Squid 3.3.4 package for pfsense with ssl filtering
-
I just created an account to say thank you. I've wasted all my afternoon after the upgrade, trying to guess why ssl bumping stopped to work at our school, but tomorrow everything (included the filter for the students) will be able to continue as expected.
-
Thanks for your good words!
Also, at school, www.bellera.cat :) :) :) :)
-
ssl_bump acls were inside auth loop. I'm fixing it right now.
-
Hi,
Thanks for update regarding squid fixing, please look into icap issue too, somehow not able to successfully run squid after clam update.
Thanks in advance
-
Hi,
Thanks for update regarding squid fixing, please look into icap issue too, somehow not able to successfully run squid after clam update.
Thanks in advance
This is still under devel. Current feedback says that's only working on i386 version.
-
where can i set below parameter permanently.
always_direct allow all
ssl_bump server-first allThanks in advance
-
With squid-devel pf 2.1 multi-WAN loadbalancing doesn't work. Failover works because default WAN gets switched.
More specifically, the floating rule-based setup that used to work for pfsense 2.0.x doesn't work any more. Squid only sends through default WAN, whatever that is at any point.
Marcello, can you please shed light on this? Whether this is squid-side issue or any nuance of 2.1.x?
Also, will it be possible to do loadbalancing with transparent SSL proxy?
-
Another question: does delay pooling-based traffic management work with transparent SSL proxy'ing?
-
Hi everyone. I hope you all are having a good night. I'm a newbie with pfsense. For the life of me, I can't even the the squid3 dev package to work at all. It won't work in transparent mode or anything, but the non dev squid3 works like a champ. Any thoughts on where to start to looking?
I'm currently running
pfsense 2.1.2
(works)squid3 3.1.20 pkg 2.0.6 works
(doesn't seem to work at all) 3.3.10 pkg 2.2.2Thanks
-
did you followed some squid posts to get it working?
check missing libs?
ipv6 enabled?
netstat -an to see if squid port is closed or listening… -
Bug at squid3-dev 3.3.10 pkg 2.2.2
http://forum.pfsense.org/index.php?topic=62256.msg407762#msg407762 -
Steps for SSL interception. In Spanish, please use translate.google.com
https://forum.pfsense.org/index.php?topic=73007.msg402349#msg402349 -
Hello!
Anyone know how to make the built-in antivirus work? c-icap keeps crashing with error signal 11 whenever I enable the AV functions. Or, is there any way to make squid not use c-icap and just use clamav, just like Dansguardian?
Thanks!
-
Hello!
Anyone know how to make the built-in antivirus work? c-icap keeps crashing with error signal 11 whenever I enable the AV functions. Or, is there any way to make squid not use c-icap and just use clamav, just like Dansguardian?
Thanks!
You can try old havp or test your squid in i386 pfsense version.
-
i tried installing squid 3.3.10 dev in 2.1.3v i386
no issues found yet
squid starts after configuration.
looks like the missing lib before where now incorporated in the new version -
Anyone has issues while using transparent mode in squid3-dev on amd64? I keep getting Access Denied.
If I configure proxy settings in the browser then it works fine. Just can't use transparent mode. Switching back to squid 3.1.20 works fine.
-
I think there is a mistake in the reverse proxy config, I was having trouble so I read the squid.conf in pbi/…/etc and I found the directive
round-robin
even though I don't want that since my servers are independent of each other. I suggest either add a checkbox for that or remove that directive. Thanks! -
The 2nd issue I found was with ebay, went I wanted to pay I receive this error:
The following error was encountered while trying to retrieve the URL: ://checkout.payments.ebay.com:443
Failed to establish a secure connection to site-ip
The system returned:
(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa
10/CN=VeriSign Class 3 Secure Server CA - G3This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
What I did was to clear certs folders, empty index.txt, size folder value to 0, latter remove my ca from the browsers, create a new one and start over.
I could pay on ebay, the only issue I have is with my bank now, I will try to add the option that skip some sites from ssl-bump.
I still nervous if I can send this to production.
Can you give me a bit more details on how you resolved this. My SSL intercept seems to be working for most sites, but a few such as the ebay payments, or even the moto360 site (https://moto360.motorola.com/) fail with the same error about not recognising the CA.
Many thanks.
-
For what it's worth, I'm using latest Squid3-dev (3.3.10 pkg 2.2.2) with ssl intercept and am able to browse to that moto360 site with no error.
Can you give me a bit more details on how you resolved this. My SSL intercept seems to be working for most sites, but a few such as the ebay payments, or even the moto360 site (https://moto360.motorola.com/) fail with the same error about not recognising the CA.
Many thanks.
-
For what it's worth, I'm using latest Squid3-dev (3.3.10 pkg 2.2.2) with ssl intercept and am able to browse to that moto360 site with no error.
Can you give me a bit more details on how you resolved this. My SSL intercept seems to be working for most sites, but a few such as the ebay payments, or even the moto360 site (https://moto360.motorola.com/) fail with the same error about not recognising the CA.
Many thanks.
That's very odd, as I'm on exactly the same build, and using ssl intercept/transparent. Is there any specific configuration parameters you've changed/added in your squid setup?
Also do you have any problems in posting messages to https sites (e.g. this forum) when going through the proxy? I keep getting an error in posting, and thus have to use a machine that doesn't go through the proxy.
