Transparent proxy - good idea?

Hello all,

I’ve set up a Squid transparent proxy and found out that some of my devices are having trouble with it - PS Vue, Netflix, Arlo cameras, etc.

So the initial premise was that if a FW rule forces traffic through this proxy, then it’s a good thing for security, caching, etc.

I wonder if anybody is using it for a home network and can bring up a good justification or use case for using it.

Thx

hi,

Proxies and SSL are not the greatest of friends, since the session between your device and the server is encrypted. Interrupting that encryption anywhere along the way will cause problems. While SSL is good for security, it does make running caching servers painful, as you have to have a cert installed on every machine behind the proxy, and I don’t know about you, but I am not able to install it on things like Blu-ray players, IoT devices, and anything you don’t own, like a device that a guest owns. Blocking secure sites is not a practical solution, as most of the internet sits behind SSL, thanks to organizations like Let’s Encrypt and browsers like Chrome and Firefox trying to deprecate HTTP in favor of HTTPS.

@Night_Rider0
Thx, it sounds like you made a ‘no love’ case…

Without directly saying it, yes, but just saying no does not give you my thought process.

Don’t use it for HTTPS traffic, the so-called “man in the middle” setup. It’s possible, but not worth it, as you will need to manually install your own cert on every network device so they trust it. Pain in the butt, and not even possible on some devices.

But for non-encrypted traffic you may see some benefit. I personally use Squid Proxy and SquidGuard for non-encrypted traffic.

@drowsy

That’s the question - what benefits do you see for non-encrypted traffic?

The benefit of having a cache right on your network. If the content can be cached, it’s a lot faster to retrieve it from your pfSense box than pulling it from some server on the net somewhere.

If you want to read about using Squid with HTTPS (encrypted) traffic here’s a good article.

You may have seen this, but this is @LTS_Tom’s thoughts on the subject. Just putting this here for other people reading this thread with the same question.


I need to watch it again, but I vaguely recall that that was the main reason I stopped using it.

Still trying to balance out ‘cost vs benefits’

That is always the question we must answer, good luck!

I will do a more in-depth video about this soon, but a lot of internet traffic has been moving to the QUIC protocol because it is faster, due to being a more efficient protocol. To my knowledge, no one has come up with a way to cache this protocol, as it works on UDP, so proxies such as Squid suggest you block it. Blocking QUIC will make your connection slower for now, and probably broken in the future if sites such as Google, Facebook, YouTube, etc. turn off the fallback to TCP when it is blocked.

https://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol


If you’re just looking to block sites, Squid has a feature to filter TLS traffic based on the SNI information allowing you to block encrypted sites without needing to install certificates on client machines. Since the traffic doesn’t get decrypted on the firewall, it obviously doesn’t do you any good with caching. Also, this solution will likely not work in the future as newer versions of TLS encrypt the SNI extension.
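An added example, not from the thread or from Squid itself, showing what an SNI-based filter like the one described actually reads: the host name sits in the plaintext ClientHello, so a firewall can classify the connection and pass it through or drop it without ever decrypting the session. The ClientHello builder, the block list and the hypothetical `sni_decision` helper are constructed for this example; the verdict names mirror Squid’s splice/terminate vocabulary.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS ClientHello record carrying an SNI extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type host_name(0)
    sni = struct.pack("!H", len(entry)) + entry                         # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni                    # extension server_name(0)
    body = (b"\x03\x03" + bytes(32)        # legacy_version, random
            + b"\x00"                      # session_id: empty
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                  # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs            # record type handshake(22)

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None. Nothing is decrypted: SNI is sent in the clear."""
    try:
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if record[0] != 0x16 or hs[0] != 0x01:
            return None                                                 # not a ClientHello handshake record
        pos = 4 + 2 + 32                                                # handshake header, version, random
        pos += 1 + hs[pos]                                              # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]              # cipher_suites
        pos += 1 + hs[pos]                                              # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]         # extensions block
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:
                p, stop = pos + 2, pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
                while p + 3 <= stop:
                    ntype, nlen = hs[p], struct.unpack("!H", hs[p + 1:p + 3])[0]
                    if ntype == 0:
                        return hs[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
            pos += ext_len
    except (IndexError, struct.error):
        pass                                                            # truncated or malformed record
    return None

BLOCKED_SUFFIXES = (".example.net",)                                    # constructed block list

def sni_decision(record: bytes) -> str:
    """Squid-style verdict: 'terminate' a blocked name, otherwise 'splice' the connection through untouched."""
    name = extract_sni(record)
    if name is None:
        return "splice"                # no name to classify on; an SNI filter has nothing else to go on
    return "terminate" if name.endswith(BLOCKED_SUFFIXES) else "splice"
```

With Encrypted ClientHello the outer message carries only a cover name, so this kind of filter sees nothing useful, which is the limitation the post above points out.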