Netgate Discussion Forum

    squid + Lightsquid

    General pfSense Questions
      VOLCANA

      Hi everyone.

      I am using pfSense 2.6. I am currently managing two separate local networks of a public institution through a single pfSense. Friends, the system works smoothly, but when it comes to receiving a web report like the topic title, I have a few questions.

      First of all, the Squid and Lightsquid packages were installed and the necessary configurations were made.
      When I look at the Squid Monitor \ Realtime section, I get an output like the following:
      

      PFSENSE Squid Monitor.png

      As can be seen here, the "Address" section appears in a format that is not suitable for web addresses. The reason for this is that the system is set as "http". Because I think you can't resolve the current "https" web addresses like this. Therefore, I get the same content in the Lightsquid report.

      To solve this, the Squid Proxy's "SSL Man In The Middle Filtering" feature should be activated and a certificate should be created in the "System/Certificate Manager/CAs" section.

      And by creating a sub-certificate connected to this certificate, it must be transferred to the certificates in the Windows interface used. Or it can be transferred to some browsers.

      Here's the problem for me.
      I will need to move the created certificate by hand to all machines. If I don't do this, there is a problem with the network because "HTTPS" is activated. In other words, the users' browsers face safety problems.

      Is it possible to automatically distribute the certificate I have created to the network through pfSense? Since the network is on a large scale, I want to do it on pfSense without an Active Directory server.

      So I will create a certificate for "HTTPS" on pfSense, and users who want to get out to the web via the proxy will automatically receive this certificate.

      I know I'm expanding, I take refuge in your forgiveness. Kind regards

        stephenw10 Netgate Administrator

        No, there is no way to automatically distribute a cert in order to MITM users' connections. That would break https.
        What you can do is force users to use a proxy specifically and then you don't need the cert on all clients. And you can use a WPAD file to automatically inform clients about the proxy. Though hosts must be configured to look for it.

        https://docs.netgate.com/pfsense/en/latest/recipes/http-client-proxy-wpad.html

        Steve

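A minimal proxy auto-config (PAC) file of the kind a WPAD setup serves to clients, as an added example that is not part of the original posts or the Netgate documentation. The proxy address `192.168.1.1:3128` and the `.lan.example` suffix are constructed placeholders, and the routing rules are one possible policy; it uses plain `var`-style JavaScript because PAC engines vary in the syntax they accept.

```javascript
// Constructed values (assumptions, replace with your own):
// the LAN address and port where Squid listens, and the local DNS suffix.
var PROXY = "PROXY 192.168.1.1:3128";
var LOCAL_SUFFIX = ".lan.example";

// True when host is a dotted-quad IPv4 literal in a loopback or RFC 1918 range.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]);
  var b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Entry point that browsers call for every request.
// The same proxy is returned for http:// and https:// URLs; for https the
// client asks the proxy to open a tunnel to the host, so the proxy can log
// the destination host name without a CA certificate on the client.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names (e.g. "printer") stay on the LAN.
  if (host.indexOf(".") === -1) return "DIRECT";

  // Hosts in the local DNS domain stay on the LAN.
  if (host.slice(-LOCAL_SUFFIX.length) === LOCAL_SUFFIX) return "DIRECT";

  // Private and loopback IPv4 literals, including the firewall GUI itself.
  if (isPrivateIPv4(host)) return "DIRECT";

  // Everything else goes through the proxy. No "; DIRECT" fallback is
  // listed, so a client that cannot reach the proxy does not go around it.
  return PROXY;
}
```
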
          VOLCANA @stephenw10

          @stephenw10

          Thank you.

          I was looking at WPAD right now. I hope everything will be fine.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.