====== PFSense - Squid - Setup completely ======
===== Step 1. Configuring the root Certificate Authority (rootCA) =====
Navigate to **System -> Cert Manager**.
Click the green **Add** button.
Populate:
* Descriptive Name: **SquidCA**.
* Method: **Create an internal Certificate Authority**. Leave at the default.
* Key length (bits): **2048**. Leave at the default.
* Digest Algorithm: **sha256**. Leave at the default.
* Lifetime (days): **3650**.
* Common Name: **internal-ca**. Leave at the default.
* Country Code: **JE**.
* State or Province: **Jersey**.
* City: **St. Helier**
* Organization: **ShareWiz**.
* Organizational Unit: **IT**.
{{:pfsense:squid:pfsense_cert_manager_ca_create.png?800|}}
**NOTE:** Alternatively, create the CA outside of pfSense with OpenSSL and import it afterwards.
Generate the CA private key:
<code>
openssl genrsa -out myProxyCA.key 2048
</code>
This creates an RSA private key file named myProxyCA.key, which is used to sign the CA certificate (PEM file) generated next.
Create a self-signed CA certificate with that key:
<code>
openssl req -x509 -new -nodes -key myProxyCA.key -sha256 -days 365 -out myProxyCA.pem
</code>
This prompts for the certificate subject fields:
Country Name (2 letter code) [AU]:**JE**
State or Province Name (full name) [Some-State]:**Jersey**
Locality Name (eg, city) []:**St. Helier**
Organization Name (eg, company) [Internet Widgits Pty Ltd]:**ShareWiz**
Organizational Unit Name (eg, section) []:**IT**
Common Name (e.g. server FQDN or YOUR name) []:**sharewiz.net**
Email Address []:
At this point you should have two files:
<code>
myProxyCA.pem
myProxyCA.key
</code>
Import this CA into pfSense:
* Navigate to **System -> Cert Manager**.
* Click the green **Add** button.
* Descriptive Name: **SquidCA**.
* Method: **Import an existing Certificate Authority**.
* Certificate data: **Paste the contents of the myProxyCA.pem file**.
* Certificate Private Key (optional): **Paste the contents of the myProxyCA.key file**.
* Serial for next certificate: **1**.
* Save and apply.
{{:pfsense:squid:pfsense_cert_manager_ca_view.png?800|}}
----
===== Step 2. Configuration of Squid =====
Navigate to **Services -> Squid Proxy Server**.
On the **General Settings** tab:
==== Squid General Settings ====
* Enable Squid Proxy: **Checked**.
* Keep Settings/Data: **Checked**.
* Proxy Interface(s): **LAN & Loopback**.
* Proxy Port: **3128**. You can change this to a custom one if you like.
* Allow Users on Interface: **Yes**.
* Resolve DNS IPv4 First: **Checked**.
{{:pfsense:squid:pfsense_squid_general_settings.png?800|}}
==== Transparent Proxy Settings ====
* Transparent HTTP Proxy: **Checked**.
* Transparent Proxy Interface(s): **LAN**.
{{:pfsense:squid:pfsense_squid_transparent_proxy_settings.png?800|}}
==== SSL Man In the Middle Filtering ====
* HTTPS/SSL Interception: **Checked**.
* SSL/MITM Mode: **Splice All**. In this mode Squid only reads the server name (SNI) from the TLS handshake for filtering and passes the connection through without decrypting it.
* SSL Intercept Interface(s): **LAN**.
* SSL Proxy Compatibility Mode: **Modern**.
* DHParams Key Size: **2048**.
* CA: **SquidCA**. The Certificate Authority created earlier.
* Remote Cert Checks: **Do not verify remote certificates**.
* Certificate Adapt: **Sets the "Not Before" (setvalidbefore)**.
{{:pfsense:squid:pfsense_squid_ssl_man_in_the_middle_filtering.png?800|}}
==== Logging Settings ====
* Enable Access Logging: **Checked**.
* Log Store Directory: **/var/squid/logs**. The default.
* Rotate Logs: **7**.
* Log Pages Denied by SquidGuard: **Not checked**.
{{:pfsense:squid:pfsense_squid_logging_settings.png?800|}}
==== Advanced Features ====
* Custom Options (SSL/MITM):
<code>
# YouTube: ACL matching ytimg.com and all of its subdomains
acl serverIsYoutube ssl::server_name .ytimg.com
#acl serverIsYoutube ssl::server_name .youtube.com
# Splice (pass through without decrypting) all the rest.
# Note: the serverIsYoutube ACL above is defined but not referenced by any ssl_bump rule.
ssl_bump splice all
</code>
{{:pfsense:squid:pfsense_squid_advanced_features.png?800|}}
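As an added example (not from this page or the pfSense Squid package), the Python model below shows how Squid evaluates the Custom Options above: an `ssl::server_name` pattern with a leading dot matches the domain and every subdomain, an entry without the dot matches that exact name only, and `ssl_bump` rules are tried in order with the first match deciding, which is why the serverIsYoutube ACL has no effect under `ssl_bump splice all`. The rule list `VARIANT_RULES` is hypothetical and only shows what referencing the ACL would change; the SNI values are constructed.

```python
"""Model of Squid ssl::server_name matching and first-match ssl_bump evaluation.

Added example, not code from the page or from Squid/pfSense. Assumes Squid's
documented dstdomain-style semantics and that the decision is taken once the
SNI is known (after the 'peek step1' the pfSense package emits).
"""


def domain_matches(pattern: str, name: str) -> bool:
    """'.example.com' covers example.com and *.example.com;
    'example.com' (no leading dot) covers only example.com."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def acl_matches(acl_name: str, acls: dict, sni: str) -> bool:
    """'all' is Squid's built-in always-true ACL; other names are
    ssl::server_name pattern lists defined with 'acl ...'."""
    if acl_name == "all":
        return True
    return any(domain_matches(p, sni) for p in acls.get(acl_name, ()))


def ssl_bump_decision(rules, acls, sni):
    """Return (action, acl_name) of the first ssl_bump rule whose ACL matches
    the SNI, or None when no rule matches."""
    for action, acl_name in rules:
        if acl_matches(acl_name, acls, sni):
            return action, acl_name
    return None


# The page's Custom Options, transcribed by hand (constructed input).
PAGE_ACLS = {"serverIsYoutube": [".ytimg.com"]}
PAGE_RULES = [("splice", "all")]

# Hypothetical variant that actually references the ACL, so the YouTube
# decision becomes visible in the result (not from the page).
VARIANT_RULES = [("splice", "serverIsYoutube"), ("splice", "all")]

if __name__ == "__main__":
    for sni in ("i.ytimg.com", "ytimg.com", "notytimg.com", "example.org"):
        print(sni, ssl_bump_decision(PAGE_RULES, PAGE_ACLS, sni),
              ssl_bump_decision(VARIANT_RULES, PAGE_ACLS, sni))
```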
----
On the **Local Cache** tab:
==== Squid Cache General Settings ====
* Cache Replacement Policy: **LFUDA**.
* Low-Water Mark in %: **90**.
* High-Water Mark in %: **95**.
* Do Not Cache:
<code>
steampowered.com
steamcommunity.com
steamgames.com
steamusercontent.com
steamcontent.com
steamstatic.com
</code>
* Enable Offline Mode: **Not checked**.
* External Cache Managers:
{{:pfsense:squid:pfsense_squid_cache_general_settings.png?800|}}
==== Squid Hard Disk Cache Settings ====
* Hard Disk Cache Size: **50000**.
* Hard Disk Cache System: **aufs**.
* Level 1 Directories: **64**.
* Hard Disk Cache Location: **/var/squid/cache**.
* Minimum Object Size: **0**.
* Maximum Object Size: **2048**.
{{:pfsense:squid:pfsense_squid_hard_disk_cache_settings.png?800|}}
==== Squid Memory Cache Settings ====
* Memory Cache Size: **3072**.
* Maximum Object Size in RAM: **1024**.
* Memory Replacement Policy: **Heap GDSF**.
{{:pfsense:squid:pfsense_squid_memory_cache_settings.png?800|}}
==== Dynamic and Update Content ====
* Cache Dynamic Content: **Checked**.
* Custom refresh_patterns: See [[PFSense:Squid:Refresh Patterns:Squid Refresh Patterns Master List|Squid Refresh Patterns Master List]].
{{:pfsense:squid:pfsense_squid_dynamic_and_update_content.png?800|}}
----
On the **Antivirus** tab:
==== ClamAV Anti-Virus Integration Using C-ICAP ====
* Enable AV: **Checked**.
* Client Forward Options: **Send both client username and IP info (Default)**.
* Enable Manual Configuration: **disabled**.
* Redirect URL: ****.
* Google Safe Browsing: **Checked**.
* Exclude Audio/Video Streams: **Checked**.
* ClamAV Database Update: **every one hour**.
* Regional ClamAV Database Update Mirror: **United Kingdom**.
* Optional ClamAV Database Update Servers: ****.
{{:pfsense:squid:pfsense_squid_clamav_anti-virus_integration_using_c-icap.png?800|}}
----
===== Step 3. Configuration of SquidGuard Proxy filter =====
Navigate to **Services -> SquidGuard Proxy filter**.
On the **General Settings** tab:
==== General Options ====
* Enable: **Checked**.
{{:pfsense:squid:pfsense_squidguard_general_options.png?800|}}
==== LDAP Options ====
* Enable LDAP Filter: **Not checked**.
* LDAP DN: ****.
* LDAP DN Password: ****.
* Strip NT domain name: **Not checked**.
* Strip Kerberos Realm: **Not checked**.
* LDAP Version: **Version 3**.
{{:pfsense:squid:pfsense_squidguard_ldap_options.png?800|}}
==== Logging Options ====
* Enable GUI log: **Checked**.
* Enable log: **Checked**.
* Enable log rotation: **Checked**.
{{:pfsense:squid:pfsense_squidguard_logging_options.png?800|}}
==== Miscellaneous ====
* Clean Advertising: **Checked**.
{{:pfsense:squid:pfsense_squidguard_miscellaneous.png?800|}}
==== Blacklist options ====
* Blacklist: **Checked**.
* Blacklist proxy: ****.
* Blacklist URL: **http://www.shallalist.de/Downloads/shallalist.tar.gz**.
{{:pfsense:squid:pfsense_squidguard_blacklist_options.png?800|}}
----