in an effort to better fix/set up squid and the github information for others to use, I need some help understanding stuff



  • okay, so, the bottom line here is the following, @aGeekhere brought to my attention over on the github for refresh patterns, that nvidia driver updates are not being cached properly, and in my attempts to figure out why, and whats not happening correctly, I seem to have noticed that squid on my end is NOT properly doing its job to the degree that I had thought it was doing, in other words, even with squid set up in transparent mode, to intercept ssl traffic and allow to decrypt whats going where for ad blocking (pihole and pfblockerng eventually) I discovered that its not working AT ALL for my android phones, I have either internet without caching at all to speak of, or I have no internet at all with it set up to connect to squid

    wpad is set up, both on pfsense, in the dhcp server its got the config for dhcp parameter 252 pointing to wpad, and I even have my local piholes set up for the host over ride of wpad.localhost.localdomain (or mine specifically being .home.lan) including a pfsense host override

    things are not working as expected, at all, and far from it, so, in my attempts to find whats not working right, I broke shit even more (shocking I know)

    so now I'm left with an utter feeling of no idea what the hell I'm doing wrong, and in my infinite desire to fix this shit, I realize I know less than I originally thought I did

    case in point: what the hell is the difference between ssl bump, and ssl splice, among other things, I'm realizing I know less about this than I had originally been aware of, and trust me, I knew that I'd not known enough to feel comfortable already before this moment of clarity

    SO, does anybody have anything they could send my way to try and understand this more, OTHER THAN THE DEFAULT SQUID DOCUMENTATION!? looking that stuff over, its like I am trying to speak to an alien, in English, that does not even have the ability to verbally communicate, given they are a gaseous mass! I DON'T KNOW WHAT THE HECK I AM READING...I feel like it was written, by a man, stoned off his ass, with alcohol poisoning, 48 hours after his body was sent to the mortuary!

    short version summary!

    I don't know what I'm doing wrong, and I want to understand more on how this whole system operates at a specific level per each configuration aspect, so that I can be sure that my attempted fix going forward does what I want it to do, and I seek some help in learning more about these aspects!



  • The reality will help you here.

    Squid - and it's 'caching' usage - is something of the past, when all the traffic came over in clear text, everything was visible and you could act on everything.
    These times are over, for several years now.
    Web browsers and web servers are set up so they can give the end user the ultimate guarantee that they have a private connection. Billions of hours development went into that concept. No more spying, stealing, analysing, and other disputable activities. https or SSL connections (like VPN connections) can't really be taken apart - except maybe if you make changes on all the devices that are connected to your network.

    A network admin these days, is working like the post office. They transport the letters, they're not opening them (any more).

    I can understand that 'proxies' might be useful, because I do share the company network with strangers ("non trusted" clients). Which makes me some how responsible for their Internet usage. A client could be look for the nuke launch codes on the Internet, and "they" will come nock on my door.
    I gave up a 'checking' a long time ago. Most people that have things to hide use a VPN anyway.

    @High_Voltage said in in an effort to better fix/set up squid and the github information for others to use, I need some help understanding stuff:

    case in point: what the hell is the difference between ssl bump, and ssl splice, among other things

    Welcome to the club : https://forum.netgate.com/topic/155265/squid-s-new-sslbump-peek-and-splice-for-https-caching/2 (posted yesterday).



  • But if you are using HTTPS/SSL Interception doesn't that allow for decrypting so squidguard/E2guardia can filter the content? If so why can't that content be cached?



  • As soon as you have access to the full, decrypted data stream it's most probably possible to cache everything.

    But :
    The, for example, ccs style sheet file, can have a unique name - and won't be re used ever again, so it will get reloaded anyway.
    The file creation date can be set to 'now' so the browser will request a fresh copy, even if the content didn't change at all.
    etc etc .