Saturday, February 07, 2009

Howto: Installing Squid Proxy in pfSense

Setup a Squid Transparent Proxy using pfSense

What is pfSense?
pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

What is Squid?
Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS and other computer network lookups for a group of people sharing network resources, to aiding security by filtering traffic.

Tutorial:

This howto describes how to install and configure Squid using pfSense.
1. First, install pfSense. See documentation here.
2. After you have installed pfSense, open the pfSense webGUI using your pfSense IP address, e.g. http://192.168.1.4/ . Enter the username and password for your pfSense webGUI and you should see this window (Status -> System). This is where we start.
3. Go to the System tab and choose Packages. Scroll down to the squid package and install it by clicking the + (Add) button to the right of that package.
4. The Squid package is now being installed on your pfSense. After the installation has finished, you can start configuring your Squid proxy server.
5. Go to the Services -> Proxy server tab. It will show you the General Setting tab for Squid. You need to set Proxy interface, Allow users on interface, Transparent Proxy, Log store directory, Proxy port and other settings. Hit the Save button at the end of the page to save your proxy settings.
6. Then go to the Cache Management tab. You need to set Hard disk cache size, Hard disk cache location, Memory cache size, Minimum object size, Maximum object size, and any other settings that you want to set. Hit the Save button.
7. Lastly, you need to set Access Control for the proxy server. Hit the Save button to save the configuration.
8. You have now finished installing and configuring the Squid transparent proxy using pfSense. Your Squid proxy server is ready to be used.


Setup a VideoCache on pfSense

This howto covers the process of installing videocache on pfSense. It assumes you have already installed the Squid proxy on pfSense.
1. First, you need to install Python.
• Use the shell terminal or ssh to pfSense and run the following command:
# pkg_add -r python
• Install the additional needed libraries.
# pkg_add -r py25-bsddb
# pkg_add -r py25-gdbm
# pkg_add -r py25-sqlite3
# pkg_add -r py25-tkinter


2. After that, install URLGrabber.
• Download the latest version of urlgrabber from the URLGrabber Download Archive.
# fetch http://linux.duke.edu/projects/urlgrabber/download/urlgrabber-x.x.x.tar.gz
# tar -xzf urlgrabber-x.x.x.tar.gz
# cd urlgrabber-x.x.x
# python setup.py bdist_rpm
# python setup.py install


3. Then, install Iniparse.
• Download the latest version of python-iniparse from the Iniparse Project Website.
# fetch http://iniparse.googlecode.com/files/iniparse-x.x.x.tar.gz
# tar -xzf iniparse-x.x.x.tar.gz
# cd iniparse-x.x.x
# python setup.py bdist_rpm
# python setup.py install


4. Then, install VideoCache.
# fetch http://cachevideos.com/sites/default/files/pub/videocache/videocache/x.x.tar.gz
# tar -xvzf videocache-x.x.tar.gz
# cd videocache-x.x
# python setup.py install


5. Configure VideoCache.
• Using vi, edit the /etc/videocache.conf file and set the following options:
- proxy: Set the IP address and port on which squid is listening on pfSense.
- cache_host: The IP address of pfSense.
6. Configure Squid.
• Add the following lines to /usr/local/pkg/squid.inc after acl.

# --BEGIN-- videocache config for squid
url_rewrite_program /usr/bin/python /usr/share/videocache/videocache.py
url_rewrite_children 10
acl videocache_allow_url url_regex -i \.youtube\.com\/get_video
acl videocache_allow_url url_regex -i \.cache[a-z0-9]?[a-z0-9]?[a-z0-9]?\.googlevideo\.com\/videoplayback
acl videocache_allow_url url_regex -i \.cache[a-z0-9]?[a-z0-9]?[a-z0-9]?\.googlevideo\.com\/get_video
acl videocache_allow_url url_regex -i proxy\-[0-9][0-9]\.dailymotion\.com\/
acl videocache_allow_url url_regex -i [a-z0-9][0-9a-z][0-9a-z]?[0-9a-z]?[0-9a-z]?\.xtube\.com\/(.*)flv
acl videocache_allow_url url_regex -i bitcast\.vimeo\.com\/vimeo\/videos\/
acl videocache_allow_url url_regex -i va\.wrzuta\.pl\/wa[0-9][0-9][0-9][0-9]?
acl videocache_allow_url url_regex -i \.files\.youporn\.com\/(.*)\/flv\/
acl videocache_allow_url url_regex -i \.msn\.com\.edgesuite\.net\/(.*)\.flv
acl videocache_allow_dom dstdomain v.mccont.com vp.video.google.com dl.redtube.com
acl videocache_deny_url url_regex -i http:\/\/[a-z][a-z]\.youtube\.com http:\/\/www\.youtube\.com
url_rewrite_access deny videocache_deny_url
url_rewrite_access allow videocache_allow_url
url_rewrite_access allow videocache_allow_dom
redirector_bypass on
# --END-- videocache config for squid


• Save and restart the squid service and you have videocache running on your pfSense.
P.S.: You need to disable the https option in the General Setup Settings.
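
Added example, not part of the original post: a small Python model of how Squid evaluates the url_rewrite_access rules above, useful for checking which URLs would actually be handed to the videocache helper before you restart the proxy. It uses a constructed subset of the ACL lines, assumes Python's re module behaves like Squid's regex engine for these simple patterns, does not handle negated (!) ACL names, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit
# Constructed subset of the squid.inc fragment above (one directive per line).
CONFIG = r"""
acl videocache_allow_url url_regex -i \.youtube\.com\/get_video
acl videocache_allow_url url_regex -i bitcast\.vimeo\.com\/vimeo\/videos\/
acl videocache_allow_dom dstdomain v.mccont.com vp.video.google.com dl.redtube.com
acl videocache_deny_url url_regex -i http:\/\/[a-z][a-z]\.youtube\.com http:\/\/www\.youtube\.com
url_rewrite_access deny videocache_deny_url
url_rewrite_access allow videocache_allow_url
url_rewrite_access allow videocache_allow_dom
"""

def parse(config):
    """Collect ACL tests by name (same-name lines are OR'ed) and ordered rules."""
    acls, rules = {}, []
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "acl" and tok[2] == "url_regex":
            flags = re.I if "-i" in tok[3:] else 0
            acls.setdefault(tok[1], []).extend(
                ("re", re.compile(p, flags)) for p in tok[3:] if p != "-i")
        elif tok[0] == "acl" and tok[2] == "dstdomain":
            acls.setdefault(tok[1], []).extend(("dom", d.lower()) for d in tok[3:])
        elif tok[0] == "url_rewrite_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(tests, url):
    host = (urlsplit(url).hostname or "").lower()
    for kind, val in tests:
        if kind == "re" and val.search(url):
            return True
        # dstdomain: exact host, or any subdomain when written with a leading dot
        if kind == "dom" and (host == val.lstrip(".") or
                              (val.startswith(".") and host.endswith(val))):
            return True
    return False

def sent_to_helper(url, acls, rules):
    """True if Squid would pass this URL to url_rewrite_program."""
    for action, names in rules:  # first rule whose ACLs all match wins
        if all(acl_matches(acls[n], url) for n in names):
            return action == "allow"
    # No match: Squid applies the opposite of the last rule's action.
    return rules[-1][0] != "allow" if rules else True
ACLS, RULES = parse(CONFIG)
```

Because the deny rule is listed first, a get_video request on www.youtube.com never reaches the helper even though it also matches videocache_allow_url; anything matching no rule is kept away from the helper as well, since the last rule is an allow.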

14 comments:

Mihai said...

Hi John,

I ran into some problems trying to make it work.

I'm using pfsense 1.2.2 with squid 2.6.21_08 and squidguard 1.3-2 in transparent mode

I had to use pkg_add pointing to the new location of repositories.
The system was trying to grab them from ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-release/Latest/*****

# pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/python.tbz

•Install the additional needed libraries.
# pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/py25-bsddb.tbz
# pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/py25-gdbm.tbz
# pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/py25-sqlite3.tbz
# pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/py25-tkinter.tbz
# pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/py25-urlgrabber.tbz
# pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/py25-iniparse.tbz

videocache moved here now
http://videocache.codeplex.com/

I configured the /etc/videocache.conf and squid.inc to have the extra acl lines

Rebooted the pfsense just to be safe. The service came out fine.
I'm watching some youtube videos but I don't see them in the /var/spool/videocache/youtube directory.
The /var/log/videocache show nothing. I mean no entries or files are created.

I tried removing the squidguard from the redirector stance and rebooted but still no video copied in the /var/spool/videocache/youtube directory and no logs.

Mishou

Johncrackernet said...

Please refer:
http://doc.pfsense.org/index.php/Setup_Squid_as_a_Transparent_Proxy

http://doc.pfsense.org/index.php/Setup_VideoCache_with_Squid

fishanisha said...

Hi, thanks for the subject, it's interesting.
I have a problem: when accessing System/Packages, I can't find any package and I have an error message about connecting to pfsense.com. Is the internet the only problem I have? Or do I have to install the snort package manually first?
I'm using pfSense on VMware; how can I configure it so it connects to the internet?

max chock said...

hi,

I'm running pfSense 2.0 beta. I'm wondering why I can't find squid in the packages list. Does that mean it has been installed by default?

Thanks for helping.
Max.

Squidblacklist said...

We are the world's leading publisher of Squid 'Native ACL' formatted blacklists, that allow for web filtering directly with Squid proxy. Of course we also offer alternative formats for the most widely used third party plugins, such as DansGuardian and Squidguard. And while our blacklists are subscription based, they are as a result of our efforts, of a much higher degree of quality than the free alternatives.

We hope to serve you,

--
Signed,

Benjamin E. Nichols
http://www.squidblacklist.org