Configure squid & squidguard/dansguardian with SSL $60



  • I need help configuring Squid3-dev with SSL (https) and Squidguard or Dansguardian. A complete walk through per-say, as I have tried many times to no avail and just want it done.

    I'm guess I will pay $60.



  • I am trying to get this to work as well. I don't have the time to spear-head this, but I am willing to compare notes and beta-test with anyone who is.

    I don't need the $60 (or any part thereof), so if anyone is interested in heading this up, please don't use that as a reason not to.



  • You can follow this thread https://forum.pfsense.org/index.php?topic=73640.0

    Summery

    Install
    squid3-dev
    squidGuard-squid3
    System Patches

    Go System: Patches
    Then add new patch
    Description - give a name
    URL/Commit ID - leave blank
    Patch Contents

    
    --- squidguard_configurator.inc.orig
    +++ squidguard_configurator.inc
    @@ -94,3 +94,3 @@
    -define('REDIRECTOR_OPTIONS_REM',   '# squidGuard options');
    -define('REDIRECTOR_PROGRAM_OPT',   'redirect_program');
    -define('REDIRECT_BYPASS_OPT',      'redirector_bypass');
    +define('REDIRECTOR_OPTIONS_REM',   '# squidGuard options');
    +define('REDIRECTOR_PROGRAM_OPT',   'url_rewrite_program');
    +define('REDIRECT_BYPASS_OPT',      'url_rewrite_bypass');
    @@ -98,1 +98,1 @@
    -define('REDIRECTOR_PROCESS_COUNT', '5'); # redirector processes count will started
    +define('REDIRECTOR_PROCESS_COUNT', '16 startup=8 idle=4 concurrency=0'); # redirector processes count will started
    
    

    Path Strip Count: leave as default
    Base Directory - /usr/local/pkg
    Ignore Whitespace tic
    Auto Apply no
    save
    Click test
    then apply

    in Proxy server
    Proxy interface(s) - lan
    Proxy port - default
    ICP port - default
    Allow users on interface - tic
    Patch captive portal - default
    Resolv dns v4 first - tic
    Disable ICMP  - default
    Use alternate DNS-servers for the proxy-server  - default
    Transparent HTTP proxy - tic
    Transparent Proxy interface(s) - lan
    Bypass proxy for Private Address destination - default
    Bypass proxy for these source IPs - default
    Bypass proxy for these destination IPs  - default
    HTTPS/SSL interception - tic
    SSL Intercept interface(s) - lan
    SSL Proxy port - default
    CA We will come back to this
    sslcrtd children - default
    Remote Cert checks - Click accept remote server certificate errors
    Certificate adapt - none (unselect is ctrl click)
    Logging Settings - all default

    Integrations
    for i386

    
    redirect_program /usr/pbi/squidguard-squid3-i386/bin/squidGuard -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf;redirector_bypass off;url_rewrite_children 5
    
    

    for amd64

    
    url_rewrite_program /usr/pbi/squidguard-squid3-amd64/bin/squidGuard -c /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=0
    
    

    Custom ACLS (Before_Auth)

    
    always_direct allow all
    ssl_bump server-first all
    
    

    save

    Local cache can be set up later, same with antivirus

    Proxy filter SquidGuard: General settings

    enable
    add a black list

    now create a Certificate
    Follow this guide
    http://www.sxl.net/guides/how-to-setup-pfsense-ssl-certificate-authority/
    Put it on all computers

    then
    Proxy server: General settings
    CA = your certificate
    Save

    –--------------------------------------------------------
    [Issue to fix] Windows updates and other updates like adobe can not connect

    Hope this helps



  • Many thanks, I'll give it a try tomorrow.



  • How did you go?



  • aGeekHere i know this post is old but im curious about the certificate. In your post it says install it on all the computers but what about on the phones? Would I still get that certificate error? I haven't tried this just because I would need to install certificate on all the computers. Or did i understand wrong?

    Thank you



  • Its a old post, I suggest you use pfsense 2.1.5 in case you want to use these settings, it is more stable than current release. You can load self signed certificate in phone too, but its a pain. I suggest to put them in the bypass list.



  • @exograpix:

    Its a old post, I suggest you use pfsense 2.1.5 in case you want to use these settings, it is more stable than current release. You can load self signed certificate in phone too, but its a pain. I suggest to put them in the bypass list.

    but if i put it on the bypass list https wont get blocked on phones or am i wrong? I was considering to do wpad but currently pfBlockerNG does get the job done besides youtube. :-[  And only shows cannot find page which kinda sucks compared to website blocked notification though squidguard

    off topic completely for exograpix: any news when e2guardian is coming out for pfSense 2.2.2?



  • Hi, yes you need to put it in the phone and tablets and ANY/ALL other devices, old post but most of the steps still are still correct.

    You can skip System Patches part.



  • but it seems like for pfSense 2.2.2 theres issues with squid3



  • Lots of issues, don't waste on latest version, it is very unstable



  • I am moving (trying to workout how to set it up now) from using a Transparent proxy to using a WPAD.



  • Do send the process if you are successful.



  • any update on fixing squid3 for 2.2.2?  :)



  • @killmasta93:

    any update on fixing squid3 for 2.2.2?  :)

    squid3 works fine with 2.2.2 for Transparent HTTP proxy (have not tried https).

    Or are you referring to setting up a WPAD with squid3 for pfsense 2.2.2, if that is the case, i am working on it (getting somewhere).



  • well.. if i reboot i need to stop squid3 and squidGuard and start it again weird..but it works. I just gave up on https so I use pfblockerNG for all the https sites (facebook,twitter,whatsapp) Funny thing I cant get youtube to block though IP.  :-[

    But in theory 90 percent of people when they go to youtube or facebook they usually type on the url facebook.com that always comes at http. But if you search in google facebook it will come as https (thats where pfBlockerNG comes in)

    I have been also following your post for WPAD pretty impressive stuff best of luck  ;) But one thing i cant understand is how WPAD works with squid or squidGuard



  • @killmasta93:

    if i reboot i need to stop squid3 and squidGuard and start it again weird

    I have to reinstall the blocklist.

    @killmasta93:

    I have been also following your post for WPAD pretty impressive stuff best of luck

    If I work it out i'll post a how to;



  • I have to reinstall the blocklist.

    thats the worst hopefully fix soon :)

    If I work it out i'll post a how to

    Thanks  ;)



  • Just to post an update I have got the wpad working with http and https filtering working without using a transparent proxy.
    see link https://forum.pfsense.org/index.php?topic=93060.msg516254#msg516254

    Hope this helps some people



  • Squid3 works just fine for me in explicit mode.


Log in to reply