Tag Archive for proxy

install and configure squid guard – pfsense


To install the packages go to System > Packages, open the Available Packages tab and click the (+) sign next to each package you need (squid, squidGuard and, if you want reports, lightsquid).



Configure Squid:

Now that the packages are installed it is time to enable squid, but first a few squid options need to be configured:

1.) Go to Services > Proxy Server.
2.) Select the interface that squid listens on; by default your LAN interface is selected.
3.) Change the port that squid listens on if you wish. The default is 3128; the most common choices are 3128 and 8080.
4.) Ensure that "Allow users on interface" is selected.
5.) If you don't want to use proxy authentication, select Transparent HTTP Proxy. If you do not run squid in transparent mode you will need to configure the proxy settings in each browser manually, or publish a WPAD file that your DHCP server points clients at so they pick the settings up automatically, and you will also need to configure users and authentication.
6.) If squid has trouble resolving websites, add alternative DNS servers, separated by semicolons, in the "Use Alternate DNS-Servers for the proxy-server" field.
7.) If you are going to use LightSquid for reports, enable logging by checking the Enable Logging box.
8.) Click the Save button at the bottom of the page; squid saves your settings and starts the squid service.

At this point squid should be processing web requests. There are still a few things worth looking at to make squid more efficient, along with configuring authentication if you chose not to use the transparent proxy option.

Squid Tweak:

First we look at the local cache settings. The only things you really need to adjust here are the Hard Disk Cache Settings and the Memory Cache Settings; below is an example of how I have changed them:


Let me take a moment to explain the items on this page that matter most:

  • Hard Disk Cache size (in MB) is the amount of disk space the proxy may use for cached pages.
  • Maximum Object size (in KB) is the largest object that gets put in the cache; anything larger is never cached and is fetched every time it is needed. Set it small if you want speed, larger if you want to save bandwidth.
  • Memory Cache Size (in MB) is the maximum amount of RAM used for cached objects kept in memory for faster retrieval.

You can set these to whatever the disk space and physical memory available to squid allow, but keep in mind that squid needs roughly 10 MB of RAM per 1 GB of disk cache to hold the index of that cache, on top of the memory cache itself. So you need enough physical memory for both the disk cache index and the memory cache.

Here is a quick example:

Say you have 100 GB of disk space and 1 GB of RAM available to squid. You cannot use the whole 100 GB for the disk cache, as its index alone would need about 1000 MB, i.e. all of the RAM. The easiest approach is to allocate the Memory Cache Size first (remembering it may not exceed 50% of the available memory) and then work out how much RAM is left for the disk cache index. If we allocate 256 MB to the memory cache, about 744 MB remains, which at 10 MB per GB supports roughly 74 GB of disk cache (about 76,000 MB, taking 1 GB = 1024 MB). Simply put:

  1000 MB (1 GB of RAM, rounded down)
-  256 MB (memory cache)
=  744 MB / 10 MB per GB = 74.4 GB of disk cache

For a more advanced tweak you can raise the vfs.read_max tunable from its default of 32 (System > Advanced > System Tunables) to increase UFS read-ahead on your drive (this is the number of blocks the system reads ahead when pulling data from disk). Be careful with this setting: too high a value can make the system unstable. I normally set it to 128 to be safe.

Squid Authentication:

If you left the Transparent Proxy setting off you will need to configure squid authentication. There are five options to choose from:

  1. None – no authentication is used, similar to transparent mode.
  2. Local – usernames and passwords are configured under the Users tab.
  3. LDAP – users and passwords are checked against an LDAP server or Active Directory domain controller.
  4. RADIUS – users and passwords are checked against a RADIUS server, either on another machine or the local FreeRADIUS package on the pfSense box.
  5. NT domain – for Windows 2000 Active Directory domains and the older NT-style domains.

Local authentication is the simplest to set up (apart from None, which needs no setup at all): set the Authentication method to Local and add users via the Users tab.

If you want to use LDAP authentication, change your settings to match the image below:

  • replace “ldapserver.example.com” with your LDAP server's host name or IP address,
  • set the LDAP version to match your LDAP server (2 or 3),
  • replace the DN entries with your own (USER = the bind account's username, USERS = the container it lives in, EXAMPLE = your domain).

If you would like to control access through group membership, use the following LDAP search filter; %s is replaced with the username the client supplies, so only accounts that are members of the named group can authenticate:
(&(memberOf=CN=Group Name,CN=Users,DC=example,DC=com)(sAMAccountName=%s))

To use RADIUS, point the authentication server at your RADIUS server and enter the RADIUS shared secret at the bottom of the page.

Remember to click Save to store any changes, and restart squid after making changes before moving on to another tab.

Configure SquidGuard:

Before SquidGuard will start filtering web content you need to either download and configure a blacklist or create your own Target Categories. Once that is done, check the Enable box, click Save and then Apply to apply the changes and start the SquidGuard service.

To add a blacklist, search the web for free blacklists and note the download URL (I normally use the Shalla blacklists, as they are updated regularly and are free). Click the Blacklist tab, paste the URL into the blacklist update field and click Download.

Once the blacklist download has completed, go back to the General Settings page, check the Enable box, then click Save and Apply.

Keep in mind that the default access rule in the ACLs is deny, so before you enable or apply these settings I suggest setting the default access to allow under the Common ACL tab, and configuring what you want to block and allow as follows:


1.) Services > Proxy Filter
2.) To change blacklist categories, select ‘Common ACL’.
3.) Select ‘(click here)’ to display all of the blacklist category rules.
4.) Select ‘Allow’ or ‘Deny’ for each category as required.
5.) Click ‘Save’ at the bottom of the page when done.
6.) Select ‘General Settings’ > Save > Apply to apply all changes made previously.

To create custom blacklists or whitelists:


1.) Services > Proxy filter
2.) Select ‘Target categories’. This is where you create custom blacklists and whitelists, which you then assign under Services > Proxy filter > Common ACL > Target Rules. Click the highlighted button to edit.
3.) Filter by domain, URL or regular expression. Each custom category can then be allowed or blocked under Services > Proxy filter > Common ACL > ‘click here’ menu. Click Save once you have edited as needed.
4.) Select ‘General Settings’ > Save > Apply to apply all changes made previously.

You should now have a fully operational web proxy and proxy filter. Depending on how you configured it, you are either speeding up browsing or using less bandwidth, and you have blocked access to the sites you don't want reachable (such as porn or even YouTube).

*NB: if you use the transparent proxy you need to be aware that secure sites (HTTPS) are not passed through the proxy or the proxy filter; they go straight through the firewall, so neither caching nor SquidGuard's filtering applies to them. If you want HTTPS to go through the proxy you must run squid without transparent mode and push the proxy settings to the clients (browser settings or WPAD). The browser then sends a CONNECT request to squid, which lets SquidGuard filter HTTPS by destination host name, though not by URL path, since the content stays encrypted end to end.

Configure LightSquid (optional):

Now that you have configured squid and used it for a while, you may want to see how much bandwidth web browsing actually uses, which sites are visited most, or which user uses the most bandwidth. That is where LightSquid comes in.

LightSquid is a lightweight, web-based report tool (unfortunately the reports are not exportable, but still handy) that is very easy to configure on pfSense.

To configure or access LightSquid go to Status > Proxy Report.

On the Settings page you only need to change a few things:

  1. Change the Language to your preferred language.
  2. Select the IP resolve method; do not leave it on demo (the options are described on the page).
  3. Change the refresh schedule.
  4. Click the Refresh Full button to generate the report.

To view your reports, click the LightSquid Report tab.

**NB: for the reports to work you must have enabled squid logging in the squid settings and kept the default log directory of “/var/squid/log”.

Well, that's all for our episode today; feel free to drop a comment if you have any further questions.

courtesy: http://www.theninjageek.co.za/blog/2013/06/06/the-pfsense-walkthrough-part-3-squid3-and-squidguard-proxy-filter/

Squid https transparent proxy setup with SSL certificate


Let's first understand how squid works in transparent mode. When squid is set up as a transparent proxy, the firewall redirects every request arriving for port 80 to squid's own port, 3128 by default. Port 80 means plain HTTP. What happens when you request Gmail, which uses HTTPS on port 443? The iptables rule forwards traffic for port 80 to 3128 and says nothing about 443, and squid is an HTTP proxy.

Many people think it is easy: just redirect port 443 to squid's port 3128 as well. It won't work. An HTTPS connection is a TLS session negotiated directly between the browser and the site, using the site's certificate and its public/private key pair, and squid cannot read or rewrite that traffic (thanks to RSA and DSA, data encrypted this way is not easily decrypted by a third party).

A proxy is a middle man that reads and rewrites the request before forwarding it to the internet, so for HTTPS it has to terminate the TLS session itself. That means creating a certificate and key pair for squid, which the browser is handed in place of the real site's certificate, after which squid opens its own connection to the site. In transparent mode the traffic is therefore encrypted and decrypted twice, once between the browser and squid and once between squid and the site, so expect some slowdown. A self-signed certificate is no slower than a CA-signed one; the difference is trust: the browser only accepts squid's certificate without a warning if its issuer is trusted by the browser and its name matches the site the browser asked for, and a single certificate issued for the squid host cannot match every site.

Steps are (eth0 is the LAN-facing interface; each rule is added once):

  1. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
  2. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130

Certificate and public/private key generation (2048-bit RSA; the original walk-through used 1024 bits, which is no longer considered adequate):

  1. openssl genrsa -des3 -out server.key 2048
  2. openssl req -new -key server.key -out server.csr

Steps to remove the passphrase (the key was encrypted with -des3 above; squid cannot prompt for a passphrase when it starts, so the passphrase has to go, or generate the key without -des3 in the first place):

  1. cp server.key server.key.old
  2. openssl rsa -in server.key.old -out server.key

Create server certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Now make some changes to squid.conf:

  1. http_port 3128 transparent
  2. https_port 3130 transparent cert=/path/to/server.crt key=/path/to/server.key

(On Squid 3.1 and later the keyword is intercept; transparent is the old spelling and still accepted as an alias.) Note what this achieves and what it does not: squid now terminates TLS for every redirected port-443 connection, but it presents the same server.crt to every client for every site. The certificate's name cannot match the site the browser asked for, so every HTTPS site triggers a certificate warning, even if server.crt has been imported into the browser. Working HTTPS interception needs Squid's SSL Bump feature (ssl-bump on the https_port together with generate-host-certificates=on and an ssl_bump rule), which mints a certificate for each intercepted site signed by a CA certificate you create and install in the clients' trust store. Remember that you are then decrypting every user's HTTPS traffic on the proxy: protect the CA key, as anyone holding it can impersonate any site to those clients, and tell the users.


Another easy way to create the certificate and key pair is the genkey utility, which needs the crypto-utils package installed on your machine.

Steps are:

  1. # yum -y install crypto-utils
  2. genkey -days 365 squidserver.hostname.com
  3. Hit Next.
  4. Select the key size in bits. The default is 1024; choose at least 2048. genkey then gathers random bits to generate the key.
  5. Generate the certificate.
  6. I suggest you never set a passphrase on the key: squid starts unattended and cannot prompt for one, so an encrypted key stops the service from coming up.
  7. The certificate and key are stored in /etc/pki/tls/certs/ and /etc/pki/tls/private/.
  8. In squid.conf make the necessary changes, like this:

http_port 3128 transparent

https_port 3130 transparent cert=/etc/pki/tls/certs/squidserver.hostname.com.crt key=/etc/pki/tls/private/squidserver.hostname.com.key
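The certificate problem behind the squid.conf step above is easiest to see in code. The following Go program is an added example, not part of the original post or of Squid: it runs the certificate check a browser performs against three certificates an intercepting proxy might present, namely the single static certificate of this walk-through (the name squidserver.hostname.com is taken from the post), a per-site certificate signed by a proxy CA that the client does not trust, and that same certificate once the CA is installed in the client's trust store. The requested site www.example.com and the CA name are assumptions made for the example; all certificates are generated in memory with the Go standard library and nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates an ECDSA key and certificate for name. With parent == nil the
// certificate is self-signed (the page's "openssl x509 -req ... -signkey" step);
// otherwise it is signed by parent, which is what an SSL-Bump proxy does with its
// own CA for every intercepted site. Names used here are constructed examples.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Browsers match the requested host against the SAN list, not the CN.
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verdict runs the check a browser performs on the certificate the proxy
// presents when the user asked for site, trusting only roots, and classifies
// the result the way the browser's warning page would.
func verdict(presented *x509.Certificate, roots *x509.CertPool, site string) string {
	_, err := presented.Verify(x509.VerifyOptions{DNSName: site, Roots: roots})
	var nameErr x509.HostnameError
	var issuerErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &nameErr):
		return "name mismatch"
	case errors.As(err, &issuerErr):
		return "untrusted issuer"
	default:
		return err.Error()
	}
}

// Scenarios compares the page's single static certificate with per-site
// certificates minted under a proxy CA, for a client requesting site.
func Scenarios(site string) map[string]string {
	// The page's setup: one certificate for the squid host, shown for every site.
	static, _ := issue("squidserver.hostname.com", false, nil, nil)
	imported := x509.NewCertPool()
	imported.AddCert(static) // even a user who imports squid's cert is not helped

	// SSL-Bump style: a proxy CA signs a fresh certificate for the requested site.
	ca, caKey := issue("Squid intercept CA (example)", true, nil, nil)
	perSite, _ := issue(site, false, ca, caKey)
	trustsCA := x509.NewCertPool()
	trustsCA.AddCert(ca) // what installing the CA on the clients achieves

	return map[string]string{
		"static cert, imported by user":   verdict(static, imported, site),
		"per-site cert, CA not installed": verdict(perSite, x509.NewCertPool(), site),
		"per-site cert, CA installed":     verdict(perSite, trustsCA, site),
	}
}

func main() {
	for scenario, result := range Scenarios("www.example.com") {
		fmt.Printf("%-32s -> %s\n", scenario, result)
	}
}
```

Run it with go run: the static certificate fails with a name mismatch even though the client has imported it, the per-site certificate fails as an untrusted issuer until the CA is installed, and only the last combination passes. That last combination is what Squid's SSL Bump with a CA certificate distributed to the clients provides, and it is also why the CA key must be guarded: whoever holds it can impersonate every HTTPS site to every client that trusts it.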