hey there, were you able to do this?

So match the URL and use http-request deny in the frontend.

https://www.haproxy.com/blog/introduction-to-haproxy-acls/

Hi,

Caching https pages is close to impossible these days.
People want secure connections, the ones that can not be intercepted by no body.
Don't you ?
"No body" includes you.

Before you start thinking about proxying https pages, go have a Youtube tour, and see what https really is. Also look up what HSTS is, while you're at it.

Btw : http pages, very popular in the past, can be cached easily.
When all your network clients trust your proxy, then some https can be cached, but sites using HSTS will still be a no-go. And of course, HSTS was unknown some years ago, pretty standard these days.

No joke : if you manage to make it work, you be the most richest man that ever lived (or the first on the "Most wanted" list ...).

@mare said in Adding Certificate Authority for SquidGuard MITM:

I get the error message that the certificate is self-signed.

That might help, because Chrome is always smart ...hmmmm.... from version 58, the self-signed certificate must have the right domain name in the SAN...

https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate

Hi, I'm not expert about Pfsense, but the Target Categories are filled by you. Or, are you talking about the black lists? In that case, you can decompress and open with a notepad every list.

Yeah haproxy would be better choice for sure. And with 2.5 and the update to openssl 1.1.1 you should be able to update to tls 1.3 even.

@nandoiin
The log log-unixsocket and logfiles are managed by the syslog service. As such how big the logfiles are made is controlled in the generic pfSense logging settings. Though if your really interested in the logs for longer periods you should probably log them to a remote syslog server.

Update,

Fixed the problem had to do some tweaking on the NextCloud Server also on the other Servers.

Tweak on Nextcloud Server
'overwriteprotocol' => 'https',

also had to change upload File Size.

@nikpony said in Cannot operate with transparent option:

DNS Forwarding or Resolve?

I definitely recommend the Unbound resolver

@aGeekhere said in Squid's new SslBump Peek and Splice for https caching?:

maybe QoS3

If the server, some proxy device and the client (browser) all install the needed modules ....
It would become one hack of a standard before such a thing gets implemented.
Typically, this will be needing 3 admins implementing software on their side,as end users often don't know what a 'proxy' is.

@High_Voltage said in Squid's new SslBump Peek and Splice for https caching?:

to scan with clamav the data in the ssl transmission, NOT just to cache it.

That would be my main reason to centralize (== cache ?) downstream data. As far as I know, only 'mails' are handled like this these days. That is, if you run your own mail server (like running some proxy). This takes down a huge security issue already.

Btw : You're happy, you control all your devices.
Those you don't : they go into the non trusted network. When these need access to local trusted resources like NAS : it will be a case by case consideration.

@aGeekhere said in squid blocking things I want to access (access denied for inter-LAN devices):

you can get the refresh patten here https://github.com/mmd123/squid-cache-dynamic_refresh-list/pulls

I know, I'm the one that made that repo xD

No, the problem is I forgot it needs to be run in custom MITM mode to actually work with caching things properly, and by the time I realized that last night it was like 2am, so I went to sleep, I'll be back to work on it later today @aGeekhere

@Derelict

i think not tested yet but on the toDo list
that the problem was that apache log format was not changed.

so that either the gui option nor the advanced option
was processed by apache
so next step is to check if its workin without advanced setting.
keep you posted NP

Anyone out there, tried to get the upload logs with actual file size?

using any method?, please let me know

Some services or programs has connection issues when using a transparent proxy.
So to solve this you use:
WPAD to auto setup manual proxy
Transparent proxy to catch the rest
https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3/189

https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3

Not sure if I did anything, but this randomly started working for me again. Only thing I can think of that changed is Transparent ClientIP is turned off now.

@Kenneth_H
The "aclcrt_SharedOffload" seems to require a subdomain specified..
Have you checked both boxes for the automatic SNI / and SNI-Alternative-name checks.? Or perhaps just remove both those check-boxes that l probably work..

@xuti on web, even on this forum and on YouTube is plenty of how to about this. Sorry but I can't help you to learn this, no have time.

@johnpoz okay... I feel so stupid!

I created a new frontend, selected shared frontend and it works now.
Thanks for your help!