We did a hangout walk though on this. It explains everything you need to know:
https://youtu.be/xm_wEezrWf4

Steve

How is any of that configured? What are those IP addresses? What's working/not working?

Steve

@gwaitsi

No. I just gave up on it. There was another package being developed that I tinkered with for a bit but it never showed up in the repo so I never moved to it. Any SSL intercept is a MITM attack. It works in our client's Sonicwall units without issue (except for the DOJ) by just a checkbox. I'd put so much time into trying to get this working I just gave up. I didn't realize it'd been 2 years since I last tried getting this working.

So, i did the changes and it worked.

Thanks a lot man!

No I don't.. MITM is breaking the designed security of ssl/tls. Which is meant to be end-end client to server. And sure doesn't meet PCI compliance for example..

Just ask the internet what they think about MITM - which is what Kazakhstan gov is doing ;)
https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/

If your goal is "spying" then sure its a great idea!

Is your goal to spy on you users - you know intercept their back logins, medial record access, etc. There technical reasons why you would offload the ssl connection to a different box - security would not be one of them. Other than say the end server doesn't support or can not run https, so you offload that sort of thing.

At any point you intercept the stream and decode it (so you can view it).. .How does that make the end user feel more secure?

Is your backend not secure? If what you want is to offload the ssl to something else, and put your server behind a reverse proxy ok sure.. Its your server - but what is the pointy of ssl to the backend then - unless your backend is not secure? But yes you can do what your describing -- I do it for my plex server actually? and my ombi server (I just offload the ssl to the ha proxy) the connection to the backend is just then http. With my plex, since behind a cloudflare reverse proxy, and then my ha proxy to be able to share the 443 port it is technically doing mitm... But its just easier - its using whatever cert plex is serving up, etc. And its my server sort of thing.. So the reasons its being done is pure technical in the case of plex.

While the case of ombi in my case its more secure because now the traffic is encrypted over the public internet via ssl, but not on my backend because my backend is secure and the ombi system doesn't have native ssl support, etc.

I didn't not put i a reverse proxy and do mitm on it because its "more" secure then just direct connections to the server - I did the mitm to be able to share the 443 port with other services, etc.

For rare http sites, you should get the default squidguard block page. Because of how https works, blocked https sites will result in a browser error page.

thread is obsolete now (at least for us): moved the containers to an external host and solved the forwarding within traefik. thanks all ...

Deleting squid logs will have no effect on how it works. If you delete logs and then restart squid, it will create a new log and continue.

Perhaps if you take the time to explain your problem and show your settings?....

Additionally Squid is affected another DoS CVE:
CVE-2019-12525 and CVE-2019-12529 from 3.x to 3.5.28 and from 4.x to 4.7. Now in Package manager Squid version is 3.5.27.

@kiokoman below was the solution

add Loopback to the Proxy Interfaces X-Forwarded Header Mode - Transparent (was - on previously)

and importantly, there is a bug with the "Allow Users on Interface" - it doesn't work!

ACls - Allowed Subnet still needs to have the subnet plus the localhost
192.168.0.0/24
127.0.0.1/32

another thing i found, switching from forwarding to transparent mode, it is necessary to reboot the router.
Not enough to restart the service, or the same ICAP error will occur.

Mixing two tickets. Sorry.

Well, you do it. Start small based on the information available, get one frontend and one backend working and go from there.

Figure out who is using all the bandwidth & how and then start limiting them somehow. Is this a family home? Roommates? A business? If it's streaming video or torrents (which make up the two of the biggest culprits) then good luck with squid. I decided to start paying an extra $20/m to move to an unlimited account for just this reason.

I was unable to access any HTTPS until "Resolve DNS IPv4 First" was enabled.

Thank you, yes 'squidclient -h 127.0.0.1 -p 3128 mgr:info' is an invaluable resource. So many requests go through with no hassle that the Median Service Times look relatively normal.

His point is caching of http or https traffic in the hope of speeding it up for local access is pretty pointless. Unless your doing mitm on your https, there is nothing to cache. And http is pretty much gone anyway - and even if just http, its dynamic generated sites.. There is really nothing to actually cache.

The browser caches stuff anyway that can be cached - since its on the end of the https tunnel..

Other than filtering traffic, there isn't much to thinking your going to cache all that much data with your proxy these days.

Its not like the client is going to be downloading the 20KB logo image of some website 100 times a day.. The browser will cache that, etc.

Go to Diagnostics - States and reset your states. Existing states are not affected by a block rule change.

@hcurren Why not configure the IP of the docker machine as DNS server for the DHCP pool?

@nateliv Stay away from the Load Balancer because:

https://redmine.pfsense.org/issues/9386

If you must have your load balancer on pfSense, HAProxy is the way forward. You can put one certificate on the front end and it can load balance X backends.

Which device has the issue? PC, android or iPhone?