Netgate Discussion Forum

Squid 6.5 !! Nov 6th

Cache/Proxy
squid update bug fixes upstream fix
  • G
    greenlight @JonathanLee
    last edited by Nov 20, 2023, 8:54 AM

    @JonathanLee i know and now i'm using other sites. My point is that squid with HTTPS was not useful enough. MITM is not successful and squid can still cause problems in some installations.

    J 1 Reply Last reply Nov 20, 2023, 6:38 PM Reply Quote 0
    • J
      JonathanLee @greenlight
      last edited by Nov 20, 2023, 6:38 PM

      @greenlight Yes, for some; however, for others it is still a GREAT cyber security tool. I will most likely follow the vendor where Squid is still supported, thus jump to OPNsense. Within Pfblocking you can also see the writing on the wall. The Squid tool set really needs to be part of a system for me. End of story. That was the number one reason I selected Netgate appliances in the first place. I don't need to be told repeatedly Squid doesn't work I flat know it does. It is an advanced configuration and most users don't want to spend the time setting it up. Squid worked perfectly for me, always did.

      Make sure to upvote

      M 1 Reply Last reply Nov 20, 2023, 6:48 PM Reply Quote 0
      • M
        michmoor LAYER 8 Rebel Alliance @JonathanLee
        last edited by michmoor Nov 20, 2023, 6:49 PM Nov 20, 2023, 6:48 PM

        @JonathanLee said in Squid 6.5 !! Nov 6th:

        I don't need to be told repeatedly Squid doesn't work I flat know it does. It is an advanced configuration and most users don't want to spend the time setting it up. Squid worked perfectly for me, always did.

        What you are saying is perfectly reasonable. Squid is an advanced type of setup and configuration. But the reality is that enterprise vendors such as Fortinet or Palo use a customized version of Squid that is built to be easy for the admin to use but also because a lot of the advanced tools of those firewalls require the SSL sessions to be broken in order to do the deep packet analysis.

        I say all this to say that anyone who says Squid is out of style or not relevant simply doesn't work in the industries I am in. Fintech specifically, MITM is used quite often. Squid on pfSense never really got the love that was needed to make it a better tool (read all the open redmines for examples). I also don't expect Netgate devs to spend time customizing this tool either so now we are in a situation where there is no proxy support and no way of having customized filtering options.
        Certain..ahem....Youtube personalities that are very fond of pfSense and see no fault in it, are screaming "protect the endpoint" and although it's true, the more accurate way of handling security is to do things in depth. I absolutely want my firewall breaking TLS sessions to inspect packets. I absolutely want my endpoint protection to catch what my firewall didn't.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        M J 2 Replies Last reply Nov 21, 2023, 12:03 AM Reply Quote 4
        • M
          mcury @michmoor
          last edited by Nov 21, 2023, 12:03 AM

          I understand what you guys are saying, I thought about this for a long time..

          Fortinet and etc, they have teams and robots to categorize websites, they have their own URL categorization, this is expensive to maintain and update. If you report a website that is wrongly categorized, the team will check and work to fix that in a few hours, it never exceeds one day.
          Do you guys want a service like that ? Well, you need to pay for it.

          Now, when speaking about Squid/Squidguard, if you plan to deploy it for 10 customers, prepare for a lot of trouble because, splice all method is going away, yes, encrypted SNI headers are becoming a reality and the only option you will have is to bump everything (MITM) and you guys know how that can be...
          You have to worry about websites such as financial, governmental, social media, windows updates, messaging apps and etc....

          Now think, you have deployed Squid for 10 customers, can you handle the storm of problems that this will bring ?
          If you think that you can tune everything for everyone, and you can handle every problem that appears, even the small ones such as an image on a site not opening, go ahead and install Squid, but I would say, do it in another device due to the security risks already mentioned.

          Now, when speaking about pfblockerNG DNSBL, it is much easier to maintain than Squid, you can tune it much more easily and block everything you want, but it also has problems.
          DoH, DoT and QUIC, these can be a problem, but as I see it, you can work around that but you will be leaving performance on the table because the world is moving forward, protocols are evolving.

          So, as I see it, if you want to perform URL filtering based on categories, with everything working and be able to deploy it for customers without being overwhelmed by problems ? Do it at the end point, this will save you so much trouble and performance and will be so much better.. Or, pay for it, have you guys heard about Zorus project ?

          dead on arrival, nowhere to be found.

          1 Reply Last reply Reply Quote 0
          • J
            JonathanLee @michmoor
            last edited by JonathanLee Nov 21, 2023, 5:47 AM Nov 21, 2023, 5:41 AM

            @michmoor

            I am once again lost in the awesome mountain of power that is big tech. To have such tools ripped away under the context of vulnerabilities, is counterintuitive to end user based cybersecurity.

            Make sure to upvote

            1 Reply Last reply Reply Quote 0
            • L
              lg1980
              last edited by Nov 28, 2023, 3:03 AM

              Hello,

              For anyone interested, I compiled the Squid update for version 6.5 (pfSense 2.7.1) as per the release of the Squid project and made it available here:

              https://pkg.pf2ad.com/pfsense/2.7.1/amd64/All/squid-6.5.pkg

              As I am going to maintain the pf2ad project (https://pf2ad.com), and for customers who use it and want to continue, I will maintain the update and repository for Squid and Squidguard (updating any version/changes).

              In the installation script I have already prepared the check and update for the latest version of Squid.

              Regards,

              Luiz Costa

              J J 3 Replies Last reply Nov 28, 2023, 3:17 AM Reply Quote 4
              • J
                JonathanLee @lg1980
                last edited by Nov 28, 2023, 3:17 AM

                @lg1980 I am so happy bro!!! This is amazing. Epic, epicness. Take that spyware!!!! Booyeahhhhh

                Thank you

                Make sure to upvote

                1 Reply Last reply Reply Quote 1
                • J
                  jc1976 @lg1980
                  last edited by Nov 28, 2023, 8:59 PM

                  @lg1980

                  Luiz,

                  I just got home last night from the holiday to see this..

                  I can't thank you enough!

                  I am in no way, shape or form a firewall/security guru, however in my limited experience I absolutely think pfsense is beyond incredible, and it's the independent devs such as bbcan (pfblockerng) and yourself that make this firewall so much better than the big companies ever could..

                  i'd rather donate to devs such as yourself and bbcan and anyone else who takes time out to contribute because they're devoted to the cause and love their craft than the folks at the big companies who sub-out the work to some sweat-shop halfway full of crappy programmers halfway around the globe all in the name of saving money..

                  Thanks again!

                  1 Reply Last reply Reply Quote 1
                  • J
                    jc1976 @lg1980
                    last edited by Nov 28, 2023, 9:13 PM

                    @lg1980

                    One question?
                    again, i'm a novice so..

                    how do we install the version of squid you compiled? i don't have any AD integration for my setup, so i'm only looking to update my installation to the latest.

                    Also, what is the order of updating/installation between squid and pfsense? i'm currently on pfsense 2.7CE. do i update squid to 6.5 first and then pfsense to 2.7.1?

                    Thanks!!

                    L 1 Reply Last reply Nov 29, 2023, 1:58 AM Reply Quote 1
                    • L
                      lg1980 @jc1976
                      last edited by lg1980 Nov 29, 2023, 1:59 AM Nov 29, 2023, 1:58 AM

                      @jc1976 said in Squid 6.5 !! Nov 6th:

                      @lg1980

                      One question?
                      again, i'm a novice so..

                      how do we install the version of squid you compiled? i don't have any AD integration for my setup, so i'm only looking to update my installation to the latest.

                      Also, what is the order of updating/installation between squid and pfsense? i'm currently on pfsense 2.7CE. do i update squid to 6.5 first and then pfsense to 2.7.1?

                      Thanks!!

                      I made a little snippet to automate this:

                      https://gitlab.labexposed.com/-/snippets/14

                      1 - Update all pfsense and all packages, including squid
                      2 - Just run the command: "fetch -q -o - https://gitlab.labexposed.com/-/snippets/14/raw/main/update-squid.sh | sh"

                      Basically it will add the pf2ad repository and update squid, using this repository

                      I hope it helps !

                      Welcome !

                      Luiz Costa

                      J 1 Reply Last reply Nov 29, 2023, 4:37 AM Reply Quote 1
                      • J
                        jc1976 @lg1980
                        last edited by jc1976 Nov 29, 2023, 4:40 AM Nov 29, 2023, 4:37 AM

                        @lg1980

                        i copied and pasted the command you gave me after ssh'ing

                        "fetch -q -o - https://gitlab.labexposed.com/-/snippets/14/raw/main/update-squid.sh | sh"

                        (without quotes) into my pfsense box as root and it gave me the following error:

                        ld-elf.so.1: Shared object "libssl.so.30" not found, required by "pkg"
                        ld-elf.so.1: Shared object "libssl.so.30" not found, required by "pkg"

                        the packages i have installed are as follows:

                        i'm still on 2.7.0 (stable).

                        Thanks!!

                        J L 2 Replies Last reply Nov 29, 2023, 5:02 AM Reply Quote 0
                        • J
                          JonathanLee @jc1976
                          last edited by Nov 29, 2023, 5:02 AM

                          @jc1976
                          Try this I had the same issue

                          https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#upgrade-not-offered-library-errors

                          Make sure to upvote

                          J 1 Reply Last reply Nov 29, 2023, 5:03 PM Reply Quote 1
                          • J
                            jc1976 @JonathanLee
                            last edited by Nov 29, 2023, 5:03 PM

                            @JonathanLee

                            cool, thanks! i'll try it when i get home.

                            should i bother uninstalling the old squid first?

                            what will it take to get this package put into the regular package manager? Luiz makes this look pretty effortless, why are the devs fighting the update?

                            J 1 Reply Last reply Nov 29, 2023, 5:10 PM Reply Quote 0
                            • J
                              JonathanLee @jc1976
                              last edited by JonathanLee Nov 29, 2023, 5:11 PM Nov 29, 2023, 5:10 PM

                              @jc1976 I don't know. I still have that lib error when I check for updates but I can check package updates now on the command line. This command fixed my package issues.

                              pkg-static install -f -y pkg
                              

                              Make sure to upvote

                              J 1 Reply Last reply Nov 30, 2023, 3:21 PM Reply Quote 0
                              • J
                                jc1976 @JonathanLee
                                last edited by Nov 30, 2023, 3:21 PM

                                @JonathanLee

                                what about for a fresh install? meaning, the whole firewall was reinstalled and now on version 2.7.1 stable and i want to do a fresh install of squid. run the same command to install the package Luiz created?

                                thanks!

                                J L 2 Replies Last reply Nov 30, 2023, 3:34 PM Reply Quote 1
                                • J
                                  JonathanLee @jc1976
                                  last edited by JonathanLee Nov 30, 2023, 3:35 PM Nov 30, 2023, 3:34 PM

                                  @jc1976 I have PfSense plus, if I did a reinstall it would lose Snort. That does not work in version 23.09 for my arm processor. With the updates I am locked out of the GUI. I opened a TAC support to get 23.05.01 firmware, but I realized it wouldn't fix the Snort package that has the core dump issues... Now it's like my Airport extreme it no longer gets updates. But the 23.05.01 version is perfect everything works. I love this version.

                                  Make sure to upvote

                                  L 1 Reply Last reply Dec 2, 2023, 1:40 AM Reply Quote 0
                                  • J
                                    jc1976
                                    last edited by Dec 1, 2023, 6:24 PM

                                    i had to do a fresh install of pfsense at work so we're on 2.7.1ce.

                                    i take it that the squid installer first listed by Luiz is just an update? i ran the command that he had given us but nothing happened.

                                    i'm a bit confused; if we can't install squid from the package manager because it's incompatible with 2.7.1 then how do we update it with the script?

                                    L 1 Reply Last reply Dec 2, 2023, 1:45 AM Reply Quote 0
                                    • L
                                      lg1980 @jc1976
                                      last edited by Dec 2, 2023, 1:36 AM

                                      @jc1976 said in Squid 6.5 !! Nov 6th:

                                      i'm still on 2.7.0 (stable).

                                      It's because of that. The binary I compiled is for version 2.7.1 (already with the new OpenSSL version)

                                      You have to update your pfsense first

                                      thanks

                                      1 Reply Last reply Reply Quote 0
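
An added example, not part of any post in this thread and not pf2ad's script: a staged alternative to piping the fetched script straight into `sh` as root, which also refuses to run on anything other than the 2.7.1 release the package was built for. The function names, the `PINNED_SHA256` placeholder and the use of `/etc/version` as the version source are assumptions.

```shell
#!/bin/sh
# Added example: fetch to disk, check version and hash, and only then execute.

SCRIPT_URL="https://gitlab.labexposed.com/-/snippets/14/raw/main/update-squid.sh"
PINNED_SHA256="REPLACE_WITH_HASH_OF_THE_COPY_YOU_REVIEWED"   # placeholder
REQUIRED_PREFIX="2.7.1"   # the thread says the package was built for pfSense 2.7.1

# Print the SHA-256 of a file (FreeBSD sha256, or sha256sum elsewhere).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# Succeed only if file $1 exists and hashes to $2.
verify_sha256() {
    [ -f "$1" ] || return 1
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Succeed only if version string $1 starts with prefix $2.
version_ok() {
    case "$1" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Nothing is executed when the version or the hash does not match.
staged_install() {
    ver=$(cat /etc/version 2>/dev/null)   # assumption: pfSense keeps its version here
    if ! version_ok "$ver" "$REQUIRED_PREFIX"; then
        echo "pfSense is '$ver', package needs $REQUIRED_PREFIX; update first" >&2
        return 2
    fi
    tmp=$(mktemp /tmp/update-squid.XXXXXX) || return 1
    fetch -q -o "$tmp" "$SCRIPT_URL" || { rm -f "$tmp"; return 3; }
    if ! verify_sha256 "$tmp" "$PINNED_SHA256"; then
        echo "hash mismatch, not running: $(file_sha256 "$tmp")" >&2
        rm -f "$tmp"; return 4
    fi
    sh "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Run only when asked explicitly: sh staged-update.sh run
if [ "${1:-}" = "run" ]; then staged_install; fi
```

The hash to pin is the one printed for a copy of the script that has been read and accepted; a later change to the snippet then stops the run instead of executing silently.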
                                      • L
                                        lg1980 @jc1976
                                        last edited by Dec 2, 2023, 1:38 AM

                                        @jc1976 said in Squid 6.5 !! Nov 6th:

                                        @JonathanLee

                                        what about for a fresh install? meaning, the whole firewall was reinstalled and now on version 2.7.1 stable and i want to do a fresh install of squid. run the same command to install the package Luiz created?

                                        thanks!

                                        Yes ! If you are running version 2.7.1 of pfsense and already have Squid installed, just run the command I sent to update the Squid package.

                                        1 Reply Last reply Reply Quote 0
                                        • L
                                          lg1980 @JonathanLee
                                          last edited by Dec 2, 2023, 1:40 AM

                                          @JonathanLee said in Squid 6.5 !! Nov 6th:

                                          @jc1976 I have PfSense plus, if I did a reinstall it would lose Snort. That does not work in version 23.09 for my arm processor. With the updates I am locked out of the GUI. I opened a TAC support to get 23.05.01 firmware, but I realized it wouldn't fix the Snort package that has the core dump issues... Now it's like my Airport extreme it no longer gets updates. But the 23.05.01 version is perfect everything works. I love this version.

                                          In the plus version I have no idea how this is going.

                                          1 Reply Last reply Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.