pfSense Transparent Squid Proxy, SSL Man In The Middle, Clam AntiVirus, and Windows Updates
USE AT YOUR OWN RISK: The following procedures may be illegal in some countries. Follow all local laws and regulations for your area. I am not responsible for any issues or damage you may cause.
This is how I set up Squid, ClamAV, and splicing for Windows Updates on pfSense. We set up SSL/MITM bumping and splicing for HTTPS traffic as well. You will need to install the certificate you created in pfSense as a trusted root certification authority on every client that uses the proxy and has its connections bumped.
Below are custom options and refresh patterns that I used:
# My custom options in the SSL/MITM text box:
# Windows Update domains that should be spliced, not bumped
acl splice_it ssl::server_name .microsoft.com
acl splice_it ssl::server_name .windowsupdate.com
acl splice_it ssl::server_name .akamaitechnologies.com
acl splice_it ssl::server_name .akadns.net
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice splice_it
ssl_bump bump all
# My custom refresh_options on the Local Cache tab
refresh_pattern -i windowsupdate\.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i microsoft\.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i windows\.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i microsoft\.com\.akadns\.net/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i deploy\.akamaitechnologies\.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
#Also, a thank you to Aleksey Mochalin for this great additional info:
Thank you very much one more time for that video. If you want to restrict (bypass) IP addresses, you can have the next configuration:
acl splice_it ssl::server_name .microsoft.com
acl splice_it ssl::server_name .windowsupdate.com
acl splice_it ssl::server_name .akamaitechnologies.com
acl splice_it ssl::server_name .akadns.net
acl localnet src 10.0.0.0/8 #local network
acl localnet src 192.168.0.0/16 #local network
acl localnet src 172.16.0.0/12 #local network
acl localnet src 2.2.2.2/32 #just for example
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice splice_it
ssl_bump splice localnet # splice one more time
ssl_bump bump all
Thanks for watching!
rocketcitytech.tv
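Added example, not part of the original description: a small Python model of how Squid walks the `ssl_bump` rules above (first matching rule wins at each step), so you can check which client and hostname pairs end up spliced or bumped under either rule set. It assumes transparent interception, where no server name is known at step 1, and models only the `at_step`, `src` and `ssl::server_name` ACL types used on this page; the function names are made up for the example.

```python
import ipaddress

# Directives copied from the page; LOCALNET is the commenter's variant.
ACLS = """
acl splice_it ssl::server_name .microsoft.com
acl splice_it ssl::server_name .windowsupdate.com
acl splice_it ssl::server_name .akamaitechnologies.com
acl splice_it ssl::server_name .akadns.net
acl localnet src 10.0.0.0/8 #local network
acl localnet src 192.168.0.0/16 #local network
acl localnet src 172.16.0.0/12 #local network
acl localnet src 2.2.2.2/32 #just for example
acl step1 at_step SslBump1
"""
AUTHOR = ACLS + "ssl_bump peek step1\nssl_bump splice splice_it\nssl_bump bump all\n"
LOCALNET = ACLS + ("ssl_bump peek step1\nssl_bump splice splice_it\n"
                   "ssl_bump splice localnet # splice one more time\nssl_bump bump all\n")

def parse(text):
    """Return ({acl_name: [(type, value)]}, [(action, acl_name)]) in file order."""
    acls, rules = {}, []
    for line in text.splitlines():
        tok = line.split("#")[0].split()      # drop trailing comments
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], []).append((tok[2], tok[3]))
        elif tok[:1] == ["ssl_bump"]:
            rules.append((tok[1], tok[2]))
    return acls, rules

def matches(acls, name, step, sni, client):
    def one(kind, val):
        if kind == "at_step":
            return val == step
        if kind == "src":
            return ipaddress.ip_address(client) in ipaddress.ip_network(val)
        # ssl::server_name: a leading dot matches the domain and every subdomain
        return bool(sni) and (sni == val.lstrip(".") or (val.startswith(".") and sni.endswith(val)))
    return name == "all" or any(one(k, v) for k, v in acls.get(name, []))

def decide(config, sni, client):
    """First matching rule wins at each step; peek moves on to the next step."""
    acls, rules = parse(config)
    for step in ("SslBump1", "SslBump2"):
        seen = sni.lower() if step == "SslBump2" else None  # SNI is known only after the peek
        action = next(a for a, n in rules if matches(acls, n, step, seen, client))
        if action != "peek":
            break
    return action
```

With the commenter's rule set, `decide(LOCALNET, "example.org", "192.168.1.50")` returns `splice`: every client in the listed ranges is tunnelled untouched, so none of its HTTPS traffic is decrypted for ClamAV to scan.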