Caching https pages is close to impossible these days.
People want secure connections, the ones that cannot be intercepted by anybody.
Don't you?
"Anybody" includes you.
Before you start thinking about proxying https pages, go have a YouTube tour, and see what https really is. Also look up what HSTS is, while you're at it.
Btw: http pages, very popular in the past, can be cached easily.
When all your network clients trust your proxy, then some https can be cached, but sites using HSTS will still be a no-go. And of course, HSTS was unknown some years ago, pretty standard these days.
No joke: if you manage to make it work, you'll be the richest man that ever lived (or the first on the "Most wanted" list ...).
The log log-unixsocket and logfiles are managed by the syslog service. As such, how big the logfiles are made is controlled in the generic pfSense logging settings. Though if you're really interested in the logs for longer periods, you should probably log them to a remote syslog server.
If the server, some proxy device and the client (browser) all install the needed modules ....
It would become one heck of a standard before such a thing gets implemented.
Typically, this will need 3 admins implementing software on their side, as end users often don't know what a 'proxy' is.
to scan with clamav the data in the ssl transmission, NOT just to cache it.
That would be my main reason to centralize (== cache ?) downstream data. As far as I know, only 'mails' are handled like this these days. That is, if you run your own mail server (like running some proxy). This takes down a huge security issue already.
Btw: You're happy, you control all your devices.
Those you don't: they go into the non-trusted network. When these need access to local trusted resources like a NAS, it will be a case-by-case consideration.
No, the problem is I forgot it needs to be run in custom MITM mode to actually work with caching things properly, and by the time I realized that last night it was like 2am, so I went to sleep. I'll be back to work on it later today @aGeekhere
The "aclcrt_SharedOffload" seems to require a subdomain specified.
Have you checked both boxes for the automatic SNI and SNI-Alternative-name checks? Or perhaps just remove both those check-boxes, that'll probably work.