How to configure Squid in pfSense to work with ProxyInspector

If you want to monitor employee web usage through pfSense with ProxyInspector, you can use the Squid package. Squid also gives you:
  • HTTP caching and faster page loads
  • HTTPS inspection

This article describes how to install and configure the Squid package to work with ProxyInspector.

Creating a root certificate

In the control panel, go to System | Cert. Manager | CAs, click the Add button, and create a new root certificate. This certificate must be installed on users' computers in the Trusted Root Certification Authorities section. You can download it by clicking the Export CA button.

Installing Squid package in pfSense

Go to System | Package Manager | Available Packages, enter squid in the Search term field, and install the squid package.

Configuring Squid package parameters in pfSense

Go to Services | Squid Proxy Server and enable the following options:

  • In the Squid General Settings section: Enable Squid Proxy;
  • In the Transparent Proxy Settings section: Transparent HTTP Proxy;
  • In the SSL Man In the Middle Filtering section: HTTPS/SSL Interception, and select the root certificate created earlier (CA parameter);
  • In the Logging Settings section: Enable Access Logging.

How to access Squid / pfSense log files via SSH

In the System | Advanced | Secure Shell section, enable the Secure Shell Server option. You can now download log files using the SCP protocol. By default, the Squid log files are located in the /var/squid/logs/ directory. For SSH/SCP, use the password of the 'Admin' user, but specify 'root' as the username.

For SCP access, you can use any program that supports this protocol. On Windows this can be WinSCP, PSCP from the PuTTY package, SCP from the Cygwin package, etc. Command line for SCP.EXE from Cygwin:

SCP.exe root@*.log*

Command line for PSCP.exe:
PSCP.exe [-pw password] root@*.log*

A dot at the end means downloading into the current directory. In PSCP, you can specify a password on the command line, which allows you to fully automate downloading the log files, but leakage of this password can lead to serious problems, since it is the password used for root SSH access to the firewall.

By default, the pfSense Squid package creates log files in the squid format. This format can be used (in ProxyInspector, choose the squid format in the server properties), but it has a significant drawback: it contains no information about the parameters of the HTTP request or the HTTP referrer. Without them you cannot fully use the capabilities of ProxyInspector (reports on search phrases and viewed videos, CrystalWeb technology). Fortunately, this format can be changed.

Using custom log file format in pfSense Squid package

In the Services | Squid Proxy Server section, disable the option Logging Settings - Enable Access Logging, then click the Show Advanced Options button at the bottom of the page and add the following lines:
logformat squidmimemod %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rp %>st "%{Referer}>h"
access_log /var/squid/logs/access.log squidmimemod
logfile_rotate 90

In ProxyInspector, create a server of type Squid and enter the path to the downloaded log files. Then click the Parse logformat button and, in the window that appears, enter:
logformat squidmimemod %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rp %>st "%{Referer}>h"

Now you can save the server settings and import the log files.
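A check you can run on the downloaded files before importing, to confirm that the lines really use the squidmimemod format above and not the default squid format. This is an added example, not part of ProxyInspector or the original article; the field names, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One named group per token of the squidmimemod logformat, in the same order.
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d{3})\s+(?P<elapsed_ms>-?\d+)\s+(?P<client>\S+)\s+'  # %ts.%03tu %6tr %>a
    r'(?P<squid_status>[A-Z_]+)/(?P<http_status>\d{3})\s+'               # %Ss/%03>Hs
    r'(?P<reply_bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+'          # %<st %rm %ru
    r'(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<server>\S+)\s+'              # %un %Sh/%<A
    r'(?P<mime>\S+)\s+(?P<path>\S+)\s+(?P<request_bytes>\d+)\s+'         # %mt %rp %>st
    r'"(?P<referer>(?:[^"\\]|\\.)*)"\s*$'                                # "%{Referer}>h"
)
INT_FIELDS = ("elapsed_ms", "http_status", "reply_bytes", "request_bytes")

def parse_line(line):
    """Return a dict for one squidmimemod line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    # Squid writes "-" for an absent value (no user, no MIME type, no Referer).
    for name in ("user", "mime", "referer"):
        if rec[name] == "-":
            rec[name] = None
    # Request parameters that the default squid format does not make available.
    rec["query"] = parse_qs(urlsplit(rec["url"]).query)
    return rec

def check_log(lines):
    """Return (parsed records, 1-based numbers of lines that did not match)."""
    records, rejected = [], []
    for number, line in enumerate(lines, start=1):
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            rejected.append(number)
        else:
            records.append(rec)
    return records, rejected

# Constructed sample: two squidmimemod lines, then one default squid-format line.
SAMPLE = [
    '1700000000.123    245 192.168.1.50 TCP_MISS/200 5120 GET http://www.example.com/search?q=squid+logformat - HIER_DIRECT/203.0.113.10 text/html /search?q=squid+logformat 412 "http://www.example.com/"',
    '1700000001.007     12 192.168.1.51 TCP_HIT/200 880 GET http://www.example.com/logo.png - HIER_NONE/- image/png /logo.png 390 "-"',
    '1700000002.500     30 192.168.1.52 TCP_MISS/200 1024 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html',
]
```

Rejected line numbers at the start of a file usually mean those entries were written before the custom logformat was applied.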

Tags: Squid, pfSense, log files, ProxyInspector, https