Squid vs HTTPS Everywhere to protect HTTP (port 80) connections



  • I've really tried to secure my browsing recently. Using Firefox with the privacy extensions, VPN, DNS over TLS, etc. I'm using HTTPS Everywhere, but when the warning comes up that an HTTPS site isn't available and the HTTP site could very well be fake, I usually don't connect.

    I gave up on Squid a while back. I didn't want to use it on HTTPS sites, breaking the SSL connection. Thus, Squid was only working on HTTP sites and those are few and far between these days. I feel like I've done all I can for HTTPS safety, but completely exposed on HTTP. I thought, what about Squid? I could use ClamAV. The proxy caching would be just a bonus. If I'm just looking for added safety, is Squid worth it? As this is a Squid forum, you'll probably all say "Just shut up and deploy it already!"

    HTTPS Everywhere doesn't really protect your HTTP connections, it just tries to keep you on HTTPS. Is ClamAV enough safety or am I better off staying off HTTP sites (and losing that part of the web)?

    I haven't used Squid for years, so maybe someone has something to add here. Or, again, maybe this is a no-brainer.



  • Squid is almost useless these days other than as a base for squidguard or ClamAV.



  • Thanks for that feedback (and being the only one).

    For weeks, I decided the extra load on my firewall was not worth having an antivirus on a handful of HTTP sites. Then more and more HTTP sites were popping up, and every time I have to decide if I take the chance or move on.

    I finally decided to install Squid, simply for the HTTP transparent proxy and ClamAV.

    I now have some burning questions.

    1. Did I make a mistake? Is it even worth installing Squid for ClamAV?

    2. Should I just enable ClamAV without the HTTP transparent proxy? Is that even possible?

    3. Without getting into too much detail, what is the 'leanest' way to use Squid to scan 'http' sites for viruses?

    Thanks in advance! I'm sure there are probably others that are just as curious... (maybe?)



  • I personally don't agree with putting an AV on the firewall at all. Client-based solutions are better IMO. I'm in a business environment so I use squid as a base for squidguard URL-filtering only. No caching and no ClamAV slowing everything down.

    I think if you concern yourself too much with locking everything down, it doesn't really help your security significantly but it does cause you a lot of problems.

    Transparent proxy is also the cause of a lot of problems. I use explicit mode along with WPAD so that clients can autodiscover it on their own, and I don't need to fuss with certificates.
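    One way to implement the explicit-mode plus WPAD setup described in this reply, as an added example that is not part of the original thread or of pfSense's own files: a proxy auto-config (PAC) file, served as wpad.dat from a host named wpad in the local domain. The proxy address 192.168.1.1:3128 and the local domain lan.example are assumptions. The PAC built-ins are shimmed so the file can also be run and tested outside a browser; browsers supply their own.

```javascript
// Added example: WPAD proxy auto-config (PAC) file for an explicit-mode Squid.
// Not from the original thread or from pfSense. Assumptions: Squid listens on
// 192.168.1.1:3128 and the local DNS domain is lan.example.
// Browsers fetch this as http://wpad.<your-domain>/wpad.dat (or via DHCP option
// 252) and call FindProxyForURL(url, host) for every request.

// Shims for PAC built-ins so this file runs under plain Node for testing.
// In a browser the engine provides these; redefining them here is harmless.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(host.length - domain.length) === domain;
}
// True for dotted-quad literals inside the RFC 1918 private ranges.
function isRfc1918(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

var PROXY = "PROXY 192.168.1.1:3128";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Loopback, bare hostnames, the local domain and private addresses never
  // touch the proxy: nothing to filter there, and it avoids proxy loops.
  if (host === "localhost" || isPlainHostName(host) ||
      dnsDomainIs(host, ".lan.example") || isRfc1918(host)) {
    return "DIRECT";
  }

  // Web traffic goes through Squid. In explicit mode the browser sends https:
  // as a CONNECT tunnel that Squid passes through unmodified, so URL filtering
  // works on the hostname without any certificate being installed on clients.
  // The trailing "; DIRECT" is a fail-open fallback if the proxy is down;
  // drop it to fail closed and keep filtering mandatory.
  if (url.slice(0, 5) === "http:" || url.slice(0, 6) === "https:") {
    return PROXY + "; DIRECT";
  }

  // Anything else (ftp:, ws:, custom schemes) bypasses the proxy.
  return "DIRECT";
}
```

Note that with a fail-open fallback a client that cannot reach the proxy silently loses the URL filtering; whether that is acceptable is a policy decision, not something the PAC can enforce.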



  • And for programs that cannot be configured to use a proxy, you can also have the transparent proxy turned on and SSL Man-in-the-Middle Filtering set to SPLICE ALL.

    Also use DNS over TLS with pfSense
    https://www.netgate.com/blog/dns-over-tls-with-pfsense.html



  • I have no interest in a MITM proxy, which essentially breaks SSL, making it all but pointless. (Sorry to be blunt.)

    I've decided to uninstall Squid. A comment hit home to me. Installing another application, putting my firewall packets through ANOTHER application, simply for a (secondary) virus scan. Not worth it. (As far as I know), (knocking on my wood shelf), I haven't had an issue with a virus since I can remember. I'm not saying it's a risk. I'm very aware of the need for a good virus scanner, but to add another layer to my firewall? Nah.

    Squid is officially retired in my book.