Netgate Discussion Forum

Pfsense and squid proxy filter not block extension after update

  • R
    ricain59
    last edited by ricain59 May 21, 2021, 1:48 PM May 21, 2021, 1:17 PM

    Hi,

    I have updated to the latest version of pfSense, but on reboot the squid proxy filter was not present.
    I have reinstalled and rebooted and it is present again, but blocking by file extension is not working.

    In Target Categories -> Regular Expression I have this:

    (./..(ade|adp|app|bas|bat|cab|cmd|com|cpl|dll|exe|gz|inf|ini|msi|prg|scf|scr|vbe|vbs|vb|bz2|cdr|cue|dmg|hqx|sea|sit|smi|avi|midi|mov|mp3|mp4|mpeg|mpg|ogg|qt|rar|wav|wma|wmf|wmv|zip|7z))

    But it does not filter after the update.

    Am I doing anything wrong?

    Thank you for your help

    • R
      ricain59
      last edited by ricain59 Jun 1, 2021, 1:07 PM Jun 1, 2021, 1:07 PM

      Anyone for my problem?
      thank you

      • K
        KOM @ricain59
        last edited by Jun 1, 2021, 2:10 PM

        @ricain59 Have you looked in squidguard's log?

        • R
          ricain59 @KOM
          last edited by Jun 1, 2021, 3:10 PM

          @kom Yes, but the extension block does not appear :(

          • K
            KOM @ricain59
            last edited by KOM Jun 1, 2021, 3:42 PM Jun 1, 2021, 3:23 PM

            @ricain59 Is it blocking anything? Is squidguard working at all?

            The pfSense docs show a different string. Yours has a forward slash and periods that I don't understand. Netgate uses:

            (.*\/.*\.(asf|wm|wma|wmv|zip|rar|cab|mp3|avi|mpg|swf|exe|mpeg|mp.|mpv|mp3|wm.|vpu))
            

            Configuring the SquidGuard Package

            Edit: I just tried it myself and while it blocks domains in my blacklist category, it doesn't block the download of an .exe file when I use the Netgate string.

            1 Reply Last reply Reply Quote 1
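An added example, not part of any post in this thread: it runs the two expressions quoted above against constructed request URLs so their matching behaviour can be compared. Python's `re` stands in for squidGuard's regex engine (an assumption), the extension list of the first pattern is shortened, and all URLs and function names are made up for illustration.

```python
import re

# Patterns as they appear in the thread. Python's re stands in for the regex
# engine squidGuard uses (an assumption; these constructs behave the same).
POSTED = r"(./..(exe|msi|zip|7z))"  # first post as rendered, list shortened
DOCS = (r"(.*\/.*\.(asf|wm|wma|wmv|zip|rar|cab|mp3|avi|mpg|swf|exe|mpeg|"
        r"mp.|mpv|mp3|wm.|vpu))")   # string KOM quotes from the pfSense docs

# Constructed sample inputs (not taken from any log in the thread).
SAMPLES = [
    "http://downloads.example.com/tools/setup.exe",  # plain HTTP download
    "http://example.com/docs/setup.exe.html",        # ".exe" in mid-name
    "http://example.com/notes.mpx",                  # "mp." takes any char
    "http://www.example.org/index.html",             # ordinary page
    "http://example.com/a/bcexe",                    # no dot before "exe"
    # What a URL rewriter is handed for a tunnelled HTTPS (CONNECT)
    # request: host:port only, with no path to match an extension on.
    "downloads.example.com:443",
]


def blocked_by(pattern, url):
    """True if an unanchored search for the pattern hits the URL."""
    return re.search(pattern, url) is not None


def compare(urls=SAMPLES):
    """Map each URL to (hit by POSTED, hit by DOCS)."""
    return {u: (blocked_by(POSTED, u), blocked_by(DOCS, u)) for u in urls}


if __name__ == "__main__":
    for url, (posted, docs) in compare().items():
        print(f"{url:46} posted={posted!s:5} docs={docs}")
```

The pattern from the docs is unanchored, so it also hits `setup.exe.html` and `notes.mpx`; appending `($|\?)` after the extension group would restrict it to names that end in a listed extension.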
            • R
              ricain59
              last edited by Jun 2, 2021, 9:51 AM

              Yes, it blocks domains but not file downloads. Nothing about the block appears in the log.
              Any way to resolve this?

              • V
                viktor_g Netgate @ricain59
                last edited by Jun 2, 2021, 11:40 AM

                @ricain59 said in Pfsense and squid proxy filter not block extension after update:

                Yes, it blocks domains but not file downloads. Nothing about the block appears in the log.
                Any way to resolve this?

                Could you show the generated /usr/local/etc/squid/squid.conf file?

                • R
                  ricain59 @viktor_g
                  last edited by Jun 2, 2021, 11:48 AM

                  @viktor_g said in Pfsense and squid proxy filter not block extension after update:

                  /usr/local/etc/squid/squid.conf

                  Of course, the file:

                  # This file is automatically generated by pfSense
                  # Do not edit manually !
                  
                  http_port x.x.x.x:8080
                  http_port 127.0.0.1:8080
                  tcp_outgoing_address x.x.x.x
                  icp_port 0
                  digest_generation off
                  dns_v4_first off
                  pid_filename /var/run/squid/squid.pid
                  cache_effective_user squid
                  cache_effective_group proxy
                  error_default_language pt
                  icon_directory /usr/local/etc/squid/icons
                  visible_hostname localhost
                  cache_mgr help-desk@fafedis.pt
                  access_log /var/squid/logs/access.log
                  cache_log /var/squid/logs/cache.log
                  cache_store_log none
                  netdb_filename /var/squid/logs/netdb.state
                  pinger_enable on
                  pinger_program /usr/local/libexec/squid/pinger
                  
                  logfile_rotate 0
                  debug_options rotate=0
                  shutdown_lifetime 3 seconds
                  # Allow local network(s) on interface(s)
                  acl localnet src  x.x.x.0/24 127.0.0.0/8
                  forwarded_for on
                  uri_whitespace strip
                  
                  acl dynamic urlpath_regex cgi-bin \?
                  cache deny dynamic
                  
                  cache_mem 512 MB
                  maximum_object_size_in_memory 256 KB
                  memory_replacement_policy heap GDSF
                  cache_replacement_policy heap LFUDA
                  minimum_object_size 0 KB
                  maximum_object_size 4 MB
                  cache_dir ufs /var/squid/cache 3000 16 256
                  offline_mode off
                  cache_swap_low 90
                  cache_swap_high 95
                  cache allow all
                  # Add any of your own refresh_pattern entries above these.
                  refresh_pattern ^ftp:    1440  20%  10080
                  refresh_pattern ^gopher:  1440  0%  1440
                  refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
                  refresh_pattern .    0  20%  4320
                  
                  
                  #Remote proxies
                  
                  
                  # Setup some default acls
                  # ACLs all, manager, localhost, and to_localhost are predefined.
                  acl allsrc src all
                  acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 80 8080 3129 1025-65535
                  acl sslports port 443 563 80
                  
                  acl purge method PURGE
                  acl connect method CONNECT
                  
                  # Define protocols used for redirects
                  acl HTTP proto HTTP
                  acl HTTPS proto HTTPS
                  acl allowed_subnets src x.x.x.0/24
                  acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
                  acl sslwhitelist ssl::server_name_regex -i "/var/squid/acl/whitelist.acl"
                  acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
                  http_access allow manager localhost
                  
                  http_access deny manager
                  http_access allow purge localhost
                  http_access deny purge
                  http_access deny !safeports
                  http_access deny CONNECT !sslports
                  
                  # Always allow localhost connections
                  http_access allow localhost
                  
                  request_body_max_size 0 KB
                  delay_pools 1
                  delay_class 1 2
                  delay_parameters 1 -1/-1 -1/-1
                  delay_initial_bucket_level 100
                  delay_access 1 allow allsrc
                  
                  # Reverse Proxy settings
                  
                  
                  # Package Integration
                  url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
                  url_rewrite_bypass off
                  url_rewrite_children 16 startup=8 idle=4 concurrency=0
                  
                  # Custom options before auth
                  
                  
                  # Always allow access to whitelist domains
                  http_access allow whitelist
                  # Block access to blacklist domains
                  http_access deny blacklist
                  # Set YouTube safesearch restriction
                  acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
                  request_header_access YouTube-Restrict deny all
                  request_header_add YouTube-Restrict none youtubedst
                  auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /var/etc/squid.passwd
                  auth_param basic children 5
                  auth_param basic realm Please enter your credentials to access the proxy
                  auth_param basic credentialsttl 5 minutes
                  acl password proxy_auth REQUIRED
                  authenticate_ip_ttl 5 minute
                  # Custom options after auth
                  
                  
                  http_access allow password localnet
                  http_access allow password allowed_subnets
                  # Default block all to be sure
                  http_access deny allsrc
                  
                  icap_enable on
                  icap_send_client_ip on
                  icap_send_client_username on
                  icap_client_username_encode off
                  icap_client_username_header X-Authenticated-User
                  icap_preview_enable on
                  icap_preview_size 1024
                  
                  icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
                  adaptation_access service_avi_req allow all
                  icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
                  adaptation_access service_avi_resp allow all
                  
                  
                  • R
                    ricain59
                    last edited by Jun 15, 2021, 10:48 AM

                    Anyone for help?

                    Thank you
