<p>pfSense bugtracker: Issues<br /><a class="external" href="https://redmine.pfsense.org/">https://redmine.pfsense.org/</a> (feed updated 2023-01-12T09:46:50Z)</p>
<p>pfSense Packages - Feature #13863 (New): squidguard auto update blacklist<br /><a class="external" href="https://redmine.pfsense.org/issues/13863">https://redmine.pfsense.org/issues/13863</a> (2023-01-12T09:46:50Z, Mustafa Avcı)</p>
<p>Instead of creating a custom cron job, an auto update with a dropdown for none, daily, weekly, biweekly or monthly updates would be nice.</p>
<p>pfSense Packages - Bug #13544 (New): SquidGuard either denying everything or proxying everything<br /><a class="external" href="https://redmine.pfsense.org/issues/13544">https://redmine.pfsense.org/issues/13544</a> (2022-10-05T01:40:03Z, Jimmy Michaelson)</p>
<p>Hey,</p>
<p>I truly doubt this is a configuration issue as I've tried all the possible combinations.</p>
<p>Relevant images and config:</p>
<p><a class="external" href="https://forum.netgate.com/topic/175057/10-btc-bounty-squid-proxy-whitelist-per-source-ip/6">https://forum.netgate.com/topic/175057/10-btc-bounty-squid-proxy-whitelist-per-source-ip/6</a></p>
<p>FYI: The bounty has been bumped to $20 and is also valid here.</p>
<p>pfSense Packages - Bug #13421 (New): Stunnel certificate does not refresh<br /><a class="external" href="https://redmine.pfsense.org/issues/13421">https://redmine.pfsense.org/issues/13421</a> (2022-08-16T21:11:42Z, A Schnee)</p>
<p>I use stunnel with ACME certificates which expire every 90 days. When the certificate is 60 days old ACME auto refreshes the certificate. Unfortunately stunnel does not pick up this change. When opening the stunnel config page the certificates are shown but they are not refreshing even on restart of the stunnel service.</p>
<p>The only way I found to refresh is to connect via ssh, go to /usr/local/etc/stunnel and delete the corresponding pem files. After that, on the gui open one of the stunnel configs and save. This will copy the new cert files from the /conf/acme directory to the stunnel directory.</p>
<p>I have to repeat the above steps every time the cert expires. I would expect stunnel to use the certificate from its original location (/conf/acme), thus it would pick up the new certificate on service restart.</p>
<p>Stunnel version: 5.50_11<br />pfSense version: 2.6.0-RELEASE (amd64)</p>
<p>pfSense Packages - Bug #13412 (New): SquidGuard, Rewrite rules, only one sub-rule will work if mo...<br /><a class="external" href="https://redmine.pfsense.org/issues/13412">https://redmine.pfsense.org/issues/13412</a> (2022-08-13T01:21:21Z, UserPfbUg User)</p>
<p>So, SquidGuard - Rewrites<br />If we create a new rewrite rule, add one rewrite condition, save it and Apply, it works fine; we can also check SquidGuard - Log - Filter config and see the rewrite rule we have created.</p>
<p>However, if we add more conditions in the same rewrite rule, and if we go to SquidGuard - Log - Filter config and check again, there will always be only 1 condition under the rule which we have defined.</p>
<p>So,</p>
<p>Instead of</p>
<pre>
rew app_p {
s@11.22.33.44@example1.com@ir
s@11.22.33.55@example2.com@ir
log block.log
}
</pre>
<p>We only get</p>
<pre>
rew app_p {
s@11.22.33.55@example2.com@ir
log block.log
}
</pre>
<p>OR</p>
<pre>
rew app_p {
s@11.22.33.44@example1.com@ir
log block.log
}
</pre>
<p>No matter how many conditions we add to the rule, there will only be one condition shown here, which eventually affects how the rule works, because all other conditions defined in the rule are ignored; only the shown one will work.</p>
<p>Will someone be able to fix this bug?</p>
<p>pfSense Packages - Bug #13141 (New): wrong page squidguard block<br /><a class="external" href="https://redmine.pfsense.org/issues/13141">https://redmine.pfsense.org/issues/13141</a> (2022-05-09T17:33:52Z, Robson Ferreira)</p>
<p>When I use squid+squidguard, a few versions before I could use redirect mode external url move.<br />So there I was putting the page to redirect and it works.<br />But now when I put the page, if I check the squidguard file there is a redirect 302, but before there wasn't.<br />Look at the picture.</p>
<p>pfSense Packages - Bug #12732 (New): Squid https filtering squidguard acl target list - erratic b...<br /><a class="external" href="https://redmine.pfsense.org/issues/12732">https://redmine.pfsense.org/issues/12732</a> (2022-01-26T09:11:28Z, fr scm)</p>
<p>Bug that could be described as an erratic behaviour in squid https filtering: some websites specified in squidguard target categories pass through the web filtering, and some don't.</p>
<p>Investigations using a very simplified pfSense configuration as follows:<br /> - fresh install of pfSense 2.5.2 with only squid and squidguard installed<br /> - squid with default configuration, transparent mode and SSL man in the middle filtering activated (with an internal CA created through the certificate manager with default parameters)<br /> - squidguard: created a target category with two URLs, parisaeroport.fr and visitstrasbourg.fr, and denying this in the Common ACL target rules list.</p>
