• 0 Votes
    18 Posts
    2k Views
    JonathanLee
    This is a better WPAD file:

    server.modules = ( "mod_access", "mod_staticfile", "mod_expire", "mod_setenv" )
    server.document-root = "/var/www/html"
    server.errorlog = "/var/log/lighttpd/error.log"
    server.pid-file = "/run/lighttpd.pid"
    server.username = "www-data"
    server.groupname = "www-data"
    server.port = 80
    server.bind = "192.168.1.6"
    server.tag = ""
    server.range-requests = "disable"
    server.max-connections = 10
    server.max-keep-alive-idle = 2
    server.max-keep-alive-requests = 1
    server.max-read-idle = 2
    server.max-write-idle = 2
    # The original also had "connect-timeout = 2", "dir-listing = "disable"" and
    # "accesslog = """. None of these is a lighttpd directive as written: there is no
    # connect-timeout key, directory listings come from mod_dirlisting (not loaded here,
    # so none are generated) and accesslog.filename belongs to mod_accesslog (also not
    # loaded, so no access log is written). They are dropped rather than carried as
    # unknown keys.

    # Refuse TRACE/TRACK outright. An empty string in url.access-deny matches every URL.
    $HTTP["request-method"] =~ "^(TRACE|TRACK)$" {
        url.access-deny = ( "" )
    }

    # Cache WPAD and proxy PAC files for 1 day (good practice)
    expire.url = ( "/wpad.dat" => "access plus 1 day", "/proxy.pac" => "access plus 1 day" )

    $HTTP["url"] =~ "^/(wpad\.dat|proxy\.pac)$" {
        setenv.add-response-header = (
            "X-Content-Type-Options" => "nosniff",
            "X-Frame-Options" => "DENY",
            "Content-Security-Policy" => "default-src 'none';",
            # mod_expire above already emits Cache-Control: max-age=86400 for these URLs
            "Cache-Control" => "public, max-age=86400",
            "Referrer-Policy" => "no-referrer",
            "X-Download-Options" => "noopen",
            "X-Permitted-Cross-Domain-Policies" => "none"
        )
        # Allow only GET and HEAD methods
        $HTTP["request-method"] !~ "^(GET|HEAD)$" {
            url.access-deny = ( "" )
        }
        # Restrict access by IP subnets
        $HTTP["remoteip"] == "192.168.1.0/27" {
        } else $HTTP["remoteip"] == "2001:470:8052:a::/64" {
        } else {
            url.access-deny = ( "" )
        }
    }

    # Deny all other URL requests
    $HTTP["url"] !~ "^/(wpad\.dat|proxy\.pac)$" {
        url.access-deny = ( "" )
    }

    # Strict URL parsing for security and consistency
    server.http-parseopts = (
        "header-strict" => "enable",
        "host-strict" => "enable",
        "host-normalize" => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required" => "enable",
        "url-ctrls-reject" => "enable",
        "url-path-2f-decode" => "disable",
        "url-path-2f-reject" => "enable",
        "url-path-dotseg-remove" => "disable",
        "url-path-dotseg-reject" => "enable",
    )

    url.access-deny = ( "~", ".inc" )
    static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

    # Add WPAD MIME type for correct browser handling
    mimetype.assign = (
        ".dat" => "application/x-ns-proxy-autoconfig",
        ".pac" => "application/x-ns-proxy-autoconfig"
    )
  • 0 Votes
    10 Posts
    2k Views
    johnpoz
    @JonathanLee TLS 1.3 has been used for quite some time. Any time I bother to look at the connection to pretty much anything, it's TLS 1.3. This connection to the forums is using TLS 1.3. ESNI is dead but long live ECH; that could be problematic, I would bet. But again, I don't do any sort of MITM, it's not good practice; I want my SSL/TLS to be end to end, as the internet gods intended it to be ;) I have no need or desire to run a proxy. If I want to block something I would filter on IP or DNS. Yes, I block the bane of filtering, DoH and DoT. I run a reverse proxy, but not as a filtering method or as a way to do MITM, but as a way to offload the SSL connection because the actual services have no SSL support at all, or are a pain to set up. These connections are TLS 1.3, and I don't even allow 1.2; if you're not using 1.3 then you're not accessing it. And I use strict SNI, so if you don't send the valid SNI you're not being proxied in either. This keeps random port scanners from being able to actually get to the site's interface. And I block most of the known scanners from talking to any of my forwards anyway, and only allow access into my forwards if you're coming from a US IP, etc.
  • New Squid 6.7 and Clamav 1.3.0

