
Author Topic: Squid\SquidGuard configurations on the client side  (Read 2515 times)


Offline G843629

  • Newbie
  • Posts: 17
Squid\SquidGuard configurations on the client side
« on: May 20, 2012, 02:47:18 am »
I'm running DHCP and DNS on a different server (Server 2008). I have only a few workstations that I need to manage with Squid (I don't mind setting everything manually if I need to).

Which configurations do I need to set on the client to make it work with\through pfSense\Squid?


Many thanks! :)


Offline SGTR

  • Hero Member
  • Posts: 616
Re: Squid\SquidGuard configurations on the client side
« Reply #1 on: May 20, 2012, 03:24:29 am »
Hi,

You can do it in two ways. First, in the DHCP server you can make a reservation (you should know the PCs' MAC address(es)) and configure pfSense as the gateway. Second way: assign the IP address manually, then give them the pfSense IP address as the gateway. (You can give your Server 2008 as the DNS server.)

Regards,
SGTR
Ever never give up even there is no hope.

Offline SGTR

  • Hero Member
  • Posts: 616
Re: Squid\SquidGuard configurations on the client side
« Reply #2 on: May 20, 2012, 03:33:03 am »
By the way, it is an option to give proxy server settings (pfSense IP address). It would be best for you.
Ever never give up even there is no hope.

Offline G843629

  • Newbie
  • Posts: 17
Re: Squid\SquidGuard configurations on the client side
« Reply #3 on: May 20, 2012, 04:47:58 am »
The pfSense is the gateway for everyone.
Only a few people should be limited with pfSense.
DHCP and DNS are on our Windows server.

I tried playing with that and it doesn't look complicated. I set an ACL to choose the limited group, set the default to block and allowed only a few websites (one allowed group with a few websites). If no proxy was configured on the client, it had full access to everything. When I tried to set the proxy manually, I didn't get access to anything (but I might have just set a wrong configuration and broken it).


Any light on the subject will be appreciated!


Offline Nachtfalke

  • Hero Member
  • Posts: 2753
Re: Squid\SquidGuard configurations on the client side
« Reply #4 on: May 20, 2012, 07:07:42 am »
If your squid is running in transparent mode, squid+squidguard can only filter http traffic on port 80. With this configuration there is no need to change anything on the client's browser.

If you are running squid in non-transparent mode, you need to set up the client's browser to use the proxy, or you can use WPAD or PAC to do this automatically for you.

In squidguard you need to set up a target with the sites you want to allow.
You then create a Group ACL and set up this target as "whitelist" and the default rule as "deny".
In the Group ACL you set up the clients' IP addresses.

After that you need to click "save" and "apply" on "general settings" tab of squidguard.
Then it should work.

Offline G843629

  • Newbie
  • Posts: 17
Re: Squid\SquidGuard configurations on the client side
« Reply #5 on: May 20, 2012, 11:49:21 pm »
Most of the websites are https, so I guess transparent mode wouldn't work (?).
Which configurations do I need to put in their browsers? There are a few types of proxy and I'm not sure what the right configurations to put there are.


Thanks again.

Offline Nachtfalke

  • Hero Member
  • Posts: 2753
Re: Squid\SquidGuard configurations on the client side
« Reply #6 on: May 21, 2012, 04:54:03 am »
Most of the websites are https, so I guess transparent mode wouldn't work (?).
Which configurations do I need to put in their browsers? There are a few types of proxy and I'm not sure what the right configurations to put there are.

Thanks again.

Yes, transparent mode will not work with https. So you need to run squid in non-transparent mode and put the IP and the squid port in the client's browser as proxy. Probably the pfSense LAN interface IP and the default squid port 3128 (if you did not change it).

If you do not like to add this manually, search the forum for "WPAD" and "PAC". These configuration files will help the client's browser to automatically search for and add the proxy server address.
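
A PAC file for the setup described in this reply, as an added example that is not part of the original post. The proxy address 192.168.1.1 and the workstation IPs are placeholders; 3128 is the default Squid port mentioned above. It goes slightly beyond the reply by sending only the managed workstations through Squid and everyone else direct.

```javascript
// proxy.pac - added example. PROXY_HOST and RESTRICTED_CLIENTS are
// placeholder values: use the pfSense LAN IP and the workstation
// addresses listed in the squidGuard Group ACL.
var PROXY_HOST = "192.168.1.1";  // assumed pfSense LAN interface IP
var PROXY_PORT = 3128;           // default Squid port
var RESTRICTED_CLIENTS = ["192.168.1.50", "192.168.1.51"]; // assumed

// Hosts that are never proxied: loopback, the firewall itself,
// and unqualified intranet names such as "fileserver".
function isLocalHost(host) {
  host = host.toLowerCase();
  return host === "localhost" ||
         host === "127.0.0.1" ||
         host === PROXY_HOST ||
         host.indexOf(".") === -1;
}

// The browser calls this for every request. Only `host` is used,
// because some browsers pass just scheme and host for https URLs.
function FindProxyForURL(url, host) {
  if (isLocalHost(host)) {
    return "DIRECT";
  }
  // myIpAddress() is supplied by the browser's PAC environment.
  var me = myIpAddress();
  if (RESTRICTED_CLIENTS.indexOf(me) !== -1) {
    // No "; DIRECT" fallback: if Squid is unreachable the request
    // fails instead of silently going around the filter.
    return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
  }
  return "DIRECT";
}
```

myIpAddress() can return a loopback address or the wrong interface on multi-homed machines, so check the result on each workstation. A PAC file only steers the browser; as the thread shows, a client with no proxy configured still reaches everything through the gateway.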

Offline G843629

  • Newbie
  • Posts: 17
Re: Squid\SquidGuard configurations on the client side
« Reply #7 on: May 21, 2012, 04:04:56 pm »
Thanks,
I'm not sure what I'm doing wrong, but I still have the same issue: when using the proxy configuration I don't get access to anything, nor any error messages, just like typing a wrong proxy (231.123.123.123 port 1231 will act the same).

I did verify the IP, port and that my client IP is in the ACL list.


Edit: I tried "telnet IP 3128" and I got no answer so I guess for some reason I can't access pfSense box on this port.
What can it be?

« Last Edit: May 21, 2012, 04:45:16 pm by V4705 »

Offline Nachtfalke

  • Hero Member
  • Posts: 2753
Re: Squid\SquidGuard configurations on the client side
« Reply #8 on: May 22, 2012, 02:46:53 am »
Did you allow the subnets to work with the proxy?
There is a checkbox.

Offline G843629

  • Newbie
  • Posts: 17
Re: Squid\SquidGuard configurations on the client side
« Reply #9 on: May 22, 2012, 03:25:33 pm »
Thanks everyone!

For some reason the checkmark wasn't enough, I needed to add a rule to allow connection on port 3128 (dunno why, the proxy and the client are on the same interface\lan).

BTW, I still can't whitelist facebook.com, for some reason this domain isn't enough to view the website as it should be. If someone knows which domains I need to allow to browse facebook.com it will be highly appreciated :)



Offline Nachtfalke

  • Hero Member
  • Posts: 2753
Re: Squid\SquidGuard configurations on the client side
« Reply #10 on: May 23, 2012, 02:51:46 pm »
Check your proxy filter log to see what squidguard is blocking when you connect to facebook.com.
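
One way to act on this advice, as an added example that is not from the original post: it reads Squid access-log lines in the native format, keeps one client's requests, and lists the hosts that the whitelist does not cover. The log lines, the client IP and the cdn-example.net host names are constructed samples, and using the Squid access log in place of the squidGuard filter log is an assumption.

```javascript
// Added example. SAMPLE_LOG is constructed; on a real box, feed in the
// Squid access-log lines recorded while the test workstation loads the
// site. Status codes are not interpreted here.
var SAMPLE_LOG = [
  "1337799106.101  95 192.168.1.50 TCP_MISS/200 4312 CONNECT www.facebook.com:443 - DIRECT/203.0.113.10 -",
  "1337799106.420  12 192.168.1.50 TCP_MISS/200 380 GET http://static.cdn-example.net/rsrc/app.js - DIRECT/203.0.113.11 text/html",
  "1337799106.431  11 192.168.1.50 TCP_MISS/200 380 CONNECT s.cdn-example.net:443 - DIRECT/203.0.113.12 -",
  "1337799107.002  40 192.168.1.77 TCP_MISS/200 900 GET http://other.example.org/ - DIRECT/203.0.113.20 text/html",
  "garbage line that does not parse"
].join("\n");

// The URL field is "host:port" for CONNECT and a full URL otherwise.
function hostOf(method, target) {
  if (method === "CONNECT") {
    return target.replace(/:\d+$/, "").toLowerCase();
  }
  try {
    return new URL(target).hostname.toLowerCase();
  } catch (e) {
    return null; // unparseable URL field
  }
}

// A squidGuard domain entry covers the domain and all its subdomains.
function isWhitelisted(host, whitelist) {
  return whitelist.some(function (d) {
    return host === d || host.endsWith("." + d);
  });
}

// Sorted, de-duplicated hosts the client asked for that no entry covers.
function uncoveredHosts(logText, clientIp, whitelist) {
  var seen = new Set();
  logText.split("\n").forEach(function (line) {
    var f = line.trim().split(/\s+/);
    if (f.length < 7 || f[2] !== clientIp) return; // malformed or other client
    var host = hostOf(f[5], f[6]);
    if (host && !isWhitelisted(host, whitelist)) seen.add(host);
  });
  return Array.from(seen).sort();
}
```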

Offline G843629

  • Newbie
  • Posts: 17
Re: Squid\SquidGuard configurations on the client side
« Reply #11 on: May 24, 2012, 11:45:49 am »
Thanks, I'll try that with Facebook.

Unfortunately, right now I'm experiencing a much more critical issue with Squid.
Our reps are using the "helponclick.com" chat system.
For some reason, even though I added this domain to their whitelist (and contacted the manufacturer to make sure all their servers\subdomains are under this domain), we still experienced slowness, delays and losing chats.

To make it run faster and less buggy I tried to exclude this domain from being cached ("do not cache" under "proxy server"), but for some reason now they get the chat system very fast but with even more issues like:
Losing most of the chats, can't see who's online on the website, visitors sometimes get a "no available representative" message and such...

In the log I don't see any mention of helponclick.
The information their support gave me: all servers' sub-domains are under the same domain name, the only ports you need are 80 and 443, and requests are performed by AJAX (I don't know if squid can cause issues with AJAX).



Any suggestions?

Many (many) thanks!

Offline G843629

  • Newbie
  • Posts: 17
Re: Squid\SquidGuard configurations on the client side
« Reply #12 on: May 24, 2012, 03:51:45 pm »
Looks like the issue was with IE.
Now I need to find a way to restrict proxy changing on FF or Chrome.
(With IE I just restricted the "connection" tab with GPO, but they can still access this tab from Chrome, thanks for the great security, Microsoft...).