@DaddyGo Thanks I will the second option. May be I will have to something more on Linux, but I will. best regards Kiran

@trilobite said in Proxy: content filtering, IP/DNS filtering, TLS 1.3: I know there is a lot in the Netgate forums but I find much is quite outdated. Because, as you already discovered : the MITM concepts is entering it's final, ending phase. It's getting really hard. It's not only you who tries to enforce privacy. The entire browser - network - server setup goes that way. It's actually you who wants this happening. For all of us. And good rules do not permit exceptions ;) Also : OpenDNS might have some good (never perfect) results as you off-load the tedious and ongoing filtering work to others. And yeah, they will say 'no' if your DNS filtered network was asking for 'p0rn.xxx' domain name. And now they know. Up to you to trust them. If you do not want others to see what you do, then it will be you and your network, which means you'll have to invest in hardware - like a dedicated proxy machine for best results - and lots of your time, which will be an on going battle, as the net and it's tricks and rules change all the time. It might be easier to take control the device your kids are using. PS : Actually happy that mine are over 25.

I had the same problem. Turned off ClamAV in Squid and problem solved.

For android you may have to manually set the proxy for it. Proxy auto config had issues with android.

@rnholvast so how it may work together.. ??? I mean... 3129 port set by default in PFS and port 2128 set in firefox ???

Take a good look at what's getting blocked in your log files, it's easy to break google products because of their spyware/tracking integration.

@PiBa Adding HTTP/1.0\r\nHost:\ hostname to http check brought the backend up. The whole chain then worked. I needed to add the hostname to the http check to get it to work. Thanx for the help.

Can anyone give transparent recommendation what is better to use via squid proxy TLS or SSL ??? and how to set up firefox browser act accordingly? if squid settings tab telling me that squid uses SSL why should I keep TLS active then?

So match the URL and use http-request deny in the frontend. https://www.haproxy.com/blog/introduction-to-haproxy-acls/ [image: 1600614723325-screen-shot-2020-09-20-at-11.09.44-am.png] [image: 1600614739526-screen-shot-2020-09-20-at-11.09.52-am.png]

Hi, Caching https pages is close to impossible these days. People want secure connections, the ones that can not be intercepted by no body. Don't you ? "No body" includes you. Before you start thinking about proxying https pages, go have a Youtube tour, and see what https really is. Also look up what HSTS is, while you're at it. Btw : http pages, very popular in the past, can be cached easily. When all your network clients trust your proxy, then some https can be cached, but sites using HSTS will still be a no-go. And of course, HSTS was unknown some years ago, pretty standard these days. No joke : if you manage to make it work, you be the most richest man that ever lived (or the first on the "Most wanted" list ...).