    
                    # Setup some default acls
                    # ACLs all, manager, localhost, and to_localhost are predefined.
                    acl allsrc src all
                    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 80 8080 3129 1025-65535
                    acl sslports port 443 563 80
                    
                    acl purge method PURGE
                    acl connect method CONNECT
                    
                    # Define protocols used for redirects
                    acl HTTP proto HTTP
                    acl HTTPS proto HTTPS
                    acl allowed_subnets src x.x.x.0/24
                    acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
                    acl sslwhitelist ssl::server_name_regex -i "/var/squid/acl/whitelist.acl"
                    acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
                    http_access allow manager localhost
                    
                    http_access deny manager
                    http_access allow purge localhost
                    http_access deny purge
                    http_access deny !safeports
                    http_access deny CONNECT !sslports
                    
                    # Always allow localhost connections
                    http_access allow localhost
                    
                    request_body_max_size 0 KB
                    delay_pools 1
                    delay_class 1 2
                    delay_parameters 1 -1/-1 -1/-1
                    delay_initial_bucket_level 100
                    delay_access 1 allow allsrc
                    
                    # Reverse Proxy settings
                    
                    
                    # Package Integration
                    url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
                    url_rewrite_bypass off
                    url_rewrite_children 16 startup=8 idle=4 concurrency=0
                    
                    # Custom options before auth
                    
                    
                    # Always allow access to whitelist domains
                    http_access allow whitelist
                    # Block access to blacklist domains
                    http_access deny blacklist
                    # Set YouTube safesearch restriction
                    acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
                    request_header_access YouTube-Restrict deny all
                    request_header_add YouTube-Restrict none youtubedst
                    auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /var/etc/squid.passwd
                    auth_param basic children 5
                    auth_param basic realm Please enter your credentials to access the proxy
                    auth_param basic credentialsttl 5 minutes
                    acl password proxy_auth REQUIRED
                    authenticate_ip_ttl 5 minute
                    # Custom options after auth
                    
                    
                    http_access allow password localnet
                    http_access allow password allowed_subnets
                    # Default block all to be sure
                    http_access deny allsrc
                    
                    icap_enable on
                    icap_send_client_ip on
                    icap_send_client_username on
                    icap_client_username_encode off
                    icap_client_username_header X-Authenticated-User
                    icap_preview_enable on
                    icap_preview_size 1024
                    
                    icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
                    adaptation_access service_avi_req allow all
                    icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
                    adaptation_access service_avi_resp allow all
                    
                    
                    ricain59 last edited by

                      Can anyone help?

                      Thank you
