Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid 3.3.4 package for pfsense with ssl filtering

    Scheduled Pinned Locked Moved Cache/Proxy
    305 Posts 72 Posters 305.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      NetWiz
      last edited by

      Hope it will be soon release. But last time I roll back from -dev version of Squid. To much problem for the first time using of pfSense.

      1 Reply Last reply Reply Quote 0
      • E
        exograpix
        last edited by

        There is another issue, I am not able to auth through captive portal and provide different acl to various groups. May be I doing something wrong, please post the right procedure to do it.

        Thanks in advance

        1 Reply Last reply Reply Quote 0
        • marcellocM
          marcelloc
          last edited by

          @exograpix:

          There is another issue, I am not able to auth through captive portal

          Did you applied captive portal patch on squid config?

          @exograpix:

          and provide different acl to various groups.

          Are you doing it with custom options?

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

          1 Reply Last reply Reply Quote 0
          • E
            exograpix
            last edited by

            I feel it is sorted now, yes captive portal is set as auth medium in squid, I have now added groups and username in the squidguard group acl, seems to be working.

            Another issue is i am not able to configure antivirus with squid3-dev and neither with havp package.

            1 Reply Last reply Reply Quote 0
            • N
              NetWiz
              last edited by

              How to check pf operational after squid-dev removal? I also had patches for it and HAVP. I don't see any garbage in webgui, but I see some trash from old package in configs. Now I have one headache - ipcad doesn't report to access.log. If client goes on proxy-port 3128 it's traced in logs. Direct connections - not.

              1 Reply Last reply Reply Quote 0
              • T
                titus91360
                last edited by

                Hi Marcelloc

                I just installed a test machine with pFsense 2.1 Release, squid3-dev and squidGuard-squid3.
                I can't start squidguard service, but can't find why.

                In logs, here is my error message:

                pfSense php: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure -f /usr/pbi/squid-amd64/etc/squid/squid.conf' returned exit code '1', the output was 'squid: ERROR: No running copy'

                Any Idea ?

                1 Reply Last reply Reply Quote 0
                • P
                  Pankar
                  last edited by

                  Hi,

                  I have read this thread and several topics/tutorials on the web but I still cant figure out whether Squid3 and especially 3.3.8-dev is able to cach dynamic content.

                  I understand that 3.3.8-dev has solved an issue on squid3 stable where enabling dynamic content wouldn't let anything to cache: I have enabled dynamic content on 3.3.8 and static content (pictures, etc) is caching correctly.

                  However, enabling dynamic content doesnt seem to serve its purpose: cache any URL that includes a ? (it returns a TCP_MISS/200)

                  This is my squid.conf. My main goal is to cache iOS updates and ibooks since I am a school IT Manager and there are 50+ identical ibook downloads per day through the iTunesU platform. The iBook URLS are like:

                  http://.phobos.apple.com///*/example.ibooks?downloadKey=12345678

                  # This file is automatically generated by pfSense
                  # Do not edit manually !
                  
                  http_port 10.0.10.2:3128
                  http_port 127.0.0.1:3128 intercept
                  icp_port 7
                  dns_v4_first off
                  pid_filename /var/run/squid.pid
                  cache_effective_user proxy
                  cache_effective_group proxy
                  error_default_language el
                  icon_directory /usr/pbi/squid-i386/etc/squid/icons
                  visible_hostname localhost
                  cache_mgr admin@localhost
                  access_log /var/squid/logs/access.log
                  cache_log /var/squid/logs/cache.log
                  cache_store_log none
                  
                  logfile_rotate 30
                  shutdown_lifetime 3 seconds
                  # Allow local network(s) on interface(s)
                  acl localnet src  10.0.0.0/16
                  httpd_suppress_version_string on
                  uri_whitespace strip
                  
