Netgate Discussion Forum

    Captive portal + squid3-dev trouble

    pfSense Packages
    6 Posts 4 Posters 1.7k Views
    saftig

      Hi!

      I have a problem that I can't seem to be able to figure out on my own. I've been having lots of trouble with Captive portal combined with squid3/squid3-dev. I basically just want to run squid so that I can redirect all of the DNS requests to OpenDNS to control what the users can access. I managed to get it working with squid3, but since it sporadically stopped working for some reason (after rebooting it would work sometimes and sometimes it wouldn't) I decided to give squid3-dev a go to see if it was more reliable in that regard.

      With the identical settings as I used with squid3 I can't get it to work at all. None of the requests are blocked when they're supposed to and every page resolves. The weird thing is that when I shut the squid3-dev service down it won't resolve any DNS addresses, so all of the DNS traffic is clearly using squid3-dev but for some reason it doesn't seem to use the correct DNS server to resolve the actual addresses. Here is my config:

      
      # This file is automatically generated by pfSense
      # Do not edit manually !
      
      http_port 10.0.60.1:3128
      http_port 127.0.0.1:3128 intercept
      icp_port 7
      dns_v4_first off
      pid_filename /var/run/squid.pid
      cache_effective_user proxy
      cache_effective_group proxy
      error_default_language en
      icon_directory /usr/pbi/squid-amd64/etc/squid/icons
      visible_hostname localhost
      cache_mgr admin@localhost
      access_log /dev/null
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      
      logfile_rotate 0
      shutdown_lifetime 3 seconds
      # Allow local network(s) on interface(s)
      acl localnet src  10.0.60.0/24
      uri_whitespace strip
      dns_nameservers 208.67.220.220 208.67.222.222 
      acl dynamic urlpath_regex cgi-bin \?
      cache deny dynamic
      
      cache_mem 1 MB
      maximum_object_size_in_memory 1 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      
      minimum_object_size 0 KB
      maximum_object_size 4 KB
      offline_mode off
      cache_swap_low 90
      cache_swap_high 95
      cache allow all
      
      # No redirector configured
      
      #Remote proxies
      
      # Setup some default acls
      # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
      # acl localhost src 127.0.0.1/32
      acl allsrc src all
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535 
      acl sslports port 443 563  
      
      # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
      #acl manager proto cache_object
      
      acl purge method PURGE
      acl connect method CONNECT
      
      # Define protocols used for redirects
      acl HTTP proto HTTP
      acl HTTPS proto HTTPS
      http_access allow manager localhost
      
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports
      
      # Always allow localhost connections
      # From 3.2 further configuration cleanups have been done to make things easier and safer. 
      # The manager, localhost, and to_localhost ACL definitions are now built-in.
      # http_access allow localhost
      
      quick_abort_min 0 KB
      quick_abort_max 0 KB
      request_body_max_size 10000 KB
      reply_body_max_size 10000 KB allsrc 
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100
      # Throttle extensions matched in the url
      acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
      delay_access 1 allow throttle_exts
      delay_access 1 deny allsrc
      
      # Reverse Proxy settings
      
      # Custom options before auth
      
      # Setup allowed acls
      # Allow local network(s) on interface(s)
      http_access allow localnet
      # Default block all to be sure
      http_access deny allsrc
      
      

      I have patched Captive portal as well as reinstalled squid3-dev and also reconfigured Captive portal several times to make sure that I've not made any mistakes. HTTPS/SSL interception is turned off, do I need to enable that?

      Hope you guys can help me out, just ask me if you need any more info.

      marcelloc

        Check squid access.log and cache.log

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        rjcrowder

          If you just want to force use of OpenDNS you can set their servers as the DNS servers and create a rule to block anyone from hitting another server on port 53.

          Not sure if you are doing anything else with squid. If not, it would be a lot more simple to just use rules…

          doktornotor (Banned)

            +1. Using squid to force usage of particular DNS servers? WTF.

            saftig

              @rjcrowder:

              If you just want to force use of OpenDNS you can set their servers as the DNS servers and create a rule to block anyone from hitting another server on port 53.

              Not sure if you are doing anything else with squid. If not, it would be a lot more simple to just use rules…

              Thanks!

              That is just what I wanted to achieve. I couldn't get it to resolve the Captive portal page at first, but then I forgot that I'd not allowed the OpenDNS addresses through… Before I figured that out I thought I'd go with squid3 to work around my (non-existent, really) problem.

              marcelloc

                You can also try to forward any DNS request to a specific DNS server using NAT rules.

                Elite Training: http://sys-squad.com

                Help a community developer! ;D

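The two replies above (rjcrowder's "block everything else on port 53" rule and marcelloc's NAT redirect) describe the right layer for this problem: squid's dns_nameservers line only governs the lookups the proxy itself makes for the HTTP it intercepts, while the clients' own port-53 queries never pass through squid at all. The pf ruleset below is an added example, not from the thread or from pfSense's generated configuration; it expresses both suggestions in the syntax pfSense's Firewall > Rules and Firewall > NAT pages compile to. The LAN subnet and OpenDNS addresses are taken from the poster's squid.conf; the interface name is an assumption.

```pf
# Added example (not from the thread). Macros and table first, then translation,
# then filter rules: pf requires rdr rules to precede the filter section.
lan_if  = "igb1"                     # assumed LAN interface name
lan_net = "10.0.60.0/24"             # LAN subnet from the poster's squid.conf
table <opendns> { 208.67.220.220 208.67.222.222 }

# marcelloc's approach: transparently rewrite any DNS query aimed at another
# resolver so it lands on OpenDNS (pfSense: NAT port forward with a redirect
# target). 'rdr pass' also admits the rewritten packets, so a client that is
# hard-coded to 8.8.8.8 keeps working but is answered by OpenDNS.
rdr pass on $lan_if proto { tcp udp } from $lan_net to ! <opendns> port 53 -> 208.67.220.220 port 53

# rjcrowder's approach: permit DNS only to OpenDNS and drop everything else on
# port 53. Logging the drops makes misconfigured or evasive clients visible in
# the firewall log instead of failing silently. Use either this pair or the rdr
# above; both together is harmless, the rdr simply never leaves anything to block.
pass  in quick on $lan_if proto { tcp udp } from $lan_net to <opendns> port 53
block in log quick on $lan_if proto { tcp udp } from $lan_net to any port 53

# Caveat: neither rule sees DNS over TLS (853) or DNS over HTTPS (443), so a
# client using those resolves outside OpenDNS. DoT can be dropped like port 53;
# DoH shares port 443 with ordinary web traffic and cannot be singled out here.
block in log quick on $lan_if proto tcp from $lan_net to any port 853
```

Two practical checks follow from the thread itself. First, as the poster discovered, the captive portal must also allow clients to reach the OpenDNS addresses before authentication, or the portal page itself cannot be resolved. Second, verify the rule from a client with a query forced at another resolver (for example `dig @8.8.8.8 example.com`): with the block rule it should time out and appear in the firewall log; with the rdr rule it should succeed, and the pfSense state table should show the rewritten destination.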
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.