• Squid non-transparent blocks VPN address

    So, i did the changes and it worked.

    Thanks a lot man!

  • Certificate Front End / Back End

    johnpoz

    No I don't.. MITM is breaking the designed security of ssl/tls, which is meant to be end-to-end, client to server. And it sure doesn't meet PCI compliance, for example..

    Just ask the internet what they think about MITM - which is what the Kazakhstan gov is doing ;)
    https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/

    If your goal is "spying" then sure, it's a great idea!

    Is your goal to spy on your users - you know, intercept their bank logins, medical record access, etc.? There are technical reasons why you would offload the ssl connection to a different box - security would not be one of them. Other than, say, the end server doesn't support or can not run https, so you offload that sort of thing.

    At any point you intercept the stream and decode it (so you can view it).. How does that make the end user feel more secure?

    Is your backend not secure? If what you want is to offload the ssl to something else, and put your server behind a reverse proxy, ok sure.. It's your server - but what is the point of ssl to the backend then - unless your backend is not secure? But yes, you can do what you're describing -- I do it for my plex server actually, and my ombi server (I just offload the ssl to the ha proxy); the connection to the backend is then just http. With my plex, since it's behind a cloudflare reverse proxy, and then my ha proxy to be able to share the 443 port, it is technically doing mitm... But it's just easier - it's using whatever cert plex is serving up, etc. And it's my server, sort of thing.. So the reason it's being done is purely technical in the case of plex.

    While in the case of ombi, in my case it's more secure because now the traffic is encrypted over the public internet via ssl, but not on my backend, because my backend is secure and the ombi system doesn't have native ssl support, etc.

    I did not put in a reverse proxy and do mitm on it because it's "more" secure than just direct connections to the server - I did the mitm to be able to share the 443 port with other services, etc.

  • Squid proxy changing default routes breaks browsing

    KOM

    For rare http sites, you should get the default squidguard block page. Because of how https works, blocked https sites will result in a browser error page.

  • Squid Reverse Proxy Issues

    No one has replied
  • HAproxy: right way to redirect old domain?

    Thread is obsolete now (at least for us): moved the containers to an external host and solved the forwarding within traefik. Thanks all ...

  • Squid started but not filter

    KOM

    Deleting squid logs will have no effect on how it works. If you delete logs and then restart squid, it will create a new log and continue.

    Perhaps if you take the time to explain your problem and show your settings?

  • HAProxy and WebConfigurator HTTP/2 DDoS CVEs

    dragoangel

    Additionally, Squid is affected by other DoS CVEs:
    CVE-2019-12525 and CVE-2019-12529, from 3.x to 3.5.28 and from 4.x to 4.7. Now in Package Manager the Squid version is 3.5.27.

  • proxy server is refusing connections - ICAP Error when Antivirus Enabled

    @kiokoman below was the solution:

    Add Loopback to the Proxy Interfaces; X-Forwarded Header Mode - Transparent (was "on" previously)

    And importantly, there is a bug with the "Allow Users on Interface" - it doesn't work!

    ACLs - Allowed Subnet still needs to have the subnet plus the localhost:
    192.168.0.0/24
    127.0.0.1/32

    Another thing I found: when switching from forwarding to transparent mode, it is necessary to reboot the router.
    It is not enough to restart the service, or the same ICAP error will occur.

  • HAproxy Setup Help Needed

    Derelict

    Mixing two tickets. Sorry.

    Well, you do it. Start small based on the information available, get one frontend and one backend working and go from there.

  • JavaScript XMLHttpRequest (XHR) - TCP_DENIED/403 HIER_NONE/- text/html

    KOM

    Figure out who is using all the bandwidth & how, and then start limiting them somehow. Is this a family home? Roommates? A business? If it's streaming video or torrents (which make up two of the biggest culprits) then good luck with squid. I decided to start paying an extra $20/m to move to an unlimited account for just this reason.

  • Long Request Times

    kklouzal

    I was unable to access any HTTPS until "Resolve DNS IPv4 First" was enabled.

    Thank you, yes 'squidclient -h 127.0.0.1 -p 3128 mgr:info' is an invaluable resource. So many requests go through with no hassle that the Median Service Times look relatively normal.

  • Manual for fastest browsing setup.

    johnpoz

    His point is that caching of http or https traffic in the hope of speeding it up for local access is pretty pointless. Unless you're doing mitm on your https, there is nothing to cache. And http is pretty much gone anyway - and even if it's just http, it's dynamically generated sites.. There is really nothing to actually cache.

    The browser caches stuff anyway that can be cached - since it's on the end of the https tunnel..

    Other than filtering traffic, there isn't much to thinking you're going to cache all that much data with your proxy these days.

    It's not like the client is going to be downloading the 20KB logo image of some website 100 times a day.. The browser will cache that, etc.

  • deny Internet connection for LAN

    KOM

    Go to Diagnostics - States and reset your states. Existing states are not affected by a block rule change.

  • Steam Caching

    @hcurren Why not configure the IP of the docker machine as DNS server for the DHCP pool?

  • Load balancing and SSL certs

    Derelict

    @nateliv Stay away from the Load Balancer because:

    https://redmine.pfsense.org/issues/9386

    If you must have your load balancer on pfSense, HAProxy is the way forward. You can put one certificate on the front end and it can load balance X backends.

  • squid proxy blocking soundhound searches

    Which device has the issue? PC, android or iPhone?

  • HaProxy Postfix ssl offloading

    @rainbowHash said in HaProxy Postfix ssl offloading:

    where to configure the haproxy backend on Pfsense to enable the send-proxy option

    You can manually write such an option in the advanced server pass-thru options text field. Either per server separately, if you edit a server and expand the extra options part of each server, or in the box that applies 'to all servers' in that backend.

  • Possibility Antivirus Gdata?

    Thanks, I was just wondering.

  • How to enter these redirects in Squidguard

    Not for https sites as far as I know. Does duckduckgo have a DNS safe mode?

  • Squid not saving cache to disk

    @kiokoman Thanks!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.