squid 0.3.5
Proxy Server: General Settings
/usr/local/pkg/squid.inc

squid (squid.sh, squid): Squid Proxy Server Service
clamd (clamav-clamd, clamd): ClamAV Antivirus
c-icap (c-icap, c-icap): ICAP Interface for Squid and ClamAV integration

General: /pkg_edit.php?xml=squid.xml&id=0
Remote Cache: /pkg.php?xml=squid_upstream.xml
Local Cache: /pkg_edit.php?xml=squid_cache.xml&id=0
Antivirus: /pkg_edit.php?xml=squid_antivirus.xml&id=0
ACLs: /pkg_edit.php?xml=squid_nac.xml&id=0
Traffic Mgmt: /pkg_edit.php?xml=squid_traffic.xml&id=0
Authentication: /pkg_edit.php?xml=squid_auth.xml&id=0
Users: /pkg.php?xml=squid_users.xml
Real Time: /squid_monitor.php
Sync: /pkg_edit.php?xml=squid_sync.xml

/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid.inc
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse.inc
/usr/local/www/shortcuts/ https://packages.pfsense.org/packages/config/squid3/34/pkg_squid.inc
/etc/inc/priv/ https://packages.pfsense.org/packages/config/squid3/34/squid.priv.inc
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_antivirus.xml
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_auth.xml
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_cache.xml
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_nac.xml
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse.xml
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_general.xml
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_peer.xml
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_redir.xml
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_sync.xml
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_uri.xml
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_sync.xml
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_traffic.xml
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_upstream.xml
/usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_users.xml
/usr/local/www/ https://packages.pfsense.org/packages/config/squid3/34/squid_clwarn.php
/usr/local/www/ https://packages.pfsense.org/packages/config/squid3/34/squid_monitor.php
/usr/local/www/ https://packages.pfsense.org/packages/config/squid3/34/squid_monitor_data.php
/usr/local/bin/ 0755 https://packages.pfsense.org/packages/config/squid3/34/check_ip.php
/usr/local/pkg/ 0755 https://packages.pfsense.org/packages/config/squid3/34/sqpmon.sh
/usr/local/www/ 0755 https://packages.pfsense.org/packages/config/squid3/34/squid_log_parser.php
/usr/local/pkg/ 0755 https://packages.pfsense.org/packages/config/squid3/34/swapstate_check.php

enabled

Squid General Settings (listtopic)

Proxy Interface(s) (active_interface)
Note: Use CTRL + click to select multiple interfaces.
Type: interfaces_selection; default: lan

Proxy Port (proxy_port)
This is the port the proxy server will listen on.
Type: input; size: 5; default: 3128

ICP Port (icp_port)
Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.
Type: input; size: 5

Allow Users on Interface (allow_interface)
There will be no need to add the interface's subnet to the list of allowed subnets.
Type: checkbox; default: on

Patch Captive Portal (patch_cp)
Note: You may need to reapply Captive Portal settings after changing this option.
Warning: This alters /etc/inc/captiveportal.inc file! USE WITH CAUTION! (A backup is made available under /root directory.)
Type: checkbox

Resolve DNS IPv4 First (dns_v4_first)
Type: checkbox

Disable ICMP (disable_pinger)
Type: checkbox

Use Alternate DNS Servers for the Proxy Server (dns_nameservers)
Note: Separate entries by semi-colons (;)
Type: input; size: 70

Transparent Proxy Settings (listtopic)

Transparent HTTP Proxy (transparent_proxy)
Note: Transparent mode will filter SSL (port 443) if you enable man-in-the-middle options below.
In order to proxy both HTTP and HTTPS protocols without intercepting SSL connections, configure WPAD/PAC options on your DNS/DHCP servers.
Type: checkbox; enable fields: transparent_active_interface,private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest

Transparent Proxy Interface(s) (transparent_active_interface)
Note: Use CTRL + click to select multiple interfaces.
Type: interfaces_selection; default: lan

Bypass Proxy for Private Address Destination (private_subnet_proxy_off)
destinations through the proxy server but let it pass directly through the firewall.
Type: checkbox

Bypass Proxy for These Source IPs (defined_ip_proxy_off)
source IPs, CIDR nets, hostnames, or aliases through the proxy server but let it pass directly through the firewall.
(Applies only to transparent mode.)
Note: Separate entries by semi-colons (;)
Type: input; size: 70

