Hi Michael,

I'm trying to configure a haproxy with a EC certificate and i configured global setting like you described:

ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA

my .pem file has privatekey + cert +certCA, still haproxy fails:

parsing [/etc/haproxy/haproxy.cfg:48] : 'bind 10.10.1.5:443' : unable to load SSL private key from PEM …ne.com.pem'

I'm runnig a v1.5 haproxy, what was the version you used?

thanks,

Ricardo

Try this screencast

http://sys-squad.com/licao/259

It's in Portuguese but I think it will help.

I strongly recommend e2guardian v5 under pfSense 2.4

I'd utilize pfBlockerNG for blocking domains via its DNSBL (or IP for that matter). It's much faster and better. What's your network size, how many clients are there?

http://blogs.fcoos.net/block-p2p-traffics-with-pfsense-using-snort-ips/

Your server timeout is 2 minutes for the webapp, and a connect timeout shouldn't really be above 10 seconds, if it takes 10 seconds to get a working tcp connection there is some serious network issues even when accessing a server over the internet..
As for dropping established connections there could be different factors causing that.. Configuring the syslog on the haproxy settings tab(perhaps to the local syslog unixsocket) and enabling 'detailed logs' on the frontend should help tell if the client or server breaks the connection or a timeout is hit perhaps..
In case of doubt also run also capture the packets on both wan and lan side of haproxy to check with wireshark which side traffic gets interrupted.

if you use splice all it does not bump at all. Which CA du you see on your client. Every host should turn up as signed by your ca if bumbing is applied. Whitelist/Blacklist of squid does NOT apply to SSL at all. As I wrote before in another thread Splice Whitelist is defect too.

If possible post resulting squid.conf here and a screenshot of what goes wrong. Press F12 in your browser to see 'security' details. Or try with openssl s_client -connect to see certificate and ssl details.

ssl bump is not for the faint harted though. a lot of problems on the horizon. hpkp, tls 1.3, missing intermediate certificates, incompatible ciphers etc etc to mention some. some experience with tls required I would say.

@demux:

Hi.

We are going to use a central ICAP-enabled AV scanner that runs on a dedicated machine.  We do not want to use clamav (neither locally nor remote).
From looking at the various GUI settings I cannot find an easy way to configure squid to use another ICAP path except the one to the local clamav (c-icap).
Is there a setting that I am missing or is there another way to set this up in a simple way (means without overriding the GUI config manually).
I know that we could do that using a parent proxy setup, but we believe that taking the ICAP approach is faster and with less overhead - and makes more sense with regard to structure.
(At the moment I cannot say which engine we are going to use as this is not yet finally decided.  But a written requirement is that we can talk to it using ICAP because of pfsense.)

Where is the best place to configure another ICAP machine?

Thanks for your help!
demux.

I'm looking for the same thing. I would like to have a GUI menu where i can specify the external ICAP Server IP address, reqmode/respmode and port.
I suppose this could be easily done by developers.

For now the best way i've found to config these parameters is by using the "Diagnostics –> Edit File" functionality to edit these two files:

/usr/local/pkg/squid_antivirus.inc /usr/local/etc/squid/squid.conf

Just edit the following lines using the correct IP/port/etc...and restart squid:

icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/request adaptation_access service_req allow all icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/response adaptation_access service_resp allow all

I hope someone more expert than me can find a simpler way or maybe some developer can introduce this feature :)

Thanks

Hello.
I have done 2 target categories (social sites & job sites)
User(A)  group will get only social access, user(B)  group will get only job access.
In user(A)  group one ip will get both sites access. So i create that ip in another group & allows both categories.
But its no working.
Please help me about this issue.
(SORRY 🙏 FOR MY BAD ENGLISH)

@cplmayo:

Got it working today, firewall rule was blocking the traffic. Knew it would be something stupid that I missed.

Hello, im running in the exact same issue, could you so kind and share which firewall rule was blocking the traffic?

Have you selected the 'default backend' in the frontend? Or use a 'use backend' action.?

@jimp:

As you can see from the log entry, the problem appears to be from safesearch, not the category itself.

That would be something to bring up to squid directly, though that may be a squidGuard issue as well (and it has been essentially abandoned).

Yes, thanks for confirming that about squidguard. I'm considering switching to suricata, anyway.

You can disable logging in squid, which could help, but if you are worried about users seeing the passwords, why do those users have access to the squid log at all, or pfSense?

If I get hit by a truck, a couple of other sysadmins are authorized to access pfSense. And while we configure logging to minimize noise, we /never/ turn it off. We actually use our logs.

Excelente, sirvio para 2.4.2

Excellent, it works on 2.4.2

proposed workaround (works for me):

(create a dir /usr/local/extra/certs/, put cert files there) (I put any addition into /usr/local/extra)
certinstall script (which should be run e.g. on startup or manually:

This can easily be integrated into the squid package (and the certs could be entered via the web interface)

#!/usr/local/bin/php-cgi -f
        $CERTBASE = "/usr/local/extra/certs/";
        $CERTSTORE = "/usr/local/share/certs/";
        $cafiles = glob($CERTBASE."*.{pem,crt}", GLOB_BRACE);
        foreach ($cafiles as $cafile)
        {
                $cas = file($cafile);
                $cert = 0;
                foreach ($cas as $ca) {
                                if (preg_match("/–BEGIN CERTIFICATE--/", $ca)) {
                                                $cert = 1;
                                }
                                if ($cert == 1) {
                                                $crt .= $ca;
                                }
                                if (preg_match("/-END CERTIFICATE-/", $ca)) {
                                                file_put_contents("/tmp/cert.pem", $crt, LOCK_EX);
                                                $cert_hash = array();
                                                exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem", $cert_hash);
                                                if (! file_exists ($CERTSTORE . $cert_hash[0] . ".0"))
                                                {
                                                        file_put_contents($CERTSTORE . $cert_hash[0] . ".0", $crt, LOCK_EX);
                                                }
                                                $crt = "";
                                                $cert = 0;
                                }
                }
        }
        unlink("/tmp/cert.pem");
?>

Answered my own question, posting solution here to close the loop: Apparently older versions of the Squid Reverse Proxy package had issues with this. With the current version, you just need to enable the HTTP Reverse Proxy so that it writes the correct cache_peer entries in squid.conf. Then you can create your web servers and set their Protocol to HTTP, and Squid will properly proxy them, SSL terminating at your pfSense. Externally you are presented with the site as HTTPS and your configured pfSense SSL certificate, even though the internal server is actually plain old HTTP port 80 (or whatever port)

Hope this helps someone!

Hello,

i have exactly the same problem. how can be this solved? I wold like to split interface by purpose.
Now reverze proxy is catched on all virtual ip and wan ip.

Jan

hsts does not hinder you bumping tls traffic, it just forces the client to use tls instead of plain text. you have to have your ca in place on your client devices. I would recommend

1. setting up a ca in pfsense (you don't necessarily have to have the private key on the pfsense box and I recommend againt it, it is you last resort if you private keys of you sub cas are leaked at some point)
2. setting up a sub ca for ssl bumping
3. exporting the ca certificate of the top ca (just the cert)
4. selecting the right ca in the squid config
5. configure bumping as i describe over here https://forum.pfsense.org/index.php?topic=135178.0
6. put on the whitelist what you desire
7. install ca on the client. that should generally be done by your endpoint management solution (active directory gpo, kaspersky endpoint security, you name it). if you want to manually install the ca make sure you put it into the /SYSTEM'S/ Trusted Root Certifaction Authorities else it won't work.
8. here you go (push f12 in your browser to verify your certs are being generated by your bumping ca.