We have used Squid proxy here and there over the years and yes, it is still very much relevant and usable today in 2023. But of course, as with most things in the IT world, it’s really going to depend on the use case. One of the turnoffs with Squid proxy, I think, is that the project doesn’t seem to be actively supported anymore. The website is mostly abandoned (last blog post back in 2021) and the site is still running http..? Not sure what’s up with that but regardless, Squid proxy still works well. And while Squid is widely regarded as a caching proxy for the Web, our primary use for it has been its web content filter capabilities (blocking websites). So in this blog, we will be talking from the perspective of using Squid as a web content filter.
Pair Squid Proxy up with SquidGuard and you’ve got yourself a pretty decent web content filter with some fine-tuned control. Block by keyword, use blacklists and also do URL/subdirectory filtering. An example of URL filtering would be: I want to leave reasonableitservice.com accessible but want to block a subdirectory/specific page of the site such as reasonableitservice.com/blog. This can be accomplished with Squid Proxy and SquidGuard via ‘URL list’ filtering.
Another awesome thing about Squid proxy is that it integrates very nicely with pfSense. You simply install Squid proxy and SquidGuard from the pfSense package manager. Once installed, you can access Squid from the Services menu.
Challenges With Squid Proxy And Why It May Not Be A Good Fit For Everyone
You will want to run Squid in one of two modes: ‘Non-Transparent Mode with SSL Certificates’ (more complex to set up) or ‘Transparent Mode without SSL Certificates’ (easy to set up).
To get the most out of Squid Proxy as a web content filter, pair it up with SquidGuard and use it in Non-Transparent Mode with SSL Certificates.
If you want to use this mode, you should disable transparent mode, enable SSL filtering and set the SSL/MITM mode to ‘splice whitelist, bump otherwise’. These settings can be found under Services > Squid Proxy Server > General. You will also need to create a CA on pfSense, export it, install it on every endpoint that will use the proxy, and configure the proxy settings on each of those endpoints.
Advantages Of ‘Non-Transparent Mode with SSL Certificates’:
SSL Inspection: Installing SSL certificates on endpoints allows the proxy server to decrypt and inspect HTTPS traffic. This enables better content filtering, threat detection, and monitoring for security purposes.
Selective Proxying: With manual proxy configurations, you can choose which devices or applications use the proxy. This gives you more control over what traffic is monitored or filtered.
Bypass Options: Users can easily bypass the proxy for specific sites or services if needed.
Disadvantages Of ‘Non-Transparent Mode with SSL Certificates’:
Complex Setup: Manual proxy configuration on each endpoint can be more complex and time-consuming to set up, especially in larger environments.
End-User Involvement: Users need to configure their devices to use the proxy, which might lead to support and compatibility challenges.
Maintenance: Managing SSL certificates and proxy configurations across multiple devices could lead to ongoing maintenance and potential issues.
Lastly and probably the biggest drawback: it’s not feasible (if even possible) to install the required cert on IoT devices (phones, tablets, iPads, mobile devices, etc).
Of course, you can always use Squid in Transparent Mode without SSL Certificates, in which case you do not have to worry about dealing with certificates OR proxy configurations on endpoints. Like anything, this type of config comes with its advantages and disadvantages. I will put it out there straight away: if you are using this mode, you will not be able to filter HTTPS traffic with greater control. For example, you will not be able to use URL filtering for HTTPS traffic. Here is a more detailed breakdown of the pros and cons associated with this Squid mode:
Advantages Of ‘Transparent Mode without SSL Certificates’:
Ease of Setup: Transparent mode requires minimal client-side configuration. Users don’t need to manually configure their devices to use a proxy.
Simplicity: Setting up transparent proxying is often simpler, as it doesn’t require end users to be involved in the configuration process.
Effective Blocking: Transparent proxying can intercept and block traffic, both HTTP and HTTPS, without the need for SSL certificates on endpoints.
Disadvantages Of ‘Transparent Mode without SSL Certificates’:
Limited Control: Transparent proxying might lack fine-grained control over which traffic is proxied or not. All traffic that passes through the network is intercepted, which could lead to unintended consequences.
SSL Inspection Challenges: Without SSL certificates on endpoints, SSL inspection becomes difficult. Transparent proxying can’t decrypt HTTPS traffic for content filtering or threat detection, which might be important for security reasons.
Compatibility: Some applications or devices might not work seamlessly with a transparent proxy due to the way they handle proxy settings.
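The difference between the two modes for the ‘URL list’ example earlier (block reasonableitservice.com/blog, leave the rest of the site reachable) can be shown with a small model. This is an added example, not Squid or SquidGuard code: the matching rules are a simplified assumption, the mode names "transparent" and "bump" are labels chosen here, and blocked.example and bank.example are constructed sample hosts.

```python
from urllib.parse import urlsplit

# Constructed sample lists, modelled on the post's example.
URL_LIST = {"reasonableitservice.com/blog"}   # block one path only
DOMAIN_LIST = {"blocked.example"}             # block a whole site
SPLICE_WHITELIST = {"bank.example"}           # spliced: never decrypted

def norm_host(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def in_domain_list(host, domains):
    # Match the host itself or any parent domain, on a label boundary.
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def in_url_list(host, path, entries):
    # Match "host/path-prefix" on a path-segment boundary (simplified).
    target = host + path.rstrip("/")
    for entry in entries:
        entry = entry.rstrip("/")
        if target == entry or target.startswith(entry + "/"):
            return True
    return False

def filter_view(url, mode):
    """Return (host, path) as the filter sees it; path is None when hidden."""
    parts = urlsplit(url)
    host = norm_host(parts.hostname)
    if parts.scheme == "http":
        return host, parts.path or "/"
    # HTTPS: only the hostname is visible unless the proxy decrypts
    # (bumps) the connection, which needs the CA on the endpoint.
    bumped = mode == "bump" and not in_domain_list(host, SPLICE_WHITELIST)
    return host, (parts.path or "/") if bumped else None

def verdict(url, mode):
    host, path = filter_view(url, mode)
    if in_domain_list(host, DOMAIN_LIST):
        return "block"          # domain lists work in both modes
    if path is not None and in_url_list(host, path, URL_LIST):
        return "block"          # URL lists need a visible path
    return "allow"

if __name__ == "__main__":
    for mode in ("transparent", "bump"):
        print(mode, verdict("https://reasonableitservice.com/blog", mode))
```

In this model the HTTPS request for /blog is allowed in transparent mode and blocked in bump mode, while a whole-domain block applies in both.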
But What About Squid Proxy And TLS 1.3 Support?
We recently tested and Squid had no issue intercepting and filtering websites running TLS 1.3.
Conclusion
Reference the video below to see how we typically utilize Squid Proxy + SquidGuard in pfSense. Overall, and despite some of its limitations, we are still fans of Squid Proxy and believe it can still prove valuable in certain use cases.