Netgate Discussion Forum

    Squid HTTPS/SSL question

    20 Posts 4 Posters 18.6k Views
      RickTosch

      Hi there,

      I hope my reply does not come across as a hijacking one.
      Similar scenario as LIGISTX: pfSense + Squid in transparent mode + SSL MITM. I just had to deploy certificates to Windows, Linux, iOS and Android devices. My home environment consists of 10 machines, so super tiny.
      I guess I won't see much of a caching benefit?
      The primary reason for Squid for me was the use of the built-in antivirus. I could not find HAVP in the package manager, which many guides refer to.

        KOM

        I guess I won't see much of a caching benefit?

        It depends.  Every environment is different.  Get it running as best you can and then monitor performance from the console after letting it run for a while.  Caching is a tricky art and there is no magic checkbox to tick.  Some deep-diving into squid's documentation and some Googling will get you going with refresh patterns and store_ids plus tweaked squid.conf options.

        I dislike AV on the firewall because it slows everything down and I don't believe the level of protection is equal to what's offered by the usual commercial companies.  Put your AV on the client and let the firewall route packets.

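        An added example of the kind of squid.conf tuning KOM refers to (refresh patterns, Store-ID and cache sizing); this is not KOM's or Netgate's configuration, and the sizes, paths, patterns and the helper script name are assumptions for a small home network like the one described:

```conf
# --- Cache sizing (assumed values for a ~10-client home network) ---
cache_mem 256 MB                              # hot objects kept in RAM
cache_dir ufs /var/squid/cache 4000 16 256    # 4 GB on-disk cache
maximum_object_size 512 MB                    # allow large installers/updates to be cached
maximum_object_size_in_memory 1 MB

# --- Refresh patterns: regex  min(minutes)  percent  max(minutes) [options] ---
# Specific patterns must come before the generic catch-all, because Squid
# uses the first pattern that matches. override-expire extends freshness of
# static assets; do NOT add ignore-private, or one user's personalised response
# could be served to another. With SSL bumping these rules apply to decrypted
# HTTPS responses as well, so keep them to truly static content types.
refresh_pattern -i \.(jpe?g|png|gif|webp|svg|ico)$      1440 80% 43200 override-expire
refresh_pattern -i \.(css|js|woff2?|ttf)$                1440 80% 43200 override-expire
refresh_pattern -i \.(msi|exe|zip|iso|deb|rpm|apk)$      4320 90% 129600 override-expire
refresh_pattern ^ftp:                                    1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?)                        0    0%  0
refresh_pattern .                                        0    20% 4320

# --- Store-ID: map CDN mirrors of the same object to one cache key so that
# content fetched from mirror A is a HIT when mirror B serves it next time.
# The rewriter path below is an assumed, locally written helper, not a stock file.
store_id_program /usr/local/etc/squid/storeid_rewrite.pl
store_id_children 5 startup=1 idle=1 concurrency=0

# Verify the effect after a few days of traffic with:
#   squidclient -h 127.0.0.1 mgr:info      (request/byte hit ratios)
```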
          RickTosch

          @KOM:

          I dislike AV on the firewall because it slows everything down

          Thank you for the response.
          If I throw more resources at pfSense (CPU, RAM) because it's a VM, will it make a difference?

            LIGISTX

            @RickTosch:

            @KOM:

            I dislike AV on the firewall because it slows everything down

            Thank you for the response.
            If I throw more resources at pfSense (CPU, RAM) because it's a VM, will it make a difference?

            I'm going to assume no. If the CPU still has to look at all the data even if it was a beast setup, I assume it will still slow it down. But, I personally am not sure of this at all lol.

              KOM

              If I throw more resources at pfSense (CPU, RAM) because it's a VM, will it make a difference?

              If you can saturate your bandwidth and not have pfSense CPU break a sweat then you're probably good.

                LIGISTX

                @KOM:

                @KOM Well, I am not sure why this jacked a bunch of stuff up, but I had the server down for the weekend (was working on the hardware), plugged it back in this afternoon and accidentally had the WAN plugged into the LAN, which seems to have tripped a lot of stuff out, mostly Snort, which was blocking all sorts of connections. I cleared the block list (since nothing was previously blocked when I took the pfSense box down), but now Squid is acting up on me. It will load an HTTP webpage the first time just fine, but if I try and reload it I get an error: "Connection to "IP ADDRESS" failed, The system returned (1) operation not permitted". I am fairly sure it all worked before I took the box down, and I even tried restoring my settings from a previous backup. Turning Squid off results in no error, but the page not loading.

                Any ideas?

                  LIGISTX

                  Uninstalling Squid after checking the "do not save config" button, plus a restart of the client and the pfSense box, didn't fix it :/. I am clearly doing something totally wrong. I can ping, say, newegg.com through cmd, though.

                    KOM

                    I would have manually cleared the cache first.  Also check for anything in the System log and /var/squid/logs/cache.log.

                      LIGISTX

                      Well, I have since reinstalled Squid and cleared the cache; it didn't help :/

                      I think the easiest thing will be to reinstall pfSense. I really don't know what I did wrong.

                      [Attachment: Capture.PNG]

                        Binson_Buzz

                        @RickTosch:

                        Hi there,

                        I hope my reply does not come across as a hijacking one.
                        Similar scenario as LIGISTX: pfSense + Squid in transparent mode + SSL MITM. I just had to deploy certificates to Windows, Linux, iOS and Android devices. My home environment consists of 10 machines, so super tiny.
                        I guess I won't see much of a caching benefit?
                        The primary reason for Squid for me was the use of the built-in antivirus. I could not find HAVP in the package manager, which many guides refer to.

                        Can I ask, please, how you installed on Android? I've installed my certificates, but when I disconnect from my Wi-Fi my devices "connect" but say they have no IP address. They work with transparent HTTP but screw up when I add HTTPS, so I have to add them to the bypass filter.

                        Thanks in advance.

                        CPU: Intel Xeon E5-2683 V3 | MB: ASUS X-99-A II | Memory: Crucial 8x 8GB DDR4-2133
                        PSU: Corsair AX760 | Case: Define R5 Blackout Window
                        unRAID 6.3.2 VMs: pfSense, 3x Windows 10 Pro | Network: AOC-SGP-I2, 2x UniFi AP AC Pro