                  # Windows Update refresh_pattern
                  range_offset_limit -1
                  refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
                  refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
                  refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
                  refresh_pattern -i ([^.]+.|)(appldnld|update).(apple.|)com/.* 43200 100% 43200 ignore-reload ignore-no-store override-expire override-lastmod ignore-must-revalidate
                  refresh_pattern -i ([^.]+.|)(phobos).(apple.|)com/.*\.(zip|ibooks|ipa) 10080 100% 10080 ignore-reload ignore-no-store override-expire override-lastmod ignore-must-revalidate
                  
                  cache_mem 1600 MB
                  maximum_object_size_in_memory 4096 KB
                  memory_replacement_policy lru
                  cache_replacement_policy heap LFUDA
                  cache_dir ufs /var/squid/cache 30000 16 256
                  minimum_object_size 0 KB
                  maximum_object_size 2048000 KB
                  offline_mode off
                  cache_swap_low 90
                  cache_swap_high 95
                  cache allow all
                  
                  # Add any of your own refresh_pattern entries above these.
                  refresh_pattern ^ftp:    1440  20%  10080
                  refresh_pattern ^gopher:  1440  0%  1440
                  refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
                  refresh_pattern .    0  20%  4320
                  
                  # No redirector configured
                  
                  #Remote proxies
                  
                  # Setup some default acls
                  # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
                  # acl localhost src 127.0.0.1/32
                  acl allsrc src all
                  acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535 80 443
                  acl sslports port 443 563  443
                  
                  # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
                  #acl manager proto cache_object
                  
                  acl purge method PURGE
                  acl connect method CONNECT
                  
                  # Define protocols used for redirects
                  acl HTTP proto HTTP
                  acl HTTPS proto HTTPS
                  acl allowed_subnets src 10.0.5.1/24 10.0.10.2/24
                  http_access allow manager localhost
                  
                  # Allow external cache managers
                  acl ext_manager src 10.0.10.2
                  http_access allow manager ext_manager
                  
                  http_access deny manager
                  http_access allow purge localhost
                  http_access deny purge
                  http_access deny !safeports
                  http_access deny CONNECT !sslports
                  
                  # Always allow localhost connections
                  # From 3.2 further configuration cleanups have been done to make things easier and safer. 
                  # The manager, localhost, and to_localhost ACL definitions are now built-in.
                  # http_access allow localhost
                  
                  quick_abort_min -1 KB
                  quick_abort_max 0 KB
                  quick_abort_pct 20
                  request_body_max_size 0 KB
                  delay_pools 1
                  delay_class 1 2
                  delay_parameters 1 -1/-1 -1/-1
                  delay_initial_bucket_level 100
                  delay_access 1 allow allsrc
                  
                  # Reverse Proxy settings
                  
                  # Custom options
                  
                  # Setup allowed acls
                  # Allow local network(s) on interface(s)
                  http_access allow allowed_subnets
                  http_access allow localnet
                  # Default block all to be sure
                  http_access deny allsrc
                  
                  

                  Do you have any suggestion? Would it be wise to uninstall 3.3.8-dev and then install Squid 2.7 and manually add the refresh_patterns found in older tutorials?

                  Thanks in advance,

                  Panos

                  1 Reply Last reply Reply Quote 0
                  • E
                    exograpix
                    last edited by

                    Is there is any way to run havp with squid-dev package, squid is working ok, but without antivirus, it is bit incomplete, please suggest.

                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      IMHO, havp is old and obsolete but if you are not using ssl filtering, you may configure the same way you do on squid2

                      I'm working to get antivirus tab working for this -dev version.

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      1 Reply Last reply Reply Quote 0
                      • E
                        exograpix
                        last edited by

                        Any alternate antivirus working with ssl filtering.

                        1 Reply Last reply Reply Quote 0
                        • marcellocM
                          marcelloc
                          last edited by

                          @exograpix:

                          Any alternate antivirus working with ssl filtering.

                          Not yet.

                          Treinamentos de Elite: http://sys-squad.com

                          Help a community developer! ;D

                          1 Reply Last reply Reply Quote 0
                          • P
                            Pankar
                            last edited by

                            Hello,

                            I have installed 3.3.8-dev and reinstalled lightsquid.

                            Problem is that the Proxysquid realtime stat, is either not showing client sessions at all, or, when it does, the list lines remain null and the following warning occurs several times (as many as the sessions):

                            gethostbyaddr(): Address is not a valid IPv4 or IPv6 address in /usr/local/www/sqstat/sqstat.class.php on line 426

                            Has anyone seen that before?

                            Thank you in advance.

