Squid / squidguard advice needed

  • I have been using pf for 2 months now and really like it. I use it at home, primarily needing URL/content filtering and time restrictions for my internet-addicted kids. I use PF 2.0.2, squid 2.7.9, squidguard and HAVP in transparent proxy mode. After endless nights of digging, trying and reading forums, I basically got what I needed EXCEPT https filtering. I heard squid 3 or above can filter ssl/https, so I installed a brand new PF box (2.0.3) to start with. Then I installed squid3 first, tested caching and it worked. Then I installed squidguard, and then both the squid3 and squidguard services wouldn't start. They just won't start no matter how many times I click the start service button or reboot. I reversed the box back to factory config and installed squid3-dev, same thing. The services just won't start at all, not even with squidguard installed. (I'm aware that squid3 and 3-dev are betas.)

    Is it true that squid 2.7.9 + squidguard can filter https in non-transparent mode (as I heard)? Or would I be better off blocking port 443 on the firewall with a whitelist to allow some https exceptions? Can you guys point me in the right direction please?

    Thanks in advance.

  • Hi,

    In general you could say that squid 2.x and squid 3.1 can only filter http (port 80) in transparent mode, and https (port 443) only in non-transparent mode. When running in non-transparent mode you need to put the proxy IP address into the web browser on your kids' computers. Then you can block http/https websites with squidguard like you want.

    On pfsense 2.0.x there are some issues when installing squid3 and squidguard. The problem is that squidguard also installs squid2.

    If you want to use squid2 + squidguard do this:

    • install squid2 package

    • install squidguard package

    • configure both packages and you are done

    If you want to use squid3 + squidguard (on pfsense 2.0.x) do this:

    • install squid3.1 package

    • install squidguard package (which unfortunately installs squid2 in the background)

    • re-install squid3.1 package

    • configure both packages and you are done

    On pfsense 2.1 - which is "only" an RC - you do not have these problems with squid3 + squidguard.

    If you plan to try squid 3.3 then I would suggest this thread, because there are some extra things to do at the moment and not all functions are working "out of the box" as they should.

    So for your home environment I would suggest you try squid2 + squidguard, which are stable and running fine. Set squid as a non-transparent proxy and put the proxy address into your kids' browsers. Furthermore, you must make sure via a firewall rule that traffic with destination port 80 and 443 is only allowed to the pfsense LAN interface but not to the internet. This will prevent traffic from bypassing the proxy - for example if your kids remove the proxy settings or if they use another browser which does not have these settings.

  • Hi Nachtfalke,

    Thanks so much for your reply outlining the steps that I needed.

    At the end, you mentioned to only allow port 80 and 443 traffic to the PF's LAN interface but not to the internet. If I understand it correctly, I need a "block" rule to stop traffic destined to these two ports from getting out to the internet (so a browser with no proxy config will not bypass squid). Because squid/squidguard are sitting behind the firewall, they will cache/filter packets before queuing them to the firewall for outgoing to the internet. And the browser will ONLY be talking to squid via port 3128 (both http/https). Am I correct in my interpretation, as in the following diagram?

    Internet ---------- firewall ---------- squid/squidguard ---------- kids' PC
                           ^                [listens on 3128]  <------  [browser configured to use
                           ^                                             proxy on port 3128]
               (block 80/443 at firewall, LAN if)


    • AC

  • Yes, you are correct.  :)

  • I am doing what it sounds like you are wanting to do. I also started with transparent and excluded a few addresses the kids or guests would not use.

    I am currently using pfsense v2.0.2 and squid 2.7.9 pkg v.4.3.3 and squidguard 1.4_4 pkg v.1.9.2. This does filter SSL traffic, nothing special required to do so. Nachtfalke summed it up nicely.

    I also use Norton DNS servers. I put them in as the primary pfsense dns servers, and let dhcp hand them out to clients. I made a lan firewall rule that says any outbound traffic on port 53 is blocked unless it uses the Norton addresses. This works well.

    I also have the rule Nachtfalke mentioned, although what I did was to create an alias of a few addresses that would not be forced to use the proxy, and my rule actually says !alias (addresses not in the alias) so in the future I only need to add to the alias and not change the rules.

    I wanted to get WPAD to work to auto-assign the proxy, but haven't succeeded in getting that to work yet.

    The only problem I have with using squid and squidguard is that when my kids try to go somewhere that I expect to work, and it does not, I wish there were more info on how to go about detecting what is happening so one could fix the issue. If it is a squidguard issue, the only tool I see available is SARG, which is a PITA so far for me. It says it will display blocked squidguard entries. Other than that, one has to look at the squidguard log, which is not impossible, but seems like the hard way.

    Anyway, just thought I'd comment that what you want to do is possible if I understand you correctly.

  • I would suggest you edit the sgerror.php file to show you the blocked URL.

    Then enable logging on squidguard for one client/IP and go to the URL which was blocked. Then you can see what(else) is blocked by squidguard.

    I am sure there are some sgerror.php examples here on the forum which show nice layout examples.
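One way to do the log check described above (turn on squidGuard logging for one client, then see what else got blocked), as an added example that is not code from this thread or from the squidGuard package: a small POSIX shell script that filters squidGuard.log for one client IP and lists the time, category and URL of each blocked request, plus a per-category count to spot an over-broad blacklist. The log field layout and the pfSense log path are assumptions noted in the comments; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the squidGuard package:
# pick the squidGuard decisions for one client out of squidGuard.log so you
# can see which category blocked a page.
#
# Assumed log line format (squidGuard 1.4 request log; verify against your own
# file before relying on the field positions):
#   DATE TIME [pid] Request(profile/category/rule) URL client/host ident METHOD STATUS
# STATUS is REDIRECT when squidGuard sent the browser to sgerror.php (blocked)
# and PASS when the request was allowed.
# Log path on the pfSense package is assumed to be
# /var/squidGuard/log/squidGuard.log (check the package settings).

# Constructed sample lines so the script runs offline.
SAMPLE_LOG='2013-05-10 20:15:32 [1234] Request(default/ads/-) http://ads.example.net/banner.gif 192.168.1.50/- - GET REDIRECT
2013-05-10 20:15:33 [1234] Request(default/whitelist/-) http://school.example.org/ 192.168.1.50/- - GET PASS
2013-05-10 20:15:40 [1234] Request(default/socialnet/-) https://chat.example.com:443/ 192.168.1.50/- - CONNECT REDIRECT
2013-05-10 20:16:01 [1234] Request(default/ads/-) http://ads.example.net/pixel.gif 192.168.1.77/- - GET REDIRECT'

# blocked_for_client IP  - read a squidGuard log on stdin and print
# "TIME CATEGORY URL" for each request squidGuard blocked for that client.
# The client field is "ip/hostname", so match on "ip/" to keep 192.168.1.5
# from also matching 192.168.1.50.
blocked_for_client() {
    awk -v ip="$1" '
        $NF == "REDIRECT" && index($6, ip "/") == 1 {
            split($4, r, "/")          # r[2] is the category inside Request(...)
            printf "%s %s %s\n", $2, r[2], $5
        }'
}

# blocked_by_category - count blocks per category across all clients,
# most frequent first.
blocked_by_category() {
    awk '$NF == "REDIRECT" { split($4, r, "/"); print r[2] }' | sort | uniq -c | sort -rn
}

# Usage against the real log:
#   blocked_for_client 192.168.1.50 < /var/squidGuard/log/squidGuard.log
printf '%s\n' "$SAMPLE_LOG" | blocked_for_client 192.168.1.50
printf '%s\n' "$SAMPLE_LOG" | blocked_by_category
```

Run it on the pfSense box with the real file on stdin after reproducing the block from the kid's PC; the category in the output tells you which blacklist to whitelist the site out of, which is faster than reading the raw log or setting up SARG.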

  • I will look into this. I had not seen that sort of info before.

    Thank you!
