I want to do a quick video about Squid proxy here, not about how to set it up, but about some of the issues and why I'm not a big fan of Squid proxy. And I know for any of these issues there's a series of workarounds you can do to get things working with it, but that's kind of my point and why I don't really recommend running it. The only time you maybe want to run Squid proxy is in some type of edge case where you have a really slow internet connection and you really want to cache a few things, because it is unreasonable, because you have a one-meg connection for whatever situation, and you want to be able to cache some type of files that are able to be cached with Squid proxy, which is not 100% of everything automatically, and distribute it amongst a network of computers. There are generally better ways to do it than using Squid proxy, but in an edge case maybe you want to use it. Once again, I'm going to leave you a couple of links here. Here is a pretty basic one, but it does work, as I went through the steps and checked, and it's pretty straightforward. This will get Squid proxy set up. It's done with an older version of pfSense, but the rules haven't really changed for doing it.

And this is one of the important parts and one of the headaches with Squid proxy, if you want to man-in-the-middle everything to intercept all the SSL traffic, because most things are SSL: step six, install the CA cert to the client computers. Well, we can cross out "computers" and put phones and every other device that needs it, which of course then starts eliminating devices that don't support installing a third-party certificate to be able to make this work. So I kind of want to cover a couple of things about Squid proxy. So first, here it is, you can see their website. Something I find interesting, and maybe it's just that they don't keep things as up to date, but if you click on their blog here, the last time that was updated was July of 2016. So not frequent updates, full of some weird ads, whatever.
I don't have ad blocking turned on, obviously. But my bigger concern really comes down to this: TLS 1.3. Now, if you haven't heard of TLS 1.3, it's only a recent release, but it offers some enhanced security features, including perfect forward secrecy. And what that means is, first we have our TLS layer, then there is a perfect forward secrecy layer within TLS 1.3 inside the handshake, which creates an ephemeral key, which means the session, although you can record the session, and if you have the SSL key decrypted later, there's a secondary level of encryption that would break that. This also, from reading I've done, causes all kinds of problems with Squid proxy and a lot of other commercial proxies. Matter of fact, I believe a couple of the larger companies that produce commercial proxies had some complaints about the implementation because they didn't want that feature in there because, well, it breaks their proxies. I was, like I said, told, or basically read a few people who have written some stuff, that there are ways to do it, ways to break the man in the middle, but not easy, not simple to implement. So there are all kinds of, you know, little things that go around with this. So I'll leave you linked here to the whole TLS 1.3 and some of that as well.

But this is the other concern I have. So right here is my Firefox on SSL Labs, where you can see what your client supports. And this client does support 1.3, and so does Google Chrome. If I move the window out of the way, here's Google Chrome: user agent supports TLS 1.3. So great. Google Chrome supports it. Firefox supports it. Now let's go over to this computer, my Windows 10 on Xen; I've used this before. This is now behind the Squid proxy, and I've gone and set this up. I've installed the trust certificate. It's Windows 10, more commonly what people are using. It's a different process to install the trust certificate to get the SSL man in the middle to work.
But I'll show you here: if we go here, we look at the certificate, issued by LTS Lawrence Technology Services. So you can see that it's that certificate, because it is going through the Squid proxy, which by the way is here, and I'll show you the CA in here. There's the LTS services, yeah, Squid proxy. You know, standard generic configuration, set up to be transparent with that system behind there. Nothing, not a big deal. But you can see what it does: TLS 1.2. Now this is part of how man in the middle works. When you man-in-the-middle something, see, it does not support 1.3 here, even though it does on there. You now have created this extra layer of trust that you have to set up with the man-in-the-middle device to make it all work. But if Squid doesn't support that, or the proxy itself does not support that, you end up breaking the encryption or lowering it down. I know TLS 1.3 is not widely rolled out, but it's a matter of time before it is. So that's definitely going to be a concern.

So as far as making your internet faster, most people have some type of broadband. I mean, like I said, there are education exceptions, but the only time Squid proxy makes your internet faster per se is to cache objects for multiple computers. Your browser already has a cache. So if you have that edge case where I need all these browsers, you're just going to go to the same website all the time and I want them to cache it, I don't want the individual browser to cache it, I want a proxy server to cache it, well, then you can set this up to do that, and then you're offloading a cache task to there. But at the same time, because it doesn't support 1.3, there's that. And right away, I found that Internet Explorer does work, broke 1.3. I'm sorry, Internet Explorer... Microsoft Edge is still Internet Explorer to me. I know it's not, but that's what we all think.
But one of the things I noticed is the new Firefox: even though the other machines on here have it by installing that, Firefox apparently ignores the root store, so you then have to go add another certificate in. Now this is going to be a problem you run into if you run a Squid proxy: if there are other services that don't look at the root store inside this machine, you also have another problem with Squid of breaking more things. This is, like I said, one of the reasons I'm not super keen on Squid, so people keep asking me to do a video on it and break it all down. And I know what they're asking for is not just the video; they followed some basic instructions. It's all the little edge problems that come with it. And I just don't care to solve them, because I don't use this in any commercial deployments.

You know, people always ask, well, what do you use for filtering? First, for most of your home users, I'm going to recommend DNS filtering. I've talked about this with pfBlocker and DNSthingy; I've got videos on both of them, great ways to, you know, sinkhole things with a DNS server, which means no client installation, just make sure that the pfSense is your DNS. And then if you want to go a step further and block the use of other DNS servers, I've talked about that in other videos. And do DNS filtering; HTTPS filtering, because you're messing with security certificates, has a lot of potential issues. The other issue you run into is any other apps you may be running, or if you have Linux, now you're adding more things to that trust certificate. To me, once you start messing with that, you're causing trouble. Now, in the commercial environment, we do currently use, here in 2018, a product from SolarWinds for web filtering.
And I will tell you, even though it is a commercially supported product, and it does work quite well, every now and then we run into problems with security updates to sites, or banking websites, because they use certificate pinning and they don't like any certificate pinned in the middle. They look specifically for a certificate and some type of matching from a plug-in, and they don't like intercepting proxies. They actually are actively looking for them, because proxies are sometimes a way that hackers get in, by proxying your connection. This has actually been a way people have attacked systems before, to try and gain access to SSL. So even though you're not attacking it, the fact that you have put something in the middle, some security tools, this was a bank authentication tool to be more specific, did not like the fact that that was installed, and we had to uninstall it on that computer, because that tool simply will not work with any type of proxy. Matter of fact, it will not work with an antivirus that proxies the connections either.

So that being said, when you start messing with all this, some of these apps, because security is becoming a bigger and bigger concern, especially in the finance industries, things like Squid proxy can cause just massive amounts of tech support headaches for you, which is why we just don't run this in any production environments. Like I said, there might be an edge case. Currently, we have none anymore, and I used to run this forever ago, URL filtering with Squid. I mean, this is something from a long time ago, back in the earlier days of the internet; when it came out, it was a great tool to use for solving these types of problems. So this is just kind of my thoughts on it, and why, despite people requesting videos on this stuff all the time, I don't bother with one on Squid proxy, and I much prefer DNS filtering.
It's either DNS filtering or some of the commercially supported products that can work with these large vendors to get workarounds when you have a support issue. If not, you have to figure out a way to get that one computer around it on a network, for troubleshooting purposes. And of course, all your IoT devices and things like that, they just break under Squid proxy because you can't add those extra certificates to them, so you have to create another network that's unfiltered again for them, and you can see where this is going and how this becomes complicated very quickly.

So those are my thoughts on Squid proxy. Play around with it if you feel like it. I'll leave you a link. And like I said, this step-by-step does work, but I don't really... like I said, it doesn't seem to help that much. You're going to be less troubled by using DNS filtering. You can use, like I said, look for my videos, I have one on DNSthingy, which is a paid subscription service but does support pfSense and has a really good rule list, or you can use pfBlocker, and the new version, if you watch the video that's coming out, their interface and everything is getting better. I've also done a video on Pi-hole. So there are other options out there that work really well. Alright, hopefully this was helpful, or maybe infuriating. I don't know. I'll let you guys decide. But that's kind of my answer on Squid proxy. Do I know how to set it up? Yeah. Have I set it up in the past? Yeah, years ago. Do I really recommend it? Not all that much. And yes, I know there are workarounds. Yes, I know you could just put the proxy port in. There are lots of other things you can read up on about how to set this up. But it's really, it's just one of those things. Like I said, it seems to always create little issues when we've tried to use it. So I skip using it. So yeah, one less comment for those of you that are clearly going to point this out.
Yes, I know it says "Activate Windows, go to Settings to activate Windows." This is because of forking snapshots on a virtual machine. When you do this, we create the snapshot and roll it back, and it reactivates; I don't activate the snapshot. Weird thing that it does this, though: when you do the clone of it, it makes you do this, and roll it back. I do this when I set up these demos because I didn't want the certificate permanently installed in my Windows 10 machine that I set on the other side of this firewall. So I snapshot it and roll it back once for the video. I don't know where that falls in Microsoft licensing. Some say you can't take snapshots. Some say you can. I don't see it all that clearly. I own the license to the Windows machine. So yeah, if anyone knows the actual rules and can link to them, not just state them but link to them, I'm interested if there's a rule on virtual machines, because I'm not creating multiple copies. I'm creating snapshots and rolling them back; when you roll them back and roll them forward a couple of times, it just makes you reactivate, and it reactivates fine. So curious on that one, if someone knows about Microsoft's rules regarding that, since I'm not using multiple instances. It's just snapshots of it, and then when you roll them back it breaks.

Thanks. Thanks for watching. If you liked this video, go ahead and click the thumbs up. Leave us some feedback below to let us know any details of what you liked and didn't like as well, because we love hearing the feedback, or if you just want to say thanks, leave a comment. If you want to be notified of new videos as they come out, go ahead and subscribe and hit the bell icon; that lets YouTube know that you're interested in notifications. Hopefully they send them, as we've learned with YouTube. Anyways, if you want to contract us for consulting services, go ahead and hit LawrenceSystems.com and you can reach out to us for all the projects that we can do and help you with.
We work with a lot of small businesses, IT companies, even some large companies, and you can farm different work out to us or just hire us as a consultant to help design your network. Also, if you want to help the channel in other ways, we have a Patreon. We have affiliate links. You'll find them in the description. You'll also find recommendations to other affiliate links and things you can sign up for on LawrenceSystems.com. Once again, thanks for watching, and I'll see you in the next video.
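The three things the video checks by eye from the client side, the negotiated protocol dropping to TLS 1.2 behind the proxy, the leaf certificate being issued by the proxy's own CA instead of a public one, and a pinned banking tool refusing the re-signed certificate, can be scripted so you can tell at a glance whether a machine is sitting behind an intercepting proxy. The block below is an added example written for this page; it is not code from the video, from Lawrence Systems, or from the Squid project. All certificate bytes, issuer names, host names and the "direct" versus "proxied" observations are constructed sample data built inline with a small DER encoder (the sample certificates have the right X.509 layout but are unsigned dummies). `probe()` makes a real connection only if you pass a host on the command line. The pin check is applied to the leaf certificate only; real pinning deployments usually accept a matching pin anywhere in the chain.

```python
"""Client-side detection of TLS interception (e.g. Squid SSL bump).

Added example, not from the video or the Squid project. Sample certs and
observations are constructed; only probe() touches the network.
"""
from __future__ import annotations
import base64
import hashlib
import socket
import ssl
import sys
from dataclasses import dataclass

# ---- minimal DER helpers: enough to build a sample cert and pull out its SPKI ----

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_children(seq_body: bytes):
    """Yield (tag, body) for each TLV found inside a SEQUENCE/SET body."""
    i = 0
    while i < len(seq_body):
        tag, first = seq_body[i], seq_body[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(seq_body[i + 2:i + 2 + k], "big"), 2 + k
        yield tag, seq_body[i + hdr:i + hdr + n]
        i += hdr + n

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate = SEQ { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate = SEQ { [0] version OPTIONAL, serial, sigAlg, issuer,
                           validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body = next(der_children(cert_der))          # step into Certificate
    _, tbs_body = next(der_children(cert_body))          # first child: tbsCertificate
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:                             # explicit [0] version present
        fields = fields[1:]
    tag, body = fields[5]   # serial, sigAlg, issuer, validity, subject, SPKI
    return der_tlv(tag, body)

def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pin_matches(cert_der: bytes, pins: set[str]) -> bool:
    """What a pinned client does: refuse any leaf whose key is not on the list."""
    return spki_pin(extract_spki(cert_der)) in pins

# ---- what a client sees for one connection, and how two observations compare ----

TLS_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

@dataclass
class Observation:
    host: str
    tls_version: str   # as reported by SSLSocket.version(), e.g. "TLSv1.3"
    issuer_cn: str     # CN of the CA that signed the leaf
    cert_der: bytes    # leaf certificate, DER

def compare(direct: Observation, proxied: Observation, pins: set[str]) -> list[str]:
    """Flag the three symptoms of an intercepting proxy."""
    findings = []
    if TLS_RANK.get(proxied.tls_version, 0) < TLS_RANK.get(direct.tls_version, 0):
        findings.append(f"downgrade: {direct.tls_version} direct, {proxied.tls_version} via proxy")
    if proxied.issuer_cn != direct.issuer_cn:
        findings.append(f"re-signed: issuer changed from {direct.issuer_cn!r} to {proxied.issuer_cn!r}")
    if not pin_matches(proxied.cert_der, pins):
        findings.append("pin mismatch: a pinned client (e.g. a banking tool) would refuse this connection")
    return findings

def probe(host: str, port: int = 443, timeout: float = 5.0) -> Observation:
    """Live probe with the default verifying context. Needs network; optional."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"]).get("commonName", "")
            return Observation(host, tls.version(), issuer, tls.getpeercert(binary_form=True))

# ---- constructed sample data (dummy, unsigned certificates with a valid layout) ----

def make_sample_cert(issuer_cn: str, key_bits: bytes) -> bytes:
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403"))
                                                    + der_tlv(0x0C, issuer_cn.encode()))))
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSA
    validity = der_tlv(0x30, der_tlv(0x17, b"180101000000Z") * 2)
    rsa_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" + key_bits))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + sig_alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 9))

REAL_CERT = make_sample_cert("Public CA (constructed)", bytes(range(32)))
PROXY_CERT = make_sample_cert("LTS Lawrence Technology Services", bytes(range(32, 64)))
DIRECT = Observation("bank.example", "TLSv1.3", "Public CA (constructed)", REAL_CERT)
PROXIED = Observation("bank.example", "TLSv1.2", "LTS Lawrence Technology Services", PROXY_CERT)
PINS = {spki_pin(extract_spki(REAL_CERT))}   # the pin the bank's tool would ship with

if __name__ == "__main__":
    if len(sys.argv) > 1:     # e.g. python tls_intercept_check.py bank.example
        o = probe(sys.argv[1])
        print(f"{o.host}: {o.tls_version}, issuer CN {o.issuer_cn!r}, pin {spki_pin(extract_spki(o.cert_der))}")
    else:
        for line in compare(DIRECT, PROXIED, PINS):
            print(line)
```

Run it twice, once from a machine outside the proxy and once from behind it, and diff the three fields; `compare()` then gives the same verdict the video reaches by clicking through the certificate viewer. The DER walker deliberately stops at SubjectPublicKeyInfo; a full X.509 parser is not needed to compute a pin.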