Is having a firewall rules in place enough since this is the current version of squid supported?

Did you actually read the CVE??

"The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4.0 to 4.0.22 contains a Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy.. This attack appear to be exploitable via Remote server delivers an HTTP response payload containing valid but unusual ESI syntax."

All this means is that a funny packet can crash squid.  If you want to protect against this via firewall rules, simply block all tcp 80/443 traffic.  You won't be able to use the web at all, but you will be safe from having your squid crashed if you happen to hit the figurative lottery and somehow stumble upon this…

Also, enabling the option Suppress Squid Version enough to hide the squid version?

Probably.  Test it and see:

http://www.lagado.com/proxy-test

You should suppress squid version, turn off VIA headers, and delete the X-Forwarder header.

Sorry for the late reply I did end up making a Gmail alias with the ports that go above my other rules which seems to work.

Do you actually have a 3rd interface (after WAN and LAN) that you have labelled DMZ?  It isn't there for everyone by default.

Squid is a caching proxy.  Squidguard is an URL filter that requires squid.  Squid by itself does not block content except for in the most primitive way.

On the frontend you chose mode:'http/https(offloading)' however behind the 443 port you dont have the offloading checkbox set. Should probably check that.
Then also when enabling that make sure to configure certificates to use at the bottom of the frontend.

If ClamAV has not reported virus AKA no statistics yet, when it report/block a virus it shows up ;)

Thank you for your answers :)

Nobody can even begin to help you with more details.

You can start off by explaining what you mean by "it doesn't work".

This look more like a pfBlocker issue to me.

Not yet no time currently.
Just exploring my options but will definitly try it.
Thanks!

Squid is a caching proxy.  Squidguard is an URL filter.  Squidguard requires squid.  Squid uses authentication to allow/deny access while squidguard uses it for grouping purposes.

Added This to Firewall LAN rules whatsapp now passes the proxy.


Hi Marcello,
I installed Pfsense version 2.4.3  it works now SquidAnalyzer.
Programs I installed in the system
Squid
SquidGuard
in squidanalyzer TOP DENIED empty

Fixed keytab, got Kerberos. But cpu load is very high. Where i must paste “KRB5RCACHETYPE=none export KRB5RCACHETYPE” in /usr/local/pkg/squid.inc, to disable cache ?

Hello Milan,
here is a tip for you.

use samba44. It has all kerberos support tools, including the keytab generation and it's quite simple to use it.
Also, you will need squidguard to make your AD group search.
You will need to add the Kerberos auth config lines in the advanced configuration for squid. (squid page. All the way down the page)
Also, The correct authentication sequence should be:  Kerberos, NTLMv2 and then (optional) Basic Auth. Unless you really want to use Kerberos ONLY.

hope that helps you.

Fabricio.

Hi Michael,

I'm trying to configure a haproxy with a EC certificate and i configured global setting like you described:

ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA

my .pem file has privatekey + cert +certCA, still haproxy fails:

parsing [/etc/haproxy/haproxy.cfg:48] : 'bind 10.10.1.5:443' : unable to load SSL private key from PEM …ne.com.pem'

I'm runnig a v1.5 haproxy, what was the version you used?

thanks,

Ricardo