Netgate Discussion Forum

Configure squid & squidguard/dansguardian with SSL $60

20 Posts 7 Posters 12.3k Views
  • J
    justsomeone
    last edited by Jul 16, 2014, 2:52 PM Jul 16, 2014, 4:47 AM

    I need help configuring Squid3-dev with SSL (https) and Squidguard or Dansguardian. A complete walkthrough per se, as I have tried many times to no avail and just want it done.

    I guess I will pay $60.

    "Bad shit happens to drunk people."

    1 Reply Last reply Reply Quote 0
    • A
      aaronouthier
      last edited by Sep 25, 2014, 2:00 AM

      I am trying to get this to work as well. I don't have the time to spear-head this, but I am willing to compare notes and beta-test with anyone who is.

      I don't need the $60 (or any part thereof), so if anyone is interested in heading this up, please don't use that as a reason not to.

      1 Reply Last reply Reply Quote 0
      • A
        aGeekhere
        last edited by Oct 22, 2014, 12:06 AM

        You can follow this thread https://forum.pfsense.org/index.php?topic=73640.0

        Summary

        Install
        squid3-dev
        squidGuard-squid3
        System Patches

        Go to System: Patches
        Then add new patch
        Description - give a name
        URL/Commit ID - leave blank
        Patch Contents

        
        --- squidguard_configurator.inc.orig
        +++ squidguard_configurator.inc
        @@ -94,3 +94,3 @@
        -define('REDIRECTOR_OPTIONS_REM',   '# squidGuard options');
        -define('REDIRECTOR_PROGRAM_OPT',   'redirect_program');
        -define('REDIRECT_BYPASS_OPT',      'redirector_bypass');
        +define('REDIRECTOR_OPTIONS_REM',   '# squidGuard options');
        +define('REDIRECTOR_PROGRAM_OPT',   'url_rewrite_program');
        +define('REDIRECT_BYPASS_OPT',      'url_rewrite_bypass');
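        Review bot: the first removed/added pair in this hunk, define('REDIRECTOR_OPTIONS_REM', '# squidGuard options');, is identical on both sides, so it should be an unchanged context line rather than a -/+ pair; as written it hides that only two lines really change. Those two are the values of REDIRECTOR_PROGRAM_OPT and REDIRECT_BYPASS_OPT, and a short comment next to them saying why the directive names move to url_rewrite_program and url_rewrite_bypass would help whoever re-applies this after a package update.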
        @@ -98,1 +98,1 @@
        -define('REDIRECTOR_PROCESS_COUNT', '5'); # redirector processes count will started
        +define('REDIRECTOR_PROCESS_COUNT', '16 startup=8 idle=4 concurrency=0'); # redirector processes count will started
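        Review bot: REDIRECTOR_PROCESS_COUNT no longer holds a count after this change; the new value '16 startup=8 idle=4 concurrency=0' is a whole option string, while the constant name and the trailing comment ("redirector processes count will started") still describe a single number. Update the comment to say the value is the complete children setting, and check that nothing else in the file reads this constant as an integer.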
        
        

        Path Strip Count: leave as default
        Base Directory - /usr/local/pkg
        Ignore Whitespace - tick
        Auto Apply no
        save
        Click test
        then apply

        in Proxy server
        Proxy interface(s) - lan
        Proxy port - default
        ICP port - default
        Allow users on interface - tick
        Patch captive portal - default
        Resolv dns v4 first - tick
        Disable ICMP - default
        Use alternate DNS-servers for the proxy-server - default
        Transparent HTTP proxy - tick
        Transparent Proxy interface(s) - lan
        Bypass proxy for Private Address destination - default
        Bypass proxy for these source IPs - default
        Bypass proxy for these destination IPs - default
        HTTPS/SSL interception - tick
        SSL Intercept interface(s) - lan
        SSL Proxy port - default
        CA - We will come back to this
        sslcrtd children - default
        Remote Cert checks - Click accept remote server certificate errors
        Certificate adapt - none (unselect is ctrl click)
        Logging Settings - all default

        Integrations
        for i386

        
        redirect_program /usr/pbi/squidguard-squid3-i386/bin/squidGuard -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf;redirector_bypass off;url_rewrite_children 5
        
        

        for amd64

        
        url_rewrite_program /usr/pbi/squidguard-squid3-amd64/bin/squidGuard -c /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=0
        
        

        Custom ACLS (Before_Auth)

        
        always_direct allow all
        ssl_bump server-first all
        
        

        save

        Local cache can be set up later, same with antivirus

        Proxy filter SquidGuard: General settings

        enable
        add a black list

        now create a Certificate
        Follow this guide
        http://www.sxl.net/guides/how-to-setup-pfsense-ssl-certificate-authority/
        Put it on all computers

        then
        Proxy server: General settings
        CA = your certificate
        Save

        ---------------------------------------------------------
        [Issue to fix] Windows updates and other updates like adobe can not connect

        Hope this helps

        Never Fear, A Geek is Here!

        1 Reply Last reply Reply Quote 0
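Added example, not part of the original post or of the pfSense package: a small audit of the Squid directives this walkthrough ends up with, flagging settings that weaken upstream TLS validation or let the filter fail open once `ssl_bump` is active. The `sslproxy_cert_error allow all` line is an assumption about what the "accept remote server certificate errors" option writes; the `nobump` ACL and the `.updates.example` domain are hypothetical.

```python
# Constructed sample: the post's Custom ACLs and amd64 Integrations string, plus
# the directive the "accept remote server certificate errors" box is ASSUMED to emit.
SAMPLE = """\
sslproxy_cert_error allow all
always_direct allow all
ssl_bump server-first all
url_rewrite_program /usr/pbi/squidguard-squid3-amd64/bin/squidGuard -c /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=0
"""

# Hardened variant (hypothetical ACL name and domain): upstream certificate
# errors are rejected and one destination is exempted from bumping.
HARDENED = SAMPLE.replace(
    "sslproxy_cert_error allow all", "sslproxy_cert_error deny all"
).replace(
    "ssl_bump server-first all",
    "acl nobump dstdomain .updates.example\n"
    "ssl_bump none nobump\n"
    "ssl_bump server-first all",
)


def directives(conf_text):
    """Yield token lists; the pfSense Integrations field packs directives with ';'."""
    for line in conf_text.splitlines():
        for part in line.split("#", 1)[0].split(";"):
            tokens = part.split()
            if tokens:
                yield tokens


def audit(conf_text):
    """Return finding codes for a Squid 3.x configuration given as text."""
    rules = list(directives(conf_text))
    bump = [r[1:] for r in rules if r[0] == "ssl_bump"]
    bumping = any(r and r[0] != "none" for r in bump)
    findings = []
    for name, *args in rules:
        # Clients only see the proxy's own certificate, so an invalid upstream
        # certificate that the proxy accepts is invisible to them.
        if name == "sslproxy_cert_error" and args[:1] == ["allow"] and bumping:
            findings.append("CERT_ERRORS_ACCEPTED")
        if name == "sslproxy_flags" and "DONT_VERIFY_PEER" in ",".join(args).split(","):
            findings.append("PEER_VERIFY_OFF")
        # 'on' lets requests skip squidGuard when all helpers are busy.
        if name in ("url_rewrite_bypass", "redirector_bypass") and args[:1] == ["on"]:
            findings.append("FILTER_FAILS_OPEN")
    # No 'ssl_bump none' rule at all: every HTTPS connection is intercepted.
    if bumping and not any(r and r[0] == "none" for r in bump):
        findings.append("NO_BUMP_EXEMPTIONS")
    return findings
```

`audit(SAMPLE)` reports the accepted certificate errors and the missing exemptions; `audit(HARDENED)` returns an empty list.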
        • J
          justsomeone
          last edited by Oct 22, 2014, 4:19 AM

          Many thanks, I'll give it a try tomorrow.

          "Bad shit happens to drunk people."

          1 Reply Last reply Reply Quote 0
          • T
            thecableguy
            last edited by Jan 22, 2015, 12:12 PM

            How did you go?

            1 Reply Last reply Reply Quote 0
            • K
              killmasta93
              last edited by Apr 27, 2015, 2:12 AM

              aGeekHere, I know this post is old but I'm curious about the certificate. In your post it says install it on all the computers but what about on the phones? Would I still get that certificate error? I haven't tried this just because I would need to install the certificate on all the computers. Or did I understand wrong?

              Thank you

              Tutorials:

              https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

              1 Reply Last reply Reply Quote 0
              • E
                exograpix
                last edited by Apr 27, 2015, 4:47 AM

                It's an old post, I suggest you use pfsense 2.1.5 in case you want to use these settings, it is more stable than the current release. You can load a self signed certificate in a phone too, but it's a pain. I suggest to put them in the bypass list.

                1 Reply Last reply Reply Quote 0
                • K
                  killmasta93
                  last edited by Apr 27, 2015, 4:53 AM

                  @exograpix:

                  It's an old post, I suggest you use pfsense 2.1.5 in case you want to use these settings, it is more stable than the current release. You can load a self signed certificate in a phone too, but it's a pain. I suggest to put them in the bypass list.

                  But if I put it on the bypass list, https won't get blocked on phones, or am I wrong? I was considering doing wpad but currently pfBlockerNG does get the job done besides youtube. :-[  And it only shows "cannot find page", which kinda sucks compared to the website blocked notification through squidguard

                  off topic completely for exograpix: any news when e2guardian is coming out for pfSense 2.2.2?

                  Tutorials:

                  https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                  1 Reply Last reply Reply Quote 0
                  • A
                    aGeekhere
                    last edited by Apr 27, 2015, 11:14 AM

                    Hi, yes you need to put it in the phone and tablets and ANY/ALL other devices, old post but most of the steps are still correct.

                    You can skip System Patches part.

                    Never Fear, A Geek is Here!

                    1 Reply Last reply Reply Quote 0
                    • K
                      killmasta93
                      last edited by Apr 28, 2015, 3:45 AM

                      but it seems like for pfSense 2.2.2 there are issues with squid3

                      Tutorials:

                      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                      1 Reply Last reply Reply Quote 0
                      • E
                        exograpix
                        last edited by Apr 28, 2015, 5:07 AM

                        Lots of issues, don't waste on latest version, it is very unstable

                        1 Reply Last reply Reply Quote 0
                        • A
                          aGeekhere
                          last edited by Apr 28, 2015, 5:18 AM

                          I am moving (trying to work out how to set it up now) from using a Transparent proxy to using a WPAD.

                          Never Fear, A Geek is Here!

                          1 Reply Last reply Reply Quote 0
                          • E
                            exograpix
                            last edited by Apr 28, 2015, 7:18 AM

                            Do send the process if you are successful.

                            1 Reply Last reply Reply Quote 0
                            • K
                              killmasta93
                              last edited by Apr 28, 2015, 2:18 PM

                              any update on fixing squid3 for 2.2.2?  :)

                              Tutorials:

                              https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                              1 Reply Last reply Reply Quote 0
                              • A
                                aGeekhere
                                last edited by Apr 28, 2015, 11:31 PM

                                @killmasta93:

                                any update on fixing squid3 for 2.2.2?  :)

                                squid3 works fine with 2.2.2 for Transparent HTTP proxy (have not tried https).

                                Or are you referring to setting up a WPAD with squid3 for pfsense 2.2.2? If that is the case, I am working on it (getting somewhere).

                                Never Fear, A Geek is Here!

                                1 Reply Last reply Reply Quote 0
                                • K
                                  killmasta93
                                  last edited by Apr 29, 2015, 1:45 AM

                                  Well.. if I reboot I need to stop squid3 and squidGuard and start it again, weird.. but it works. I just gave up on https so I use pfBlockerNG for all the https sites (facebook, twitter, whatsapp). Funny thing, I can't get youtube to block through IP.  :-[

                                  But in theory 90 percent of people when they go to youtube or facebook they usually type in the url facebook.com, which always comes as http. But if you search in google for facebook it will come as https (that's where pfBlockerNG comes in)

                                  I have also been following your post for WPAD, pretty impressive stuff, best of luck  ;) But one thing I can't understand is how WPAD works with squid or squidGuard

                                  Tutorials:

                                  https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                                  1 Reply Last reply Reply Quote 0
                                  • A
                                    aGeekhere
                                    last edited by Apr 29, 2015, 1:54 AM

                                    @killmasta93:

                                    if I reboot I need to stop squid3 and squidGuard and start it again, weird

                                    I have to reinstall the blocklist.

                                    @killmasta93:

                                    I have also been following your post for WPAD, pretty impressive stuff, best of luck

                                    If I work it out I'll post a how-to.

                                    Never Fear, A Geek is Here!

                                    1 Reply Last reply Reply Quote 0
                                    • K
                                      killmasta93
                                      last edited by Apr 29, 2015, 7:32 PM

                                      I have to reinstall the blocklist.

                                      That's the worst, hopefully fixed soon :)

                                      If I work it out I'll post a how-to

                                      Thanks  ;)

                                      Tutorials:

                                      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                                      1 Reply Last reply Reply Quote 0
                                      • A
                                        aGeekhere
                                        last edited by Jun 5, 2015, 6:10 AM

                                        Just to post an update I have got the wpad working with http and https filtering working without using a transparent proxy.
                                        see link https://forum.pfsense.org/index.php?topic=93060.msg516254#msg516254

                                        Hope this helps some people

                                        Never Fear, A Geek is Here!

                                        1 Reply Last reply Reply Quote 0
                                        • KOMK
                                          KOM
                                          last edited by Jul 15, 2015, 6:09 PM

                                          Squid3 works just fine for me in explicit mode.

                                          1 Reply Last reply Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.