• [SOLVED] pfSense / Squid vs Untangle - SSL inspection

    6
    0 Votes
    6 Posts
    2k Views
    @nadmax said in [SOLVED] pfSense / Squid vs Untangle - SSL inspection: I installed E2 Guardian last night - I must say it is a very complete package so there is a bit of a learning curve involved. Way more advanced than the Squid equivalent. Nevertheless, I achieved the results I wanted in about 30 minutes - it works exactly as per my expectations. I still have a lot of tuning to do but I have no doubt that I've found what I was looking for. Thanks! No problem at all! Glad I could help! :) If you have any questions, feel free to shoot them through into the E2 Guardian thread and we'll be more than happy to assist!
  • [SOLVED] How to filter HTTPS for wifi network (guests)

    proxy https wifi
    14
    0 Votes
    14 Posts
    5k Views
    You can still do some filtering on HTTPS without the MITM. On E2 Guardian, I have multiple groups set up, some which have MITM enabled and some such as in your case that are for Guest Wi-Fi where I can't properly sneak in the CA. On Squid I believe this is referred to as Bump and Splice all. For my guest Wi-Fi setups, I just use the non-MITM method. This is where the proxy is able to see the domain name without the resource path at the end in order to decide if a website should be let through or not. MITM would obviously allow the proxy to look at the entire URL with the resource path and make an informed decision as to whether or not to allow a website through. I prefer it way more than DNS level filtering as it's more flexible. You can set it up for specific users while others can browse those sites just fine. If you've got some time, I recommend you give E2 Guardian a shot. It worked out a lot better than Squid in my use case and it has the added benefit of actual phrase filtering.
  • Disable web GUI access when running Squid

    Moved
    6
    0 Votes
    6 Posts
    833 Views
    Mr_JinX
    scratch that, clam av uses its FQDN, which is allowed to pass the clam av white list.
  • Issue with HAproxy Intermediate certificate

    Moved
    1
    0 Votes
    1 Posts
    629 Views
    No one has replied
  • 0 Votes
    6 Posts
    12k Views
    @tazmo I have pfSense with HAProxy installed in it. Can you guide how to do load balance between two AWS EC2 Web server Instance with SSL. Even I have SSL purchased from the 3rd party tool.
  • WPAD not working

    8
    0 Votes
    8 Posts
    2k Views
    Exolon
    @albtech See if this website can help WPAD PAC Proxy Configuration
  • Squid negative speed increase

    3
    0 Votes
    3 Posts
    861 Views
    @periko said in Squid negative speed increase: ng the proxy? Did u use auth? This squid server serve about 1200 to 1500 Users. I don't use auth, no error found, dns google work normal.
  • SSL Man In the Middle Filtering error "WindowsUpdate_80072F8F"

    2
    0 Votes
    2 Posts
    594 Views
    Hi guys! I understand that the solution to the current problem does not exist?
  • PfSense randomly blocking web sites

    5
    0 Votes
    5 Posts
    2k Views
    All I can say, most possibly it's your configuration.
  • Proxy and Traffic Graph

    2
    0 Votes
    2 Posts
    546 Views
    Raffi_
    @dotslashniks I think you should still be able to see LAN addresses under the Status/Traffic Graph/. Make sure the Interface selected is LAN. I personally don't find the traffic graph extremely useful. Try installing the ntopng package. It's a great package for checking traffic. Look it up on YouTube, there are great tutorials on what it can do.
  • Landing Page for Pfsense Proxy after User Authentication

    Moved
    1
    0 Votes
    1 Posts
    235 Views
    No one has replied
  • HAProxy - Log host name

    3
    0 Votes
    3 Posts
    1k Views
    @piba said in HAProxy - Log host name: @aeleus Use the 'Advanced pass thru' textbox to put that config setting into ? Thanks, Piba! That works.
  • This topic is deleted!

    Moved
    3
    0 Votes
    3 Posts
    229 Views
    No one has replied
  • Is it possible to use haproxy for DNS over TLS?

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    A client has to explicitly know it's using DNS over TLS, it isn't as simple as forwarding 53 to 853. Running that on 53 may just confuse clients. Even so I'm not sure HAProxy can be used to present a certificate and work with DNS over TLS. Maybe as a simple TCP frontend to a real DNS over TLS backend like Unbound. But if you want something local to answer on 53 and then send the requests out to an upstream DNS over TLS server, then the DNS Resolver on pfSense can handle that. It can also act directly as a DNS over TLS server. It's possible to do with the custom options for DNS Resolver but there are native GUI controls for it in 2.4.4.
  • Groups based access to certain websites

    2
    0 Votes
    2 Posts
    442 Views
    any help in this regard ?
  • HAProxy 0.59_7 not working with SSL. :(

    8
    0 Votes
    8 Posts
    1k Views
    @piba said in HAProxy 0.59_7 not working with SSL. :(: it does seem that backend-exch80_ipvANY isn't 'up' yet.. Have you checked what the stats page says in LastChk column That's the next thing I have to fix on the server side it seems. The server reports a 503 server when I do HTTP to it. I think in the past I had it setup to redirect to HTTPs but after CU10 it might have broke. So no worries right now. 443 works, so does the webserver on 443 and 80. autodiscover is on the same server as OWA so it too is broke on 80.
  • haproxy - not working with ProfileManager (certificate problem?)

    9
    0 Votes
    9 Posts
    1k Views
    @PiBa Yes, I can at least access the macOS Server portal / Profile Manager externally now. SCEP device enrollment isn't working externally for me, though it is internally. I'm not sure how important that is--I think that's (mostly) an enroll once kind of deal. It looks like someone else beat me to experiencing this trouble, and found at least a sledge hammer style workaround. ;-) Thanks for all your help!
  • Need to block email attachment

    2
    0 Votes
    2 Posts
    426 Views
    Gertjan
    Hi, This is something that has to be implemented into the mail server. Every mail server. Thus impossible. Sending and retrieving mails is being done using SSL connections more and more often, so pfSense can't "see" in the data stream that it is an "email". And even if you pulled it off, people stopped using their fat mail client, to browse to their web mail, and then download or upload the attachment. All this will be done over https://, leaving you out of the game completely. Read also, for example, https://security.stackexchange.com/questions/14120/open-source-tool-to-block-email-attachments edit : if you have people on your network(s) that are capable of downloading (or sending) unknown, potentially dangerous files as attachments, then you throw them on a captive portal and Wifi, using AP's with client isolating activated (== no more local network sharing) and if there is more than one AP, also enforce sharing among these AP's. Only then people (clients, visitors) can mess up badly, and only have their device being fckd up without exposing others on your local net(s).
  • Speed Test

    3
    0 Votes
    3 Posts
    548 Views
    Ooohh. I see. Thank you, Periko
  • ICAP error caused by Squid AV

    Moved
    1
    1 Votes
    1 Posts
    292 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.