<p>Result: parisaeroport.fr is blocked as intended, but visitstrasbourg.fr is not blocked at all, without any clear records in squid logs that could highlight that difference.<br />It is not a cache problem.</p>
<p>Squidguard configuration file :</p>
<pre>
# ============================================================
# SquidGuard configuration file
# This file generated automaticly with SquidGuard configurator
# (C)2006 Serg Dvoriancev
# email: dv_serg@mail.ru
# ============================================================
logdir /var/squidGuard/log
dbhome /var/db/squidGuard
#
dest target_test {
domainlist target_test/domains
log block.log
}
#
rew safesearch {
s@(google\..*/search?.*q=.*)@&safe=active@i
s@(google\..*/images.*q=.*)@&safe=active@i
s@(google\..*/groups.*q=.*)@&safe=active@i
s@(google\..*/news.*q=.*)@&safe=active@i
s@(yandex\..*/yandsearch?.*text=.*)@&fyandex=1@i
s@(search\.yahoo\..*/search.*p=.*)@&vm=r&v=1@i
s@(search\.live\..*/.*q=.*)@&adlt=strict@i
s@(search\.msn\..*/.*q=.*)@&adlt=strict@i
s@(\.bing\..*/.*q=.*)@&adlt=strict@i
s@(duckduckgo\..*/?.*q=.*)@&kp=1@i
s@(rambler\..*/?.*query=.*)@&adult=family@i
s@(qwant\..*/?.*q=.*)@&s=2@i
s@(ecosia\..*/search.*q=.*)@&safesearch=2@i
s@(onesearch\..*/yhs/search.*)@&vm=r@i
log block.log
}
#
acl {
#
default {
pass !target_test all
redirect http://192.168.10.9:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
log block.log
}
}
</pre>
<p>Squid configuration :</p>
<pre>
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.10.9:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
icp_port 0
digest_generation off
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language fr
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048
tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
tls_outgoing_options capath=/usr/local/share/certs/
tls_outgoing_options options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_children 5
logfile_rotate 0
debug_options rotate=0
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.10.0/24
forwarded_for on
uri_whitespace strip
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 100 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache deny all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#Remote proxies
# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
acl sslports port 443 563
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
# SslBump Peek and Splice
# http://wiki.squid-cache.org/Features/SslPeekAndSplice
# http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
# Match against the current step during ssl_bump evaluation [fast]
# Never matches and should not be used outside the ssl_bump context.
#
# At each SslBump step, Squid evaluates ssl_bump directives to find
# the next bumping action (e.g., peek or splice). Valid SslBump step
# values and the corresponding ssl_bump evaluation moments are:
# SslBump1: After getting TCP-level and HTTP CONNECT info.
# SslBump2: After getting TLS Client Hello info.
# SslBump3: After getting TLS Server Hello info.
# These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
# they can be used there for custom configuration.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
# Package Integration
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 16 startup=8 idle=4 concurrency=0
# Custom options before auth
# Set YouTube safesearch restriction
acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
request_header_access YouTube-Restrict deny all
request_header_add YouTube-Restrict none youtubedst
ssl_bump peek step1
ssl_bump bump all
# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc
</pre>
<p>pfSense Packages - Feature #12491 (New): squidguard: allow multiple regex<br /><a class="external" href="https://redmine.pfsense.org/issues/12491">https://redmine.pfsense.org/issues/12491</a> (2021-10-28T15:30:01Z, Jesse Norell)</p>
<p>When adding a Target category, please allow multiple lines in the 'Regular Expression' list. The upstream squidguard supports that ("The expressionlist file format is lines with regular expressions as described in regex(5)"), but the pfSense squidGuard package strips the newlines out.</p>
<p>pfSense Packages - Feature #11784 (New): squidguard auto update blacklist option<br /><a class="external" href="https://redmine.pfsense.org/issues/11784">https://redmine.pfsense.org/issues/11784</a> (2021-04-06T01:53:14Z, ageekhere)</p>
<p>Would be nice to have an auto update blacklist option with a drop down menu for none, daily, weekly, fortnightly or monthly updates instead of creating a custom cron job.</p>
<p>pfSense Packages - Bug #10994 (New): SquidGuard Blacklists Restore Default button does not work<br /><a class="external" href="https://redmine.pfsense.org/issues/10994">https://redmine.pfsense.org/issues/10994</a> (2020-10-20T11:09:49Z, Constantine Kormashev)</p>
<p>If the SquidGuard/Blacklists Blacklist Update field is empty then clicking Restore Default restores nothing and generates an error message:</p>
<pre>
Restore default blacklist DB.
Restore error: File /var/db/squidGuard.sample or /usr/local/etc/squidGuard/blacklist.files not found.
