OpenSense on SG-2100
-
I still use DSL I have tons of hits, pages of them plus ClamAV blocks https items all the time for me. You can set the no cache tag to ignore in squid also if needed. Dynamic cache of Windows updates also.
-
@JonathanLee said in OpenSense on SG-2100:
You can set the no cache tag to ignore in squid also if needed.
But usually web sites set that "no-cache" tag for a valid reason, and the most common is some dynamic content on the page relies on a fresh copy of said content. So overrriding the "no-cache" tag can result in a non-functional or otherwise broken web page-- including some not-so-obvious breakage that might be significant.
Squid is generally considered as a technology whose time came and went about 10 years ago. And some argue it's even farther back than that. Go read some of the posts and debate in the Squid vulnerability thread over on the OPNsense forum.
-
If you absolutely have to have a proxy, you should setup a local proxy VM or system (or even a docker container) on a dedicated device instead of running it on your edge/firewall. You can still redirect traffic to it or configure clients to use it directly. I'd be surprised if it was doing as much for you as you think, especially on a 2100.
-
@bmeeks I think a value-add to the package is the MITM aspect. Unfortenly most if not all of the blocklists that were used for Squid are no longer or just not good when compared to commercial products.
Im of two minds about it.
Squid is an oldie but a goodie. It can still have some relevance today for page blocking or content control albeit in limited scope.If you have a proxy in the path, you cant bypass at all. DoH is a game of wack-a-mole. Easy to do but can be easily bypassed. -
@jimp
This was suggested on Reddit and i think its a good idea if one has the resources.
Squid with the unresolved CVEs is probably best sitting behind a firewall . I dunno. Just a thought. -
@JonathanLee said in OpenSense on SG-2100:
I want the web cache support for Squid is what I am after. I am going to be stuck in 23.05.01 land until the end of time.
23.09 includes Squid per the blog post.
re: cache, SSD is recommended for the disk writes on eMMC...
https://www.netgate.com/supported-pfsense-plus-packages
https://docs.netgate.com/pfsense/en/latest/troubleshooting/disk-lifetime.html -
SSD
@JonathanLee I see from one of your other posts you have a Max so never mind this comment. I like to post it when it comes up since many don't know about the recommendation list (which would help if it was in the docs, or linked from the docs; AFAIK it isn't).
-
Indeed Squid is in 23.09. I agree though, running a separate internal proxy is probably a better option.
-
@stephenw10
To be fair, commercial solutions like Cisco Umbrella or Zorus do a really better job at this whole proxy thing.
I know there isnβt a home lab or SMB pricing that makes sense which is really the pain point here for mostly everyone.
Also Iβm not aware of any commercial proxy to be used internally. Is BlueCoat still a thing? -
@michmoor what is bluecoat? I have Squid 6.6 running great in 24 minor issue the status page changed to non squidclient based. But other than that it has a lot of the CVEs fixed I am told itβs the latest and greatest.
-
If you want to proxy and filter all the traffic from/to a small country you call Bluecoat.
-
@stephenw10
SWG are the future. Its been the future? Its here now :)https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/
-
'SWG' seems like another acronym for what has been around for years. Maybe with a shinier front end glued onto it.
-
@stephenw10
lol oh for sure !