squid 0.3.8 Proxy Server: General Settings /usr/local/pkg/squid.inc Squid Proxy Server Modify the proxy server settings
Services
/pkg_edit.php?xml=squid.xml&id=0
Squid Reverse Proxy Modify the reverse proxy server settings
Services
/pkg_edit.php?xml=squid_reverse_general.xml&id=0
squid squid.sh squid Squid Proxy Server Service clamd clamd.sh clamd ClamAV Antivirus c-icap c-icap.sh c-icap ICAP Inteface for Squid and ClamAV integration General /pkg_edit.php?xml=squid.xml&id=0 Remote Cache /pkg.php?xml=squid_upstream.xml Local Cache /pkg_edit.php?xml=squid_cache.xml&id=0 Antivirus /pkg_edit.php?xml=squid_antivirus.xml&id=0 ACLs /pkg_edit.php?xml=squid_nac.xml&id=0 Traffic Mgmt /pkg_edit.php?xml=squid_traffic.xml&id=0 Authentication /pkg_edit.php?xml=squid_auth.xml&id=0 Users /pkg.php?xml=squid_users.xml Real Time /squid_monitor.php Sync /pkg_edit.php?xml=squid_sync.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid.inc /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse.inc /usr/local/www/shortcuts/ https://packages.pfsense.org/packages/config/squid3/34/pkg_squid.inc /etc/inc/priv/ https://packages.pfsense.org/packages/config/squid3/34/squid.priv.inc /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_antivirus.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_auth.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_cache.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_nac.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_general.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_peer.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_redir.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_sync.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_uri.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_sync.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_traffic.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_upstream.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_users.xml /usr/local/www/ https://packages.pfsense.org/packages/config/squid3/34/squid_clwarn.php /usr/local/www/ https://packages.pfsense.org/packages/config/squid3/34/squid_monitor.php /usr/local/www/ https://packages.pfsense.org/packages/config/squid3/34/squid_monitor_data.php /usr/local/bin/ 0755 https://packages.pfsense.org/packages/config/squid3/34/check_ip.php /usr/local/pkg/ 0755 https://packages.pfsense.org/packages/config/squid3/34/sqpmon.sh /usr/local/www/ 0755 https://packages.pfsense.org/packages/config/squid3/34/squid_log_parser.php /usr/local/pkg/ 0755 https://packages.pfsense.org/packages/config/squid3/34/swapstate_check.php enabled Squid General Settings listtopic Enable Squid Proxy enable_squid Note: If unchecked, all Squid services will be disabled and stopped.
]]>
checkbox
Keep Settings/Data keep_squid_data Note: If disabled, all settings and data will be wiped on package uninstall/reinstall/upgrade. ]]> checkbox on Proxy Interface(s) active_interface Note: Use CTRL + click to select multiple interfaces. ]]> interfaces_selection lan Proxy Port proxy_port This is the port the proxy server will listen on. input 5 3128 ICP Port icp_port Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP. ]]> input 5 Allow Users on Interface allow_interface There will be no need to add the interface's subnet to the list of allowed subnets. ]]> checkbox on Patch Captive Portal patch_cp Note: You may need to reapply Captive Portal settings after changing this option.
Warning: This alters /etc/inc/captiveportal.inc file! USE WITH CAUTION! (A backup is made available under /root directory.) ]]>
checkbox
Resolve DNS IPv4 First dns_v4_first checkbox Disable ICMP disable_pinger checkbox Use Alternate DNS Servers for the Proxy Server dns_nameservers Note: Separate entries by semi-colons (;) ]]> input 70 Transparent Proxy Settings listtopic Transparent HTTP Proxy transparent_proxy Note: Transparent mode will filter SSL (port 443) if you enable man-in-the-middle options below.
In order to proxy both HTTP and HTTPS protocols without intercepting SSL connections, configure WPAD/PAC options on your DNS/DHCP servers. ]]>
checkbox transparent_active_interface,private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest
Transparent Proxy Interface(s) transparent_active_interface Note: Use CTRL + click to select multiple interfaces. ]]> interfaces_selection lan Bypass Proxy for Private Address Destination private_subnet_proxy_off destinations through the proxy server but let is pass directly through the firewall. ]]> checkbox Bypass Proxy for These Source IPs defined_ip_proxy_off source IPs, CIDR nets, hostnames, or aliases through the proxy server but let it pass directly through the firewall. (Applies only to transparent mode.)

