    Need to Allow certain sites through proxy [Solved]

    pfSense Packages

    Equiping:

      Prelim
      Oh man I feel woefully inadequate in this area and I apologise ahead of time for my inane questions. I have ordered the new pfSense book but that's not due to arrive till the end of December, I have trawled Google, this site and the pfSense main site and doc site for answers but I just can't find what I need so I've come here.

      I am administering our site, a contractor installed pfSense for us, and when I have asked him questions about our set-up I have gotten the distinct impression he did not really understand the system and certainly could not tell me how to achieve what I want to achieve.

      What I think I've worked out
      As far as I can tell our system is set up with pfSense as a peripheral firewall with squid proxy enabled. It is not a transparent proxy, our proxy port is 3128.

      I think I have worked out that basically any client request for a website is first evaluated by the squid proxy then passed on to the firewall for evaluation hence:

      LAN Client --> Squid Proxy = authorised user/password? OK --> Firewall = Not blocked site? --> WAN

      My problem
      I want to allow Ubuntu machines on our site to have unfettered access for updating and upgrading - i.e. they won't need to authenticate against the proxy to do updates and upgrades. I have entered IP ranges for the Ubuntu update sites in our firewall but I just don't have a clue about where to set these in the proxy.
      At the moment in /var/squid/log/access.log when an Ubuntu user tries to update or upgrade I get entries like:
      1258010920.301      1 192.168.5.118 TCP_DENIED/407 1927 GET http://au.archive.ubuntu.com/ubuntu/dists/karmic-security/multiverse/binary-amd64/Packages.gz - NONE/- text/html

      Now, as far as I can tell this is a block from the proxy not the firewall.

      My question
      What I would like to do is allow all requests to *.ubuntu.com free access not having to authenticate against the proxy - where do I set this and how please.

      TIA
      Karl

      Perry:

        Might help
        http://wiki.squid-cache.org/SquidFaq/WindowsUpdate#How_do_I_stop_Squid_popping_up_the_Authentication_box_for_Windows_Update.3F

        Equiping:

          Perry thanks for that. Do you know if it's possible to have the rule stating all sub domains of the main domain? What I mean is *.ubuntu.com rather than having to define all the possible sub domains such as au.archive.ubuntu.com, archive.ubuntu.com, changelog.ubuntu.com etc etc etc.

          Also, one of the benefits of pfSense is its ability to be controlled through the web GUI rather than modifying config files, so is there a way of achieving this through the GUI?

          I tried adding ubuntu.com and au.archive.ubuntu.com in "Proxy filter SquidGuard: Destinations" but I'm still being blocked with 407.

          Perry:

            The list shows

            acl windowsupdate dstdomain .update.microsoft.com

            so .ubuntu.com would be my guess.

            Equiping:

              yes that was my guess too. But when, within the pfSense web GUI, I entered that into
              "Proxy filter SquidGuard: Destinations" it comes back with

              The following input errors were detected:

              * DEST 'Ubuntu': Item '.ubuntu.com' is not a domain.

              I'm a bit loath to edit squid.conf directly for fear of breaking our system but I can do it as an experiment and restore a backed up copy I guess. So after editing squid.conf would the changes take place immediately or do I need to restart something? Similarly, after making changes in "Proxy filter SquidGuard: Destinations" should they be reflected immediately or does something need to be applied or restarted? There's no "Apply" button like in the Firewall section.

              mhab12:

                It's way easier than you're thinking, just put

                ubuntu.com

                in the whitelist under Proxy Server/Access Control and you'll be all set.  I can't comment on the integration between Squid Guard and Squid, but I would think this would override anything in Squid Guard that is blocking the domain.  Listing a domain in the white list without a leading period allows ALL sub-domains; if you only want to allow certain sub-domains, lead the entry with them, i.e.

                allowedsubdomain.ubuntu.com

                In Squid ACLs, a period is a wild card but it is not necessary when listing domains.  If you want to block sub-domains, you'll have to list those out in the blacklist.

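A way to check the two things this thread hinges on before editing the proxy: that the `TCP_DENIED/407` lines quoted in the first post are the proxy's own authentication prompt (so no firewall rule will ever clear them), and which destination hosts a candidate whitelist entry would actually admit under Squid's matching rules. This is an added example, not code from the thread, from pfSense or from Squid. The log lines after the first one are constructed, the host `ubuntu.com.attacker.example` is a made-up look-alike, and the assumption that the pfSense package evaluates the Access Control whitelist as a `dstdom_regex` (an unanchored regular expression) rather than a `dstdomain` list is mine; check the `acl whitelist` line in the generated squid.conf on your own box.

```python
"""
Added example, not code from the forum thread, pfSense or Squid: parse
Squid native access.log lines, keep the TCP_DENIED/407 entries that come
from the proxy's own authentication check, and test candidate whitelist
entries against those destination hosts before touching the proxy config.

Squid matching rules used here (from the Squid documentation):
  dstdomain   "ubuntu.com"  matches only the host ubuntu.com
  dstdomain   ".ubuntu.com" matches ubuntu.com and every subdomain of it
  dstdom_regex "ubuntu.com" is a regular expression searched anywhere in
              the host name (assumed here to be what the pfSense whitelist
              field turns into; verify in the generated squid.conf)
"""
import re
from urllib.parse import urlsplit

# Constructed sample log lines in Squid's native access.log format:
# time elapsed client code/status bytes method url ident hierarchy/peer type
# The first line is the one quoted in the thread; the rest are made up to
# exercise a CONNECT request, a non-407 denial and a look-alike host.
SAMPLE_LOG = """\
1258010920.301      1 192.168.5.118 TCP_DENIED/407 1927 GET http://au.archive.ubuntu.com/ubuntu/dists/karmic-security/multiverse/binary-amd64/Packages.gz - NONE/- text/html
1258010921.114      1 192.168.5.118 TCP_DENIED/407 1927 GET http://security.ubuntu.com/ubuntu/dists/karmic-security/Release - NONE/- text/html
1258010925.512    340 192.168.5.120 TCP_MISS/200 58321 GET http://www.example.com/index.html karl DIRECT/93.184.216.34 text/html
1258010930.007      1 192.168.5.118 TCP_DENIED/407 1927 CONNECT changelogs.ubuntu.com:443 - NONE/- text/html
1258010931.220      1 192.168.5.118 TCP_DENIED/407 1927 GET http://ubuntu.com.attacker.example/payload - NONE/- text/html
1258010932.418      1 192.168.5.118 TCP_DENIED/403 1650 GET http://notubuntu.com/ - NONE/- text/html
"""


def parse_native_line(line):
    """Split one native-format access.log line into the fields used below."""
    parts = line.split()
    if len(parts) < 10:
        return None
    code, _, status = parts[3].partition("/")
    return {
        "time": float(parts[0]),
        "client": parts[2],
        "code": code,            # e.g. TCP_DENIED, TCP_MISS
        "status": int(status),   # HTTP status Squid returned
        "method": parts[5],
        "url": parts[6],
        "ident": parts[7],       # "-" when the client did not authenticate
    }


def dest_host(method, url):
    """Destination host of a request. CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def proxy_auth_denials(log_text):
    """(client, host) pairs for requests Squid refused with 407.

    407 Proxy Authentication Required is issued by the proxy's own auth
    check; these requests never reached the firewall's outbound rules."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_native_line(line)
        if rec and rec["code"] == "TCP_DENIED" and rec["status"] == 407:
            hits.append((rec["client"], dest_host(rec["method"], rec["url"])))
    return hits


def dstdomain_match(entry, host):
    """Squid dstdomain: leading dot = domain plus all subdomains, else exact host."""
    entry = entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def dstdom_regex_match(pattern, host):
    """Squid dstdom_regex: unanchored, case-insensitive regex over the host name."""
    return re.search(pattern, host, re.IGNORECASE) is not None


def coverage(entries, hosts, matcher):
    """Map each host to the list of entries that would allow it (empty = still 407)."""
    return {h: [e for e in entries if matcher(e, h)] for h in hosts}


def report(log_text, entries, matcher):
    """Hosts the proxy refused with 407, and which entries would admit each one."""
    hosts = sorted({host for _, host in proxy_auth_denials(log_text)})
    return coverage(entries, hosts, matcher)


if __name__ == "__main__":
    candidates = [
        ("dstdomain .ubuntu.com", [".ubuntu.com"], dstdomain_match),
        ("dstdom_regex ubuntu.com (unanchored)", ["ubuntu.com"], dstdom_regex_match),
        ("dstdom_regex anchored", [r"(^|\.)ubuntu\.com$"], dstdom_regex_match),
    ]
    for name, entries, matcher in candidates:
        print(name)
        for host, hits in report(SAMPLE_LOG, entries, matcher).items():
            print(f"  {host:32} {'ALLOW' if hits else 'still 407'}")
```

Running it shows the practical difference between the two forms: `dstdomain .ubuntu.com` admits `au.archive.ubuntu.com`, `security.ubuntu.com` and the `CONNECT changelogs.ubuntu.com:443` request while still leaving `ubuntu.com.attacker.example` behind the 407, whereas an unanchored regex `ubuntu.com` also opens `notubuntu.com` and the look-alike host to unauthenticated clients. If the whitelist really is a regex on your install, anchor it (`(^|\.)ubuntu\.com$`). Two further points that apply whichever form you use: Squid evaluates `http_access` lines top-down and stops at the first match, so the allow for the update hosts has to sit above the line that requires proxy authentication; and an edited squid.conf takes effect after `squid -k reconfigure` (or a service restart), not on save.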
                Equiping:

                  mhab12 thanks for that, it was the key I was looking for.

                  © 2021 Rubicon Communications, LLC