PfSense 2.1 and Squid3 HTTPS authentication issues (SERIOUS SQUID EXPERT NEEDED)



  • Hi. Using the latest pfSense snapshots together with the squid3 package, I'm getting some security and browsing issues.

    I have to say that latest pfSense snapshots look and work even better than pfSense 2.0.1 so i'm using the latest snapshots for production environment even if tons of people want to suggest me not to.

    The only issue i'm having is with Squid3 installed from pfSense packages.
    No matter what settings I use, I always have issues logging into Facebook. Sometimes it does log in, but then it doesn't work properly. Sometimes it even shows me other clients' Facebook walls, but it soon requires me to log in.
    That means that i can actually have a preview of other facebook walls that belong to other people without logging into theirs.

    Sometimes it just tries to log in but then facebook tells me i have cookies turned off!

    Below I have pasted the Squid settings I have been using for several months; they always worked well.

    A nice gentleman in this forum told me to set dns_v4_first on; (default is off) to make sure https works fine in IPv4 networks but no matter if dns_v4_first is on or off the facebook login issue is still there.

    Gmail, Hotmail and other HTTPS websites didn't work at all until November 2012, when somebody fixed the latest squid package. Now it works with Gmail, Hotmail and so on, but with Facebook there are still issues. Maybe there are problems with other HTTPS websites as well, but I have not tested squid3 enough to find out more.

    This is my squid configuration setting: please tell me if there is something that could affect HTTPS compatibility and caching efficiency.
    Note that this is the most aggressive caching config i could set for squid.
    It always worked fine until i used the latest squid3 packages.
    It also works fine with squid 2.7 and Lusca cache.

