Netgate Discussion Forum
    Need to Allow certain sites through proxy [Solved]

    pfSense Packages
    • Equiping

      Prelim
      Oh man I feel woefully inadequate in this area and I apologise ahead of time for my inane questions. I have ordered the new pfSense book but that's not due to arrive till the end of December, I have trawled Google, this site and the pfSense main site and doc site for answers but I just can't find what I need so I've come here.

      I am administering our site, a contractor installed pfSense for us, and when I have asked him questions about our set-up I have gotten the distinct impression he did not really understand the system and certainly could not tell me how to achieve what I want to achieve.

      What I think I've worked out
      As far as I can tell our system is set up with pfSense as a peripheral firewall with squid proxy enabled. It is not a transparent proxy, our proxy port is 3128.

      I think I have worked out that basically any client request for a website is first evaluated by the squid proxy then passed on to the firewall for evaluation hence:

      LAN Client --> Squid Proxy = authorised user/password? OK --> Firewall = Not blocked site? --> WAN

      My problem
      I want to allow Ubuntu machines on our site to have unfettered access for updating and upgrading, i.e. they won't need to authenticate against the proxy to do updates and upgrades. I have entered IP ranges for the Ubuntu update sites in our firewall but I just don't have a clue about where to set these in the proxy.
      At the moment in /var/squid/log/access.log when an Ubuntu user tries to update or upgrade I get entries like:
      1258010920.301      1 192.168.5.118 TCP_DENIED/407 1927 GET http://au.archive.ubuntu.com/ubuntu/dists/karmic-security/multiverse/binary-amd64/Packages.gz - NONE/- text/html

      Now, as far as I can tell this is a block from the proxy not the firewall.

      My question
      What I would like to do is allow all requests to *.ubuntu.com free access, not having to authenticate against the proxy. Where do I set this and how, please?

      TIA
      Karl

      1.2.3-RC3
      built on Tue Oct 6 01:32:12 UTC 2009

      • Perry

        Might help
        http://wiki.squid-cache.org/SquidFaq/WindowsUpdate#How_do_I_stop_Squid_popping_up_the_Authentication_box_for_Windows_Update.3F

        /Perry
        doc.pfsense.org

        • Equiping

          Perry, thanks for that. Do you know if it's possible to have the rule state all subdomains of the main domain? What I mean is *.ubuntu.com rather than having to define all the possible subdomains such as au.archive.ubuntu.com, archive.ubuntu.com, changelog.ubuntu.com etc. etc. etc.

          Also, one of the benefits of pfSense is its ability to be controlled through the web GUI rather than modifying config files, so is there a way of achieving this through the GUI?

          I tried adding ubuntu.com and au.archive.ubuntu.com in "Proxy filter SquidGuard: Destinations" but I'm still being blocked with 407.

          1.2.3-RC3
          built on Tue Oct 6 01:32:12 UTC 2009

          • Perry

            The list shows

            acl windowsupdate dstdomain .update.microsoft.com

            so .ubuntu.com would be my guess.

            /Perry
            doc.pfsense.org

            • Equiping

              Yes, that was my guess too. But when, within the pfSense web GUI, I entered that into
              "Proxy filter SquidGuard: Destinations" it comes back with

              The following input errors were detected:

              * DEST 'Ubuntu': Item '.ubuntu.com' is not a domain.

              I'm a bit loath to edit squid.conf directly for fear of breaking our system, but I can do it as an experiment and restore a backed-up copy, I guess. So after editing squid.conf, would the changes take place immediately or do I need to restart something? Similarly, after making changes in "Proxy filter SquidGuard: Destinations", should they be reflected immediately or does something need to be applied or restarted? There's no "Apply" button like in the Firewall section.

              1.2.3-RC3
              built on Tue Oct 6 01:32:12 UTC 2009

              • mhab12

                It's way easier than you're thinking, just put

                ubuntu.com

                in the whitelist under Proxy Server/Access Control and you'll be all set. I can't comment on the integration between SquidGuard and Squid, but I would think this would override anything in SquidGuard that is blocking the domain. Listing a domain in the whitelist without a leading period allows ALL subdomains; if you only want to allow certain subdomains, lead the entry with them, i.e.

                allowedsubdomain.ubuntu.com

                In Squid ACLs, a period is a wildcard, but it is not necessary when listing domains. If you want to block subdomains, you'll have to list those out in the blacklist.

                • Equiping
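                The thread turns on how Squid matches a destination against a domain list: Perry's `acl ... dstdomain .update.microsoft.com` form (a leading dot matches the domain and all its subdomains; without the dot, `dstdomain` matches that exact host only), versus mhab12's advice that a bare `ubuntu.com` in the pfSense Proxy Server whitelist already covers every subdomain. The two are consistent if the whitelist is applied as a case-insensitive domain regex (`dstdom_regex -i`), which is how I understand the pfSense squid package writes it; treat that as an assumption. The Python below is an added example written for this thread, not pfSense or Squid code. It parses a native-format access.log line of the same shape as the TCP_DENIED/407 line quoted above (the sample is constructed), models both matching rules, and shows the check a defender should add before trusting a regex whitelist: an unanchored `ubuntu.com` also matches unrelated hosts that merely contain those characters, because `.` matches any character.

```python
"""Model of Squid destination-domain matching applied to an access.log line.
Added example for the thread above; not pfSense or Squid source code."""
import re
from urllib.parse import urlsplit

# Constructed sample line, same shape as the TCP_DENIED/407 entry in the thread.
SAMPLE_LOG = (
    "1258010920.301      1 192.168.5.118 TCP_DENIED/407 1927 GET "
    "http://au.archive.ubuntu.com/ubuntu/dists/karmic-security/multiverse/"
    "binary-amd64/Packages.gz - NONE/- text/html"
)


def parse_native_log(line):
    """Split a Squid native access.log line into named fields.
    Field order: time elapsed client code/status bytes method URL ident peer/host type."""
    f = line.split()
    code, _, status = f[3].partition("/")
    return {"client": f[2], "code": code, "status": int(status),
            "method": f[5], "url": f[6],
            "host": (urlsplit(f[6]).hostname or "").lower()}


def dstdomain_match(entry, host):
    """Squid 'dstdomain' rule: '.example.com' matches example.com and every
    subdomain; 'example.com' (no leading dot) matches that single host only."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def dstdom_regex_match(pattern, host):
    """Squid 'dstdom_regex -i' rule: case-insensitive regex *search* over the
    host, so an unanchored 'ubuntu.com' is effectively a substring match."""
    return re.search(pattern, host, re.IGNORECASE) is not None


def anchored_domain_regex(domain):
    """Regex that matches exactly this domain and its subdomains, nothing else.
    Use this shape when a whitelist is implemented with dstdom_regex."""
    return r"(^|\.)" + re.escape(domain) + r"$"


def bypasses_auth(host, dstdomain_entries=(), regex_entries=()):
    """Would this destination be matched by the bypass ACLs (and so never hit
    the proxy_auth check, avoiding the 407 seen in the log)?"""
    return (any(dstdomain_match(e, host) for e in dstdomain_entries)
            or any(dstdom_regex_match(p, host) for p in regex_entries))


if __name__ == "__main__":
    rec = parse_native_log(SAMPLE_LOG)
    print(rec["status"], rec["host"])
    print("dstdomain ubuntu.com :", bypasses_auth(rec["host"], ["ubuntu.com"]))
    print("dstdomain .ubuntu.com:", bypasses_auth(rec["host"], [".ubuntu.com"]))
    print("regex ubuntu.com     :", bypasses_auth(rec["host"], regex_entries=["ubuntu.com"]))
    print("regex over-match     :", bypasses_auth("ubuntuxcom.evil.example", regex_entries=["ubuntu.com"]))
    print("anchored regex       :", bypasses_auth("ubuntuxcom.evil.example",
                                                  regex_entries=[anchored_domain_regex("ubuntu.com")]))
```

                Whichever ACL type the GUI generates, the bypass only works if its `http_access allow` line is ordered before the `http_access deny !auth` (or equivalent) line that produces the 407, which is the point the Squid FAQ page Perry linked makes; after editing squid.conf by hand the running process must reload its configuration before the change takes effect.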

                  mhab12, thanks for that; it was the key I was looking for.

                  1.2.3-RC3
                  built on Tue Oct 6 01:32:12 UTC 2009

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.