Netgate Discussion Forum

    2 issues related to dansguardian (ssl content filtering & xforwardedfor + squid)

    pfSense Packages
    7 Posts 2 Posters 3.1k Views
    • elemay

      Hi,

      I've got dansguardian running, forwarding to squid, on pfSense 2.0.1 amd64.

      dansguardian = LAN
      squid = loop

      I've 2 problems now :)

      1. If I want to enable SSL filtering I only get an error message like: sec_error_invalid_time

      I created the certs with cert manager in pfSense, all default options: one internal CA and one user cert.

      2. If I look at my lightsquid proxy report I only see localhost as the user requesting sites. I enabled use xforwardedfor in dansguardian (also tried use forwardedfor).

      Any hints?

      Thanks.

      • elemay

        OK :)

        SSL error seems related to http://forum.pfsense.org/index.php?topic=46207.0

        • marcelloc

          You need to change squid log format to change real ip to xforward ip.

          The SSL is an issue I could not fix yet.

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

          • elemay

            Hi,

            and thanks for your fast reply :)

            How do I change the log behaviour?

            I couldn't find it in the web GUI.

            Is it right to use xforwardedfor in dansguardian?

            thanks again :)

            • marcelloc

              This is the way to pass client real ip.

              I'm not sure if this log change can be done via squid gui.

              • elemay

                If I use the example method from squid-cache.org, edited to my needs:

                acl localhost src 127.0.0.1;acl my_other_proxy srcdomain .workgroup.local;follow_x_forwarded_for allow localhost;follow_x_forwarded_for allow my_other_proxy;log_uses_indirect_client on;

                I can't access the internet anymore. Squid tells me access denied.

                If anyone has an idea, I would be glad to hear :)

                • elemay

                  Hi,

                  Found the solution.

                  Add to squid custom options:

                  log_uses_indirect_client on;follow_x_forwarded_for allow localhost;

                  and in dansguardian choose:

                  General -> useforwardedfor

                  If you have more subnets using dansguardian and squid is only listening to loop, then add them to allowed subnets under access control in the squid config tab.

                  Have a nice day!
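
An added illustration, not part of the thread and not Squid's own code: this Python model follows the documented behaviour of `follow_x_forwarded_for` and `log_uses_indirect_client` to show which address ends up in the log, and why trust should stay limited to the loopback hop where dansguardian runs. The addresses, the LAN range and the assumption that the filter appends the client IP to any existing header are constructed for the example.

```python
import ipaddress

def indirect_client(direct_ip, xff_header, trusted_nets):
    """Simplified model of Squid's follow_x_forwarded_for backtracking."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    current = ipaddress.ip_address(direct_ip)
    # Read the header right to left, but only while the address we are
    # standing on is allowed by follow_x_forwarded_for. Stop at the first
    # address that is not allowed, or when the list is exhausted.
    while hops and any(current in net for net in trusted):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # model assumption: an unparsable entry ends the walk
    return str(current)

def logged_client(direct_ip, xff_header, trusted_nets,
                  log_uses_indirect_client=True):
    """Address written to access.log, which the lightsquid report reads."""
    if not log_uses_indirect_client:
        return direct_ip
    return indirect_client(direct_ip, xff_header, trusted_nets)

# follow_x_forwarded_for allow localhost
LOOPBACK_ONLY = ["127.0.0.1/32"]
# Constructed over-broad variant: the whole LAN is also trusted
LOOPBACK_AND_LAN = ["127.0.0.1/32", "192.168.1.0/24"]

if __name__ == "__main__":
    # (description, TCP peer seen by squid, X-Forwarded-For, trusted sources)
    cases = [
        ("filter sends no header", "127.0.0.1", "", LOOPBACK_ONLY),
        ("filter adds client IP", "127.0.0.1", "192.168.1.50", LOOPBACK_ONLY),
        ("client forged an entry", "127.0.0.1",
         "10.9.9.9, 192.168.1.50", LOOPBACK_ONLY),
        ("forged entry, LAN trusted", "127.0.0.1",
         "10.9.9.9, 192.168.1.50", LOOPBACK_AND_LAN),
    ]
    for name, peer, xff, trusted in cases:
        print(f"{name:28} -> {logged_client(peer, xff, trusted)}")
```

With only loopback trusted, the walk stops at the address dansguardian itself appended, so a header entry supplied by the client never reaches the log.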
