    Squid HTTPS/SSL question

Cache/Proxy
    20 Posts 4 Posters 18.6k Views
KOM

      why wouldn't it be of any benefit?

Because the general hit rate is very low. I mentioned in a previous post that I'm seeing 5-7% and that's on a corporate LAN with lots of users. It's not easy to cache the dynamic web these days. When you always get a miss on your cache, the extra time to do an object lookup starts to add up and you end up working slower for no real benefit. Now, your mileage may vary based on what sites you typically go to, how they are served, and what kind of refresh_pattern + other options magic you can figure out. Most people give up on Windows Updates and either go with a WSUS server or just give up trying to cache them. Windows 10 updates seem to be easier to cache. Linux updates are dead simple. Do some Googling for 'squid' and 'updates' to see the kind of problems people are having. It can be done from what I understand, but you will end up deep-diving into squid to get there.

      http://www.squid-cache.org/

RickTosch

        Hi there,

        I hope my reply does not come across as a hijacking one.
Similar scenario as LIGISTX: pfSense + Squid in transparent mode + SSL MITM. I just had to deploy certificates to Windows, Linux, iOS and Android devices. My home environment consists of 10 machines, so super tiny.
I guess I won't see much of a caching benefit?
The primary reason for Squid for me was the use of the built-in antivirus. I could not find HAVP in the package manager, which many guides refer to.

KOM

I guess I won't see much of a caching benefit?

It depends. Every environment is different. Get it running as best you can and then monitor performance from the console after letting it run for a while. Caching is a tricky art and there is no magic checkbox to tick. Some deep-diving into squid's documentation and some Googling will get you going with refresh patterns and store_ids plus tweaked squid.conf options.

I dislike AV on the firewall because it slows everything down and I don't believe the level of protection is equal to what's offered by the usual commercial companies. Put your AV on the client and let the firewall route packets.

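An added example (not from this thread or from the Squid project) that shows the kind of hit-rate check KOM recommends monitoring before deciding whether caching is worth it: a small Python parser for Squid's native access.log format, run here over constructed sample lines. It counts hits, misses and, separately, CONNECT tunnels (un-bumped HTTPS), which can never be served from cache. The hostnames, addresses and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1700000000.101    12 192.168.1.20 TCP_HIT/200 4821 GET http://mirror.example.org/pool/main/c/curl/curl_7.88.1.deb - HIER_NONE/- application/x-debian-package
1700000000.202   310 192.168.1.21 TCP_MISS/200 91234 GET http://mirror.example.org/pool/main/c/curl/libcurl4_7.88.1.deb - HIER_DIRECT/203.0.113.5 application/x-debian-package
1700000000.303    40 192.168.1.22 TCP_MEM_HIT/200 2210 GET http://www.example.com/static/app.css - HIER_NONE/- text/css
1700000000.404   220 192.168.1.20 TCP_REFRESH_UNMODIFIED/304 310 GET http://www.example.com/static/app.css - HIER_DIRECT/203.0.113.9 text/css
1700000000.505   980 192.168.1.23 TCP_TUNNEL/200 48123 CONNECT updates.example.net:443 - HIER_DIRECT/203.0.113.7 -
1700000000.606   150 192.168.1.21 TCP_MISS/200 15870 GET http://www.example.com/api/feed?ts=1700000000 - HIER_DIRECT/203.0.113.9 application/json
1700000000.707    90 192.168.1.22 TCP_MISS/200 7330 GET http://www.example.com/ - HIER_DIRECT/203.0.113.9 text/html
1700000000.808     5 192.168.1.23 TCP_DENIED/403 3521 GET http://blocked.example.net/ - HIER_NONE/- text/html
"""

# Fields we need: client, result code, HTTP status, bytes, method, URL.
LINE_RE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)")

def classify(code):
    """Map a Squid result code to a cache outcome."""
    if code == "TCP_TUNNEL":
        return "tunnel"   # CONNECT passed through unbumped: never cacheable
    if code == "TCP_DENIED":
        return "denied"   # blocked by ACL, not a cache decision
    if "HIT" in code or code == "TCP_REFRESH_UNMODIFIED":
        return "hit"      # served from cache (a 304 revalidation still saves the body)
    return "miss"

def summarize(log_text):
    """Return request and byte counts per outcome plus the hit rate over cacheable requests."""
    counts, size = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # skip malformed lines rather than crash on a partial log
        _client, code, _status, nbytes, _method, _url = m.groups()
        outcome = classify(code)
        counts[outcome] += 1
        size[outcome] += int(nbytes)
    cacheable = counts["hit"] + counts["miss"]
    rate = counts["hit"] / cacheable if cacheable else 0.0
    return {"counts": dict(counts), "bytes": dict(size), "hit_rate": rate}

if __name__ == "__main__":
    s = summarize(SAMPLE_ACCESS_LOG)
    print(f"hit rate over cacheable requests: {s['hit_rate']:.1%}")
    print("requests by outcome:", s["counts"])
    print("bytes by outcome:", s["bytes"])
```

Run it against a real /var/squid/logs/access.log by reading the file into `summarize`; a hit rate in the single digits, with most bytes in the tunnel bucket, is exactly the situation KOM describes where the cache costs more time than it saves.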
RickTosch

            @KOM:

            I dislike AV on the firewall because it slows everything down

            Thank you for the response.
            If I throw more resources at pfSense (CPU, RAM) because it's a VM, will it make a difference?

LIGISTX

              @RickTosch:

              @KOM:

              I dislike AV on the firewall because it slows everything down

              Thank you for the response.
              If I throw more resources at pfSense (CPU, RAM) because it's a VM, will it make a difference?

              I'm going to assume no. If the CPU still has to look at all the data even if it was a beast setup, I assume it will still slow it down. But, I personally am not sure of this at all lol.

KOM

                If I throw more resources at pfSense (CPU, RAM) because it's a VM, will it make a difference?

                If you can saturate your bandwidth and not have pfSense CPU break a sweat then you're probably good.

LIGISTX

@KOM Well, I am not sure why this jacked a bunch of stuff up, but I had the server down for the weekend (was working on the hardware), plugged it back in this afternoon and accidentally had the WAN plugged into the LAN, which seems to have tripped a lot of stuff out, mostly Snort, which was blocking all sorts of connections. I cleared the block list (since nothing was previously blocked when I took the pfSense box down), but now Squid is acting up on me. It will load an HTTP webpage the first time just fine, but if I try to reload it I get an error: "Connection to "IP ADDRESS" failed, The system returned (1) operation not permitted". I am fairly sure it all worked before I took the box down, and I even tried restoring my settings from a previous backup. Turning Squid off results in no error, but the page not loading.

                  Any ideas?

LIGISTX

Uninstalling Squid after checking the "do not save config" button, and restarting the client and the pfSense box, didn't fix it :/. I am clearly doing something totally wrong. I can ping, say, newegg.com through cmd though.

KOM

I would have manually cleared the cache first. Also check for anything in the System log and /var/squid/logs/cache.log.

LIGISTX

                        Well, I have since reinstalled Squid and cleared the cache, didn't help :/

I think the easiest thing will be to reinstall pfSense. I really don't know what I did wrong.

[Attachment: Capture.PNG (screenshot)]

Binson_Buzz

                          @RickTosch:

                          Hi there,

                          I hope my reply does not come across as a hijacking one.
Similar scenario as LIGISTX: pfSense + Squid in transparent mode + SSL MITM. I just had to deploy certificates to Windows, Linux, iOS and Android devices. My home environment consists of 10 machines, so super tiny.
I guess I won't see much of a caching benefit?
The primary reason for Squid for me was the use of the built-in antivirus. I could not find HAVP in the package manager, which many guides refer to.

Can I ask please how you installed on Android? I've installed my certificates, but when I disconnect from my wifi my devices 'connect' but on the devices they say they have no IP address. They work with transparent HTTP but screw up when I add HTTPS, so I have to add them to the bypass filter.

                          Thanks in advance.

                          CPU: Intel Xeon E5-2683 V3 | MB: ASUS X-99-A II | Memory: Crucial 8x 8GB DDR4-2133
                          PSU: Corsair AX760 | Case: Define R5 Blackout Window
                          unRAID 6.3.2 VMs: pfSense, 3x Windows 10 Pro | Network: AOC-SGP-I2, 2x UniFi AP AC Pro

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.