Note: Separate entries by semi-colons (;) ]]>
input 70
Bypass Proxy for These Destination IPs defined_ip_proxy_off_dest destination IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall.
(Applies only to transparent mode.)

Note: Separate entries by semi-colons (;) ]]>
input 70
SSL Man In the Middle Filtering listtopic HTTPS/SSL interception ssl_proxy Enable SSL filtering. checkbox ssl_active_interface,dca,sslcrtd_children,ssl_proxy_port,interception_checks SSL Intercept Interface(s) ssl_active_interface Note: Use CTRL + click to select multiple interfaces. ]]> interfaces_selection lan SSL Proxy port ssl_proxy_port This is the port the proxy server will listen on to intercept SSL while using transparent proxy. input 5 3129 CA dca To create a CA on pfSense, go to System -> Cert Manager.
Install the CA certificate as a Trusted Root CA on each computer you want to filter SSL on to avoid SSL error on each connection. ]]>
select_source descr refid
SSL Certificate Deamon Children sslcrtd_children Default: 5 ]]> input 2 5 Remote Cert Checks interception_checks Note: Use CTRL + click to select multiple options.
]]>
select 3
Certificate Adapt interception_adapt Hint: Set the subject CN - see fake certificate properties documentation for details. ]]> select 3 Logging Settings listtopic Enable Logging log_enabled Warning: Do not switch this on if you don't have much disk space left. ]]> checkbox log_dir,log_rotate Log Store Directory log_dir Default: /var/squid/logs
Note: Do NOT include the trailing / when setting a custom location. ]]>
input 60 /var/squid/logs
Rotate Logs log_rotate Defines how many days of logfiles will be kept. Rotation is disabled if left empty. input 5 Visible Hostname visible_hostname This is the hostname to be displayed in proxy server error messages. input 60 localhost Administrator's Email admin_email This is the email address displayed in error messages to the users. input 60 admin@localhost Error Language error_language Select the language in which the proxy server will display error messages to users. select en X-Forwarded Header Mode xforward_mode on: Squid will append your client's IP address in the HTTP requests it forwards. The header looks like: X-Forwarded-For: 192.1.2.3.
off: Squid will NOT append your client's IP address in the HTTP requests it forwards. The header looks like: X-Forwarded-For: unknown
transparent: Squid will not alter the X-Forwarded-For header in any way.
delete: Squid will delete the entire X-Forwarded-For header.
truncate: Squid will remove all existing X-Forwarded-For header entries and place the client's IP address as the only header entry.

Default: on ]]>
select on
Disable VIA Header disable_via If not set, Squid will include a Via header in requests and replies as required by RFC2616. checkbox Log Pages Denied by SquidGuard log_sqd Note: This option will only work if you include the code below in your sgerror.php file.
This forces the client browser to send a second request to Squid with the denied string in URL.

$sge_prefix = (preg_match("/\?/", $cl['u']) ? "&" : "?");
$str[] = '< iframe > src="'. $cl['u'] . $sge_prefix . 'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';

Hint: You MUST remove extra spaces in the above iframe HTML tags. ]]>
checkbox
URI Whitespace Characters Handling uri_whitespace strip: The whitespace characters are stripped out of the URI. This is the behavior recommended by RFC2396. deny: The request is denied. The user receives an "Invalid Request" message. allow: The request is allowed and the URI is not changed. The whitespace characters remain in the URI. encode: The request is allowed and the whitespace characters are encoded according to RFC1738. chop: The request is allowed and the URI is chopped at the first whitespace. ]]> select strip Suppress Squid Version disable_squidversion Suppresses Squid version string info in HTTP headers and HTML error pages if enabled. checkbox Integrations custom_options textarea 78 5 Custom ACLS (Before Auth) custom_options_squid3 Warning: These need to be squid.conf native options, otherwise Squid will NOT work. ]]> textarea base64 78 10 Custom ACLS (After Auth) custom_options2_squid3 Warning: These need to be squid.conf native options, otherwise Squid will NOT work. ]]> textarea base64 78 10
squid_resync(); squid_validate_general($_POST, $input_errors); squid_resync(); squid_deinstall_command(); squid_generate_rules