install and configure squid guard – pfsense

To install the packages, go to the System > Packages menu, open the Available Packages tab and click on the (+) sign next to each package (Squid, SquidGuard and, optionally, LightSquid).


Configure Squid:

Now that the packages are installed it is time to enable Squid, but before doing that a few Squid options need to be configured:

1.) Go to Services > Proxy Server.
2.) Select the interface that Squid listens on; by default your LAN interface is selected.
3.) Change the port that Squid listens on if required; the default is port 3128, and the most common choices are 3128 and 8080.
4.) Ensure that "Allow users on interface" is checked.
5.) If you don't want to use proxy authentication, select "Transparent HTTP Proxy". If you don't configure Squid in transparent mode you will need to configure the proxy settings in each browser manually, or publish a WPAD file through your DHCP server so that clients pick the settings up automatically, and you will also need to configure users and authentication.
6.) If Squid has trouble resolving websites, add alternative DNS servers, separated by semicolons, in the "Use Alternate DNS-Servers for the proxy-server" field.
7.) If you are going to use LightSquid for reports, enable logging by checking the "Enable Logging" box.
8.) Click Save at the bottom of the page; Squid saves your settings and starts the Squid service.

At this point Squid should be working and processing web requests, but there are a few things worth looking at to make Squid more efficient, along with configuring authentication if you chose not to use the transparent proxy option.

Squid Tweak:

First we will look at the local cache settings. The only things you really need to adjust here are the Hard Disk Cache Settings and the Memory Cache Settings; below is an example of how I have changed them:


Let me take a moment to explain the items on this page that matter most:

  • Hard Disk Cache size (in MB) is the amount of disk space the proxy is allowed to use for cached pages.
  • Maximum Object size (in KB) is the largest object that will be put in the cache; anything larger is not cached and is fetched every time it is needed. Set this to a small size if you want speed, or to a larger size if you want to save bandwidth.
  • Memory Cache Size (in MB) is the maximum amount of memory used for cached objects kept in memory for faster retrieval.

You can set these to any values you want depending on the disk space and physical memory available to Squid on your system, but keep in mind that Squid uses roughly 10MB of physical memory per 1GB of disk space used for caching. So you need to ensure there is enough physical memory to cover both the memory used for the disk cache and the memory cache itself.

Here is a quick example:

Say you have 100GB of hard drive space and 1GB of physical RAM available to Squid. You won't be able to use the whole 100GB for the disk cache, as that alone would require the entire 1GB of RAM.
The easiest way to work things out is to allocate the Memory Cache Size first (remembering it may not exceed 50% of the available memory) and then work out how much memory is left for the drive cache.
For example, if we allocate 256MB of RAM to the memory cache, the maximum amount of drive space you can assign to the drive cache would be 74.4GB, or 76334MB (as 1026 MB = 1GB).
Simply put:
   1000  (1GB RAM)
–   256  (256MB Memory Cache)
=   744 / 10 = 74.4 GB

For a more advanced tweak you can raise the vfs.read_max tunable from its default value of 32 under System Tunables in the Advanced system settings to increase the UFS read-ahead speed on your drive (this controls how far ahead the system reads on the drive when pulling data). Be careful with this setting, as setting it too high can make your system unstable; I normally set it to 128 to be safe.

Squid Authentication:

If you decided to leave the Transparent Proxy setting off you will need to configure Squid authentication. There are 5 options to choose from:

  1. None – no authentication is used, similar to transparent mode.
  2. Local – usernames and passwords are configured under the Users tab.
  3. LDAP – users and passwords are verified against an LDAP server or Active Directory server.
  4. RADIUS – users and passwords are verified against a RADIUS server, either on another server or the local FreeRADIUS configuration on the pfSense box.
  5. NT domain – for use with Windows 2000 Active Directory and earlier NT domains on older NT servers.

Local authentication is the simplest to set up (apart from None, which requires no setup at all): set the Authentication method to Local and then add users via the Users tab.

If you want to use LDAP authentication, change your settings to match the image below:

Replace "ldapserver.example.com" with your LDAP server's host name or IP address, set the LDAP version to match your LDAP server (2 or 3), and replace the DN entries with your own (USER = your username, USERS = the container name, EXAMPLE = your domain).
If you would like to manage users' access via a group, you can use the following in the LDAP search filter:
(&(memberOf=CN=Group Name,CN=Users,DC=example,DC=com)(sAMAccountName=%s))
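As an added illustration (not code from the tutorial or from Squid), the Python model below shows what filling the %s placeholder in that filter has to look like: the login name must be escaped per RFC 4515 before substitution, otherwise filter metacharacters in a name would be read as filter syntax and change which entries the query matches. Squid's LDAP helper does the substitution itself; the helper's own escaping is outside what the tutorial covers, so treat this purely as a model.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter.
# Each metacharacter becomes a backslash followed by its hex code.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Group-restricted filter from the tutorial; %s is where the login name goes.
FILTER_TEMPLATE = (
    "(&(memberOf=CN=Group Name,CN=Users,DC=example,DC=com)"
    "(sAMAccountName=%s))"
)


def escape_ldap_filter_value(value):
    """Escape a user-supplied value so it can only ever match literally."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username, template=FILTER_TEMPLATE):
    """Substitute the (escaped) login name for %s in the search filter."""
    return template.replace("%s", escape_ldap_filter_value(username))


if __name__ == "__main__":
    # Constructed sample names: a normal login and one containing metacharacters.
    for name in ("jdoe", "j*doe"):
        print(build_filter(name))
```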

To use RADIUS, change the authentication server to point at your RADIUS server and then enter the RADIUS secret at the bottom of the page.

Remember to click Save to store any changes and restart Squid after making any changes, before clicking on another tab.

Configure SquidGuard:

Before SquidGuard will start filtering web content you need to either download and configure a blacklist or create your own Target Categories. Once that is done, check the Enable box, hit Save and then Apply to apply the changes and start the SquidGuard service.

To download a blacklist, search the web for free blacklists and get the URL; I normally use the Shalla blacklists as they are updated regularly and are free. Click on the Blacklist tab, paste or type the URL of the blacklist into the blacklist update field and click Download.

Once the blacklist download has completed, go back to the General Settings page, check the Enable box, then click Save and Apply.

Keep in mind that the default access rule in the ACLs is deny, so before you enable or apply these settings I would suggest setting the default access to allow under the Common ACL tab, along with configuring what you would like to block and allow, as follows:

Configure BLACKLIST GROUPS – ALLOW OR DENY PROXY FILTER GROUPS

1.) Go to Services > Proxy Filter.


2.) To change blacklist categories, select 'Common ACL'.


3.) Select ‘(click here)’ to display all of the blacklist category rules.


4.) Select 'Allow' or 'Deny' for each category to block or permit it accordingly.


5.) Click ‘Save’ at the bottom of page when done.


6.) Select ‘General Settings’ > Save > Apply, to apply all changes made previously.

ALWAYS REMEMBER TO SAVE YOUR CHANGES TWICE – ONCE UNDER YOUR SUB MENU AND ONCE UNDER GENERAL SETTINGS THEN CLICK APPLY TO APPLY SAVED CHANGES.


PROXY FILTER – CUSTOM CATEGORIES / INDIVIDUAL RULES

1.) Go to Services > Proxy Filter.


2.) Select 'Target categories'. This is where you create the custom blacklists / whitelists that you then apply under Services > Proxy Filter > Common ACL > Target Rules.

Click the highlighted button to edit.


3.) Filter by domain, URL or regular expression. Each custom category can then be set to Allow or Deny under Services > Proxy Filter > Common ACL > 'click here' menu.


Click Save once you've edited as needed.


4.) Select ‘General Settings’ > Save > Apply, to apply all changes made previously.

ALWAYS REMEMBER TO SAVE YOUR CHANGES TWICE – ONCE UNDER YOUR SUB MENU AND ONCE UNDER GENERAL SETTINGS THEN CLICK APPLY TO APPLY SAVED CHANGES.

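As an added illustration (not part of the tutorial or of squidGuard's own code), the Python model below shows how the three kinds of Target Category entries are matched against a request, so you can see which entries catch which URLs before committing them in the GUI. It assumes squidGuard's documented semantics: a domain entry matches that host and all of its subdomains, a URL entry is a scheme-less host/path prefix, and an expression is a regular expression tested against the whole URL (case-insensitively here); the category contents and URLs are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample category with one entry of each kind (hypothetical content).
CATEGORY = {
    "domains": ["example.com", "ads.example.net"],
    "urls": ["video.example.org/watch"],
    "expressions": [r"\.(exe|msi)$"],
}


def _host_matches_domain(host, domain):
    # A domain entry covers the domain itself and every subdomain, but not a
    # host that merely ends with the same characters (example.com.evil.test).
    return host == domain or host.endswith("." + domain)


def match_category(url, category):
    """Return which kind of entry matched ('domain', 'url', 'expression') or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    for domain in category["domains"]:
        if _host_matches_domain(host, domain.lower()):
            return "domain"
    # URL entries are written without a scheme and match as host/path prefixes,
    # so 'video.example.org/watch' catches /watch and /watch/... but not /watchlist.
    request = host + path
    for entry in category["urls"]:
        entry = entry.lower().rstrip("/")
        if request == entry or request.startswith(entry + "/"):
            return "url"
    for expr in category["expressions"]:
        if re.search(expr, url, re.IGNORECASE):
            return "expression"
    return None


def decide(url, category, category_action="deny", default_action="allow"):
    """Model the Common ACL: a matched category gets its action, everything else the default."""
    return category_action if match_category(url, category) else default_action


if __name__ == "__main__":
    for sample in ("http://www.example.com/", "http://example.com.evil.test/",
                   "http://video.example.org/watchlist", "http://files.test/setup.exe"):
        print(sample, "->", match_category(sample, CATEGORY), decide(sample, CATEGORY))
```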

Now you should have a fully operational web proxy and proxy filter running and ready to go. Depending on how you've decided to configure things, you should now be either speeding up your browsing experience or using less bandwidth, as well as blocking some sites you don't want accessed (such as porn or even YouTube).

*NB: if you have decided to use the transparent proxy, be aware that secure sites (sites using HTTPS) are not passed through the proxy or the proxy filter; they pass through the firewall directly. If you want HTTPS traffic to go through the proxy, you will need to configure Squid without transparent mode.

Configure LightSquid (optional):

Now that you have configured Squid and have been using it for a while, you may want to see how much bandwidth is actually being used by web browsing, which sites are visited most, or which user is using the most bandwidth. That's where LightSquid comes in.

LightSquid is a lightweight, web-based reporting tool (unfortunately the reports aren't exportable, but it is still handy) that is very easy to set up on pfSense.

To configure or access LightSquid, go to Status > Proxy Report.

On the settings page you only need to change a few settings:

  1. Change the Language to your preferred language.
  2. Select the IP resolve method; do not leave it on "demo" (the options are explained on the page).
  3. Change the refresh schedule.
  4. Click on the Refresh Full button to generate the report.

To view your reports, click on the LightSquid Report tab to access the reports that have been generated.

**NB: for the reports to work you need to have enabled Squid logging under the Squid settings and kept the default log directory of "/var/squid/log".

Well, that's all for our episode today; feel free to drop a comment if you have any further questions.

courtesy: http://www.theninjageek.co.za/blog/2013/06/06/the-pfsense-walkthrough-part-3-squid3-and-squidguard-proxy-filter/