
Author Topic: SquidGuard Inconsistencies  (Read 126 times)


RPX_D
SquidGuard Inconsistencies
« on: January 31, 2018, 12:33:20 pm »
Hey all,

I'm running into an odd issue. I want to use SquidGuard for web filtering (http & https), but as Squid is required to run SquidGuard I need to run Squid as a proxy as well. I am not interested in using the proxy/caching info, so I have set up Squid to be a transparent proxy with Cache size of 0, and HD Cache system set to Null. I turned SSL filtering on, but set to "Splice-All Destinations". I set up a specific Cert CA for this use (as it is required), but it says this does not need to be set in client machines.

Once I had this set up, I went to SquidGuard and set "netflix.com" as my test domain. Once saved and applied, Netflix gets blocked (when navigating to http://netflix.com I get a redirect to an error page, and when going to https://netflix.com I get a "This site can't provide a secure connection" error page) and it appears to work. However, shortly after, other sites (i.e. mail.google.com) begin intermittently showing the same error. By intermittent I mean, one user may get the error when another does not, or one user may get the error, refresh his webpage a number of times, then is able to get to mail.google.com without the error.

I'm trying to figure out why, if Splice-All is set with a transparent proxy, these sites are being interfered with if not on the blocklist. All I want is to use SquidGuard to blacklist webpages. I want to set Squid to do the absolute minimum, just so SquidGuard can run. Anyone have this working this way?

Current Versions:
Device: Netgate XG-2758 Version 2.3.5-RELEASE-p1

Squid: 0.4.42_1

SquidGuard: 1.16.4

Thanks for any advice.

iska
Re: SquidGuard Inconsistencies
« Reply #1 on: January 31, 2018, 02:14:27 pm »
Try to upgrade your Squid version.

beauw
Re: SquidGuard Inconsistencies
« Reply #2 on: February 01, 2018, 06:42:15 pm »
I've found the same type of behavior running Squid on a medium-sized network (800+ clients).

I've found the behavior is most often related to the number of SSL daemon children and certificate verification. The cache doesn't really go to zero unless you edit the config files... lots of forum posts on that.

If you set the firewall to not perform remote certificate checks I've found that this error is seen less often, but not eradicated.

Would love to see if anyone else has the same issue / fixes.

iska
Re: SquidGuard Inconsistencies
« Reply #3 on: February 02, 2018, 10:51:14 am »
On Proxy Server > General Settings > SSL Man In the Middle Filtering, enable HTTPS/SSL Interception, set SSL/MITM Mode to Splice All, set SSL Intercept Interfaces to "LAN", and for CA choose the one you made in your Cert Manager. The rest should remain at the defaults. When I did it, it worked fine.