pfsense proxy
-
Good afternoon. If anyone can help me with two problems: I have it configured as a transparent proxy, only Squid; I did not install SquidGuard because Squid is already solving the blocking problems that we have. "Enable SSL filtering" is active and working, and all computers have the certificate. The first doubt is: when I put all of Google, especially Gmail, in Splice, every now and then I get errors and it doesn't go in; I have to keep pressing F5 or change browsers to get it working again. This happens with all browsers; generally F5 brings it back. It is an intermittent problem and it happens on all computers (we have around 60). When I put it in "Splice Whitelist, Bump Otherwise" it works normally without this problem, but then the banks give the problem; I have to put the computers that access the bank manager on bypass. How do I solve this problem? And another one: when I try to unlock Google Drive it unlocks YouTube as well; would I also have to do something to make Google Drive free and YouTube not?
-
With SSL intercept you need to mark some items as splice only; you still do this with it set to custom under Advanced in Squid.
This is mine as an example. The acl splice_only is for things that are always spliced, like smartphones etc. NoSSLIntercept is a regex text file I have saved at the path /usr/local/pkg/url.nobump; this has a big list of websites I cannot MITM SSL intercept, like banks, email and other websites.
Contents of /usr/local/pkg/url.nobump (one regex per line; the labels are kept on their own '#' comment lines so Squid does not read them as part of the pattern):
# Tubi
^.*conviva\.com.*
# Tubi
license\.adrise\.tv.*
# MS Office
c2r\.ts\.cdn\.office\.net
# MS Office
^.*cdn\.office\.net
# Bitdefender
^.*bitdefender\.net
# MS Teams
config\.teams\.microsoft\.com
# MS domain / Office
^.*.azure-devices\.net
# Office
substrate\.office\.com.*
# Hulu
hulu\.playback\.edge\.bamgrid\.com
# CDN
assetshuluimcom-a\.akamaihd\.net
# Hulu
hulu\.sc\.omtrdc\.net
# Streaming
infinity-c33\.youboranqs01\.com
# something I needed for something
beacons\.extremereach\.io
# Tubi
^.*tubi\.video
# Streaming / Tubi
a-fds\.youborafds01\.com
# Tubi
youboranqs01\.com
# CDN
amzpvxrayasset-a\.akamaihd\.net
Your list will grow as needed. What mine has are items I have to set to splice, stop inspecting and not cache. I trust them; they are sites I use all the time. Banks' websites etc. should be in here, plus email, Office, Gmail, sites like that. Sites you do not go to all the time should be inspected.
This takes a long time to configure. Once it is done it works great.
I set the system to peek first to look at the request. If it's a request from a private IP seen in my acl splice_only src, it is set to splice it; if it's not, it then checks the URLs to splice; after that I stare at step2 and bump after. (stare has a default bump after, but I hard set it.) The other commented-out lines I have are for always bump, but they are disabled.
Custom options in the Squid advanced section:
acl splice_only src 192.168.1.6 # Nick iPhone
acl splice_only src 192.168.1.7 # Jon Android
acl splice_only src 192.168.1.8 # Tasha iPhone
acl splice_only src 192.168.1.10 # Jon iPhone
acl splice_only src 192.168.1.11 # Amazon Fire
acl splice_only src 192.168.1.15 # Tasha HP
acl splice_only src 192.168.1.16 # iPad
acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/url.nobump"
ssl_bump peek step1
ssl_bump splice splice_only
ssl_bump splice NoSSLIntercept
ssl_bump stare step2
ssl_bump bump step3
#acl SSLIntercept ssl::server_name_regex -i "/usr/local/pkg/url.bump"
#ssl_bump bump SSLIntercept
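The rule order above only makes sense once you see how Squid walks the three SslBump steps and takes the first matching rule at each one. The script below is an added example (not the poster's code and not part of pfSense or Squid); it models the same five ssl_bump rules with first-match semantics, loads a constructed stand-in for /usr/local/pkg/url.nobump with a few made-up host names, and reports which step and action a given client IP and SNI end up with. It also includes a small check for the most common way a splice list silently breaks: a label typed after the pattern on the same line becomes part of the regex, the entry never matches, and a bank or webmail site gets bumped instead of spliced. The IPs, host names and the `classify`/`check_patterns` helpers are all assumptions for illustration.

```python
import re

# Constructed stand-in for the poster's /usr/local/pkg/url.nobump (example entries, not the real list).
# One case-insensitive regex per line; squid skips blank lines and lines that start with '#'.
NOBUMP_FILE = """\
# banks, webmail and MS Office endpoints are spliced, never bumped
^.*\\.mybank\\.example$
^mail\\.example\\.com$
^.*\\.office\\.net$
"""

# Constructed: clients without the proxy CA (phones, tablets) that must always be spliced.
SPLICE_ONLY_SRC = {"192.168.1.6", "192.168.1.7"}

# The poster's ssl_bump rules in configuration order. Squid evaluates them top to bottom
# at every step and takes the first rule whose ACL matches.
SSL_BUMP_RULES = [
    ("peek", "step1"),
    ("splice", "splice_only"),
    ("splice", "NoSSLIntercept"),
    ("stare", "step2"),
    ("bump", "step3"),
]


def load_regex_file(text):
    """Parse an acl file the way squid does: skip blanks and '#' lines, one pattern per line."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(re.compile(line, re.IGNORECASE))  # the -i flag on the acl
    return patterns


def check_patterns(text):
    """Return (line, problem) pairs for entries that can never match a server name.

    A label after the pattern on the same line (e.g. 'foo\\.example TUBI') is read as part
    of the regex, so the entry stops matching and the site is bumped instead of spliced.
    """
    problems = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if re.search(r"\s", line):
            problems.append((line, "whitespace inside pattern: comments must start with #"))
            continue
        try:
            re.compile(line)
        except re.error as exc:
            problems.append((line, f"invalid regex: {exc}"))
    return problems


NOBUMP = load_regex_file(NOBUMP_FILE)


def acl_matches(acl, step, src, sni):
    """Evaluate one of the poster's ACL names for the current bumping step."""
    if acl in ("step1", "step2", "step3"):
        return acl == f"step{step}"
    if acl == "splice_only":
        return src in SPLICE_ONLY_SRC
    if acl == "NoSSLIntercept":
        # In transparent mode the SNI is only known after peeking at the ClientHello (step 2+).
        return sni is not None and any(p.search(sni) for p in NOBUMP)
    raise ValueError(f"unknown acl {acl}")


def decide(step, src, sni):
    """First-match evaluation of the ssl_bump rules for one step."""
    for action, acl in SSL_BUMP_RULES:
        if acl_matches(acl, step, src, sni):
            return action
    return "none"  # squid default: plain TCP tunnel, no inspection


def classify(src, sni):
    """Walk the SslBump steps and return the action taken at each one.

    Step 1 sees only the destination IP (sni=None); the peek reveals the SNI for step 2.
    After 'stare' at step 2 splicing is no longer possible, so step 3 can only bump.
    """
    actions = [decide(1, src, None)]
    if actions[-1] != "peek":
        return actions
    actions.append(decide(2, src, sni))
    if actions[-1] == "stare":
        actions.append(decide(3, src, sni))
    return actions


if __name__ == "__main__":
    for src, sni in [("192.168.1.6", "www.google.com"),
                     ("192.168.1.50", "online.mybank.example"),
                     ("192.168.1.50", "www.google.com")]:
        print(src, sni, "->", " / ".join(classify(src, sni)))
    for line, problem in check_patterns("license\\.adrise\\.tv.* TUBI\n"):
        print("BAD ENTRY:", line, "=>", problem)
```

Running `check_patterns` over your real url.nobump before reloading Squid is a cheap way to confirm that every bank and webmail entry still matches; a phone in splice_only is spliced at step 2 regardless of the SNI, a listed host is spliced at step 2 for everyone, and everything else goes peek, stare, bump.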
-
Another issue I have seen is on ISPs that only use IPv4: Squid can get mixed up at times with IPv6.
To fix this issue I have custom DNS Unbound resolver settings.
You have to start with server: since that enables it to save the custom area; without it this will never save. I only have IPv4, so I set it to do IPv4 and prefer it, disable IPv6, and not use the AAAA records; they are always IPv6.
server:
do-ip4: yes
prefer-ip4: yes
do-ip6: no
prefer-ip6: no
private-address: ::/0
dns64-ignore-aaaa: *.*
do-not-query-address: ::
do-not-query-address: ::1
do-not-query-address: ::/0
-
@JonathanLee said in pfsense proxy:
Another issue I have seen is on ISPs that only use IPv4: Squid can get mixed up at times with IPv6.
To fix this issue I have custom DNS Unbound resolver settings.
You have to start with server: since that enables it to save the custom area; without it this will never save. I only have IPv4, so I set it to do IPv4 and prefer it, disable IPv6, and not use the AAAA records; they are always IPv6.
server:
do-ip4: yes
prefer-ip4: yes
do-ip6: no
prefer-ip6: no
private-address: ::/0
dns64-ignore-aaaa: *.*
do-not-query-address: ::
do-not-query-address: ::1
do-not-query-address: ::/0
Thank you, I'm testing.
-
@dieggocampos I had so many issues with IPv6 and Google trying to force it on me; my ISP is IPv4 only, so I had to manually disable it.