Topic: configure squid & squidguard/dansguardian with SSL $60

justsomeone
configure squid & squidguard/dansguardian with SSL $60
« on: July 15, 2014, 11:47:50 pm »
I need help configuring Squid3-dev with SSL (https) and Squidguard or Dansguardian. A complete walkthrough per se, as I have tried many times to no avail and just want it done.

I guess I will pay $60.
« Last Edit: July 16, 2014, 09:52:56 am by justsomeone »
"Bad shit happens to drunk people."

aaronouthier
« Reply #1 on: September 24, 2014, 09:00:29 pm »
I am trying to get this to work as well. I don't have the time to spear-head this, but I am willing to compare notes and beta-test with anyone who is.

I don't need the $60 (or any part thereof), so if anyone is interested in heading this up, please don't use that as a reason not to.

aGeekHere
« Reply #2 on: October 21, 2014, 07:06:58 pm »
You can follow this thread https://forum.pfsense.org/index.php?topic=73640.0

Summary

Install
squid3-dev
squidGuard-squid3
System Patches

Go to System: Patches
Then add new patch
Description - give a name
URL/Commit ID - leave blank
Patch Contents

Code:
--- squidguard_configurator.inc.orig
+++ squidguard_configurator.inc
@@ -94,3 +94,3 @@
-define('REDIRECTOR_OPTIONS_REM',   '# squidGuard options');
-define('REDIRECTOR_PROGRAM_OPT',   'redirect_program');
-define('REDIRECT_BYPASS_OPT',      'redirector_bypass');
+define('REDIRECTOR_OPTIONS_REM',   '# squidGuard options');
+define('REDIRECTOR_PROGRAM_OPT',   'url_rewrite_program');
+define('REDIRECT_BYPASS_OPT',      'url_rewrite_bypass');
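Review bot: The first -/+ pair in this hunk (REDIRECTOR_OPTIONS_REM) shows no visible change, so it should be a context line rather than a remove-and-add; as written, any whitespace difference in that line can make the hunk fail to apply. In the two lines that do change, the constant names REDIRECTOR_PROGRAM_OPT and REDIRECT_BYPASS_OPT now hold url_rewrite_* directive names; a short comment recording the directive rename would keep the names from misleading the next reader.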
@@ -98,1 +98,1 @@
-define('REDIRECTOR_PROCESS_COUNT', '5'); # redirector processes count will started
+define('REDIRECTOR_PROCESS_COUNT', '16 startup=8 idle=4 concurrency=0'); # redirector processes count will started
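Review bot: The new value on the + line, '16 startup=8 idle=4 concurrency=0', is a full option string rather than a count, yet the constant is still named REDIRECTOR_PROCESS_COUNT and the trailing comment still describes a process count. Check every use of this constant in squidguard_configurator.inc for code that expects an integer, update the comment to describe the startup/idle/concurrency fields, and consider making these numbers configurable instead of hard-coding them.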

Path Strip Count: leave as default
Base Directory - /usr/local/pkg
Ignore Whitespace - tick
Auto Apply no
save
Click test
then apply

In Proxy server
Proxy interface(s) - lan
Proxy port - default
ICP port - default
Allow users on interface - tick
Patch captive portal - default
Resolv dns v4 first - tick
Disable ICMP - default
Use alternate DNS-servers for the proxy-server - default
Transparent HTTP proxy - tick
Transparent Proxy interface(s) - lan
Bypass proxy for Private Address destination - default
Bypass proxy for these source IPs - default
Bypass proxy for these destination IPs - default
HTTPS/SSL interception - tick
SSL Intercept interface(s) - lan
SSL Proxy port - default
CA - We will come back to this
sslcrtd children - default
Remote Cert checks - Click accept remote server certificate errors
Certificate adapt - none (unselect is ctrl click)
Logging Settings - all default

Integrations
for i386
Code:
redirect_program /usr/pbi/squidguard-squid3-i386/bin/squidGuard -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf;redirector_bypass off;url_rewrite_children 5

for amd64
Code:
url_rewrite_program /usr/pbi/squidguard-squid3-amd64/bin/squidGuard -c /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=0

Custom ACLS (Before_Auth)

Code:
always_direct allow all
ssl_bump server-first all

save

Local cache can be set up later, same with antivirus

Proxy filter SquidGuard: General settings

enable
add a black list

now create a Certificate
Follow this guide
http://www.sxl.net/guides/how-to-setup-pfsense-ssl-certificate-authority/
Put it on all computers

then
Proxy server: General settings
CA = your certificate
Save

----------------------------------------------------------
[Issue to fix] Windows updates and other updates like adobe can not connect

Hope this helps
Never Fear, A Geek is Here!
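
The Custom ACLs step and the "Remote Cert checks" setting from the post above, written out as a squid.conf fragment next to a stricter variant; this is an added example, not part of the original post or of the pfSense package. It assumes Squid 3.3/3.4 directive names and that the GUI option "accept remote server certificate errors" corresponds to `sslproxy_cert_error allow all`; the ACL name `bump_exempt` and the 192.0.2.0/24 and 198.51.100.0/24 ranges are placeholders.

```conf
# Added illustration, not from the thread. Directive names are Squid 3.3/3.4.
# bump_exempt and the two address ranges are placeholders (documentation
# ranges), to be replaced with the destinations you decide not to intercept.

# --- As configured in the post ------------------------------------------
# Custom ACLs (Before_Auth):
#   always_direct allow all
#   ssl_bump server-first all
# Remote Cert checks = "accept remote server certificate errors"
# (assumed to generate):
#   sslproxy_cert_error allow all
#
# Effect: every HTTPS connection is decrypted and re-signed by the local CA,
# including connections whose origin certificate failed validation. The
# client only ever sees the proxy's certificate, so an expired, mismatched
# or untrusted origin certificate is hidden from the user.

# --- Stricter variant ----------------------------------------------------
# Destinations that must not be intercepted (clients that do not trust the
# local CA, such as the update services named under "[Issue to fix]").
# For intercepted (transparent) connections these Squid versions know only
# the destination IP when ssl_bump is evaluated, so the exemption is keyed
# on dst rather than dstdomain.
acl bump_exempt dst 192.0.2.0/24 198.51.100.0/24

always_direct allow all

# Order matters: the first matching ssl_bump line wins.
ssl_bump none bump_exempt      # tunnel untouched, client sees the real cert
ssl_bump server-first all      # everything else is intercepted

# Refuse to re-sign sites whose own certificate did not validate, so the
# failure reaches the user as a proxy error instead of being masked.
sslproxy_cert_error deny all
```

Exempted destinations are tunnelled without decryption, so squidGuard cannot see their URLs; the "Bypass proxy for these destination IPs" field in the GUI is the other place such destinations can be listed.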

justsomeone
« Reply #3 on: October 21, 2014, 11:19:03 pm »
Many thanks, I'll give it a try tomorrow.
"Bad shit happens to drunk people."

thecableguy
« Reply #4 on: January 22, 2015, 06:12:21 am »
How did you go?

killmasta93
« Reply #5 on: April 26, 2015, 09:12:19 pm »
aGeekHere, I know this post is old but I'm curious about the certificate. In your post it says install it on all the computers but what about on the phones? Would I still get that certificate error? I haven't tried this just because I would need to install certificate on all the computers. Or did I understand wrong?

Thank you

exograpix
« Reply #6 on: April 26, 2015, 11:47:15 pm »
It's an old post, I suggest you use pfsense 2.1.5 in case you want to use these settings, it is more stable than current release. You can load self signed certificate in phone too, but it's a pain. I suggest to put them in the bypass list.

killmasta93
« Reply #7 on: April 26, 2015, 11:53:28 pm »
Quote from exograpix:
"It's an old post, I suggest you use pfsense 2.1.5 in case you want to use these settings, it is more stable than current release. You can load self signed certificate in phone too, but it's a pain. I suggest to put them in the bypass list."

But if I put it on the bypass list, https won't get blocked on phones, or am I wrong? I was considering to do WPAD but currently pfBlockerNG does get the job done besides YouTube. :-[  And it only shows "cannot find page", which kinda sucks compared to the website blocked notification through squidguard.

Off topic completely, for exograpix: any news when e2guardian is coming out for pfSense 2.2.2?

aGeekHere
« Reply #8 on: April 27, 2015, 06:14:43 am »
Hi, yes you need to put it in the phone and tablets and ANY/ALL other devices. Old post, but most of the steps are still correct.

You can skip System Patches part.
Never Fear, A Geek is Here!

killmasta93
« Reply #9 on: April 27, 2015, 10:45:29 pm »
But it seems like for pfSense 2.2.2 there's issues with squid3.

exograpix
« Reply #10 on: April 28, 2015, 12:07:24 am »
Lots of issues, don't waste on latest version, it is very unstable

aGeekHere
« Reply #11 on: April 28, 2015, 12:18:56 am »
I am moving (trying to work out how to set it up now) from using a Transparent proxy to using a WPAD.
Never Fear, A Geek is Here!

exograpix
« Reply #12 on: April 28, 2015, 02:18:18 am »
Do send the process if you are successful.

killmasta93
« Reply #13 on: April 28, 2015, 09:18:55 am »
Any update on fixing squid3 for 2.2.2? :)

aGeekHere
« Reply #14 on: April 28, 2015, 06:31:15 pm »
Quote from killmasta93:
"Any update on fixing squid3 for 2.2.2? :)"

squid3 works fine with 2.2.2 for Transparent HTTP proxy (have not tried https).

Or are you referring to setting up a WPAD with squid3 for pfsense 2.2.2? If that is the case, I am working on it (getting somewhere).
Never Fear, A Geek is Here!