Squid 3.3.4 package for pfsense with ssl filtering
-
Hi marcelloc, kindly see attached file, I hope this is what we are looking for
Did you try to whitelist the aborted sites (in red)?
-
Yes, I've tried. It's the akamai.net. Putting it in the whitelist won't work, but if I try to put that address in source ip, the page is fixed again, but doing so will also bypass the block rule for all clients
-
The links are working thanks for the help.
-
Hi,
today I installed a test machine with pfsense 2.1 and squid3-dev + squidguard-squid3.
I added the files marcelloc posted in several threads here and squid seems to start without any issues.
My questions:
1.) I first installed squid3-dev and the squidguard-squid3. Will this contain the latest squid-3.3.8 version? Or does squidguard-squid3 use an older squid3 version?
2.) On squid3-dev GUI I only see OPT1, OPT2, …. interfaces and not the names I assigned them in GUI. I know that squid2 shows the "correct" names. Is this a bug or a feature in squid3-dev? ;)
-
Hi marcelloc. How can I allow mobile apps to work? Most of the doctors in our organization are using Facebook apps, also Yahoo Messenger, while our offices are not allowed to use what I mentioned. Thanks
-
Hi marcelloc. How can I allow mobile apps to work? Most of the doctors in our organization are using Facebook apps, also Yahoo Messenger, while our offices are not allowed to use what I mentioned. Thanks
What do you get in the squid logs?
Did you try to install the pfsense CA certificate on your mobiles?
-
Hello
Can you help on a big issue.
I have (in a lab):
Exchange 2013
Remote Desktop Gateway
The external FQDN is: toto.com
I have multiple web servers and mapping working correctly
The exchange server is working correctly
The SSL cert is self signed:
imported in pfsense
on exchange
on TS Gateway
I'm unable to connect to the gateway … sort of timed out.
If the gateway is directly redirected (80/443 nat to the correct IP) ... IT WORKS
If the gateway is accessed through reverse proxy ... DON'T WORKS
Any idea ?
It's driving me mad
Thanks
-
I found the SOLUTION
Create a web servers
IP of the TSG
https
named rdc_443
mapping
group name rdc_443
group description (url of the gateway)
peers rdc_443
URIs (this is the tricky part)
^https://yoururlgateway/rpcwithcert/rpcproxy.dll.$
^https://yoururlgateway/rpc/rpcproxy.dll.$
DONE
-
I think you and I discussed this Terminal Services Gateway Issue before since I wanted that to work as well.
Are you saying it works now with the Squid 3.3.8-Dev package? (Using your additional instructions)?
Can you upgrade from the Squid 3.1.20 package to the 3.3.8-dev, or do I need to recreate all the settings from square one again?
-Keyser
-
Can you upgrade from the Squid 3.1.20 package to the 3.3.8-dev, or do I need to recreate all the settings from square one again?
Do not forget to check -dev dependencies before upgrading.
Most options are the same but I suggest you check all tabs after upgrading it.
-
Marcelloc
How do I do the upgrade? I can't seem to find a way to click upgrade in the package manager, and the new one only offers to install (will that automatically upgrade the old one?)
-
uninstall squid3 and then install squid3-dev
-
Nice work, it's a great addition to pfsense and works very well. Is this going to be implemented on the squid3 "normal" package too?
-
squid3-dev will be squid3 when finished.
-
Hi everyone. I am using Squid3-dev (3.3.8) and squidGuard-squid3. Everything is ok in transparent mode on http and https (Thanks to Marcelloc ;) ).
But you said it was possible to use both transparent and authentication with squid3-dev:
Is it possible to run squid as explicit on one interface (like loopback or LAN) and also run it as transparent on a different interface like a guest net at the same time?
On squid3-dev yes ;D
Remember not to use loopback on any configuration while using transparent mode.
I have tried and it does not work for me: I use 2 interfaces on the same LAN with a different IP address for each one (192.168.1.254 and 192.168.1.253). I have selected both for "Proxy interface(s)" in "Squid General Settings".
In "Transparent Proxy Settings" and "SSL man in the middle Filtering", just the 192.168.1.254 is selected. When I use this interface for the web navigation, it is ok, the transparent mode is working.
But if I explicitly use the 192.168.1.253 (not selected in transparent mode), the proxy doesn't ask me for authentication.
These are the squid.conf first lines:
http_port 192.168.1.254:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
http_port 192.168.1.253:3128
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
I don't know why the IP is 127.0.0.1 for the "intercept" and not just the 192.168.1.254, even if I suppose it is normal. Do I have to edit the squid.conf manually? Is there someone using both transparent and authentication on 2 different interfaces? Could someone help me please?
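
Added example, not part of any post in this thread and not the package's own code: a Python check that sorts the four listener directives posted above into explicit and intercept ports, and reports which `proxy_auth` ACLs a config actually enforces. Squid only challenges for credentials when `auth_param`, a `proxy_auth` ACL and an `http_access` rule using it are all present, and the posted lines show none of these. Function names are this example's own.

```python
# Added example (not from the thread): classify Squid listeners and check
# whether a config contains what proxy authentication needs.

# Options repeated on the ssl-bump listeners, copied from the post.
BUMP = ("ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB "
        "cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem "
        "capath=/usr/pbi/squid-i386/share/certs/")

# The four listener directives from the post, one per line.
POSTED_CONF = "\n".join([
    "http_port 192.168.1.254:3128 " + BUMP,
    "http_port 192.168.1.253:3128",
    "http_port 127.0.0.1:3128 intercept " + BUMP,
    "https_port 127.0.0.1:3129 intercept " + BUMP,
])

# "transparent" is the older spelling of "intercept"; "tproxy" also intercepts.
INTERCEPT_FLAGS = {"intercept", "transparent", "tproxy"}


def directives(conf_text):
    """Yield each non-comment, non-empty squid.conf line as a token list."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens


def parse_listeners(conf_text):
    """Return (address, mode, ssl_bump) for every http_port/https_port line."""
    out = []
    for tok in directives(conf_text):
        if tok[0] in ("http_port", "https_port") and len(tok) > 1:
            flags = set(tok[2:])
            mode = "intercept" if flags & INTERCEPT_FLAGS else "explicit"
            out.append((tok[1], mode, "ssl-bump" in flags))
    return out


def auth_acls_enforced(conf_text):
    """Names of proxy_auth ACLs that some http_access rule references."""
    lines = list(directives(conf_text))
    if not any(t[0] == "auth_param" for t in lines):
        return []  # no authentication scheme configured at all
    acls = {t[1] for t in lines
            if t[0] == "acl" and len(t) > 2 and t[2] == "proxy_auth"}
    used = {a.lstrip("!") for t in lines if t[0] == "http_access" for a in t[2:]}
    return sorted(acls & used)
```

An empty result from `auth_acls_enforced` on the full squid.conf means no listener, explicit or not, will prompt for credentials.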
-
Hope it will be released soon. But last time I rolled back from the -dev version of Squid. Too many problems for a first time using pfSense.
-
There is another issue, I am not able to auth through captive portal and provide different acl to various groups. Maybe I am doing something wrong, please post the right procedure to do it.
Thanks in advance
-
There is another issue, I am not able to auth through captive portal
Did you apply the captive portal patch on squid config?
and provide different acl to various groups.
Are you doing it with custom options?
-
I feel it is sorted now, yes captive portal is set as auth medium in squid, I have now added groups and username in the squidguard group acl, seems to be working.
Another issue is I am not able to configure antivirus with squid3-dev, nor with the havp package.
-
How to check pf operational after squid-dev removal? I also had patches for it and HAVP. I don't see any garbage in webgui, but I see some trash from old package in configs. Now I have one headache - ipcad doesn't report to access.log. If client goes on proxy-port 3128 it's traced in logs. Direct connections - not.