@michmoor Have considered, but not tried Squid in pfSense, what's the problem you referred to?

@JonathanLee tls 1.3 has been used for quite some time.. Any time I bother to look at the connection to pretty much anything its tls 1.3.. This connection to the forums is using tls 1.3

ensi is dead but long live ech, that could be problematic I would bet..

But again I don't do any sort of mitm, its not good practice - I want my ssl/tls to be end to end.. As the internet gods intended it to be ;)

I have no need or desire to run a proxy.. If I want to block someting I would filter on IP or DNS.. Yes I block the bane of filtering doh and dot.

I run a reverse proxy, but not as a filtering method or as a way to do mitm.. But as a way to offload the ssl connection because the actual services have no ssl support at all, or are a pain to setup. These connections are tls 1.3.. And I don't even allow 1.2, if your not using 1.3 then your not accessing it. And use strict sni - so if you don't send the valid sni your not being proxied in either. This keeps rando port scanners from being able to actually get to the sites interface.

And I block most of the known scanners from talking to any of my forwards anyway, and only allow access into my forwards if your coming from US IP, etc.

So generation 2 proxy technology can help if its built right...

Did anyone manage to get these ports working on pf+ 24.03?

I just came across the deprecation warnings.. Good thing I'm still on 23.09...

Also, can we somehow verify what we're installing?

I don't really feel confident adding an unknown repo to my firewall, which contains all pfsense packages, just to install the Squid one.

@lg1980, and all others reading the thread, I hope you can understand why I'm questioning all this work.

Squid is a very specific package used mainly for monitoring outbound traffic. From the perspective of a malicious threat actor, it's obvious how hiding a backdoor in such a package can prove to be highly beneficial, especially now since Netgate is deprecating their port of package, making all Squid users scramble for solutions so their appliance doesn't fall behind on updates.

What I'm trying to say, having full build instructions, and being able to reproduce those locally, would greatly boost my confidence in using packages from a fellow "internet forum user".

In our current state of affairs of having no "official Squid package port", the only true way of securely upgrading Squid, as far as I can see, would be by being able to inspect the source changes, while also being able to build the package locally from source, and installing it manually.

Hence I assume that the entire pfsense Squid community would be extremely grateful if @lg1980 could share instructions on how to do so!

@mcury I also had to disable some ethernet rules that all the sudden showed a lot of activity

Screenshot 2023-12-16 at 8.38.44 AM.png

@mcury

Thanks all I see is WAN blocks now !! YES!!! THANK YOU

Screenshot 2023-10-21 at 1.07.06 PM.png

@mcury Thanks for the information

@JonathanLee said in StoreID and Squid "helper program":

Does anyone work with Store ID?

Unfortunately no, I didn't.. splice all with cache disabled for me.
Squid/Squidguard was just to filter SNI header..

@jimp thanks for looking into this. I will use that URL for future items. I did not know about that other URL until today.

Добрый
@ao_kalachev
В баг-репорт смотрели ? Может там чего есть на эту тему.

@JonathanLee Thanks Jonathan!

@karimhaydar31 said in connection is not private when using Chrome:

X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN

The certificate is valid, but not co-signed by one of the major players, like Verisign etc. see here for a list.

The thing is, your browser only accepts (and stays silent) certificates if they were co or toot signed by one of the authorities that are on 'the list' (in your device).
You could actually empty this list, and your browser would not even trust https://www.micirostf.com any more.

So, the easiest thing to do, is : export the certificate that is being used by the Webconfigurator, and import it into you browser / OS.
Now, your browser / OS it trust it, and no more errors. That's all it takes !

You could also get your hands on a certificate that is trusted out of the box.
A trusted certificate is free.
Example : if these are your general settings :

5f251b0a-5c89-4ab6-aec6-556829c21c72-image.png

and you actually own, or rent the some-domain.tld domain name, you could obtain certificate for *.some-domain.tld for free.
The pfSense package "acme" is all about that functionality.
Again : the certificate will be free, the domain name will cost some money.