Messages - Toxsickcity

#1
I have had a bit of a rough ride with squid. It started off with breaking all websites, which I resolved one at a time.

It still breaks some sites I come across.

I recently found that the content I want cached is on the .io and .net so lucky for me I had sslNoBump the entire .com and fixed everything I was having problems with.

Only problem now is I want to cache maybe 2 .com domains.

I have used chatgpt to help but not sure it's correct. It's basically got me to edit the templates in opnsense as editing the main squid conf resets on a reboot.

So I have seen that adding entries into the template works and they stay after a reboot.

But I am soooo lost. I want to add a forced bumpssl, for example for nvidia.com. This is a snippet of the squid.conf:

Can someone help me write what I need properly?

Fyi. The ".com" for the sslNoBump is configured via the GUI. It must be called via a text file perhaps as I don't see it below.


acl bump_domains ssl::server_name_regex -i nvidia.com

# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/no>

# configure bump
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3

sslproxy_cert_error deny all

acl ftp proto FTP
http_access allow ftp


I have tried many different ways chatgpt has shown but all seem to fail.

acl bump_nvidia ssl::server_name_regex -i \.?(nvidia\.com)$
When I edit the line to
acl bump_domains ssl::server_name_regex -i .nvidia.com
It won't fail to launch squid but it won't cache the NVIDIA files.

Essentially I want to choose to have all websites bypass my proxy except the ones I choose.

Can I get some help on how to accomplish this?
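The snippet in the post defines bump_domains but no ssl_bump line references it, so the ACL never takes part in the decision. The fragment below is an added example (not from the post or from the OPNsense Squid plugin) of the usual peek-and-splice layout that bumps only a chosen list of domains and splices everything else; the domain list is a placeholder.

```squid
# Added example: bump only the listed servers, splice everything else.
# ssl::server_name matches the SNI (step 1) and the server certificate name
# (step 2+); a leading dot matches the domain and all of its subdomains,
# so no regex is needed. Placeholder domains.
acl bump_domains ssl::server_name .nvidia.com .example.com

# Step ACLs, as in the post.
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3

# Step 1: peek at the ClientHello so the SNI is known before any decision.
ssl_bump peek bump_step1 all

# Step 2: chosen domains are stared at (required to bump at step 3);
# everything else keeps being peeked so it can still be spliced.
ssl_bump stare bump_step2 bump_domains
ssl_bump peek  bump_step2 all

# Step 3: decrypt (and therefore cache) the chosen domains only;
# pass every other TLS connection through untouched.
ssl_bump bump   bump_step3 bump_domains
ssl_bump splice all

# Keep rejecting servers whose certificate fails validation.
sslproxy_cert_error deny all
```

Only the bumped domains see the proxy's CA certificate, so clients must trust that CA for those sites; spliced sites are unaffected.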
#2
Can I request that the Squid plugin have a field to add custom lines, or a way to adjust the expiry of items in the cache?

For things like big videos, exe files and archives, I would like to have my cache accessible without updates for at least 30 days.
I have tried adding these lines but they delete after router reboot.

refresh_pattern \.exe$ 1440 90% 43200
refresh_pattern \.zip$ 1440 90% 43200
refresh_pattern \.7z$ 1440 90% 43200
refresh_pattern \.rar$ 1440 90% 43200
refresh_pattern \.mp4$ 1440 90% 43200
refresh_pattern \.mkv$ 1440 90% 43200

I may be doing this wrong and would appreciate alternative options.
It appears my cache redownloads items at speed for only approx 12-24 hours, even after reboots, so the proxy is working. I would like the files to download from cache for at least 30 days.
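The refresh_pattern lines in the post use a minimum age of 1440 minutes, which is 24 hours, and say nothing about the largest object Squid will store, which by default is small enough to exclude videos and installers. The fragment below is an added example (not from the post or the OPNsense plugin) of a 30-day rule for large downloads together with the size limit it depends on; the values are placeholders to adapt.

```squid
# Added example: keep large downloads fresh in cache for about 30 days.

# Objects larger than maximum_object_size are never written to the cache,
# whatever the refresh rules say. The default is only a few MB, so raise it
# for videos and installers (placeholder value).
maximum_object_size 4 GB

# refresh_pattern <regex> <min minutes> <percent> <max minutes> [options]
#   min 43200  = 30 days: a hit is served as fresh for 30 days.
#   max 43200  = cap on freshness derived from Last-Modified via the percent.
#   override-expire : apply min even when the origin sent a shorter Expires.
#   reload-into-ims : turn a client "reload" into an If-Modified-Since check
#                     instead of a full re-download.
# Specific patterns must appear before the generic catch-all below.
refresh_pattern -i \.(exe|zip|7z|rar|mp4|mkv)$ 43200 90% 43200 override-expire reload-into-ims

# Squid's usual catch-all; patterns above it win for URLs they match.
refresh_pattern . 0 20% 4320
```

override-expire serves content past the origin's own expiry, so apply it only to file types whose contents do not change at a fixed URL.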
#3
Hello fellow Opn Users,

I have experimented and finally feel I am winning with the HTTPS battle so some services which just stopped are now working due to a new rule I created.
The Nat Proxy port forward rule has all traffic flowing to 127.0.0.1 to the proxy server.
I had issues with things like Backblaze and other services.

I have created a new Rule under NAT port forward and moved it above the http and https proxy rule and added a few ports in an alias to make it skip/ignore the http(s) proxy rule.
I understand it processes the rules top to bottom, and for the most it has worked for me.

I have limited knowledge in advanced networking and routing and I have a question.
I am concerned that I am port forwarding from anywhere to anywhere; I am scared I am potentially allowing bad actors into my network due to this port forwarding rule.
I understand if someone wants in, they will get in!! But I want to at least have a safe / normal network and don't know if I have created a HUGE sign saying come on in!

Please take a look at the attached image to see configuration of the rule for which I want to know if my fears are warranted or not.
Otherwise, quickly answered: as my rule is on the LAN interface, is having the port forward rule on LAN, not WAN, a reason for this to be safe?

Thank you,
Shaun.

#4
Thanks for the reply bud,

At the moment the source has item
"LAN net"

Do I replace that, as I don't have option to add to "LAN Nat" in the source field. Only a single item

Cheers.
Shaun
#5
Hello,

I have spent some time trying to let through our foxtel box but the squid is blocking it.

Can I grab some help regarding how I can completely bypass a local IP address, 192.168.0.183, from the NAT rules and the firewall rules?

Currently there is the http and https rules and only them.
It's port forwarding everything through the squid proxy and I am dumb as I tried various new rules pointing the address above trying to get it access.

Can someone advise which items to edit and if priority must be a factor. (Where the rule sits)

Essentially I just need 192.168.0.183 to work as normally. But as mentioned the port redirection to 127.x.x.x is where I am stuck.

I don't know what to do.

P.S. I also added that local IP address in the proxy access list to ban it. Didn't help.

Cheers
Shaun.
#6
Hello,

I'm new to opnsense.

I installed the squid proxy

I have http and https enabled, I also have used auto config for Nat->port forwarding for the redirects to the squid.

When I disable the redirects for https all is ok. If I enable the redirect, my wifi goes down for mobile phones (my phones no longer have internet and start using 4G mobile data).

My wifi is two TP-Link Omada APs and the controller is software based, running on a home PC.

To restore internet and wifi on phones I need to turn off the https NAT port forwarder.


Thanks,
Tox.