next »

[tertius]

Hi

Current setup is latest pfsense installed with packages squid, squid-guard and light-squid installed. Squid is setup in transparent mode so no manual proxy changes are made on the clients pc. I'm using Shallalist in squid-guard to block content and using light-squid for bandwidth monitoring. This firewall is installed in a company of 100 users.

Everything works fine in the offices but if i make any changes on the firewall and allow certain catergories that has been blocked in squid-guard then i have to clear the cache in all users browsers for the change to take effect. firefox/chrome/IE all keeps the blocked pages in there cache. Also there a a few laptop users who take there laptops home and connect it to there personal wifi, they all have to clear there browser cache before they can browse the internet, otherwise what ever content is blocked by squid-guard on the pfsense firewall will still be in there browser cache. The way around this is that i can set all users browsers to clear the cache upon exit of the browser, this involves a lot of admin work tho.

Please let me know if there is a solution to this or if i'm configuring something wrong

thanks

[phil.davis]

I would also like to sort this out - I know it has been discussed before. I tried changing the error from a 403 forbidden to a 404 not found in squidguard_configurator.inc, thinking that the browsers would not cache a 404. But it didn't work, Firefox still seemed to cache it.
In my case, I have small sites that don't have a 24-hour internal server/system. Often in the evening there might be just pfSense, an AP and someone on a laptop. So I would like Squid/SquidGuard to do its filtering and send back reject messages entirely internally to the pfSense box (Alix nanobsd - so shouldn't add too many extras). But I need to find a message type to send back that does not get cached by popular browsers. These are the user scenarios:
a) Desktop that lives in the office all the time, page is permanently blacklisted - no problem caching the reject, it is likely to still be blacklisted in future anyway.
b) Accessing a page that has timed rules in SquidGuard - definitely do not want to cache, since the page WILL be allowed at some other time today.
c) Accessing rejected pages from a laptop (work owned or personal) - do not want to cache, the laptop will be on other networks, public WiFi etc, and it will really annoy the user if they have a bunch of cached reject pages stuck in their browser

Maybe the default reject page can contain "do not cache" directives in the header?

[Nachtfalke]

Did you try with this custom options to reduce the squid dns cache?

Code:

negative_ttl 10 seconds
negative_dns_ttl 30 seconds
positive_dns_ttl 6 hours
dns_timeout 30 seconds;

for testing purposes you could reduce the times for all to 10 seconds or less and try what is happening.

[tertius]

How do i change these cache options in pfsense?

[phil.davis]

These would need to go in Proxy Server:General Settings, Custom Options.
But my question is, these are options that control how Squid itself caches 403, 404 messages and DNS results that worked or failed recently.
But we want to try and convince the browser on the user's computer not to cache this stuff.
So how would that work?