Bypass Proxy for These Destination IPs (defined_ip_proxy_off_dest)
destination IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall.
(Applies only to transparent mode.)
Note: Separate entries by semi-colons (;)
Type: input; size: 70

SSL Man In the Middle Filtering (listtopic)

HTTPS/SSL interception (ssl_proxy)
Enable SSL filtering.
Type: checkbox; enable fields: ssl_active_interface,dca,sslcrtd_children,ssl_proxy_port,interception_checks

SSL Intercept Interface(s) (ssl_active_interface)
Note: Use CTRL + click to select multiple interfaces.
Type: interfaces_selection; default: lan

SSL Proxy port (ssl_proxy_port)
This is the port the proxy server will listen on to intercept SSL while using transparent proxy.
Type: input; size: 5; default: 3129

CA (dca)
To create a CA on pfSense, go to System -> Cert Manager.
Install the CA certificate as a Trusted Root CA on each computer you want to filter SSL on to avoid SSL error on each connection.
Type: select_source (descr, refid)

SSL Certificate Daemon Children (sslcrtd_children)
Default: 5
Type: input; size: 2; default: 5

Remote Cert Checks (interception_checks)
Note: Use CTRL + click to select multiple options.
Type: select; size: 3

Certificate Adapt (interception_adapt)
Hint: Set the subject CN - see fake certificate properties documentation for details.
Type: select; size: 3

Logging Settings (listtopic)

Enable Logging (log_enabled)
Warning: Do not switch this on if you don't have much disk space left.
Type: checkbox; enable fields: log_dir,log_rotate

Log Store Directory (log_dir)
Default: /var/squid/logs
Note: Do NOT include the trailing / when setting a custom location.
Type: input; size: 60; default: /var/squid/logs

Rotate Logs (log_rotate)
Defines how many days of logfiles will be kept. Rotation is disabled if left empty.
Type: input; size: 5

Visible Hostname (visible_hostname)
This is the hostname to be displayed in proxy server error messages.
Type: input; size: 60; default: localhost

Administrator's Email (admin_email)
This is the email address displayed in error messages to the users.
Type: input; size: 60; default: admin@localhost

Error Language (error_language)
Select the language in which the proxy server will display error messages to users.
Type: select; default: en

X-Forwarded Header Mode (xforward_mode)
on: Squid will append your client's IP address in the HTTP requests it forwards. The header looks like: X-Forwarded-For: 192.1.2.3.
off: Squid will NOT append your client's IP address in the HTTP requests it forwards. The header looks like: X-Forwarded-For: unknown
transparent: Squid will not alter the X-Forwarded-For header in any way.
delete: Squid will delete the entire X-Forwarded-For header.
truncate: Squid will remove all existing X-Forwarded-For header entries and place the client's IP address as the only header entry.
Default: on
Type: select; default: on

Disable VIA Header (disable_via)
If not set, Squid will include a Via header in requests and replies as required by RFC2616.
Type: checkbox

Log Pages Denied by SquidGuard (log_sqd)
Note: This option will only work if you include the code below in your sgerror.php file.
This forces the client browser to send a second request to Squid with the denied string in URL.
Hint: You MUST remove extra spaces in the above iframe HTML tags.
Type: checkbox

URI Whitespace Characters Handling (uri_whitespace)
strip: The whitespace characters are stripped out of the URI. This is the behavior recommended by RFC2396.
deny: The request is denied. The user receives an "Invalid Request" message.
allow: The request is allowed and the URI is not changed. The whitespace characters remain in the URI.
encode: The request is allowed and the whitespace characters are encoded according to RFC1738.
chop: The request is allowed and the URI is chopped at the first whitespace.
Type: select; default: strip

Suppress Squid Version (disable_squidversion)
Suppresses Squid version string info in HTTP headers and HTML error pages if enabled.
Type: checkbox

Integrations (custom_options)
Type: textarea; cols: 78; rows: 5

Custom ACLS (Before Auth) (custom_options_squid3)
Warning: These need to be squid.conf native options, otherwise Squid will NOT work.
Type: textarea; encoding: base64; cols: 78; rows: 10

Custom ACLS (After Auth) (custom_options2_squid3)
Warning: These need to be squid.conf native options, otherwise Squid will NOT work.
Type: textarea; encoding: base64; cols: 78; rows: 10

squid_resync();
squid_validate_general($_POST, $input_errors);
squid_resync();
squid_generate_rules