What the heck! Squid? Yes, you heard right. But I am not referring to the squid that is similar to an octopus, with a distinct head and eight to ten arms. Neither am I referring to the SpongeBob character on Nickelodeon.
I am, however, talking about a caching proxy server (Squid runs on Unix-like systems, including the FreeBSD base of pfSense) that acts as an intermediary: it passes the client's request on to the origin server and saves a copy of the requested object. If the same client, or any other client, requests the same object before it expires from Squid's cache, Squid can serve it immediately, speeding up the download and saving bandwidth. You can read more about Squid from this
In this “Squid Proxy Server and SquidGuard Configuration on Pfsense” guide, we will install the Squid proxy package on pfSense and use it to control both HTTP and HTTPS traffic. Next, we will install SquidGuard to filter web traffic and get insight into the websites our users visit.
Enough talking; let's pull up our pfSense server and install Squid.
Squid Proxy Server and SquidGuard Configuration on Pfsense.
Now that you are logged into pfSense, navigate to System => Package Manager => Available Packages. Locate squid and squidGuard and install them. If you are having trouble viewing the available packages, open the pfSense shell (console or SSH) and run: pkg upgrade -f. This forces a reinstall of every installed package, so it can take a while; make sure you have a reliable internet connection.
Now go to Services => Proxy Server.
ENABLE TRANSPARENT PROXY ON PFSENSE.
The problem we are trying to avoid is having to visit 500 computers on the network to install certificates on them, or to visit the same number of computers to enter the proxy server's IP address by hand. Therefore, we will simply use the transparent HTTP proxy: pfSense redirects outbound port 80 traffic on the chosen interface to Squid, so clients need no configuration at all. Note that at this point only plain HTTP on port 80 is intercepted; HTTPS is covered further down.
Now click on Local Cache to set the size of the on-disk cache.
In my case I used 100 MB, but you could use 500 MB to 1 GB depending on your needs. Then click Save.
To enable transparent mode on the pfSense firewall, click Proxy Server => General Settings and tick the Enable Squid Proxy checkbox.
Next, under Proxy Interface(s), select the interface you want the proxy to listen on. In our case, it is our LAN.
Tick Allow Users on Interface so that all users on the LAN interface can use the proxy.
Under Transparent Proxy Settings, tick Enable Transparent HTTP Proxy and select the interface(s) to intercept on.
You can also list destinations that your clients may reach directly, bypassing the proxy. For instance, I once worked for a branch office that used pfSense, while the head office used Cisco routers. The branch office users connected to the head office over VPN. The head office used a proxy server that handed out a non-transparent proxy IP address to clients whenever they connected to the head office. As soon as the clients disconnected from the head office, the pfSense transparent mode kicked in. There were lots of conflicts: some users in the branch could not access the mail server in the head office once connected to the VPN. To resolve this, I simply entered the mail server's fully qualified domain name (mail.server.com) or IP address in Bypass Proxy for These Destination IPs, and the issue was resolved.
Now click Save.
CONFIGURE SQUIDGUARD ON PFSENSE
Click on Services => SquidGuard Proxy Filter.
Before you enable SquidGuard, tick Enable log and Enable log rotation. Also tick Blacklist and enter the URL (http://www.shallalist.de/Downloads/shallalist.tar.gz). Note that the Shalla list has since been discontinued and the download no longer works; if that is what you see, point this field at a currently maintained list (the UT1 blacklist from Université Toulouse 1 Capitole is a common replacement) and use its category names in the ACL below. Now click Save.
Now click the Blacklist tab and click Download to fetch the blacklist from the URL supplied above.
Now click the Target Categories tab and click Add. We will be adding the sites we want to allow access to.
We will grant access to Google and Yahoo alone. Enter the name Grant_Access. In the Domain List, enter google.com and yahoo.com separated by a space, as shown below. A domain entry also matches all of its subdomains, so google.com covers www.google.com and mail.google.com, but not notgoogle.com.
Click Save. To actually grant access to these domains, click the Common ACL tab and click the + sign next to Target Rules List. Locate the Grant_Access category we created earlier and set its access to allow, as shown.
Without showing it here, I will also deny access to some categories from the blacklist.
Tick Do not allow IP addresses in URL so that clients cannot sidestep the domain filter by browsing to a site by its IP address. Target rules are evaluated top to bottom and the first match wins; anything that matches no rule falls through to Default access [all], which must be set to deny for "Google and Yahoo only" to hold. Now Save.
Now go back to General Settings and click Apply.
Try to access an HTTP site that has been blocked, and you should get the familiar block page.
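Before rolling an ACL like this out to 500 desktops it is worth checking which URLs it will actually pass. The script below is an added example, not code from the post or from the squidGuard project: it emulates the target rule list built above using squidGuard's matching semantics (a domain list entry matches the host and every subdomain; rules are checked in order and the first match wins; squidGuard's built-in "in-addr" target, which the "Do not allow IP addresses in URL" option enables, catches URLs that name a host by IP). Grant_Access holds the two domains from the post; the "porn" category and its single entry are constructed stand-ins for a blacklist category; the default action is deny. Where pfSense places the in-addr term in the generated rule list is not shown on the page, so it is put first here as an assumption.

```python
"""Emulate the SquidGuard Common ACL from the post to test URLs before going live.

Added example; the category contents and the rule order are assumptions, not
values read from a real pfSense box.
"""
import ipaddress
from urllib.parse import urlsplit

# Target categories: name -> domain list, as typed into the Domain List box.
TARGETS = {
    "Grant_Access": {"google.com", "yahoo.com"},   # from the post
    "porn": {"adult-example.test"},                # constructed stand-in for a blacklist category
}

# Target Rules List in Common ACL order. "in-addr" is squidGuard's built-in
# match for URLs whose host is an IP address.
RULES = [
    ("in-addr", "deny"),       # 'Do not allow IP addresses in URL' (assumed to come first)
    ("Grant_Access", "allow"),
    ("porn", "deny"),
]
DEFAULT_ACCESS = "deny"        # 'Default access [all]'


def host_matches(host: str, domains: set) -> bool:
    """True if host equals a domain list entry or is a subdomain of one.

    squidGuard compares the host and each parent domain against the list, so
    google.com covers www.google.com but not notgoogle.com or google.com.evil.test.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def is_ip_literal(host: str) -> bool:
    """True when the host is written as an IPv4 or IPv6 address (squidGuard's in-addr)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate(url: str) -> str:
    """Return 'allow' or 'deny' for a URL, the way the Common ACL would decide it.

    Only the hostname is consulted: for HTTPS in splice mode the proxy sees
    nothing but the server name from the TLS handshake, so a host-based decision
    is all the filter can make for https:// URLs anyway.
    """
    host = urlsplit(url).hostname or ""
    for target, action in RULES:
        if target == "in-addr":
            matched = is_ip_literal(host)
        else:
            matched = host_matches(host, TARGETS[target])
        if matched:
            return action
    return DEFAULT_ACCESS


if __name__ == "__main__":
    # Constructed sample URLs covering each branch of the rule list.
    for sample in [
        "http://www.google.com/search?q=squid",
        "https://mail.yahoo.com/",
        "http://notgoogle.com/",
        "http://google.com.evil.test/",
        "http://93.184.216.34/",
        "https://adult-example.test/",
        "http://example.org/",
    ]:
        print(f"{evaluate(sample):5}  {sample}")
```

Run it from any machine; it needs no access to the firewall. The two look-alike hosts (notgoogle.com and google.com.evil.test) are the cases to keep in mind when you are tempted to widen a domain entry: squidGuard matches on domain suffix boundaries, never on substrings.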
SQUID PROXY FOR HTTPS TRAFFIC.
Until now we have only been filtering HTTP traffic. To filter HTTPS traffic, first create an internal certificate authority. Go to System => Certificate Manager => CAs, click Add, choose Create an internal Certificate Authority and enter the details as shown. Note: this is a self-signed CA, and its private key now lives on the firewall (and in every backup of its configuration). Anyone who obtains that key can impersonate any HTTPS site to every client that trusts the CA, so guard config backups accordingly.
Now go back to Proxy Server => General Settings. Locate SSL Man In the Middle Filtering and tick HTTPS/SSL Interception to enable it.
In SSL/MITM Mode, select Splice All. In this mode Squid reads the server name (SNI) from the TLS ClientHello and then passes the connection through without decrypting it, so clients still see the site's real certificate and nothing needs to be installed on them, which is the whole point of going transparent. The trade-off is that SquidGuard can filter HTTPS by hostname only, not by URL path or page content; full inspection needs one of the bump modes, and those do require the CA certificate created above to be installed on every client.
Under SSL Intercept Interface(s), select your LAN.
In the CA field, select the certificate authority you created above. Now click Save.
Now try to access Google. Access granted. Yeah!
I blocked a porn site. Try to access one and 🙂
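A quick way to confirm what the proxy is doing to a given HTTPS site, and therefore whether your clients need the CA or not, is to look at who signed the certificate they receive. The script below is an added example, not code from the post or from the Squid or pfSense projects. Run from a LAN client behind the transparent proxy, it opens a TLS connection to the site and reports "splice" if the leaf certificate comes from the site's real CA, or "bump" if it was re-signed by the internal CA. The CA file path and the CA common name are hypothetical: export the CA from the Certificate Manager and pass its path and CN on the command line. With no arguments it runs against two constructed certificate dictionaries so it can be exercised offline.

```python
"""Report whether the transparent proxy splices or bumps an HTTPS site.

Added example. Assumes (hypothetically) that the pfSense CA was exported to a
PEM file and that its common name is known to the caller.

Usage from a LAN client:
    python check_proxy_tls.py www.google.com /path/to/pfsense-ca.crt pfSense-Proxy-CA
"""
import socket
import ssl
import sys


def issuer_common_name(cert: dict) -> str:
    """Return the issuer CN from the dict that ssl.SSLSocket.getpeercert() returns.

    The 'issuer' value is a tuple of RDNs, each RDN a tuple of (attribute, value)
    pairs, e.g. ((('countryName', 'US'),), (('commonName', 'GTS CA 1C3'),)).
    """
    for rdn in cert.get("issuer", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return ""


def classify(cert: dict, internal_ca_cn: str) -> str:
    """'bump' if the internal CA signed the leaf certificate, otherwise 'splice'."""
    return "bump" if issuer_common_name(cert) == internal_ca_cn else "splice"


def fetch_peer_cert(host: str, ca_file: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:443 (pfSense redirects this to Squid) and return the leaf cert.

    The internal CA is added to the trust store for this context so that a bumped
    connection still verifies; if verification were turned off instead,
    getpeercert() would return {} and say nothing about the issuer.
    """
    context = ssl.create_default_context()
    context.load_verify_locations(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates for offline use; not captured from a real site.
SPLICED_SAMPLE = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Google Trust Services LLC"),),
        (("commonName", "GTS CA 1C3"),),
    ),
}
BUMPED_SAMPLE = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("commonName", "pfSense-Proxy-CA"),),),
}


if __name__ == "__main__":
    if len(sys.argv) == 4:
        host, ca_file, ca_cn = sys.argv[1:4]
        cert = fetch_peer_cert(host, ca_file)
        print(f"{host}: issuer CN {issuer_common_name(cert)!r} -> {classify(cert, ca_cn)}")
    else:
        for label, sample in (("spliced sample", SPLICED_SAMPLE), ("bumped sample", BUMPED_SAMPLE)):
            print(f"{label}: {classify(sample, 'pfSense-Proxy-CA')}")
```

If a site you expected to be spliced comes back as "bump", the client must trust the internal CA or the page will fail with a certificate error, which is exactly the mass certificate rollout the transparent setup was meant to avoid.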
That is that. Next, we will look at viewing the sites our users visited and displaying some graphs. Stay tuned.