• My proxy not block youtube some computers

    2
    0 Votes
    2 Posts
    473 Views
    KOMK
    There must be a domain involved that you aren't blocking. If you see them watching YouTube, check Squid's access log to see where they actually are going.
  • SquidGuard Error Page - Redirects to the IP not the SSL Domain

    Moved
    2
    0 Votes
    2 Posts
    268 Views
    stephenw10S
    Hmm, you could try using the url mode redirect method. Or maybe one of the other redirect methods. Steve
  • squid + squidguard blocking an app

    2
    0 Votes
    2 Posts
    477 Views
    KOMK
    Those are probably CDNs hosting the videos, and you may end up playing whack-a-mole trying to whitelist them all. Either allow IP addresses globally, or create an ACL for just your wife and allow them there.
  • (54) Connection reset by peer (TLS code: SQUID_ERR_SSL_HANDSHAKE)

    1
    0 Votes
    1 Posts
    269 Views
    No one has replied
  • How to block Google search keyword

    3
    0 Votes
    3 Posts
    310 Views
    A
    you can also force google and bing into safe mode
  • Squid Reverse proxy error with https

    1
    0 Votes
    1 Posts
    518 Views
    No one has replied
  • Squidguard Https block page not showing

    Moved squidguard
    14
    0 Votes
    14 Posts
    5k Views
    stephenw10S
    We did a hangout walk through on this. It explains everything you need to know: https://youtu.be/xm_wEezrWf4 Steve
  • Pfsense+Mikrotik+Squid

    Moved
    2
    0 Votes
    2 Posts
    519 Views
    stephenw10S
    How is any of that configured? What are those IP addresses? What's working/not working? Steve
  • HTTPS Filtering + Splice All gives certificate issues

    7
    0 Votes
    7 Posts
    5k Views
    S
    @gwaitsi No. I just gave up on it. There was another package being developed that I tinkered with for a bit but it never showed up in the repo so I never moved to it. Any SSL intercept is a MITM attack. It works in our client's Sonicwall units without issue (except for the DOJ) by just a checkbox. I'd put so much time into trying to get this working I just gave up. I didn't realize it'd been 2 years since I last tried getting this working.
  • Squid non-transparent blocks VPN address

    8
    0 Votes
    8 Posts
    918 Views
    T
    So, I did the changes and it worked. Thanks a lot man!
  • Certificat Front End/ Back End

    6
    0 Votes
    6 Posts
    755 Views
    johnpozJ
    No I don't.. MITM is breaking the designed security of ssl/tls. Which is meant to be end-end client to server. And sure doesn't meet PCI compliance for example.. Just ask the internet what they think about MITM - which is what Kazakhstan gov is doing ;) https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/ If your goal is "spying" then sure it's a great idea! Is your goal to spy on your users - you know intercept their bank logins, medical record access, etc. There are technical reasons why you would offload the ssl connection to a different box - security would not be one of them. Other than say the end server doesn't support or can not run https, so you offload that sort of thing. At any point you intercept the stream and decode it (so you can view it).. How does that make the end user feel more secure? Is your backend not secure? If what you want is to offload the ssl to something else, and put your server behind a reverse proxy ok sure.. It's your server - but what is the point of ssl to the backend then - unless your backend is not secure? But yes you can do what you're describing -- I do it for my plex server actually? and my ombi server (I just offload the ssl to the ha proxy) the connection to the backend is just then http. With my plex, since behind a cloudflare reverse proxy, and then my ha proxy to be able to share the 443 port it is technically doing mitm... But it's just easier - it's using whatever cert plex is serving up, etc. And it's my server sort of thing.. So the reason it's being done is purely technical in the case of plex. While the case of ombi in my case it's more secure because now the traffic is encrypted over the public internet via ssl, but not on my backend because my backend is secure and the ombi system doesn't have native ssl support, etc.
I did not put in a reverse proxy and do mitm on it because it's "more" secure than just direct connections to the server - I did the mitm to be able to share the 443 port with other services, etc.
  • Squid proxy changing default routes breaks browsing

    7
    0 Votes
    7 Posts
    1k Views
    KOMK
    For rare http sites, you should get the default squidguard block page. Because of how https works, blocked https sites will result in a browser error page.
  • Squid Reverse Proxy Issues

    1
    0 Votes
    1 Posts
    344 Views
    No one has replied
  • HAproxy: right way to redirect old domain?

    9
    0 Votes
    9 Posts
    1k Views
    S
    thread is obsolete now (at least for us): moved the containers to an external host and solved the forwarding within traefik. thanks all ...
  • Squid started but not filter

    4
    0 Votes
    4 Posts
    503 Views
    KOMK
    Deleting squid logs will have no effect on how it works. If you delete logs and then restart squid, it will create a new log and continue. Perhaps if you take the time to explain your problem and show your settings?....
  • HAProxy and WebConfigurator HTTP/2 DDoS CVEs

    7
    0 Votes
    7 Posts
    718 Views
    dragoangelD
    Additionally Squid is affected by other DoS CVEs: CVE-2019-12525 and CVE-2019-12529 from 3.x to 3.5.28 and from 4.x to 4.7. Now in Package manager Squid version is 3.5.27.
  • proxy server is refusing connections - ICAP Error when Antivirus Enabled

    13
    0 Votes
    13 Posts
    4k Views
    4
    @kiokoman below was the solution: add Loopback to the Proxy Interfaces; X-Forwarded Header Mode - Transparent (was - on previously); and importantly, there is a bug with the "Allow Users on Interface" - it doesn't work! ACLs - Allowed Subnet still needs to have the subnet plus the localhost: 192.168.0.0/24 127.0.0.1/32. Another thing I found: switching from forwarding to transparent mode, it is necessary to reboot the router. Not enough to restart the service, or the same ICAP error will occur.
  • HAproxy Setup Help Needed

    Moved
    6
    0 Votes
    6 Posts
    1k Views
    DerelictD
    Mixing two tickets. Sorry. Well, you do it. Start small based on the information available, get one frontend and one backend working and go from there.
  • JavaScript XMLHttpRequest (XHR) - TCP_DENIED/403 HIER_NONE/- text/html

    4
    0 Votes
    4 Posts
    1k Views
    KOMK
    Figure out who is using all the bandwidth & how and then start limiting them somehow. Is this a family home? Roommates? A business? If it's streaming video or torrents (which make up two of the biggest culprits) then good luck with squid. I decided to start paying an extra $20/m to move to an unlimited account for just this reason.
  • Long Request Times

    3
    0 Votes
    3 Posts
    475 Views
    kklouzalK
    I was unable to access any HTTPS until "Resolve DNS IPv4 First" was enabled. Thank you, yes 'squidclient -h 127.0.0.1 -p 3128 mgr:info' is an invaluable resource. So many requests go through with no hassle that the Median Service Times look relatively normal.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.