Certificate issue after starts squid proxy
-
@fmoragas said in Certificate issue after starts squid proxy:
mostly cellphones
You want to have some billy bob user's cell phone that connects to your wifi trust your proxy cert - automatically? Yeah not going to happen..
If you could do something like that - it would be a huge security issue..
-
@johnpoz said in Certificate issue after starts squid proxy:
You want to have some billy bob user's cell phone that connects to your wifi trust your proxy cert - automatically? Yeah not going to happen..
If you could do something like that - it would be a huge security issue..
I do not know if I was clear.
I would like internal devices, connected to my structure, once the transparent proxy was configured, to install and update the certificate automatically.
I understand that cell phone control can be much more complex. But is there any way to bypass their connection?
-
@fmoragas said in Certificate issue after starts squid proxy:
I would like internal devices, connected to my structure, once the transparent proxy was configured, to install and update the certificate automatically.
To load certificates on devices you control then you need to either do it manually or do it using GPO (assuming Windows infrastructure).
-
@michmoor ^ yup, for stuff like iPhones you could use "mobile device management (MDM)".
For android I am not sure..
-
Is it possible to allow browsing, even for machines that do not have the certificate installed?
I tried to do this, using the "Bypass Proxy for These Source IPs" field, but I ended up losing the real-time stats.
-
@fmoragas I would be remiss if I didn't bring up that Squid will no longer be available after the next pfSense update.
https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software
-
@michmoor
Thanks for the info. Do you know if there are any other similar resources available?
-
@fmoragas
I'm familiar with two alternatives.
- Stand up a local proxy on the LAN and redirect clients to that
- Don't use a proxy but instead DNSBL
-
@fmoragas said in Certificate issue after starts squid proxy:
Is it possible to allow browsing, even for machines that do not have the certificate installed?
I tried to do this, using the "Bypass Proxy for These Source IPs" field, but I ended up losing the real-time stats.
Yes, if those IPs bypass the proxy then you will see no stats from them. You only see stats from traffic that is proxied.
It would be better to use a non-transparent proxy so that all clients have to add the proxy to their config. Most client devices will then allow connections to it without adding a cert.
The other option is to use peek/splice to view the SNI data for connections, which doesn't require a cert. That gives only domain-level data though and will likely stop working at some point with the advent of encrypted SNI.
Steve
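To illustrate Steve's peek/splice point, that the SNI is readable before any certificate is involved, here is an added example that is not from the thread, pfSense or Squid: a small Python parser that pulls the server_name out of a TLS ClientHello. The input is a ClientHello constructed in the script (not a capture), and the no-SNI case shows the limitation: without the extension there is nothing domain-level to log.

```python
import struct

def build_client_hello(hostname=None):
    """Assemble a minimal TLS ClientHello record (constructed test input, not a capture).
    With hostname=None the server_name extension is omitted."""
    body = b"\x03\x03" + bytes(32)                       # client_version TLS 1.2, 32-byte random (zeros)
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                  # one compression method: null
    exts = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"  # ec_point_formats, so the list is never empty
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0), length, name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList length prefix
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni      # extension type server_name(0)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    # Record header: content type handshake(0x16), legacy version TLS 1.0, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name from the server_name extension, or None if absent.
    Raises ValueError if the bytes are not a handshake record carrying a ClientHello."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                         # record header, handshake header, version, random
    pos += 1 + record[pos]                       # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                       # compression_methods
    if pos >= len(record):
        return None                              # hello carries no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x0000:
            # ServerNameList: u16 list length, then entries of (u8 name_type, u16 length, name)
            p = pos + 2
            while p + 3 <= pos + ext_len:
                name_type = record[p]
                name_len = struct.unpack_from("!H", record, p + 1)[0]
                if name_type == 0:
                    return record[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        pos += ext_len
    return None                                  # no server_name extension: nothing domain-level to log

if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))   # www.example.com
    print(extract_sni(build_client_hello()))                    # None
```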
-
@stephenw10
The Bypass Proxy part of the config is only applicable to the transparent proxy config anyway, I believe.
The only caveat about using transparent mode is that it will break connectivity as documented by a few of us here: https://redmine.pfsense.org/issues/14390
So it's highly recommended to use it as an explicit proxy; otherwise Squid will break the majority of the outbound flows in transparent mode, which otherwise works well enough.
-
@michmoor said in Certificate issue after starts squid proxy:
https://redmine.pfsense.org/issues/14390
It does depend on what you're connecting to but yeah the 409 error can be painful.