pfSense Transparent Squid Proxy, SSL Man In The Middle, Clam AntiVirus, and Windows Updates

Captions
In this video we're gonna go over Squid proxy on pfSense, what it can do for you, and how to set it up. To start off, what it can do for you is actually save a lot of bandwidth: if you have hundreds or maybe even thousands of users that are constantly accessing the same material from offsite, pfSense can actually cache a lot of that content and deliver it locally. How to set it up is pretty straightforward. In the package manager (I've already installed it) you just go to System > Package Manager and click Available Packages, and it'll show up as an available package. You basically just click the install button, confirm, and it'll show up here as an installed package when you're finished. The install is straightforward, it's very easy to do, it's just like any other pfSense package. But before you can actually use it you have to configure the proxy server, so it'll show up under the Services tab and you just click on Squid Proxy Server. As you see, I've already got mine installed and configured, so a lot of my options are already set, and I'm going to go through those with you, but the first time you access this page this check box will be unchecked, because it's not going to enable it until you configure it.

The first thing you're going to need to do, before you configure any of these settings or any of these other tabs, is configure the local cache. For whatever reason, during the install, pfSense is basically designed in a way where, before you can turn on the proxy server or change any settings on the General tab, they want you to go to the Local Cache tab, basically just go over these settings here, change anything that you want to change, and click Save, and that sort of writes the local cache config file. Once you do that, then you can go ahead and modify any of these other tabs that you want to modify, and then go ahead and enable the proxy server. So go to the Local Cache tab first and just, you know, take a look at some of these settings; if you do want to go ahead and make any changes, go ahead and do it now. I have set the hard disk cache size to about a gig, just because this is for testing purposes; it's not actually going to be used in real life. UFS I believe is the default; I left that at UFS. Also, just so you know, the local cache clearing is located here, which could come in handy if you, in the real world, ever want to just, you know, completely blow out everything that's cached and have it start all over again; that's where you would do that. Okay, I left pretty much all of this at defaults. I did change the maximum object size to 512, just for, you know, Windows updates and that type of thing; some of the chunks may be a little bit bigger than 4 MB, so I thought it'd be a good idea. I read some documentation some other places on the Internet when it comes to Windows updates and Squid and caching, and there's a lot of different opinions and setups that I found, but I chose 512 MB as the maximum object size just because I do want to do the Windows updates in this example. Maximum object size in RAM, 512. And then I did go ahead and enable the Cache Dynamic Content check box here. And then the custom refresh patterns: this is what I found recommended from Squid and pfSense, they actually recommend these refresh patterns here, and I'll copy and paste these into the description and I'll just label them "refresh patterns", so that way if you're doing a pfSense install and you want to copy this exact setup then you can; you can just paste this right into the refresh patterns and you'll be good to go. So click Save on that; that'll take care of your Local Cache tab and you'll be ready to go to all the other tabs.

Remote Cache, I didn't do anything there. Antivirus, I did go ahead and enable that, and left this default, left that default. I turned on Google Safe Browsing and I changed the ClamAV database update to every hour. I did force an update now, so it goes ahead and downloads those definitions now. And definitely don't forget to change the regional ClamAV database update mirror from None to whatever you need it to be, whatever your region is; you definitely want to choose your region. And you see this little footnote here: "It is strongly recommended to choose a mirror and/or configure your own mirrors manually below, because the default ClamAV database mirror performs extremely slow." Okay, so if you leave this on None you're going to be downloading it from the default database, and they basically are saying that that is not a good idea because it's too slow. Alright, I don't think I put any advanced options in here; I did not. Okay, so make sure you click Save on this, and that'll actually turn on the c-icap integration with ClamAV, so that's pretty cool. ACLs: I have nothing in ACLs here. Traffic Management: all that is 0, nothing there. Authentication and Users: nothing there. And then Real Time and Sync; Real Time is just sort of a display of what's going on.

Okay, so we get to the General tab, and this is where a lot of the options actually are that we're going to change. So the first thing you're gonna do is check the box to enable Squid proxy, and make sure Keep Settings and Data is checked, and then choose the interfaces that you want the proxy to run on. In this example I only have one interface that I want this to run on, so it's gonna be LAN. The default port's 3128; leave that alone. ICP port, we're not doing that, so you can leave that. Allow Users on Interface, I checked that; it may have been checked by default, I can't remember. I did enable this "forced DNS IPv4 lookup first", and it says use this if you're having problems accessing HTTP sites. I myself, in the very little testing that I've done, didn't really have any issues, but I read a lot of people that were having intermittent issues staying connected to HTTPS sites, so I thought, why not, we'll turn this on and see if it breaks anything, and I haven't had any issues in the very limited testing that I've done with HTTPS sites with this enabled. So you may want to, you know, try that, or, you know, leave it disabled; your mileage may vary, you just sort of test it and see what works best for you. I left Disable ICMP unchecked, left that blank.

Now we're getting down to the transparent proxy settings. You can set this up transparently or you can not, and you can configure all of your clients to connect through the proxy at the workstation or the client level if that's what you want to do. I chose to do transparent; that way I don't have to really change any settings on all the other clients that would be behind this proxy server. So check that if that's what you want to do, and again we're only running this on the LAN interface; I left everything else blank. So that takes care of HTTP traffic being transparently intercepted by the proxy server. However, most traffic, as you probably know, is no longer HTTP; anything now is HTTPS, just about, whether you're just going to, you know, google.com to do a search, that redirects you to HTTPS, you know, Reddit, everything. It's not just encrypted traffic anymore if it's just usernames and passwords; it's pretty much everything that you're doing, just with normal browsing, is HTTP. So we definitely want to also enable SSL filtering, and that will take care of anything on port 443 and SSL, and we'll be able to capture that traffic as well and cache that. So I did change the man-in-the-middle mode to Custom, and I'll go over why I did that in just a couple minutes when we get further down. Again, we're only running the proxy on the LAN. Proxy port I left blank, which defaults to 3129. Leave this compatibility mode at Modern. The DH size I left at 2048, which is the default. And the CA: you'll just need to go to the certificate manager and generate a CA so that you can pick one here. You can't leave it at None or it won't work, so you have to just create one CA in the certificate manager in pfSense, which I'll show you how to do, so that you can select it here from this drop-down.

Alright, so I left this blank; I didn't touch any of these settings here. I did not enable access logging yet, although you can turn this on and you can use things like Lightsquid to actually monitor the access logs and give you a little report on sort of who's doing what and what the traffic looks like, which we'll go over probably in a different video. So that was disabled. Leave all this blank; I left all this just default. And obviously, if this was in a production environment, you would want to come in here and actually make sure that all of this is correct for your setup.

So you remember I said the man-in-the-middle mode was Custom, and the reason that is is because I needed to do some custom things for Windows updates to actually work through the proxy server. So if you need to do custom SSL man-in-the-middle options, the only way that your options here will be read, as you see from here, is if you choose Custom. Alright, so, or actually I think it tells you down here; this says "ignored unless SSL man-in-the-middle mode is set to Custom". Okay, so if we go up here and choose anything other than Custom, so let's say we do Splice All, or Splice Whitelist and Bump the Rest, these options won't take effect. Alright, so choose Custom if you want to do custom options. If you don't care about Windows updates, and you don't care about being able to specify certain domains or hosts or IP addresses, if you don't care about splicing some and bumping the others, you just want to do an all-or-nothing approach, then you could just choose to forego these custom options and just choose, you know, Splice Whitelist and Bump Otherwise, or Splice All. One reason that I had to do custom options is because, in my testing, it did not appear that if I added things to the whitelist that I wanted to be spliced that Squid was actually splicing those connections; it was still bumping those, for whatever reason, I'm not sure. But basically what I've done in the custom options should be doable by selecting Splice Whitelist and Bump Otherwise: you should be able to select this and then go to the ACLs and go down to the whitelist and put your host names there, but for whatever reason, if I saved that and, you know, chose that option, it just didn't work. The Windows Update domains were still being bumped, and the Windows Update servers these days do not play nice with that; Windows 10 is not happy about that at all, for obvious security reasons. So you can't bump that SSL connection, you need to splice it, which is basically everything remains transparent; it gets the real certificate from the Windows Update server and it thinks that everything is fine. And for whatever reason that doesn't work, so to get around that just choose Custom here, and again I will copy and paste my custom options here into the description, so if you're following along and you want to do this exact setup then you can. And of course, if you do need to do any custom domains that you want to do, you could just add them here. So let's say we've got another domain that we're like, oh, we don't want to bump that, we want to splice that connection; then you could say, you know, anything that's on the google.com domain, we want to make sure that that is spliced and not bumped. You could just add those domains here; you can just keep adding line after line, whatever you want. If you want to take some of these out, you can take some of these out. Alright, so I actually don't want to do that. And basically what this code means is this domain, this domain, this domain and this domain are all going to be spliced, so that everything is transparent, and the rest of the connections will be bumped. Okay, and I'll probably go over what the difference is between a splice and a bump in a different video; I don't really want to get too far off topic with this right now. So click Save on here, and that should enable the Squid proxy. It should have your cache set up and your, let's see, what else was there? Oh, the antivirus should be working. And what you can do to check and make sure everything is running is go check on the services, and you should see all of these with a green check box. Okay, so that lets you know that the service is actually running.

Now let's quickly just jump over to the certificate manager and I'll show you how to generate that CA that we selected on the General tab. So you just go to System > Cert Manager, and you see I've already got mine, you know, created here, but just make sure you're on the CAs tab, click Add, give it whatever name you want; you just call it pfSense. Make sure that Create an Internal Certificate Authority is the method that's selected, 2048 for the key length, SHA-256 for the digest algorithm, and in the lifetime you can put whatever you want here; 3650 is 10 years, that sounds like a nice, you know, round number. The common name, put whatever you want here, doesn't matter, and you can leave all of the rest of the information blank; however, if you're doing this, you know, for real, I recommend you actually come in and fill this information out. So when you click on Save it's gonna take you back to the list of CAs that you have installed on pfSense, or that you've created on pfSense, and as you see, here's mine. So when you go to the Squid general settings to select your CA, whatever CAs you've created here will show up in that list, and you just choose whichever one you want to use. It is important, if you're going to use bumped connections, to come here and click on this button that exports the CA. When you click on that it downloads the certificate, which is a .crt file, and you see Windows 10 is sort of freaking out about this; it's like, wait, you know, this could be harmful, are you sure you want to keep this or do you want to discard it? So just click on Keep; you know it's your own, you know, certificate, so everything should be okay there. And then what you want to do is install this to the Trusted Root Certification Authorities for the local machine, and that basically tells Windows to trust the CA from pfSense. Okay, if you don't install this certificate authority as a trusted root authority you're gonna have all kinds of SSL errors, and, you know, the Chrome browser is going to complain and say, hey, there's a man-in-the-middle attack going on here, something's not right. So make sure that you install this on your Windows 10 machine. Now, another thing to remember is if you have, you know, five or ten computers you can probably do this very easily just by, you know, installing the certificate manually. I mean, if you have, you know, fifty machines, a hundred, you know, five thousand machines, you could very easily use, you know, Active Directory and Group Policy, you know, whatever method you want, to deploy this so that your end users don't get the error message and your certificate authority is actually pushed out as trusted, to avoid all of those issues. Because the last thing you want to do in deploying the proxy server is cause problems like this little thing right here. This is what your users would see: they would see, whoa, your connection is not secure, there's something going on, and as you can see, if we take a look at this CA right here, or this certificate, it's just, you know, it's not trusted. We could very easily download this CA and have it trusted to make this error message go away, but we don't want to cause any, you know, major alarm for end users. Alright, so that's how you create the CA, and like I said, you'll obviously need to do that before you come into the General page here and select it. And so, yeah, there's the CA, squid or none, and like I said, don't choose None here if you're gonna use SSL filtering; I don't think, I know, it won't work correctly, and I believe that I read some documentation that says don't use None because it doesn't work at all; I don't think the proxy server will even run.

So that's pretty much it for the settings, and one thing we can do to test and make sure that we're actually using the proxy server here is go to a website that has an HTTPS connection, check the certificate, and we will see that it's actually issued by squid, which is our pfSense CA. So that's pretty cool, that's not complaining. And another thing we can do is go here and do Windows updates, and we will just make sure that Windows updates are working and that the connection is being spliced correctly, not being bumped, because, like I said, if it's being bumped then Windows Update is going to fail here; it's going to say, you know, some weird error message about how it can't connect to the server. And anyway, Windows updates are working and we're going through the proxy server. So yeah, that's how you set up Squid proxy in pfSense, and like I said, you can go to pretty much any website now and check the certificate and they're going to be issued by the pfSense router. So I think that's pretty much it. Like I said, we'll go through a couple videos maybe talking about how you can look at some of the access logs and how you can do some other cool things, but if you have any other questions, you know, please ask in the comments, and thanks for watching.
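The "splice these domains, bump the rest" behaviour the video configures in Custom man-in-the-middle mode, written out as Squid SSL-bump rules. This is an added example, not the author's custom options from the video description; the server names are placeholders, since the page does not list the Windows Update hostnames, and it assumes these lines go into the custom options field the video describes on the General tab.

```squid
# Added example, not the video's own custom options. Squid SSL-bump rules
# for pfSense's "Custom" man-in-the-middle mode: connections whose TLS
# server name matches the splice list are spliced (passed through untouched,
# so the client sees the real server certificate), everything else is
# bumped (intercepted and re-signed by the pfSense CA that clients must trust).

# Placeholder names; the real Windows Update hostnames are not on this page.
# A leading dot matches the domain and all of its subdomains.
acl splice_servers ssl::server_name .update-placeholder.example
acl splice_servers ssl::server_name .another-splice-placeholder.example

# First bumping step: look at the ClientHello to learn the requested server
# name (SNI) without completing the handshake, so ssl::server_name can match.
acl tls_step1 at_step SslBump1
ssl_bump peek tls_step1

# Anything whose server name is on the splice list passes through unmodified;
# Squid never sees the plaintext and cannot cache or scan it.
ssl_bump splice splice_servers

# The rest is bumped: Squid terminates TLS and presents a certificate signed
# by the CA selected on the General tab, so ClamAV scanning and caching apply.
ssl_bump bump all
```

Once applied, the check at the end of the video still holds: a bumped site shows a certificate issued by the pfSense CA, while a spliced host shows the real server's certificate.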
Info
Channel: Rocket City Tech
Views: 31,570
Keywords: squid, proxy, clamav, antivirus, windows updates, pfsense, virtualbox, bump, splice, man in the middle, MITM, HTTPS, HTTP, cache, certificate authority, transparent
Id: 2hVZ5sZ-nNw
Length: 21min 27sec (1287 seconds)
Published: Sun Jan 06 2019