After playing with it some more, I determined that the only extra
rules I need are:

    always_direct deny all
    never_direct allow all

After doing this, when the upstream M86 / R3000 content filter proxy
blocks access to a site, trying to get to it through squid using https
just results in a blank page in Firefox, or "can't display the
webpage" for IE, which is what I am expecting.
All pfSense firewall rules can be removed other than a single one: LAN
block any address/port to any WAN address/port. This rule blocks all
direct Internet access by clients, but does not prevent squid itself
on pfSense from being able to access the external parent proxy on the
WAN side.
It must have both always_direct and never_direct in there. With only
the "never_direct allow all" and not "always_direct deny all", the
local squid still retrieves content directly, if the upstream content
filtering parent deliberately "misses/denies" 10 retrieval attempts in
a row.
(For googlers of this issue, the actual spelling in the log files is
"temporary", not "temporarily" .... which looks like a spelling error
to me..)
"Temporary disabling (Not Found) digest from"
"Temporary disabling (...) digest"
Received on Wed Oct 05 2011 - 00:30:58 MDT
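
An added example, not part of the original post: a small Python check that a squid.conf carries both rules named above and that picks the "Temporary disabling (...) digest" message out of cache.log text. The peer host name, the sample config and the sample log lines are constructed, and treating the first rule of each directive as the deciding one is an assumption of this checker.

```python
import re

# Constructed samples (peer host name is hypothetical, not from the post).
CONF_WEAK = """cache_peer filter.example.internal parent 8080 0 no-query default
never_direct allow all   # send requests to the parent
"""
CONF_FIXED = CONF_WEAK + "always_direct deny all\n"
LOG = """2011/10/05 00:10:01| Temporary disabling (Not Found) digest from filter.example.internal
2011/10/05 00:10:02| unrelated constructed line
"""

# The two rules the post says must both be present.
REQUIRED = {"always_direct": ("deny", "all"), "never_direct": ("allow", "all")}
# Log text quoted in the post; "(...)" stands for any reason string.
DIGEST_RE = re.compile(r"Temporary disabling \((.*?)\) digest")

def first_rules(conf_text):
    """Return {directive: (action, acl, ...)} for the first rule of each directive."""
    found = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) >= 3 and parts[0] in REQUIRED:
            found.setdefault(parts[0], tuple(parts[1:]))
    return found

def audit_conf(conf_text):
    """List findings that would leave direct retrieval possible per the post."""
    found = first_rules(conf_text)
    problems = []
    for directive, want in REQUIRED.items():
        got, wanted = found.get(directive), " ".join(want)
        if got is None:
            problems.append(f"missing: {directive} {wanted}")
        elif got != want:
            seen = " ".join(got)
            problems.append(f"{directive}: first rule is '{seen}', expected '{wanted}'")
    return problems

def digest_events(log_text):
    """Return the reason strings from 'Temporary disabling (...) digest' lines."""
    return [m.group(1) for m in map(DIGEST_RE.search, log_text.splitlines()) if m]

if __name__ == "__main__":
    print(audit_conf(CONF_WEAK), audit_conf(CONF_FIXED), digest_events(LOG))
```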