Table of Contents
PFSense - Squid - Setup completely
Step 1. Configuring the root Certificate Authority (rootCA)
Navigate to System → Cert Manager.
Click the green Add button.
Populate:
- Descriptive Name: SquidCA.
- Method: Create an internal Certificate Authority. Leave at the default.
- Key length (bits): 2048. Leave at the default.
- Digest Algorith: sha256. Leave at the default.
- Lifetime (days): 3650.
- Common Name: internal-ca. Leave at the default.
- Country Code: JE.
- State or Province: Jersey.
- City: St. Helier
- Organization: ShareWiz.
- Organizational Unit: IT.
NOTE: Alternatively create the CA externally of pfSense.
openssl genrsa -out myProxyCA.key 2048
This will create an rsa key file named myProxyCA.key that we use to sign the pem file we will generate next.
Create a pem file signed with the key:
openssl req -x509 -new -nodes -key myProxyCA.key -sha256 -days 365 -out myProxyCA.pem
This will prompt you to answer some questions to generate the pem file:
Country Name (2 letter code) [AU]:**JE** State or Province Name (full name) [Some-State]:**Jersey** Locality Name (eg, city) []:**St. Helier** Organization Name (eg, company) [Internet Widgits Pty Ltd]:**ShareWiz** Organizational Unit Name (eg, section) []:**IT** Common Name (e.g. server FQDN or YOUR name) []:**sharewiz.net** Email Address []:
At this point you should have 2 files:
myProxyCA.pem myProxyCA.key
Import this CA into pfSense:
- Navigate to System → Cert Manager.
- Click the green Add button.
- Descriptive Name: SquidCA.
- Method: Import an existing Certificate Authority.
- Certificate data: Copy \ Paste the info from myProxyCA.pem file.
- Certificate Private Key (optional): Copy \ Paste the info from myProxyCA.key file.
- Serial for next certificate: 1.
- Save and apply.
Step 2. Configuration of Squid
Navigate to Services → Squid Proxy Server.
On the General Settings tab:
Squid General Settings
- Enable Squid Proxy: Checked.
- Keep Settings/Data: Checked.
- Proxy Interface(s): LAN & Loopback.
- Proxy Port: 3128. You can change this to a custom one if you like.
- Allow Users on Interface: Yes.
- Resolve DNS IPv4 First: Checked.
Transparent Proxy Settings:
- Transparent HTTP Proxy: Checked.
- Transparent Proxy Interface(s): LAN.
SSL Man In the Middle Filtering
- HTTPS/SSL Interception: Checked.
- SSL/MITM Mode: Splice All.
- SSL Intercept Interface(s): LAN.
- SSL Proxy Compatibility Mode: Modern.
- DHParams Key Size: 2048.
- CA: SquidCA. The Certificate Authority created earlier.
- Remote Cert Checks: Do not verify remote certificates.
- Certificate Adapt: Sets the “Not Before” (setvalidbefore).
Logging Settings
- Enable Access Logging: Checked.
- Log Store Directory: /var/squid/logs. The default.
- Rotate Logs: 7.
- Log Pages Denied by SquidGuard: Not checked.
Advanced Features
- Custom Options (SSL/MITM):
# YouTube acl serverIsYoutube ssl::server_name .ytimg.com #acl serverIsYoutube ssl::server_name .youtube.com # splice all the rest ssl_bump splice all
On the Local Cache tab:
Squid Cache General Settings
- Cache Replacement Policy: LFUDA.
- Low-Water Mark in %: 90.
- High-Water Mark in %: 95.
- Do Not Cache:
steampowered.com steamcommunity.com steamgames.com steamusercontent.com steamcontent.com steamstatic.com
- Enable Offline Mode: Not checked.
- External Cache Managers:
Squid Hard Disk Cache Settings
- Hard Disk Cache Size: 50000.
- Hard Disk Cache System: aufs.
- Level 1 Directories: 64.
- Hard Disk Cache Location: /var/squid/cache.
- Minimum Object Size: 0.
- Maximum Object Size: 2048.
Squid Memory Cache Settings
- Memory Cache Size: 3072.
- Maximum Object Size in RAM: 1024.
- Memory Replacement Policy: Heap GDSF.
Dynamic and Update Content
- Cache Dynamic Content: Checked.
- Custom refresh_patterns: SEE Squid Refresh Patterns Master List.
On the Antivirus tab:
ClamAV Anti-Virus Integration Using C-ICAP
- Enable AV: Checked.
- Client Forward Options: Send both client username and IP info (Default).
- Enable Manual Configuration: disabled.
- Redirect URL: <blank>.
- Google Safe Browsing: Checked.
- Exclude Audio/Video Streams: Checked.
- ClamAV Database Update: every one hour.
- Regional ClamAV Database Update Mirror: United Kingdom.
- Optional ClamAV Database Update Servers: <Blank>.
Step 3. Configuration of SquidGuard Proxy filter
Navigate to Services → SquidGuard Proxy filter.
On the General Settings tab:
General Options
- Enable: Checked.
LDAP Options
- Enable LDAP Filter: Not checked.
- LDAP DN: <Blank>
- LDAP DN Password: <Blank>.
- Strip NT domain name: Not checked.
- Strip Kerberos Realm: Not checked.
- LDAP Version: Version 3.
Logging Options
- Enable GUI log: Checked.
- Enable log: Checked.
- Enable log rotation: Checked.
Miscellaneous
- Clean Advertising: Checked.
Blacklist options
- Blacklist: Checked.
- Blacklist proxy: <Blank>.
- Blacklist URL: http://www.shallalist.de/Downloads/shallalist.tar.gz.
