Configure squid & squidguard/dansguardian with SSL $60
-
I need help configuring Squid3-dev with SSL (HTTPS) and SquidGuard or DansGuardian. A complete walk-through, per se, as I have tried many times to no avail and just want it done.
I guess I will pay $60.
-
I am trying to get this to work as well. I don't have the time to spearhead this, but I am willing to compare notes and beta-test with anyone who is.
I don't need the $60 (or any part thereof), so if anyone is interested in heading this up, please don't use that as a reason not to.
-
You can follow this thread https://forum.pfsense.org/index.php?topic=73640.0
Summary

Install
squid3-dev
squidGuard-squid3

System Patches
Go to System: Patches
Then add a new patch
Description - give a name
URL/Commit ID - leave blank
Patch Contents--- squidguard_configurator.inc.orig +++ squidguard_configurator.inc @@ -94,3 +94,3 @@ -define('REDIRECTOR_OPTIONS_REM', '# squidGuard options'); -define('REDIRECTOR_PROGRAM_OPT', 'redirect_program'); -define('REDIRECT_BYPASS_OPT', 'redirector_bypass'); +define('REDIRECTOR_OPTIONS_REM', '# squidGuard options'); +define('REDIRECTOR_PROGRAM_OPT', 'url_rewrite_program'); +define('REDIRECT_BYPASS_OPT', 'url_rewrite_bypass'); @@ -98,1 +98,1 @@ -define('REDIRECTOR_PROCESS_COUNT', '5'); # redirector processes count will started +define('REDIRECTOR_PROCESS_COUNT', '16 startup=8 idle=4 concurrency=0'); # redirector processes count will started
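Review bot: the first line of the `@@ -94,3 +94,3 @@` hunk removes and re-adds `define('REDIRECTOR_OPTIONS_REM', '# squidGuard options');` byte for byte, so it is a no-op that belongs in the context lines rather than as a -/+ pair; trimming it leaves only the real change, the rename of `redirect_program`/`redirector_bypass` to the squid 3 spellings `url_rewrite_program`/`url_rewrite_bypass`, which is easier to review and has one less line that can fail to apply on a whitespace difference.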
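Review bot: in the `@@ -98,1 +98,1 @@` hunk `REDIRECTOR_PROCESS_COUNT` stops being a count and becomes the whole helper option string `16 startup=8 idle=4 concurrency=0`, while the trailing comment `# redirector processes count will started` is left untouched; rename the constant or at least fix the comment so the next reader knows the value is pasted verbatim into `url_rewrite_children`. The `startup=`/`idle=`/`concurrency=` keywords are squid 3.2+ helper syntax, so the patch also ties the package to that squid line. `concurrency=0` is correct for squidGuard, which does not speak the concurrent helper protocol, but sixteen helpers each loading the blacklist database is a fixed memory cost on small boxes and belongs in a GUI setting rather than a hard-coded define.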
Path Strip Count: leave as default
Base Directory - /usr/local/pkg
Ignore Whitespace - tick
Auto Apply - no
Save
Click Test
Then Apply

In Proxy server:
Proxy interface(s) - lan
Proxy port - default
ICP port - default
Allow users on interface - tick
Patch captive portal - default
Resolve DNS v4 first - tick
Disable ICMP - default
Use alternate DNS-servers for the proxy-server - default
Transparent HTTP proxy - tick
Transparent Proxy interface(s) - lan
Bypass proxy for Private Address destination - default
Bypass proxy for these source IPs - default
Bypass proxy for these destination IPs - default
HTTPS/SSL interception - tick
SSL Intercept interface(s) - lan
SSL Proxy port - default
CA - we will come back to this
sslcrtd children - default
Remote Cert checks - click "Accept remote server certificate errors"
Certificate adapt - none (unselect is ctrl-click)
Logging Settings - all default

Integrations
for i386
redirect_program /usr/pbi/squidguard-squid3-i386/bin/squidGuard -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf;redirector_bypass off;url_rewrite_children 5
for amd64
url_rewrite_program /usr/pbi/squidguard-squid3-amd64/bin/squidGuard -c /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=0
Custom ACLs (Before_Auth)
always_direct allow all
ssl_bump server-first all
Save
Local cache can be set up later, same with antivirus
Proxy filter SquidGuard: General settings
Enable
Add a blacklist

Now create a certificate
Follow this guide
http://www.sxl.net/guides/how-to-setup-pfsense-ssl-certificate-authority/
Put it on all computers

Then
Proxy server: General settings
CA = your certificate
Save
----------------------------------------------------------
[Issue to fix] Windows updates and other updates like Adobe cannot connect.

Hope this helps
-
Many thanks, I'll give it a try tomorrow.
-
How did you go?
-
aGeekHere, I know this post is old, but I'm curious about the certificate. In your post it says to install it on all the computers, but what about on the phones? Would I still get that certificate error? I haven't tried this just because I would need to install the certificate on all the computers. Or did I understand wrong?
Thank you
-
It's an old post. I suggest you use pfSense 2.1.5 in case you want to use these settings; it is more stable than the current release. You can load a self-signed certificate on a phone too, but it's a pain. I suggest putting them in the bypass list.
-
It's an old post. I suggest you use pfSense 2.1.5 in case you want to use these settings; it is more stable than the current release. You can load a self-signed certificate on a phone too, but it's a pain. I suggest putting them in the bypass list.
But if I put it on the bypass list, HTTPS won't get blocked on phones, or am I wrong? I was considering doing WPAD, but currently pfBlockerNG does get the job done, besides YouTube. :-[ And it only shows "cannot find page", which kind of sucks compared to the website-blocked notification through squidGuard.
Off topic completely, for exograpix: any news on when e2guardian is coming out for pfSense 2.2.2?
-
Hi, yes, you need to put it on the phones and tablets and ANY/ALL other devices. Old post, but most of the steps are still correct.
You can skip System Patches part.
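Added example, not from the thread or from pfSense: the certificate error a laptop, phone or tablet throws until the pfSense CA is on it can be reproduced with openssl alone. The script builds a throwaway CA standing in for the one created under System: Cert Manager, mints a leaf certificate for a made-up site the way ssl_crtd does for each intercepted HTTPS host, and verifies it twice, against a trust store that holds that CA and against one that does not. The CA names, the host, the scratch directory and the key sizes are all invented for the demo.

```shell
#!/bin/sh
# Added example (not from the pfSense thread): a scratch CA plus one
# ssl_crtd-style leaf certificate, verified the way a client does it.
# Every name, host and path here is made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; nothing touches the real system

# Root CA as it would live in pfSense's Cert Manager. Extensions are given
# explicitly so the result does not depend on the local openssl.cnf defaults.
make_ca() {
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 3650 \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# Leaf cert for an intercepted site, signed by the named CA: what ssl_crtd
# mints on the fly per server name when HTTPS/SSL interception is on.
issue_leaf() {
    host="$1"; ca="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" \
        > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" 2>/dev/null
}

# The issuer a client sees on the intercepted connection.
cert_issuer() {
    openssl x509 -noout -issuer -in "$WORK/$1.pem"
}

# What the browser on a laptop or phone does: chain the presented cert to its
# own trust store and check the name it asked for. 0 = trusted,
# 1 = the "certificate error" from the question above.
client_trusts() {
    host="$1"; store="$2"; expected="${3:-$1}"
    if openssl verify -CAfile "$store" -verify_hostname "$expected" \
            "$WORK/$host.pem" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

make_ca pfsense-demo-ca      # the CA you export from pfSense and push to devices
make_ca unrelated-ca         # stands in for a device that never got that CA
issue_leaf www.example.com pfsense-demo-ca

cert_issuer www.example.com
for trusted_ca in pfsense-demo-ca unrelated-ca; do
    if client_trusts www.example.com "$WORK/$trusted_ca.pem"; then
        echo "$trusted_ca in trust store: connection accepted"
    else
        echo "$trusted_ca in trust store: certificate error (a phone without the pfSense CA)"
    fi
done
```

Run it with sh on any box that has openssl; the second verify is the phone case. The thread's "Accept remote server certificate errors" setting is the mirror image of this check: it tells squid to skip the same validation on its own leg to the real site, so with it on, clients trust the proxy unconditionally while the proxy trusts whatever it reaches. Devices that cannot get the CA belong in the bypass list rather than being taught to click through the warning.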
-
But it seems like for pfSense 2.2.2 there are issues with squid3.
-
Lots of issues, don't waste time on the latest version, it is very unstable.
-
I am moving (trying to work out how to set it up now) from using a transparent proxy to using a WPAD.
-
Do send the process if you are successful.
-
any update on fixing squid3 for 2.2.2? :)
-
any update on fixing squid3 for 2.2.2? :)
squid3 works fine with 2.2.2 for transparent HTTP proxy (have not tried HTTPS).
Or are you referring to setting up a WPAD with squid3 for pfSense 2.2.2? If that is the case, I am working on it (getting somewhere).
-
Well... if I reboot I need to stop squid3 and squidGuard and start them again. Weird, but it works. I just gave up on HTTPS, so I use pfBlockerNG for all the HTTPS sites (Facebook, Twitter, WhatsApp). Funny thing, I can't get YouTube to block through IP. :-[
But in theory, 90 percent of people, when they go to YouTube or Facebook, usually type facebook.com in the URL bar, which always comes up as HTTP. But if you search for Facebook in Google, it will come up as HTTPS (that's where pfBlockerNG comes in).
I have also been following your post for WPAD, pretty impressive stuff, best of luck ;) But one thing I can't understand is how WPAD works with squid or squidGuard.
-
If I reboot I need to stop squid3 and squidGuard and start them again. Weird.
I have to reinstall the blocklist.
I have been also following your post for WPAD pretty impressive stuff best of luck
If I work it out I'll post a how-to.
-
I have to reinstall the blocklist.
That's the worst, hopefully fixed soon :)
If I work it out I'll post a how-to.
Thanks ;)
-
Just to post an update I have got the wpad working with http and https filtering working without using a transparent proxy.
See link https://forum.pfsense.org/index.php?topic=93060.msg516254#msg516254

Hope this helps some people.
-
Squid3 works just fine for me in explicit mode.