Netgate Discussion Forum

    Squid3-dev Transparent Mode

    pfSense Packages
      networkinggeek

      Hello Forum,
      I am encountering an error in Squid3-dev while using transparent mode. If it's enabled then I am not able to browse the internet.
      If I disable the transparent mode then it's working fine. The logs show "TCP_MISS 403" error, so I have attached the screenshot
      of my configuration and the logs which I get when the Transparent mode is enabled. Just wanna know where I am going wrong
      in the configuration.
      Squid3-dev.png
      ![Squid logs.png](/public/imported_attachments/1/Squid logs.png)

      "Mastery isn't a natural gift. It's a daily devotion"

        KOM

        TCP_MISS 403 simply means that you requested an element and it wasn't in Squid's cache.  Do you also have SquidGuard installed?  Is this a brand new install, or did you upgrade from squid2?  Squid3-dev can be a real bear to get working, and I've managed to get it to the point where I had to reinstall the whole system.

          networkinggeek

          @KOM:

          TCP_MISS 403 simply means that you requested an element and it wasn't in Squid's cache.  Do you also have SquidGuard installed?  Is this a brand new install, or did you upgrade from squid2?  Squid3-dev can be a real bear to get working, and I've managed to get it to the point where I had to reinstall the whole system.

          Yes, I also have SquidGuard-squid3 running. In common ACLs I have allowed all websites by default.
          Squid3-dev is not working with the transparent mode. I have not tried the previous versions because
          SSL filtering is available only in the above-mentioned version.

          And one more thing about transparent mode: if I type "http://www.google.com" then it's giving a TCP_MISS 403 error. If I change it to https then it works perfectly.

          "Mastery isn't a natural gift. It's a daily devotion"
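
The log entry discussed above has two parts, a Squid result code and the HTTP status sent to the client, and the hierarchy field later on the same line records whether an upstream server was contacted. The following is an added example, not part of the thread, that separates these for 403 entries; it assumes Squid's default native access.log layout, and the sample lines are constructed.

```javascript
// Constructed sample lines in Squid's native access.log layout:
// time elapsed client result/status bytes method URL user hierarchy/peer type
const SAMPLE_LOG = [
  "1400000000.123     45 192.168.1.50 TCP_MISS/403 4021 GET http://www.google.com/ - HIER_NONE/- text/html",
  "1400000001.456    210 192.168.1.50 TCP_MISS/200 15320 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html",
  "1400000002.789      0 192.168.1.51 TCP_DENIED/403 3890 GET http://blocked.example/ - HIER_NONE/- text/html",
  "1400000003.012    130 192.168.1.50 TCP_MISS/403 512 GET http://origin.example/private - HIER_DIRECT/203.0.113.10 text/html",
  "truncated line",
];

// Split one log line into the fields needed here; null if it is malformed.
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null;
  const [result, status] = f[3].split("/");
  const [hier, peer] = f[8].split("/");
  if (!/^\d{3}$/.test(status || "")) return null;
  return { client: f[2], result, status: Number(status), url: f[6], hier, peer };
}

// Say where a 403 was produced, using only what the log line records.
function classify403(entry) {
  if (entry.status !== 403) return "not-403";
  // TCP_DENIED: Squid's own access rules refused the request.
  if (entry.result === "TCP_DENIED") return "denied-by-squid-acl";
  // NONE (HIER_NONE in Squid 3.2+): no origin server or peer was contacted.
  if (/^(HIER_)?NONE$/.test(entry.hier)) return "403-no-upstream-contacted";
  return "403-upstream-contacted";
}

// Group the URLs of a batch of lines by class; malformed lines are kept too.
function summarize(lines) {
  const out = {};
  for (const line of lines) {
    const e = parseLine(line);
    const key = e ? classify403(e) : "unparsed";
    (out[key] = out[key] || []).push(e ? e.url : line);
  }
  return out;
}

console.log(summarize(SAMPLE_LOG));
```
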

            KOM

            Enable Squid3-dev Transparent Proxy then disable SquidGuard3.  Does it work now?  Squid by itself doesn't do any blocking, only caching.  SquidGuard does the blocking.

            Here's the thing about SSL filtering.  To do it, you will need to do one of the following:

            • install a certificate on every client, or
            • set the proxy server on every client

            You have to touch the client one way or the other, so you may as well use Squid2 which is stable.  Block off outgoing port 80 so that only the proxy has web access, set the proxy server for all your static IP clients and then set up WPAD for DHCP clients.

            I believe that HTTPS bypasses Squid unless you have it manually set to be your proxy or you're running transparently with a cert installed.  Same reason why setting a domain block in SquidGuard doesn't work for HTTPS.  HTTPS creates a point-to-point encrypted tunnel between you and the external server.  Squid has no idea what's going on unless it's "inside" the encrypted tunnel, and it can only do that if you have your client manually set to use pfSense as your web proxy, or if you're using a certificate on the client to trust your pfSense server.
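
A PAC file of the kind WPAD hands to the DHCP clients mentioned above, as an added example that is not part of the original post. The proxy address 192.168.1.1:3128 and the `example.lan` suffix are assumptions; external hosts get no DIRECT fallback, which matches blocking outbound port 80 at the firewall.

```javascript
// Added example: proxy auto-config (PAC) file, served to clients as wpad.dat.
// Plain string operations are used so it does not depend on PAC helper functions.
var PROXY = "PROXY 192.168.1.1:3128";   // assumed pfSense LAN address and Squid port
var LOCAL_SUFFIX = ".example.lan";      // assumed internal DNS suffix

// True for IPv4 literals in loopback, link-local or RFC 1918 ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) ||
         (a === 169 && b === 254);
}

// True for the internal domain itself and any host below it.
function isLocalName(host) {
  return host === LOCAL_SUFFIX.slice(1) ||
         host.slice(-LOCAL_SUFFIX.length) === LOCAL_SUFFIX;
}

// Entry point the browser calls for every request, http:// and https:// alike.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names, private addresses and the internal domain stay on the
  // LAN, so the firewall GUI and local services are reached without the proxy.
  if (host.indexOf(".") === -1 || isPrivateIPv4(host) || isLocalName(host)) {
    return "DIRECT";
  }
  // Everything else goes to Squid. Returning no "; DIRECT" alternative means a
  // client fails closed when the proxy is unreachable instead of going around it.
  return PROXY;
}
```
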

              networkinggeek

              @KOM:

              Enable Squid3-dev Transparent Proxy then disable SquidGuard3.  Does it work now?  Squid by itself doesn't do any blocking, only caching.  SquidGuard does the blocking.

              I have disabled SquidGuard, set the proxy interface as LAN in Squid and enabled Transparent mode, no SSL filtering.
              It still gives the same error, i.e. TCP_MISS 403.

              @KOM:

              Here's the thing about SSL filtering.  To do it, you will need to do one of the following:

              • install a certificate on every client, or
              • set the proxy server on every client

              You have to touch the client one way or the other, so you may as well use Squid2 which is stable.  Block off outgoing port 80 so that only the proxy has web access, set the proxy server for all your static IP clients and then set up WPAD for DHCP clients.

              I believe that HTTPS bypasses Squid unless you have it manually set to be your proxy or you're running transparently with a cert installed.  Same reason why setting a domain block in SquidGuard doesn't work for HTTPS.  HTTPS creates a point-to-point encrypted tunnel between you and the external server.  Squid has no idea what's going on unless it's "inside" the encrypted tunnel, and it can only do that if you have your client manually set to use pfSense as your web proxy, or if you're using a certificate on the client to trust your pfSense server.

              I will surely try this method. SquidGuard or SquidGuard-devel has to be used with Squid2,
              because those two SquidGuard versions might not work with Squid3.

              "Mastery isn't a natural gift. It's a daily devotion"