    Cache/Proxy squid upgrade proxy
    11
    8 Votes
    11 Posts
    2k Views
    @lg1980 said in New Squid 6.7 and Clamav 1.3.0: https://git.labexposed.com/lgcosta/gists/src/branch/main/squid-6x Hi, I hope you are doing well. I have reinstalled the pfSense OS and need to reconfigure the Squid proxy. I am unable to download the package from the above GitHub link. Can you share the new repo link?
  • DHCP Option 252, Option 42 Questions

    DHCP and DNS dhcp ntp wpad proxy
    5
    0 Votes
    5 Posts
    1k Views
    @JonathanLee sorry if I wasn't clear. No, one URL should be enough
  • 0 Votes
    8 Posts
    4k Views
    @viragomann I wish to do this using a proxy service that I have subscribe to however they provide a hostname and port so I don't think I can use the GW method here.
  • pfSense behind Traefik

    Firewalling rules proxy
    2
    0 Votes
    2 Posts
    1k Views
    ipeetables
    @atxcoder you need a Web Application Firewall (WAF) to do that; pfSense FW rules block at the IP layer. X-Real-IP is application layer. The traffic is allowed because it came from 10.0.10.4.
  • 0 Votes
    2 Posts
    2k Views
    @ma0f97 Has no one an idea?
  • Help please

    Cache/Proxy proxy blacklist squidguard
    1
    1 Votes
    1 Posts
    606 Views
    No one has replied
  • 0 Votes
    16 Posts
    3k Views
    @rtw915 said in WAN optimization/acceleration: Now the SQL team needs me to find a way to improve SQL linked server transfer rates to synchronize transactions. This will bring you back to the initial WAN accelerator solution. The only other possible solution is to redesign the DB subsystem, utilizing some form of SQL replication, taking into consideration propagation delays.
  • 0 Votes
    6 Posts
    1k Views
    stephenw10
    So you just need to redirect traffic to them in pfSense? You can just use port forwards for that. That's what Squid does if you set it to transparent mode. Steve
  • Wan -> pfsense -> Wan possible?

    Routing and Multi WAN wan squid proxy virtualbox
    1
    0 Votes
    1 Posts
    615 Views
    No one has replied
  • 0 Votes
    3 Posts
    1k Views
    @lucasll I had put the Kerio IP and port in Advanced - Miscellaneous of pfSense, but I already found the solution. My upstream DNS wasn't resolving addresses outside the VPN. I used an alternative repository that the DNS was able to resolve.
  • 0 Votes
    5 Posts
    1k Views
    KOM
    @norcarde A transparent proxy would solve your application problems, but they are a hassle to setup and can introduce their own problems.
  • Applications without internet access

    Español squid proxy pfsense
    3
    0 Votes
    3 Posts
    952 Views
    @santi good morning. I already checked the log. I found the IP it is connecting to and added it to the whitelist, along with the port. But it still doesn't work.
  • 0 Votes
    8 Posts
    2k Views
    @PiBa Good news, I got it to work! I did as you suggested and got a self signed certificate on the server using this guide. After that HAProxy is able to route traffic to the host. It even works with the Let's Encrypt wildcard cert I have through the ACME package, so there's no cert errors getting to the site. Thank you for the help again.
  • 0 Votes
    1 Posts
    622 Views
    No one has replied
  • 0 Votes
    1 Posts
    497 Views
    No one has replied
  • Install Traefik on pfSense

    Cache/Proxy proxy haproxy traefik
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Setting up a reverse proxy

    Cache/Proxy proxy haproxy
    39
    0 Votes
    39 Posts
    8k Views
    @jimp could you point me in the right direction on how to set it up so HAProxy on pfSense handles the certs (not just getting them)?
  • 0 Votes
    6 Posts
    2k Views
    @juanmaximoti How did you manage to unblock it?