SquidGuard ssl cert error for denied page and a few other questions
-
I've tried searching, hopefully I didn't miss this somewhere.
I'm new to using pfSense and I've just set up 2.1 release in a vm on esxi 5.5 for my home environment. pfSense itself works fine right now.
I've installed squid3-dev and squidGuard-squid3 packages and it works, except the antivirus part which is less important at the moment; but, when I test the filtering and go to a blocked page in the porn category, it will block it. I just get a warning about an ssl cert. Here are the details: https://192.168.1.1/sgerror.php?url=403%20&a=192.168.1.48&n=&i=&s=default&t=blk_BL_porn&u=http://www.*******.com/ (I * out the site. Figured it would not be appreciated to have it here.)
I'm guessing it's because it's trying to read or being redirected to the pfSense box to get the denied error page. Not sure why it's doing this.
The proxy is set up in transparent mode. If I continue on, I get the default denied page.
I've been a long time ipcop user and have never run into this.
After the two reboots mentioned below, I see that the squid guard service is stopped and will not start though the filtering still seems to be working. ….. Scratch that. It's running now. Does it just take a while to start or show it's running? I also went to the Proxy Filter page and hit apply too. Maybe that did it. If so, why does it not start on boot up?
Less important problems are below. I haven't looked into them much yet, but figured I'd go ahead and throw them out while I'm posting.
1. The system time seems to get set back 5 hours every reboot and the NTP service fails to start. If I go to the general setup page and just click save without making any changes it sets the time correctly and NTP service starts up. NTP server is set to the default pfSense server. I'm NOT syncing esxi and pfSense time with each other.
Just did a couple of reboots after clearing the log files to try and find something to post here (nothing looks notable), but then noticed after a second reboot, the time got corrected but the ntp service still isn't starting normally. Edit: ugh, just was about to log out of the web gui and noticed pfSense has reverted back 5 hours. Got to be timezone related. I'm -5:00 EST/EDT timezone. I just went to the general setup page, clicked save, went to the services page and started the ntpd service and the time corrected itself again. As I was going from the services page to the dashboard, I had to log into the webgui again. Does this by chance have something to do with a time out period?
The last is the clamAV. It just keeps failing. Says I need to run freshclam first. I've tried just typing freshclam in the gui command prompt page but it tells me "WARNING: Can't get information about user clamav." I could try this at the console if anyone thinks it will help. I'm just not sure that's the right/full command.
I'll try some more reboots tomorrow when I drag myself out of bed, but for now I'm going to try and get some sleep. If you need any more information please ask and please understand I may not know where to find it in pfSense. So hints are welcome. Thanks for any help.
-
Just thought I'd post an update.
I removed the 3.x versions of squid and squidguard.
Installed squid 2.7.9 pkg v.4.3.3 and squidguard 1.4_4 pkg v.1.9.5
I still get the ssl cert errors when I go to a page that is blocked. It's sending it to https://192.168.1.1.
I've tried disabling the redirect to https that I would use to ensure the http page doesn't work. Still get the cert errors.
I've also tried changing the page to redirect to external page and just set http://127.0.0.1 and still get the cert errors. Seems it's still going to/through pfsense via https links. Any thoughts on this?
I have no ideas currently.
When I had the 3x squid/guard packages that offer https proxy, I even tried enabling that and disabling that on the off chance that may have been causing it. When it was enabled, https sites acted as expected and worked correctly once disabled again. Just thought I'd throw that out as well.
The last thing I tried was changing the interface the proxy works on to the loopback, only to find that it doesn't work on the lan. Not sure what this is for though.
-
Ok, tried a new clean install, except I used the x86 version this time and only used squid 2 and squid guard 1.5x. Still I get the ssl cert because it's trying to go through https.
Reading this post: http://forum.pfsense.org/index.php?topic=7317.0
I decided to force webconfig to http and not https. I no longer get the https error and it goes directly to the error page as expected.
Seems obvious, but I thought without checking the "Disable webConfigurator redirect rule" I wouldn't need to do this. I'd still only have the https web configurator port only.
Any way this can be fixed? I'm thinking about trying some of the stuff listed in this old thread, but I don't know if that will do any good. Could/should I change the squid port to 80? Seems this may be asking for trouble if I do that.