                            1 Reply Last reply Reply Quote 0
                            • C
                              ccarreraalza
                              last edited by

                              I have a question.
                              I'm using squid 3.3.8-devel, well, when I go to facebook page shows me the warning I give exception and shows me confirm the facebook page but incompletely, as well as also the paypal page, and this because it is within the site of faccebook or https paypal there are other pages that are to be displayed, but they all come with an X.

                              as could validate the certificate on them to the web page or paypal facebook full display?

                              thanks

                              Google translator, sorry not mastered the English perfectly

                              1 Reply Last reply Reply Quote 0
                              • T
                                totalimpact
                                last edited by

                                Any tips to getting this working with dansguardian?

                                downloaded all the libs, installed Dans and then squid-dev, checked the boxes under squid to enable transparent mode and https MITM, installed Dans, and selected the same CA/Cert on pf.

                                Can see pages getting proxy'd, but no filtering is happening.

                                1 Reply Last reply Reply Quote 0
                                • M
                                  Mozart
                                  last edited by

                                  Is it possible to update the Squid3-dev package so that I can add a couple of options to the reverse proxy part? I want to disable certain unsafe protocols like sslv2. Here is an example of the line in the config file that I updated:
                                  https_port 172.28.252.101:443 accel cert=/usr/pbi/squid-amd64/etc/squid/52038c08be9a9.crt key=/usr/pbi/squid-amd64/etc/squid/52038c08be9a9.key defaultsite=some.site.com vhost options=NO_SSLv2:NO_TLSv1 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

                                  I would like it if there would be an option in the GUI to do this. My workaround at the moment is editing the /usr/local/pkg/squid_reverse.inc file on line 85. I added the options there so they will stay in place in case I make an update to the reverse proxy.

                                  1 Reply Last reply Reply Quote 0
                                  • E
                                    exograpix
                                    last edited by

                                    Any news or timeline or alternative  of antivirus package compatible with squid -dev version.

                                    Thanks

                                    1 Reply Last reply Reply Quote 0
                                    • L
                                      leojoe
                                      last edited by

                                      amd64
                                      http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

                                      i386
                                      http://e-sac.siteseguro.ws/pfsense/8/All/ldd/

                                      Hello All, Have tried to open the link above but displays forbidden? Anyone can check whats going on. Cannot start the Squid3 - dev for missing libraries.

                                      1 Reply Last reply Reply Quote 0
                                      • N
                                        Nachtfalke
                                        last edited by

                                        @leojoe:

                                        amd64
                                        http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

                                        i386
                                        http://e-sac.siteseguro.ws/pfsense/8/All/ldd/

                                        Hello All, Have tried to open the link above but displays forbidden? Anyone can check whats going on. Cannot start the Squid3 - dev for missing libraries.

                                        I don't have any problems with these links. Try another browser or clear your browser's cache.

                                        1 Reply Last reply Reply Quote 0
                                        • L
                                          leojoe
                                          last edited by

                                          @Nachtfalke:

                                          @leojoe:

                                          amd64
                                          http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

                                          i386
                                          http://e-sac.siteseguro.ws/pfsense/8/All/ldd/

                                          Hello All, Have tried to open the link above but displays forbidden? Anyone can check whats going on. Cannot start the Squid3 - dev for missing libraries.

                                          I don't have any problems with these links. Try another browser or clear your browser's cache.

                                          yeah it's working now.

                                          1 Reply Last reply Reply Quote 0
                                          • Z
                                            ZGruk
                                            last edited by

                                            I'm having a really weird issue with squid. I've got squid and dansguardian, and I added local authentication to squid.
                                            I defined 3 users in the squid GUI, one named admin, and two others.
                                            The "admin" user works as intended. It blocks access unless I log in, and once I do, it works fine. None of the other users work.
                                            When I try to log in with them, it acts like they don't exist or I put the wrong password in. I thought maybe it was linked somehow to the pfSense user "admin" but

                                            A) the squid admin password is different from the pfSense password and
                                            B) adding a pfSense user with one of the other names doesn't help.

                                            Any idea what could be causing this?

                                            Separately, do we know if SSL man-in-the-middle works with dansguardian? Older posts suggest that it doesn't, but I wondered if it had been fixed more recently.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.