I'm looking for help modifying the stock squid config file. Within the GUI I can bypass the proxy completely (HTTP + HTTPS) for certain LAN IPs; however, this will also stop them from accessing the cached HTTP data. I don't want this; rather, I want the IP addresses in the range 192.168.1.2 - 192.168.1.200 to be excluded from HTTPS caching but still be able to access/cache with the HTTP proxy. I don't know how to modify the standard configuration files to allow this; pfSense will bypass (HTTP + HTTPS) any IP I add to "Bypass Proxy for These Source IPs". I specified these IPs as DHCP just for a bit of context, since my personal devices 192.168.1.200-192.168.1.254 are statically assigned devices which I was going to deploy the CAs on; I wanted to avoid having to deploy CAs to every single device which makes up my DHCP range. It won't be fun having to install CAs on someone's device every time a guest asks me for my WiFi password. Regarding SSL, I made a mistake on this: I just offhandedly generalized all HTTPS stuff as "SSL" since I'm used to people saying TLS/SSL when they refer to HTTPS. I'm running the HTTP proxy in transparent mode and I've included the current configuration I'm using for reference. Could you walk me through how I would go about modifying the configuration file? I'm not too familiar with squid terminology, so could you please explain it to me like I'm 5 (ELI5)? I don't know how to structure the directives and ACLs to allow this, since the GUI menu uses a "blanket" configuration for whatever you input; I need help with specifying the custom options.

# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.1.1:3128
http_port 127.0.0.1:3128 intercept
icp_port 0
digest_generation off
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
logfile_rotate 1
debug_options rotate=1
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.1.0/24
forwarded_for delete
via off
httpd_suppress_version_string on
uri_whitespace strip
cache_mem 2048 MB
maximum_object_size_in_memory 20480 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 256 MB
cache_dir aufs /var/squid/cache 36864 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#Remote proxies
# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
acl sslports port 443 563
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
# Custom options before auth
# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

> Send squid-users mailing list submissions to
> squid-users@xxxxxxxxxxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.squid-cache.org/listinfo/squid-users
> or, via email, send a message with subject or body 'help' to
> squid-users-request@xxxxxxxxxxxxxxxxxxxxx
>
> You can reach the person managing the list at
> squid-users-owner@xxxxxxxxxxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of squid-users digest..."
>
>
> Today's Topics:
>
> 1. Re: Bypassing SSL Man In the Middle Filtering For Certain LAN
>    IP's (Amos Jeffries)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 30 Jun 2019 18:36:19 +1200
> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Bypassing SSL Man In the Middle Filtering
>  For Certain LAN IP's
> Message-ID: <6e721121-1569-4b6c-21f0-6429d763c5ae@xxxxxxxxxxxxx>
> Content-Type: text/plain; charset=utf-8
>
> On 30/06/19 2:32 pm, Mike Golf wrote:
> > Hi All,
> >
> > I've setup a squid proxy server on my PFSense router, is there any way
> > of bypassing HTTPS/SSL filtering for certain LAN IP's.
>
> HTTPS is not normally filtered at all. So for that to be happening
> something must be forcing it - all you have to do is *not* force the
> filtering or MITM to happen.
>
> * remove any rules in your NAT or routes directing port 443 to the proxy.
>
> * remove any https_port in the proxy for receiving that intercepted traffic
>
> * remove any SSL-Bump config for handling intercepted port 443 traffic
> or decrypting CONNECT tunnels.
>
> With that all done you will at most be left with clients using the proxy
> in forward-proxy capacity to open CONNECT tunnels.
>
>
> > I have IP
> > addresses 192.168.1.0-192.168.1.200 allocated through DHCP and I want
> > these devices to bypass SSL interception but not the standard HTTP proxy.
>
> Consider how are those clients using the proxy in the first place? Their
> method of IP assignment has nothing to do with it.
>
>
> >
> > Since most modern sites use HTTPS by default HTTP caching isn't that
> > effective anymore,
>
> That is a deceptive statement, more false than most think. But
> irrelevant since what you are wanting will prevent HTTPS caching entirely.
>
>
> > however I want my personal devices to use the SSL
> > proxy
>
> Note that SSL protocols both v2 and v3 are obsolete.
>
> Are you asking for:
> a) a TLS explicit proxy, or
> b) a TLS interception proxy, or
> c) a forward-proxy for relaying HTTPS ?
>
>
> > so I can get the fastest possible browsing experience without
> > having to install certificate authorities on my guests devices which use
> > the DHCP range.
> >
>
> A proxy is not going to do anything in regards to speed for those clients.
>
> The only way which you can improve speed with a proxy is by caching of
> HTTPS content - by avoiding all the re-encrypt delays on every request
> that can be made a HIT. But that requires those cert installations you
> are trying to avoid.
>
>
> Amos
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
>
>
> ------------------------------
>
> End of squid-users Digest, Vol 58, Issue 31
> *******************************************
>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
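The split the original poster describes, written out in Squid's own ACL and ssl_bump directives as an added example (it is not from the thread and not from pfSense's generated file): the DHCP range is intercepted on port 443 but spliced, i.e. passed through encrypted and never decrypted, so no CA is needed on those devices, while the static range is bumped and can therefore be cached. The https_port line (Squid 4 option syntax), the certificate path and the ACL names are assumptions; Amos's alternative of simply not redirecting port 443 from those source addresses at the firewall achieves the same result for the guests without touching Squid at all.

```conf
# Added example (not from the thread or the pfSense-generated file).
# An "acl" only NAMES a group of clients/ports/etc.; it does nothing on its
# own. A directive such as http_access or ssl_bump then says what to do with
# that group. Rules are read top to bottom and the FIRST match wins.

# Port 443 traffic the firewall redirects to Squid. pfSense generates a line
# like this when SSL interception is enabled; port and cert path are assumed.
https_port 127.0.0.1:3129 intercept ssl-bump \
    tls-cert=/usr/local/etc/squid/serverkey.pem \
    generate-host-certificates=on

# Client groups. A src ACL accepts an inclusive address range.
# .200 is listed in both ranges in the post; first match makes it a guest.
acl dhcp_guests src 192.168.1.2-192.168.1.200    # no CA installed
acl my_devices  src 192.168.1.200-192.168.1.254  # proxy CA installed

# SslBump step 1: only the client IP and destination IP are known so far.
acl step1 at_step SslBump1

# Decision table for intercepted TLS connections:
#   splice = hand the encrypted stream through untouched (no MITM, no cache)
#   peek   = read the TLS ClientHello (SNI) before deciding
#   bump   = decrypt/re-encrypt with the proxy CA (MITM, allows caching)
ssl_bump splice dhcp_guests    # guests: never decrypted, so no CA needed
ssl_bump peek   step1          # everyone else: look at the SNI first
ssl_bump bump   my_devices     # personal devices: cached, needs the CA
ssl_bump splice all            # anything unexpected falls back to pass-through

# Port 80 is untouched by the above: the existing
#   http_port 127.0.0.1:3128 intercept
# line keeps caching plain HTTP for every client, guests included.
# Check the syntax before reloading:  squid -k parse
```

On pfSense these lines belong in the package's custom options rather than in the generated file, which the header says not to edit by hand, and the firewall must redirect port 443 to the https_port for the bumping to happen at all.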