@mare said in Adding Certificate Authority for SquidGuard MITM: I get the error message that the certificate is self-signed. That might help, because Chrome is always smart ...hmmmm.... from version 58, the self-signed certificate must have the right domain name in the SAN... https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate

Hi, I'm not expert about Pfsense, but the Target Categories are filled by you. Or, are you talking about the black lists? In that case, you can decompress and open with a notepad every list.

Yeah haproxy would be better choice for sure. And with 2.5 and the update to openssl 1.1.1 you should be able to update to tls 1.3 even.

@nandoiin The log log-unixsocket and logfiles are managed by the syslog service. As such how big the logfiles are made is controlled in the generic pfSense logging settings. Though if your really interested in the logs for longer periods you should probably log them to a remote syslog server.

Update, Fixed the problem had to do some tweaking on the NextCloud Server also on the other Servers. Tweak on Nextcloud Server 'overwriteprotocol' => 'https', also had to change upload File Size.

@nikpony said in Cannot operate with transparent option: DNS Forwarding or Resolve? I definitely recommend the Unbound resolver

@aGeekhere said in Squid's new SslBump Peek and Splice for https caching?: maybe QoS3 If the server, some proxy device and the client (browser) all install the needed modules .... It would become one hack of a standard before such a thing gets implemented. Typically, this will be needing 3 admins implementing software on their side,as end users often don't know what a 'proxy' is. @High_Voltage said in Squid's new SslBump Peek and Splice for https caching?: to scan with clamav the data in the ssl transmission, NOT just to cache it. That would be my main reason to centralize (== cache ?) downstream data. As far as I know, only 'mails' are handled like this these days. That is, if you run your own mail server (like running some proxy). This takes down a huge security issue already. Btw : You're happy, you control all your devices. Those you don't : they go into the non trusted network. When these need access to local trusted resources like NAS : it will be a case by case consideration.

@aGeekhere said in squid blocking things I want to access (access denied for inter-LAN devices): you can get the refresh patten here https://github.com/mmd123/squid-cache-dynamic_refresh-list/pulls I know, I'm the one that made that repo xD No, the problem is I forgot it needs to be run in custom MITM mode to actually work with caching things properly, and by the time I realized that last night it was like 2am, so I went to sleep, I'll be back to work on it later today @aGeekhere

@Derelict i think not tested yet but on the toDo list that the problem was that apache log format was not changed. so that either the gui option nor the advanced option was processed by apache so next step is to check if its workin without advanced setting. keep you posted NP