Hi there,
Again a question.
I put in place the squid proxy (transparent). It's working.
All firewall rules are in place and NAT rules the same.
Again, it's working if people add certificate (CA) in their browser.
The problem (a problem in the sense that it's not working, and I want to understand why, so that if I have the same with another site I can figure this out, or not).
I can't go to the discord site (channel). I have a page with the icon ... nothing else.
If I disable the NAT and firewall rules, all is ok.
If I re-enable (NAT and rules) and put ".discord.com" in the "ssl no bump sites" option (admin/forward proxy/general) it doesn't change anything.
If I try the admin/forward proxy/access control and put it on the "Whitelist" ... doesn't work either (I tried "*.discord.com" and ".discord.com").
Any idea?
thanks if you already solved this.
Best regards ... and sorry for my English ... I'm French-speaking and not perfect in English !! :-)
When you open the website with a browser and turn on developer tools and look what URLs are being accessed, you will find a multitude of URLs, including:
discordapp.com
discord.gg
and maybe others. Any of those URLs / domains can enforce certificate pinning or CAA, so you would have to add all of those domains to your SSL bump sites.
You can also use the developer mode console to see which URLs cannot be loaded and add those step-by-step.
You see why I said that transparent proxying takes a lot of work, now, do you? Imagine doing that for any website you want to use....
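Added example, not part of any post in this thread: a small Python check of which hostnames collected from the browser's developer tools are still outside the no-bump list. It assumes the list is matched with Squid's dstdomain-style rules (a leading dot covers the domain and its subdomains, and there is no `*` globbing); the subdomain names in the sample are constructed.

```python
# Added example. Assumption: no-bump entries follow Squid dstdomain-style
# matching. Sample hostnames below are constructed for illustration.

def normalize(name):
    """Lower-case a hostname and drop whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")

def entry_matches(entry, host):
    """'.example.com' covers example.com and every subdomain;
    'example.com' covers only that exact host."""
    entry, host = normalize(entry), normalize(host)
    if entry.startswith("."):
        base = entry[1:]
        # Require a label boundary so 'notexample.com' is not matched.
        return host == base or host.endswith("." + base)
    return host == entry

def audit(no_bump_entries, observed_hosts):
    """Return (entries that will not act as wildcards,
               observed hosts that would still be bumped)."""
    invalid = [e for e in no_bump_entries if "*" in e]
    usable = [e for e in no_bump_entries if "*" not in e]
    still_bumped = sorted(
        {normalize(h) for h in observed_hosts
         if not any(entry_matches(e, h) for e in usable)}
    )
    return invalid, still_bumped

# The two entries tried in the first post.
NO_BUMP = [".discord.com", "*.discord.com"]

# Constructed list standing in for what the developer tools network tab shows.
OBSERVED = [
    "discord.com",
    "cdn.discordapp.com",
    "gateway.discord.gg",
    "notdiscord.com",
]

if __name__ == "__main__":
    invalid, still_bumped = audit(NO_BUMP, OBSERVED)
    for e in invalid:
        print(f"entry is not a wildcard in this syntax: {e}")
    for h in still_bumped:
        print(f"still intercepted, no matching no-bump entry: {h}")
```

Each host it reports needs its own dotted entry (for the domains named above, `.discordapp.com` and `.discord.gg`) before the check comes back empty.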
Quote from: meyergru on October 15, 2025, 06:40:31 PM
When you open the website with a browser and turn on developer tools and look what URLs are being accessed, you will find a multitude of URLs, including:
discordapp.com
discord.gg
and maybe others. Any of those URLs / domains can enforce certificate pinning or CAA, so you would have to add all of those domains to your SSL bump sites.
You can also use the developer mode console to see which URLs cannot be loaded and add those step-by-step.
You see why I said that transparent proxying takes a lot of work, now, do you? Imagine doing that for any website you want to use....
Hi,
Thanks ... didn't think about that !
Yes, he, lot of work so.
As you say that, did you have some advice?
Not using the transparent proxy? If yes, what to put in place? I want my network to be "hidden" as much as possible.
If you want that, you could use a VPN and hide your outbound traffic behind it. A transparent proxy could only be used in order to keep your children from using websites you do not want them to - however, that could be done with a locked-down PC as well.
Then again, most tracking and tracing happens via cookies and browser fingerprinting anyway, and if you use several websites, you will undoubtedly leave traces regardless of using a proxy or a VPN.
Also, think about if you use Google DNS (or any other, for that matter). Or the Firefox "safe browsing" feature. The latter presumably only transmits "metadata" (i.e. hashes) of the URLs you browse to. That way, nobody could ever know what URLs you have visited, right?
Wrong: If you had an index of all websites and URLs together with their hashes, you could just look the URL up from the hash. And how could anyone have such a list? Well, Google comes to mind... and guess who provides that service (for "free")?
In short: You can provide full anonymity for specific purposes with an anonymizing browser over a VPN (even TOR has been compromised already), but do not even think about using the same browser for all your needs and expect not to be tracked. And BTW: you paid anonymously for that VPN, didn't you?
Hey,
I agree with what you said, even if I'm not a "top level" specialist.
The network is a "not private" network, right now completely "open"
I want it "safe" and "most hidden as possible" (need it).
I hesitate between "vpn and proxy" or "just vpn" or "just proxy".
Finally I thought "just proxy" was nice (I don't need absolutely to block sites. I just block "adults" right now just to prevent download).
I also installed the proxy as the antivirus (ClamAV/C-ICAP) needs it.
Right now I use OPNsense/ACME client/C-ICAP+ClamAV/CrowdSec/Intrusion detection/ZenArmor/Squid Proxy
If you have any other professional config I'm open ! (most hidden as possible, antivirus/malware).
And still impossible to have Discord working even with additional domains in the bump list ... maybe I need SOCKS5 to have bidirectional talk ...
Thanks
Best regards