explicit proxy & root cert question
-
I'm a bit confused on transparent vs explicit proxies. I understand how I have to create and install a root cert on all devices going through a transparent proxy, and I understand why.
However, I'm a bit fuzzy in my understanding if I were to set up an explicit proxy.
If I don't need to install a root cert on the client PC/device, how is SSL handled between the client device and the proxy server? Would I still receive the browser trust error? Also, what about other apps that aren't web-browser based? If an app on my workstation communicates with a web service over encrypted port 563 (for example), what happens there? Does it still go through the proxy, and does the proxy communicate over 563?
What if said app has its own cert? Does it matter any more? Thanks!
-
I do both: I have some devices set to transparent mode and others set to secure.
You can create custom options on Squid to do this.
What proxy are you using?
-
I'm not using any proxy at the moment, but it's a path that I definitely would like to go down.
"I do both I have some devices set to transparent mode and others set to secure." What do you mean by "transparent mode" and "secure (mode?)"?
I understand transparent proxy and about 75% of how it works. It's the explicit proxy that I have a few questions about.
What I would like to do is create 2 VLANs (could use more, but for the purpose of this discussion we'll stick with 2):
- TVs (Rokus in particular). I like having them behind pfBlockerNG and not having all the junk and ads popping up. Rokus don't have the provisioning to put in a proxy statement, so I'd have to put them on their own VLAN, but that's ok. I'm fine with this.
- Workstations/laptops/phones/etc. This VLAN is important because I have a couple of very important workstations on it. Laptops/phones I figure would be good as well because they're accessing the internet. I have a media workstation that also downloads media from a Usenet server. It's encrypted, but I'd still prefer the downloaded files to be scanned just to be safe.
I would like to proxy VLAN2. I would prefer to set up a WPAD instance so that all devices get the config and it just "works" once connected to it, but I dunno how this works behind the proxy insofar as encryption is concerned. Is the traffic from the proxy to the device re-encrypted? I understand that it is in a transparent proxy setup, and certs have to be installed, yadda yadda, but what about in an explicit proxy? Is the traffic from the device encrypted to the explicit proxy?
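Added example (not from this thread, nor Squid or pfSense code) showing the mechanism the question is about: with an explicit proxy, the client itself sends `CONNECT host:port` to the proxy, the proxy answers `200 Connection established`, and from then on it relays bytes verbatim in both directions. The TLS handshake happens inside that tunnel, end to end between client and origin, so the proxy never presents a certificate and no proxy CA has to be installed; only a proxy that terminates TLS to inspect it (the "bump" style) needs that CA, exactly as in the transparent case. The demo runs a tiny proxy, a stand-in origin and a client in-process on localhost; the payload is a constructed byte string standing in for TLS records, and all names here are the example's own.

```python
import socket
import threading

# Constructed stand-ins for the client's and server's TLS bytes.
OPAQUE_PAYLOAD = b"\x16\x03\x01<constructed stand-in for client TLS bytes>"
ORIGIN_REPLY = b"\x16\x03\x03<constructed stand-in for server TLS bytes>"


def _relay(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst (the tunnel)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # ephemeral port on loopback
    s.listen(1)
    return s


def _serve_origin(sock, record):
    """Stand-in origin server: record what arrives, answer with a fixed reply."""
    conn, _ = sock.accept()
    with conn:
        record["origin_received"] = conn.recv(4096)
        conn.sendall(ORIGIN_REPLY)
        conn.shutdown(socket.SHUT_WR)
        while conn.recv(4096):  # wait for the peer's half-close
            pass


def _serve_proxy(sock, record):
    """Explicit (forward) proxy that understands only CONNECT."""
    client, _ = sock.accept()
    with client:
        head = b""
        while b"\r\n\r\n" not in head:
            head += client.recv(1024)
        request_line = head.split(b"\r\n", 1)[0].decode("ascii")
        method, target, _version = request_line.split(" ")
        if method != "CONNECT":
            client.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
            return
        host, port = target.rsplit(":", 1)
        # The request line is all the proxy learns about the session.
        record["proxy_saw"] = (method, host, int(port))
        with socket.create_connection((host, int(port))) as origin:
            client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            up = threading.Thread(target=_relay, args=(client, origin))
            up.start()
            _relay(origin, client)
            up.join()


def run_demo(payload=OPAQUE_PAYLOAD):
    """Run client -> explicit proxy -> origin in-process; return what each side saw."""
    record = {}
    origin_sock, proxy_sock = _listen(), _listen()
    origin_port = origin_sock.getsockname()[1]
    proxy_port = proxy_sock.getsockname()[1]
    threads = [
        threading.Thread(target=_serve_origin, args=(origin_sock, record)),
        threading.Thread(target=_serve_proxy, args=(proxy_sock, record)),
    ]
    for t in threads:
        t.start()
    with socket.create_connection(("127.0.0.1", proxy_port)) as c:
        # Explicit proxy: the client knowingly asks for a tunnel to host:port.
        c.sendall(f"CONNECT 127.0.0.1:{origin_port} HTTP/1.1\r\n"
                  f"Host: 127.0.0.1:{origin_port}\r\n\r\n".encode("ascii"))
        status = b""
        while b"\r\n\r\n" not in status:
            status += c.recv(1024)
        record["proxy_status"] = status.split(b"\r\n", 1)[0].decode("ascii")
        # From here on the bytes are opaque to the proxy; real TLS starts here.
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        got = b""
        while chunk := c.recv(4096):
            got += chunk
        record["client_got"] = got
    for t in threads:
        t.join()
    origin_sock.close()
    proxy_sock.close()
    return record
```

The same exchange answers the "port 563" question: an application that honours the proxy setting (via WPAD or a manual setting) sends `CONNECT host:563` and its own TLS session, with whatever certificate it pins, runs untouched inside the tunnel; an application that ignores proxy settings never talks to an explicit proxy at all and would only be caught by a firewall rule or a transparent proxy.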
-
@jc1976, for your question... it works exactly like the proxy in a Palo Alto Firewall, same way, certificates and all; that is all I can say. Nothing out of the ordinary. Standard stuff.