Netgate Discussion Forum

    Squid3+squidGuard

      Naughty

      Hello Everyone.

      I have a question, please, if someone can help me with it.
      I have pfSense 2.2.6 and installed squid3 version 0.4.7 in transparent mode to block HTTPS traffic, and squidGuard version 1.9.18 with shallablacklist to deny per category, and it works fine. However, I get the same results but in non-transparent mode, so I can use pfSense as a web filter only, not as the default gateway. Any luck with that?

        KOM

        Could you please rephrase that?  I'm not quite sure what you mean.

          Naughty

          Hi,

          What I mean is that I need to make pfSense a web filter only, which means I need to manually configure the pfSense IP (e.g. 1.1.1.1 port 3128), which has "squid3 and squidGuard proxies together", in all the browsers so I can filter all the HTTP & HTTPS traffic. Is it possible?

            KOM

            Yes.

              Naughty

              So would you please explain to me how I can do that?
              Whenever I go to the Squid3 proxy server and uncheck "Transparent HTTP proxy", it doesn't work and gives me a weird message written in a different language.
              So is it possible to guide me to the correct way?

                KOM

                I've never done it, but I believe the process is something like this:

                • Install pfSense with just a single WAN interface and configure it as if it was a LAN client

                • Install & configure squid3

                • Install and configure squidGuard

                • On your main firewall, block ports 80 and 443

                • Configure WPAD to allow clients to auto-discover the proxy

                • For clients that don't support WPAD (such as Android), manually configure their proxy settings to point to the IP address used by pfSense WAN

                  Naughty

                  First, thank you for your reply. I just need to clarify something:
                  1- Install pfSense with just a single WAN interface and configure it as if it was a LAN client ... can't I use multi-WAN gateways?
                  2- Install & configure squid3
                  3- Install and configure squidGuard
                  4- On your main firewall, block ports 80 and 443 ... do you mean the default rule on pfSense that is applied on LAN (the anti-lockout rule)?
                  5- Configure WPAD to allow clients to auto-discover the proxy ... as I read in the article ... I don't know how I can create wpad.dat in pfSense?
                  For clients that don't support WPAD (such as Android), manually configure their proxy settings to point to the IP address used by pfSense WAN

                    KOM

                    OK, yellow on grey is very hard to read.

                    Why are you talking about multi-WAN when you said you didn't want it to be the default gateway??

                      Naughty

                      Sorry for that.
                      I'm just asking, for the sake of knowing.
                      Let me explain my idea clearly.

                      I made a virtual lab (a PC connected normally to my gateway, but I only need to configure 192.168.1.1 port 3128 in any browser, as in the image below)
                      so I can disable the HTTP & HTTPS traffic from pfSense.

                      I hope I clarified everything.

                      pfsense.1.PNG

                        KOM

                        I understood what you meant and my suggestion would do what you were asking for: a standalone web filter.

                          Naughty

                          Yes, that is what I need pfSense to do. Will that be possible?

                            KOM

                            I already answered that question.  It was my second reply to you.

                            https://forum.pfsense.org/index.php?topic=107950.msg601540#msg601540

                              Naughty

                              I have pfSense 2.2.6, but as mentioned below ... any luck with that?
                              4- On your main firewall, block ports 80 and 443 ... do you mean the default rule on pfSense that is applied on LAN (the anti-lockout rule)?
                              5- Configure WPAD to allow clients to auto-discover the proxy ... as I read in the article ... I don't know how I can create wpad.dat in pfSense?

                                KOM

                                4-On your main firewall, block ports 80 and 443 ….do you mean the default rule on pfsense that applied on lan (anti-lockout rule) ?

                                I mean create a rule that blocks ports 80 and 443, and put it above the Default allow LAN to any rule.

                                5-Configure WPAD to allow clients to auto-discover the proxy….as i read from the article ...i don't know how can i Create wpad.dat.... in pfsense ?

                                It's just a text file.  Create it using your favourite text editor.  While you can use pfSense to host the file once you have created it, WPAD won't work if you have pfSense running in HTTPS mode.  HTTP only.

                                  Naughty

                                  I created a text file with the content below:
                                  function FindProxyForURL(url, host)
                                  {
                                      return "PROXY 192.168.1.1:3128";
                                  }
                                  But as per the article, I can't load it in the specified path "/usr/local/www/" as it's not supported in pfSense 2.2.6, so it went to /tmp/wpad.dat.

                                  So would you please explain to me if that will work?

                                  1 Reply Last reply Reply Quote 0
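A fuller wpad.dat for the standalone-filter setup discussed in this thread, added here as an example and not code from any of the posters. It keeps the thread's proxy address 192.168.1.1:3128; the rules that send single-label and private-address hosts direct are assumptions about the local network.

```javascript
// wpad.dat / proxy.pac for a standalone filtering proxy (added example).
// PROXY is the address used in the thread; the bypass rules are assumptions.
// Written in plain ES3-style JavaScript, since PAC engines can be old.
var PROXY = "PROXY 192.168.1.1:3128";

// Parse a dotted-quad IPv4 literal into four octets; null for anything else.
function parseIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var octets = [];
  for (var i = 1; i <= 4; i++) {
    var n = parseInt(m[i], 10);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// Loopback and RFC 1918 ranges: hosts the filtering proxy should not carry.
function isLocalIPv4(o) {
  return o[0] === 127 || o[0] === 10 ||
         (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
         (o[0] === 192 && o[1] === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (e.g. "intranet") are local. IPv6 literals contain no
  // dot either, so exclude anything with ":" from this shortcut.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  var ip = parseIPv4(host);
  if (ip && isLocalIPv4(ip)) return "DIRECT";
  // Everything else goes to the proxy, with no "; DIRECT" fallback: if the
  // proxy is down, browsing fails instead of silently skipping the filter.
  return PROXY;
}
```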
                                    KOM

                                    but as per the article i can't loaded in the specified path "/usr/local/www/" as it's not supported in pfsense 2.2.6

                                    ???  What do you mean?  I'm running 2.2.6 and I have my wpad.dat, wpad.da and proxy.pac files in /usr/local/www.  It works like a charm.

                                      aGeekhere

                                      @Naughty:

                                      i did create a text file with the below content :
                                      function FindProxyForURL(url,host)
                                      {
                                      return "PROXY 192.168.1.1:3128";
                                      }
                                      but as per the article i can't loaded in the specified path "/usr/local/www/" as it's not supported in pfsense 2.2.6 so it went to /tmp/wpad.dat.

                                      so would u please explain to me if that will work <<

                                      Hi, if it helps, follow how I set up my WPAD:
                                      https://forum.pfsense.org/index.php?topic=93060.0

                                      Never Fear, A Geek is Here!

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.