Integration of the Squid Cache Manager into pfSense
-
Is squid working correctly? Do you have a rule to allow access from the LAN to port 3128 on your pfSense box?
Steve
-
Squid works perfectly. The ACL allows all. The firewall is wide open (pass any to any, from/to any port) on LAN. -
I'm trying via the proxy and via the LAN (my Squid is in non-transparent mode) and can't access…
Attached some other images, also squid.conf & squidguard.conf:
```
# Do not edit manually !
http_port 10.0.0.6:3128
icp_port 0
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/pbi/squid-i386/etc/squid/errors/Spanish
icon_directory /usr/pbi/squid-i386/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
logfile_rotate 0
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 10.0.0.0/255.255.255.0
uri_whitespace strip
cache_mem 1024 MB
maximum_object_size_in_memory 100 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 50000 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
acl donotcache dstdomain '/var/squid/acl/donotcache.acl'
cache deny donotcache
# No redirector configured
# Setup some default acls
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 1025-65535 8000-8010 8000-8010
acl sslports port 443 563 8000-8010 8000-8010
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin ?
acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
cache deny dynamic
http_access allow manager localhost
# Allow external cache managers
acl ext_manager_1 src 127.0.0.1
http_access allow manager ext_manager_1
acl ext_manager_2 src 10.0.0.6
http_access allow manager ext_manager_2
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
quick_abort_min 0 KB
quick_abort_max 0 KB
request_body_max_size 5000000 KB
reply_body_max_size 5120000000 deny all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
# Throttle extensions matched in the url
acl throttle_exts urlpath_regex -i '/var/squid/acl/throttle_exts.acl'
delay_access 1 allow throttle_exts
delay_access 1 deny all
# Custom options
redirect_program /usr/pbi/squidguard-i386/bin/squidGuard -c /usr/pbi/squidguard-i386/etc/squidGuard/squidGuard.conf
redirector_bypass off
url_rewrite_children 5
# Always allow access to whitelist domains
http_access allow whitelist
auth_param basic program /usr/pbi/squid-i386/libexec/squid/squid_ldap_auth -v 3 -b DC=pfsense,DC=local -R -D CN=squid,CN=Users,DC=pfsense,DC=local -w a1s2d3.. -f 'sAMAccountName=%s' -u uid -P 10.0.0.80:389
auth_param basic children 5
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 60 minutes
acl password proxy_auth REQUIRED
http_access allow password localnet
# Default block all to be sure
http_access deny all
```
```
# ============================================================
# SquidGuard configuration file
# This file generated automaticly with SquidGuard configurator
# (C)2006 Serg Dvoriancev
# email: dv_serg@mail.ru
# ============================================================
logdir /var/squidGuard/log
dbhome /var/db/squidGuard
ldapbinddn cn=squid,cn=users,dc=pfsense,dc=local
ldapbindpass a1s2d3..
ldapprotover 3
# test schedulle
time test_porn { weekly * 16:00-16:40 }
src test { user jfilogna log block.log }
dest blk_BL_adv { domainlist blk_BL_adv/domains urllist blk_BL_adv/urls log block.log }
dest blk_BL_aggressive { domainlist blk_BL_aggressive/domains urllist blk_BL_aggressive/urls log block.log }
dest blk_BL_alcohol { domainlist blk_BL_alcohol/domains urllist blk_BL_alcohol/urls log block.log }
dest blk_BL_anonvpn { domainlist blk_BL_anonvpn/domains urllist blk_BL_anonvpn/urls log block.log }
dest blk_BL_automobile_bikes { domainlist blk_BL_automobile_bikes/domains urllist blk_BL_automobile_bikes/urls log block.log }
dest blk_BL_automobile_boats { domainlist blk_BL_automobile_boats/domains urllist blk_BL_automobile_boats/urls log block.log }
dest blk_BL_automobile_cars { domainlist blk_BL_automobile_cars/domains urllist blk_BL_automobile_cars/urls log block.log }
dest blk_BL_automobile_planes { domainlist blk_BL_automobile_planes/domains urllist blk_BL_automobile_planes/urls log block.log }
dest blk_BL_chat { domainlist blk_BL_chat/domains urllist blk_BL_chat/urls log block.log }
dest blk_BL_costtraps { domainlist blk_BL_costtraps/domains urllist blk_BL_costtraps/urls log block.log }
dest blk_BL_dating { domainlist blk_BL_dating/domains urllist blk_BL_dating/urls log block.log }
dest blk_BL_downloads { domainlist blk_BL_downloads/domains urllist blk_BL_downloads/urls log block.log }
dest blk_BL_drugs { domainlist blk_BL_drugs/domains urllist blk_BL_drugs/urls log block.log }
dest blk_BL_dynamic { domainlist blk_BL_dynamic/domains urllist blk_BL_dynamic/urls log block.log }
dest blk_BL_education_schools { domainlist blk_BL_education_schools/domains urllist blk_BL_education_schools/urls log block.log }
dest blk_BL_finance_banking { domainlist blk_BL_finance_banking/domains urllist blk_BL_finance_banking/urls log block.log }
dest blk_BL_finance_insurance { domainlist blk_BL_finance_insurance/domains urllist blk_BL_finance_insurance/urls log block.log }
dest blk_BL_finance_moneylending { domainlist blk_BL_finance_moneylending/domains urllist blk_BL_finance_moneylending/urls log block.log }
dest blk_BL_finance_other { domainlist blk_BL_finance_other/domains urllist blk_BL_finance_other/urls log block.log }
dest blk_BL_finance_realestate { domainlist blk_BL_finance_realestate/domains urllist blk_BL_finance_realestate/urls log block.log }
dest blk_BL_finance_trading { domainlist blk_BL_finance_trading/domains urllist blk_BL_finance_trading/urls log block.log }
dest blk_BL_fortunetelling { domainlist blk_BL_fortunetelling/domains urllist blk_BL_fortunetelling/urls log block.log }
dest blk_BL_forum { domainlist blk_BL_forum/domains urllist blk_BL_forum/urls log block.log }
dest blk_BL_gamble { domainlist blk_BL_gamble/domains urllist blk_BL_gamble/urls log block.log }
dest blk_BL_government { domainlist blk_BL_government/domains urllist blk_BL_government/urls log block.log }
dest blk_BL_hacking { domainlist blk_BL_hacking/domains urllist blk_BL_hacking/urls log block.log }
dest blk_BL_hobby_cooking { domainlist blk_BL_hobby_cooking/domains urllist blk_BL_hobby_cooking/urls log block.log }
dest blk_BL_hobby_games-misc { domainlist blk_BL_hobby_games-misc/domains urllist blk_BL_hobby_games-misc/urls log block.log }
dest blk_BL_hobby_games-online { domainlist blk_BL_hobby_games-online/domains urllist blk_BL_hobby_games-online/urls log block.log }
dest blk_BL_hobby_gardening { domainlist blk_BL_hobby_gardening/domains urllist blk_BL_hobby_gardening/urls log block.log }
dest blk_BL_hobby_pets { domainlist blk_BL_hobby_pets/domains urllist blk_BL_hobby_pets/urls log block.log }
dest blk_BL_homestyle { domainlist blk_BL_homestyle/domains urllist blk_BL_homestyle/urls log block.log }
dest blk_BL_hospitals { domainlist blk_BL_hospitals/domains urllist blk_BL_hospitals/urls log block.log }
dest blk_BL_imagehosting { domainlist blk_BL_imagehosting/domains urllist blk_BL_imagehosting/urls log block.log }
dest blk_BL_isp { domainlist blk_BL_isp/domains urllist blk_BL_isp/urls log block.log }
dest blk_BL_jobsearch { domainlist blk_BL_jobsearch/domains urllist blk_BL_jobsearch/urls log block.log }
dest blk_BL_library { domainlist blk_BL_library/domains urllist blk_BL_library/urls log block.log }
dest blk_BL_military { domainlist blk_BL_military/domains urllist blk_BL_military/urls log block.log }
dest blk_BL_models { domainlist blk_BL_models/domains urllist blk_BL_models/urls log block.log }
dest blk_BL_movies { domainlist blk_BL_movies/domains urllist blk_BL_movies/urls log block.log }
dest blk_BL_music { domainlist blk_BL_music/domains urllist blk_BL_music/urls log block.log }
dest blk_BL_news { domainlist blk_BL_news/domains urllist blk_BL_news/urls log block.log }
dest blk_BL_podcasts { domainlist blk_BL_podcasts/domains urllist blk_BL_podcasts/urls log block.log }
dest blk_BL_politics { domainlist blk_BL_politics/domains urllist blk_BL_politics/urls log block.log }
dest blk_BL_porn { domainlist blk_BL_porn/domains urllist blk_BL_porn/urls log block.log }
dest blk_BL_radiotv { domainlist blk_BL_radiotv/domains urllist blk_BL_radiotv/urls log block.log }
dest blk_BL_recreation_humor { domainlist blk_BL_recreation_humor/domains urllist blk_BL_recreation_humor/urls log block.log }
dest blk_BL_recreation_martialarts { domainlist blk_BL_recreation_martialarts/domains urllist blk_BL_recreation_martialarts/urls log block.log }
dest blk_BL_recreation_restaurants { domainlist blk_BL_recreation_restaurants/domains urllist blk_BL_recreation_restaurants/urls log block.log }
dest blk_BL_recreation_sports { domainlist blk_BL_recreation_sports/domains urllist blk_BL_recreation_sports/urls log block.log }
dest blk_BL_recreation_travel { domainlist blk_BL_recreation_travel/domains urllist blk_BL_recreation_travel/urls log block.log }
dest blk_BL_recreation_wellness { domainlist blk_BL_recreation_wellness/domains urllist blk_BL_recreation_wellness/urls log block.log }
dest blk_BL_redirector { domainlist blk_BL_redirector/domains urllist blk_BL_redirector/urls log block.log }
dest blk_BL_religion { domainlist blk_BL_religion/domains urllist blk_BL_religion/urls log block.log }
dest blk_BL_remotecontrol { domainlist blk_BL_remotecontrol/domains urllist blk_BL_remotecontrol/urls log block.log }
dest blk_BL_ringtones { domainlist blk_BL_ringtones/domains urllist blk_BL_ringtones/urls log block.log }
dest blk_BL_science_astronomy { domainlist blk_BL_science_astronomy/domains urllist blk_BL_science_astronomy/urls log block.log }
dest blk_BL_science_chemistry { domainlist blk_BL_science_chemistry/domains urllist blk_BL_science_chemistry/urls log block.log }
dest blk_BL_searchengines { domainlist blk_BL_searchengines/domains urllist blk_BL_searchengines/urls log block.log }
dest blk_BL_sex_education { domainlist blk_BL_sex_education/domains urllist blk_BL_sex_education/urls log block.log }
dest blk_BL_sex_lingerie { domainlist blk_BL_sex_lingerie/domains urllist blk_BL_sex_lingerie/urls log block.log }
dest blk_BL_shopping { domainlist blk_BL_shopping/domains urllist blk_BL_shopping/urls log block.log }
dest blk_BL_socialnet { domainlist blk_BL_socialnet/domains urllist blk_BL_socialnet/urls log block.log }
dest blk_BL_spyware { domainlist blk_BL_spyware/domains urllist blk_BL_spyware/urls log block.log }
dest blk_BL_tracker { domainlist blk_BL_tracker/domains urllist blk_BL_tracker/urls log block.log }
dest blk_BL_updatesites { domainlist blk_BL_updatesites/domains urllist blk_BL_updatesites/urls log block.log }
dest blk_BL_urlshortener { domainlist blk_BL_urlshortener/domains urllist blk_BL_urlshortener/urls log block.log }
dest blk_BL_violence { domainlist blk_BL_violence/domains urllist blk_BL_violence/urls log block.log }
dest blk_BL_warez { domainlist blk_BL_warez/domains urllist blk_BL_warez/urls log block.log }
dest blk_BL_weapons { domainlist blk_BL_weapons/domains urllist blk_BL_weapons/urls log block.log }
dest blk_BL_webmail { domainlist blk_BL_webmail/domains urllist blk_BL_webmail/urls log block.log }
dest blk_BL_webphone { domainlist blk_BL_webphone/domains urllist blk_BL_webphone/urls log block.log }
dest blk_BL_webradio { domainlist blk_BL_webradio/domains urllist blk_BL_webradio/urls log block.log }
dest blk_BL_webtv { domainlist blk_BL_webtv/domains urllist blk_BL_webtv/urls log block.log }
# vagina tetas striptis culo striptease stripteasse
dest palabras_blk { expressionlist palabras_blk/expressions }
rew nosslsearch {
    s@regexi ^(http://www.google..*/search?.*)@1&safe=active@r
    s@regexi ^(http://www.google..*/images?.*)@1&safe=active@r
}
rew safesearch {
    s@(google..*/search?.*q=.*)@&safe=active@i
    s@(google..*/images.*q=.*)@&safe=active@i
    s@(google..*/groups.*q=.*)@&safe=active@i
    s@(google..*/news.*q=.*)@&safe=active@i
    s@(yandex..*/yandsearch?.*text=.*)@&fyandex=1@i
    s@(search.yahoo..*/search.*p=.*)@&vm=r&v=1@i
    s@(search.live..*/.*q=.*)@&adlt=strict@i
    s@(search.msn..*/.*q=.*)@&adlt=strict@i
    s@(.bing..*/.*q=.*)@&adlt=strict@i
    log block.log
}
acl {
    test within test_porn {
        pass !blk_BL_porn palabras_blk all
        rewrite safesearch
        log block.log
    } else {
        pass !palabras_blk !blk_BL_porn all
        redirect http://10.0.0.6:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
        rewrite safesearch
        log block.log
    }
    default {
        pass !palabras_blk !blk_BL_porn all
        redirect http://pranaglobal.com.ar/acceso_denegado.jpg
        rewrite safesearch
        log block.log
    }
}
```
![firewall rules.jpg](/public/imported_attachments/1/firewall rules.jpg)
![service status.jpg](/public/imported_attachments/1/service status.jpg)
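To make the first-match behaviour of the manager rules concrete, here is an added Python example (my own, not code from the thread or from the pfSense Squid package). It walks a constructed excerpt of the acl/http_access lines from the squid.conf above and reports which rule decides a cache_object request from a given client address, which is why the External Cache-Managers entries have to name the client's source IP before the trailing http_access deny manager; only src and proto ACLs are modelled.

```python
import ipaddress
# Constructed excerpt of the manager-related lines from the squid.conf above (src/proto ACLs only).
SQUID_CONF = """\
acl localnet src 10.0.0.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl manager proto cache_object
http_access allow manager localhost
acl ext_manager_1 src 127.0.0.1
http_access allow manager ext_manager_1
acl ext_manager_2 src 10.0.0.6
http_access allow manager ext_manager_2
http_access deny manager
http_access allow localhost
http_access deny all
"""

def parse(conf):
    """Collect 'acl' definitions and 'http_access' rules in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            # Repeated acl lines with the same name extend that ACL's values.
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, client, is_manager):
    """Evaluate one ACL reference (optionally negated with '!') for a client."""
    negate = name.startswith("!")
    kind, args = acls.get(name.lstrip("!"), ("unsupported", []))
    if kind == "src":
        # ipaddress accepts both CIDR and the dotted-netmask form pfSense emits.
        hit = any(client in ipaddress.ip_network(a, strict=False) for a in args)
    elif kind == "proto":
        hit = is_manager and "cache_object" in args
    else:
        hit = False  # other ACL types are out of scope for this example
    return hit != negate

def manager_access(conf, client_ip):
    """Return (action, rule_index) for a cache_object request from client_ip.
    Squid stops at the first http_access line whose ACLs all match; when none
    matches, the default is the opposite of the last line's action."""
    acls, rules = parse(conf)
    client = ipaddress.ip_address(client_ip)
    for index, (action, names) in enumerate(rules):
        if all(acl_matches(acls, n, client, True) for n in names):
            return action, index
    return ("deny" if rules and rules[-1][0] == "allow" else "allow"), -1
```

Running manager_access(SQUID_CONF, "10.0.0.50") shows a LAN host that is not listed as an external cache manager being stopped by the deny manager line, while 10.0.0.6 and 127.0.0.1 are admitted by their own allow lines.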
-
Did you remember to add localhost and your pfSense box's interface IP to 'External Cache-Managers' under the Access Control tab?
My setting:
LAN: 192.168.2.0/24. Gateway (pfsense) 192.168.2.1
External Cache-Managers: 127.0.0.1;192.168.2.1; -
yes =/
![external cachemgr.jpg](/public/imported_attachments/1/external cachemgr.jpg)
-
I can see that I have the following link: ln -s /var/log/squid /var/squid/logs/
-
In my case /var/log/squid doesn't exist :)
-
Does this folder have any contents? /var/squid/logs/
That folder did not exist on my pfSense either, but the reason was that Squid seems to log to /var/log/squid -
[2.1.5-RELEASE][root@pfsense.localdomain]/var/squid/logs(42): ls
access.log cache.log squid.pid store.log -
[2.2-RC][root@pfsense.datanom.net]/var/squid/logs: ls -l
total 73472
-rw-r----- 1 proxy proxy 2009012 Jan 12 19:53 access.log
-rw-r----- 1 proxy proxy 4067785 Jan 12 00:00 access.log.0
-rw-r----- 1 proxy proxy 3174363 Jan 11 00:00 access.log.1
-rw-r----- 1 proxy proxy 3861748 Jan 1 23:59 access.log.10
-rw-r----- 1 proxy proxy 4091622 Dec 31 23:59 access.log.11
-rw-r----- 1 proxy proxy 3596919 Dec 31 00:00 access.log.12
-rw-r----- 1 proxy proxy 3379364 Dec 29 23:59 access.log.13
-rw-r----- 1 proxy proxy 3471317 Dec 29 00:00 access.log.14
-rw-r----- 1 proxy proxy 3594618 Jan 10 00:00 access.log.2
-rw-r----- 1 proxy proxy 2675342 Jan 9 00:00 access.log.3
-rw-r----- 1 proxy proxy 3242169 Jan 8 00:00 access.log.4
-rw-r----- 1 proxy proxy 2105987 Jan 7 00:00 access.log.5
-rw-r----- 1 proxy proxy 16549068 Jan 6 00:00 access.log.6
-rw-r----- 1 proxy proxy 3253532 Jan 4 23:59 access.log.7
-rw-r----- 1 proxy proxy 3322237 Jan 4 00:00 access.log.8
-rw-r----- 1 proxy proxy 4927550 Jan 2 23:59 access.log.9
-rw-r----- 1 proxy proxy 71356 Jan 12 19:46 cache.log
-rw-r----- 1 proxy proxy 312265 Jan 11 15:23 cache.log.0
-rw-r----- 1 proxy proxy 12340 Jan 10 20:01 cache.log.1
-rw-r----- 1 proxy proxy 19693 Jan 1 23:33 cache.log.10
-rw-r----- 1 proxy proxy 4761 Dec 31 23:23 cache.log.11
-rw-r----- 1 proxy proxy 2073 Dec 30 22:22 cache.log.12
-rw-r----- 1 proxy proxy 4231 Dec 29 22:22 cache.log.13
-rw-r----- 1 proxy proxy 2510 Dec 28 22:36 cache.log.14
-rw-r----- 1 proxy proxy 2623 Jan 9 16:35 cache.log.2
-rw-r----- 1 proxy proxy 1861 Jan 8 21:27 cache.log.3
-rw-r----- 1 proxy proxy 774 Jan 7 19:04 cache.log.4
-rw-r----- 1 proxy proxy 898 Jan 6 19:50 cache.log.5
-rw-r----- 1 proxy proxy 8201 Jan 5 20:12 cache.log.6
-rw-r----- 1 proxy proxy 381 Jan 4 23:19 cache.log.7
-rw-r----- 1 proxy proxy 28029 Jan 3 22:23 cache.log.8
-rw-r----- 1 proxy proxy 6779 Jan 2 18:57 cache.log.9
-rw-r--r-- 1 proxy proxy 6 Jan 10 02:22 squid.pid
-rw-r----- 1 proxy proxy 6556746 Jan 10 02:28 store.log -
cuz you rotate your logs <3
-
Hi friends,
rocaembole
try removing the semicolon after 10.0.0.6; I don't have one and it works, even though it says "separated" by semicolons.
Just to try :) -
I see that too and tried it without the semicolon, but that doesn't work either.
-
I'm trying by proxy and by LAN (My squid's in non transparent mode) and can't access…
I use transparent mode. I wonder if that's part of your problem?
Steve
-
Thanks! That was my problem. Now I can access it. Thanks!
-
I'm on pfSense 2.2.1 and I just installed squid3 and set up a simple transparent proxy. No clamav, no squidguard. I was trying to follow the OP's tutorial to add access to the cachemgr tab:
```
cd /usr/local/www
ln -s /usr/local/libexec/squid/cachemgr.cgi
cd /usr/local/etc/squid
cp cachemgr.conf.default cachemgr.conf
```
The problem is the paths are all different.
/usr/local/libexec/squid and /usr/local/etc/squid do not exist. Any ideas?
Thank you.
edit: I figured it out (I'm a BSD noob…sorry)
Here are the paths.
/usr/pbi/squid-i386/local/etc/squid
/usr/pbi/squid-i386/local/libexec/squid
I'm not sure if the paths changed due to newer pfSense version, or the fact I'm using squid3 vs. squid, but it did work for me!