</pre>
<p>It does not matter whether SquidGuard/Squid is enabled or not.<br />Tried on 2.4.5-p1 ARM and Intel.</p>
<p>pfSense Packages - Feature #10865 (New): squidGuard lacks options to send traffic action logs to ...<br /><a class="external" href="https://redmine.pfsense.org/issues/10865">https://redmine.pfsense.org/issues/10865</a> (2020-09-04T21:55:01Z, Kris Phillips)</p>
<p>squidGuard has options to send logs to squid's logs, but these don't seem to arrive at a syslog server and are only logged locally.</p>
<p>squidGuard has an option for "enable syslog" that can be added to the SquidGuard.conf file, but its value is overwritten when any changes are made to the squidGuard config from the GUI.</p>
<p>It would be helpful if the logs sent to squid could be shuttled off via syslog messages or if squidGuard could send its logs directly.</p>
<p>pfSense Packages - Bug #9286 (New): squidGuard - Unable to change IP for sgerror.php URL in confi...<br /><a class="external" href="https://redmine.pfsense.org/issues/9286">https://redmine.pfsense.org/issues/9286</a> (2019-01-22T12:13:21Z, Kris Douglas)</p>
<p>There is an issue with squidGuard where a user is not able to specify the address that squidGuard provides to the client machine in the event that a page has been blocked. If said address differs from the LAN IP on port 80, you are not able to serve errors to users.</p>
<p>(For example, in the situation where there is a network being filtered with users on it that differs from the LAN, and you do not wish to have a route through, the error pages do not work.) This can be fixed by editing the config file, but these edits are reset on reboot.</p>
<p>pfSense Packages - Bug #9025 (New): SquidGard + Target categories<br /><a class="external" href="https://redmine.pfsense.org/issues/9025">https://redmine.pfsense.org/issues/9025</a> (2018-10-08T01:00:25Z, Issa Jacaman)</p>
<p>Hello,</p>
<p>An error occurs after applying the changes to SquidGuard when:<br />Removing an unwanted target category from the "Target Categories" tab that is already applied to a certain group(s) ACL with "whitelist, deny or allow".<br />The error is:<br />(A5) ACL 'Group_ACL_Name' error: destination name 'Target_Category' not found.</p>
<p>To bypass this error, the unwanted target category should first be changed to "---" in the "Group(s) ACL", then apply the changes to SquidGuard.</p>
<p>pfSense Packages - Bug #8827 (New): Squidguard: ACL redirect modes 'redirect' and 'err page' send...<br /><a class="external" href="https://redmine.pfsense.org/issues/8827">https://redmine.pfsense.org/issues/8827</a> (2018-08-24T12:40:47Z, Steve Wheeler)</p>
<p>Squid running in bump mode. Though that should not affect this.</p>
<p>When configuring Common or Group ACLs, or applying the redirect to a specific target category, setting the redirect modes 'redirect' and 'err page' results in a bad URL being passed to the client.</p>
<p>If an https URL is entered the resulting client error is:</p>
<pre>
The following error was encountered while trying to retrieve the URL: https://https/*
Unable to determine IP address from host name https
</pre>
<p>Choosing redirect mode 'url move' which sends a 301 to the client allows the error page to be shown as expected.</p>
<p>pfSense Packages - Bug #8752 (New): For SquidGuard in "Common ACL" menu "Target Rules List" "acce...<br /><a class="external" href="https://redmine.pfsense.org/issues/8752">https://redmine.pfsense.org/issues/8752</a> (2018-08-06T05:17:47Z, Azamat Khakimyanov)</p>
<p>I tried on 2.4.4-DEV 20180801 and 20180805 with the same result.</p>
<p>I created Target Category "BlockSomeSites", then in the Common ACL menu I chose the "Deny" action for my category<br />and "Allow" for 'Default access[all]', but after pressing "Save" the "access" option for my category was again at the default value '---'.<br />Anyway my "BlockSomeSites" works and sites from this list are not available.<br />Screenshots are attached.</p>
<p>On 2.4.3_p1 I didn't see this issue: after choosing the "Deny" action for my Target category and pressing "Save", the "access" option for my category was "Deny" as it has to be.</p>
<p>pfSense Packages - Feature #4928 (New): Surftool - New Package to turn squidguard groups(/acls) o...<br /><a class="external" href="https://redmine.pfsense.org/issues/4928">https://redmine.pfsense.org/issues/4928</a> (2015-08-10T07:29:32Z, Heye Reimers)</p>
<p>Manage your squidguard groups/acls. This tool was made for schools. You can set every group very easily to one of five modes. The modes on/off/only/on plus and adminfree are available. This works also with other “target categories” from shalla or own “target categories”.</p>
<p>We made an acl for every classroom, and set specific acls for every classroom (block porn and so on). With this tool you can modify the "Default access [all]" entry very easily. Go to the surftool and click on the button of the classroom. This tool is simple and teacher proof ;-).</p>
<p><img src="surftool.png" alt="" /></p>
<p>The surf tool consists of two modules.<br />- The Web GUI reads the squidguard.conf file and writes the user commands to a separate file<br />- The “surftooldeamon” looks every x seconds for new command files and activates the changes</p>
<p>I built this tool for our school, because other solutions are too expensive for us. I think other schools have this problem too. So I decided to build a pfSense package and hope that it will be added to the pfSense packages.</p>