Captive portal + squid3-dev trouble

saftig

Hi!

I have a problem that I can't seem to be able to figure out on my own. I've been having lots of trouble with Captive portal combined with squid3/squid3-dev, I basically just want to run squid so that I can redirect all of the DNS requests to OpenDNS to control
what the users can access. I managed to get it working with squid3, but since it sporadically stopped working for some reason (after rebooting it would work sometimes and sometimes it wouldn't) I decided to give squid3-dev a go to see if it was more reliable in that regard.

With the identical settings as I used with squid3 I can't get it to work at all. None of the requests are blocked when they're supposed to and every page resolves. The weird thing is that when I shut the squid3-dev service down it won't resolve any DNS addresses, so all of the DNS traffic is clearly using squid3-dev but for some reason it doesn't seem to use the correct DNS server to resolve the actual addresses. Here is my config:

# This file is automatically generated by pfSense
# Do not edit manually !

http_port 10.0.60.1:3128
http_port 127.0.0.1:3128 intercept
icp_port 7
dns_v4_first off
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-amd64/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /dev/null
cache_log /var/squid/logs/cache.log
cache_store_log none

logfile_rotate 0
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  10.0.60.0/24
uri_whitespace strip
dns_nameservers 208.67.220.220 208.67.222.222 
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

cache_mem 1 MB
maximum_object_size_in_memory 1 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA

minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all

# No redirector configured

#Remote proxies

# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535 
acl sslports port 443 563  

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer. 
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

quick_abort_min 0 KB
quick_abort_max 0 KB
request_body_max_size 10000 KB
reply_body_max_size 10000 KB allsrc 
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
# Throttle extensions matched in the url
acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
delay_access 1 allow throttle_exts
delay_access 1 deny allsrc

# Reverse Proxy settings

# Custom options before auth

# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

I have patched Captive portal as well as reinstalled squid3-dev and also reconfigured Captive portal several times to make sure that I've not made any mistakes. HTTPS/SSL interception is turned off, do I need to enable that?

Hope you guys can help me out, just ask me if you need any more info.

marcelloc

Check squid access.log and cache.log

rjcrowder

If you just want to force use of OpenDNS you can set their servers as the DNS servers and create a rule to block anyone from hitting another server on port 53.

Not sure if you are doing anything else with squid. If not, it would be a lot more simple to just use rules…

doktornotor

+1. Using squid to force usage of particular DNS servers? WTF.

saftig

@rjcrowder:

If you just want to force use of OpenDNS you can set their servers as the DNS servers and create a rule to block anyone from hitting another server on port 53.

Not sure if you are doing anything else with squid. If not, it would be a lot more simple to just use rules…

Thanks!

That is just what I wanted to achieve. I couldn't get it to resolve the Captive portal page at first, but then I forgot that I'd not allowed the OpenDNS addresses through… Before I figured that out I thought I'd go with squid3 to work around my (non existent really) problem.

marcelloc

You can also try to forward any dns request to a specific dns server using nat rules.