Infamous /409 issue
-
@JonathanLee Yes. You can configure this parameter from the GUI:
This field will set the dns_nameservers config directive in squid.conf.
I use 127.0.0.1 (Unbound), and all my clients point to the same DNS server.
-
@vlurk Oh yeah, that's already in the GUI.
What about...
client_persistent_connections on
client_persistent_connections off
"Squid uses persistent connections (when allowed). You can use this option to disable persistent connections with clients."
http://www.squid-cache.org/Doc/config/client_persistent_connections
Maybe this could help. I must have read every single Squid option to find something.
I also have certificate adaption disabled. I leave the certificates as they are and have it set to not check. The other ways had issues for me for some reason.
I am just throwing ideas out now for testing. I had no idea squid has so many other configuration options.
http://www.squid-cache.org/Doc/config/sslproxy_cert_error/
They have a certificate SSL based error conditional statement for ACL use that is domain specific I found.
http://www.squid-cache.org/Doc/config/happy_eyeballs_connect_gap/
http://www.squid-cache.org/Doc/config/happy_eyeballs_connect_timeout/
Maybe...
happy_eyeballs_connect_gap ??
Or
happy_eyeballs_connect_timeout
"Happy Eyeballs is an algorithm published by the IETF that makes dual-stack applications more responsive to users by attempting to connect using both IPv4 and IPv6 at the same time, thus minimizing common problems experienced by users with imperfect IPv6 connections or setups."
-
Updating this thread for everyone...
Uninstall Squid Proxy. As I long suspected by the lack of movement in any of the redmines, Netgate has decided to deprecate Squid Proxy.
I consider this a really good thing... But if there is a need to MITM something, I don't know of any open source alternatives other than looking at other security vendor firewalls which have custom but supported proxy configuration.
https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software
-
@michmoor Like Lightbeam, and many other tools that worked very well it seems soon after you can no longer use them.
I wonder what alternatives there are?
I for one will stay with 23.09 just to use Squid. Dang :( It's sad I spent years getting this to actually work.
-
What is the next official Netgate product that will continue to support a proxy with SSL intercept that can be purchased? Now that this is being twilighted?
What version should I upgrade to for proxy caching abilities? I have an SG-2100 currently. Should users move to Palo Alto?