    # URL-prefix refresh rules.
    # refresh_pattern syntax: regex, min age (minutes), percent of object age,
    # max age (minutes), then options. Rules are checked in the order listed and
    # the first regex that matches is the one used.
    # Every rule in this group carries ignore-private, ignore-no-store and
    # ignore-no-cache, so Squid disregards the origin's Cache-Control: private,
    # no-store and no-cache. On a shared proxy that allows one user's
    # personalised response to be stored and handed to a different client, which
    # is consistent with the "other people's Facebook walls" symptom in the post.
    # override-expire, ignore-reload and ignore-must-revalidate additionally keep
    # such a copy in use despite the server's expiry data or a client reload.
    # NOTE(review): many patterns look damaged by the forum paste (wildcards
    # missing, some rules split across two lines) -- compare with the original
    # configuration before reusing any of them.
    # NOTE(review): as pasted, the first pattern ".$" matches any non-empty URL
    # and would shadow every rule after it -- confirm against the original.
    refresh_pattern -i .$ 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://
    99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://- 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://-.com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://-.net 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://. 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://.-* 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://.-.com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://
    .-.net 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://..* 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://..- 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://..-.com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://..-.net 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://... 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://...-* 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://...-.com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://
    ...-.net 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://....* 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://....- 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://....com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://....net 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://...com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://
    ...net 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://..co.th 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://..com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://..in.th 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://..net 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://..org 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://.co.th 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://
    .com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://.gg.in.th 99999 999999% 99999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://
    .in.th 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://.net 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://
    .org 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www.....com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www.....net 99999 999999% 99999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www....com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www.
    ...net 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www...co.th 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www...com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www...in.th 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www...net 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www...org 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www..co.th 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www.
    .com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www..in.th 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www.
    .net 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^http://www..org 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    # NOTE(review): the ^https:// rules below can only take effect where Squid
    # sees the full https:// URL (i.e. the TLS traffic is being intercepted);
    # confirm whether that is the case in this setup. If it is, the same
    # ignore-private / ignore-no-store options would then apply to logged-in pages.
    refresh_pattern -i ^https://
    .com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^https://.in.th 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^https://www.
    .com 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i ^https://www.*.in.th 99999 999999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    # File-extension refresh rules: media, images, documents, executables,
    # archives, fonts, disk images, source files, data files and web pages.
    # Each rule uses a minimum age of 99999 minutes together with override-expire,
    # ignore-reload, ignore-private, ignore-no-store and ignore-no-cache, so a
    # stored copy keeps being served regardless of the origin's cache headers or
    # a client reload.
    # NOTE(review): the leading "." is unescaped as pasted and therefore matches
    # any character; the original was presumably "\." -- confirm.
    # NOTE(review): the last rule covers htm/html/php/asp/jsp/cgi, i.e. pages that
    # are often generated per user; with ignore-private these can be shared
    # between clients. The exe/msi/dll/sys/rpm/deb/jar rules mean clients can
    # keep receiving an old binary after the origin has published a newer one.
    refresh_pattern -i .(3g2|3gp|asf|asx|avi|divx|flv|iff|ifo|m3u|m4a|m4v|mov|mpa|mpeg|mpe|qt|qtm|viv|mpg|ogg|rm|rmvb|scr|swf|vob|wmv|x-flv|xvid)$ 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate override-lastmod store-stale;
    refresh_pattern -i .(aif|aiff|amr|cda|mid|wav|wma|midi|au|ram|ra|snd|mp2|mp3|mp4)$ 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i .(3dm|ai|ani|art|bmp|cdr|cdt|cmf|cur|drw|dwg|dxf|eps|eps2|gif|icl|icm|ico|indd|jpeg|jpg|jpe|max|pct|pcx|png)$ 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i .(ps|psd|psp|qxd|qxp|rels|svg|tga|thm|tif|tiff|wmf|wrl|xbm|xcf|xif|yuv|pnm|pbm|pgm|ppm|rgb|xpm|xwd|pic|pict)$ 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i .(accdb|bfc|cbr|chm|csv|db|dbf|doc|docx|dot|hlp|kml|Kmz|lab|log|mdb|msg|odt|ost|pages|pdb|pdf|pps|txt|ppt|pptx|pst|pub|rtf|wpd|wps|wri|xlr|xls|xlsx|xlt)$ 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i .(app|bat|cmd|com|exe|gadget|msi|pif|vb|wsf|torrent)$ 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private reload-into-ims ignore-must-revalidate refresh-ims override-lastmod store-stale;
    refresh_pattern -i .(8bi|bin|cat|cpl|dbx|dll|drv|gam|hex|hqx|lnk|nes|plugin|reg|rom|sav|sys|xll)$ 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private ignore-must-revalidate reload-into-ims refresh-ims override-lastmod store-stale;
    refresh_pattern -i .(arj|sit|zip|rar|rgz|psf|lzh|lha|cab|tar|tgz|gz|Z|wp|wp5|7z|pkg|rpm|sea|sitx|tar.gz|zipx|prn|srf|tex|latax|gpf|upd|jar|bz2|gzip|ace|kf|a[0-9][0-9]|r[0-9][0-9])$ 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private ignore-must-revalidate reload-into-ims refresh-ims override-lastmod store-stale;
    refresh_pattern -i .(fnt|fon|otf|ttf)$ 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private ignore-must-revalidate reload-into-ims refresh-ims override-lastmod store-stale;
    refresh_pattern -i .(dmg|iso|toast|vcd)$ 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private ignore-must-revalidate reload-into-ims refresh-ims override-lastmod store-stale;
    refresh_pattern -i .(api|bas|c|cbl|class|cpp|cs|dtd|fla|java|m|pl|py|vbx)$ 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private ignore-must-revalidate reload-into-ims refresh-ims override-lastmod store-stale;
    refresh_pattern -i .(bak|bup|cdl|cfg|dat|deb|dss|dvf|efx|emf|eml|gho|gpx|ini|key|keychain|m4b|m4p|mcd|mim|mswmm|ori|prf|ptb|qbb|qbw|raw|sdf|ses|sql|ss|tmp|uue|uxx|vcf|xml|xsl|xtm)$ 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private ignore-must-revalidate reload-into-ims refresh-ims override-lastmod store-stale;
    refresh_pattern -i .(ht|htm|html|shtml|xhtml|css|js|jsp|asp|cer|cgi|csr|part|php|phtml|rss)$ 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private ignore-must-revalidate reload-into-ims refresh-ims override-lastmod store-stale;
    # Scheme rules and the catch-all. refresh_pattern rules are checked in order
    # and the first matching regex is used.
    refresh_pattern ^gopher: 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private ignore-must-revalidate reload-into-ims refresh-ims override-lastmod store-stale;
    refresh_pattern ^ftp: 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private ignore-must-revalidate reload-into-ims refresh-ims override-lastmod store-stale;
    # Catch-all: "." matches every URL, so ignore-private / ignore-no-store /
    # ignore-no-cache apply to anything not matched earlier, including pages that
    # the origin marked as private to one user.
    refresh_pattern . 99999 99999% 9999999 override-expire ignore-no-cache ignore-no-store ignore-reload ignore-private ignore-must-revalidate reload-into-ims refresh-ims override-lastmod store-stale;
    # NOTE(review): this "never cache dynamic content" rule sits after the
    # catch-all above, so with first-match-wins it is never reached as written.
    # The stock squid.conf places it before the catch-all, anchors nothing with
    # "$" and escapes the "?" as "\?"; the backslash may have been lost in the
    # paste -- confirm against the original.
    refresh_pattern -i (/cgi-bin/|?)$ 0 0% 0;
    # Global Squid directives that accompany the refresh rules.
    # Source address for Squid's outgoing connections is set to loopback.
    # NOTE(review): confirm this is intended for this pfSense setup.
    tcp_outgoing_address 127.0.0.1;
    max_filedescriptors 65536;
    # quick_abort_* control whether Squid finishes a download after the client aborts.
    quick_abort_min 0 KB;
    quick_abort_max 0 KB;
    quick_abort_pct 0;
    ie_refresh off;
    # Disables per-client statistics collection.
    client_db off;
    range_offset_limit 0;
    # Turns client "reload" (no-cache) requests into If-Modified-Since checks,
    # so a user's forced refresh does not bypass the cache.
    reload_into_ims on;
    retry_on_error on;
    # Suppresses the Via header, so origin servers and clients get no header
    # hint that a proxy handled the request.
    via off;
    refresh_all_ims on;
    half_closed_clients off;
    vary_ignore_expire on;
    # Affects logging only: query strings are stripped from URLs written to the log.
    strip_query_terms on;
    server_persistent_connections on;
    ipcache_size 16384;
    fqdncache_size 16384;
    log_fqdn off;
    # DNS answers are held for up to 999 hours; failed lookups are held for
    # 999 hours as well, so a transient DNS failure persists for that long.
    positive_dns_ttl 999 hours;
    negative_dns_ttl 999 hours;
    # Failed requests (error responses) are cached for 999 hours.
    negative_ttl 999 hours;
    # Prefer IPv4 addresses when a host resolves to both IPv4 and IPv6.
    dns_v4_first on;
    pipeline_prefetch on;
    maximum_object_size_in_memory 384 KB;

