Feature - Next Gen features #460
Comments
|
Only "man in the middle" using squid is in our plans, but not scheduled yet. I don't think RPZ is in unbound at the moment, although I'm not sure. Adding another DNS-like system to the base system probably isn't a very good idea without removing / cleaning something else there first. If you can code, you can take a look at our plugin system and development model: Patches on our squid module are also welcome, as long as they follow the guidelines. (No shell code in the PHP frontend/middleware, clean separation of concerns, detach frontend/backend to allow API usage). Help in testing is also very welcome. |
|
Hi Ad, Good to hear there are plans for working on SSL inspection. it should not be that hard to include AV scanning in the same path. i will look into that to see if i can be of any help. for the RPZ, I really think this is a great value to add to the firewall, also because it is a relatively easy thing to get working. only requirement is to use a DNS server that supports it. Bind does. let me know what you think |
|
if you need any help on squid and MITM just let me know...i already have a squid instance with MITM at home... it would also be nice to implement something like store-id deduplication with squid for caching YouTube and Facebook etc. (i also have some ideas about that) |
|
Hi Langerma, sharing about the MITM would be great. Do you have it working transparently? |
|
I can give you my config stuff i use. |
|
That would be great. |
|
i use it on a dedicated server under freebsd 10 (squid3.5) with the flags i posted to franco |
|
where can i find it? |
|
the flags in opnsense methinks... :D https://github.com/opnsense/tools/blob/master/config/15.7/make.conf#L17-L18 |
|
i mean the config stuff :) |
|
i share it with you, i already have it on my github account |
|
https://github.com/langerma/squidconfig --> there is some unused stuff i have to clear out...will update it with a clarified version in the next few weeks |
|
thank you very much |
|
afaik there are new options available to generate and inspect certs...but i have to take a look at it. |
|
do you mean the Dynamic SSL Certificate Generation ? |
|
No I am thinking about that one: Make bumping decisions after the origin server name is known, especially when intercepting SSL. Avoid bumping non-SSL traffic. |
|
langerma, did you also add some AV scanning to the decrypted traffic? For what usecase did you set this up? |
|
i did not add any av scanning but i am looking forward to adding it. with this config and the perl script you are also able to make use of deduplication which means cdn network stuff is only stored once. |
|
Ok cool, I'll look if i can get it working with AV scanning on the decrypted traffic. If it works i'll let you know |
|
nice! i have never played around with the av scanning stuff. |
|
maybe this document brings some improvement: http://marek.helion.pl/install/squid.html that peek and splice feature seems to be awesome stuff for transparent proxy. |
|
@fichtner - If we manually make changes to the squid.conf will it be completely overwritten by any changes made in the GUI or is the GUI only making modifications to the variables it uses? |
|
@oparoz there is a squid template that can be edited to retain manual changes, but these will be rewritten on firmware upgrades |
|
Thanks. I'll have to keep that in mind :) |
|
I will close this and have opened a new ticket for the sslbump feature in squid: #779 |
Feature Request:
Can we have some "Next Gen" features implemented:
or are those already on the roadmap?
please let me know if i can help