Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid 6.5 !! Nov 6th

    Scheduled Pinned Locked Moved Cache/Proxy
    squid updatebug fixesupstream fix
    82 Posts 12 Posters 19.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JonathanLeeJ
      JonathanLee @Michele Trotta
      last edited by

      @Michele-Trotta check this out…

      IMG_0114.png

      https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

      You might have a certificate issue

      Make sure to upvote

      1 Reply Last reply Reply Quote 0
      • M
        Michele Trotta
        last edited by

        Hi,

        I added a new certificate and assigned it to squid.

        3f79fd53-ee8d-4e0a-b7a3-4412cf48b57a-immagine.png

        the result is always the same
        c5bccb08-0fde-4cf9-a02b-6ee4bd51db0e-immagine.png

        where 172.17.78.81 is proxy

        and on client

        86f58f93-5fe0-41c3-a3a4-0f7dd005a558-immagine.png

        What other tests can I do?

        Thank you

        JonathanLeeJ 2 Replies Last reply Reply Quote 0
        • JonathanLeeJ
          JonathanLee @Michele Trotta
          last edited by

          @Michele-Trotta

          Try to change settings in this area and see if the error goes away..

          Screenshot 2024-01-24 at 07.57.55.png

          Also try to make the SSL certificate with OpenSSL in command line and import that one into pfSense so its made with Squids application

          "Step 1. Configuring the root Certificate Authority (rootCA)
          This is probably the part that is most confusing for people and why their setups have failed, Squid need to have a CA assigned to it so that it is able to decrypt parts of the HTTPS header so that it can determine what to do whit that traffic, otherwise all traffic is passed.

          I used the built-in openssl tool of pfSense to generate this rootCA, for this you need to ssh in to your firewall or connect to it over console, when at the console menu select option 8 Shell, when you are at the shell prompt you need to manually edit the openssl to give you the necessary prompts and questions for you to configure the rootCA

          vi /etc/ssl/openssl.cnf

          under the [ REQ ] option change the following line from: prompt=no to prompt=yes
          under the [ V3_REQ ] option change the following line from: basicConstraints=CA:FALSE to basicConstraints=CA:TRUE
          Then save and quit (to save and quit vi editor use :wq!).
          Now we would make a known location in the filesystem to save our rootCA and key file as they need to be imported into pfSense GUI at a later stage, I like to use /tmp for any temporary files

          Command:
          mkdir /tmp/Proxyfiles

          Now move to the folder you created whit:
          cd /tmp/Proxyfiles

          When you are in this folder you are ready to start the openssl tool and start to create your rootCA, you start whit generating your KEY file by running the command:

          openssl genrsa -out myProxykey.key 2048

          This will create an rsa key file named myProxykey.key that we use to sign our rootCA whit in the next command for generating the pem file for the rootCA
          Create a pem file signed whit key using command:

          openssl req -x509 -new -nodes -key myProxykey.key -sha256 -days 365 -out myProxyca.pem

          This will prompt you to answer some questions to generate the needed pem file in my case it is as below, you need to change this for where you are

          US []:NO - Country code
          Somewhere []:Oslo - State or province
          Somecity []:Oslo - Your city or town
          CompanyName []:IT-Monkey - Name of your company or business, "make something up if you are a home user"
          Organizational Unit Name (eg, section) []:IT-Department - What part of the company issued the cert, can also be left blank
          Common Name (eg, YOUR name) []:Admin - Your name or identity in the company
          Email Address []:admin@it-monkey.local - Your contact email

          At this point you should have 2 files in your /tmp/Proxyfiles directory

          myProxyca.pem
          myProxykey.key

          This can be double checked whit command:

          ls -la

          If both are there then you are ready to download them and exit the shell environment and continue to the GUI of pfSense, if not you need to look over any error or try again.

          To download these files I like to use WinSCP as its fast to navigate and find the files you want to move you can also do this from pfSense Diagnostic -> Command Prompt option and select the file path of:

          /tmp/Proxyfiles/myProxyca.pem
          /tmp/Proxyfiles/myProxykey.key

          In the download box, this is somewhat slower to navigate but works just fine.

          Now as you have these files on your desktop or computer you need to open them in a text editor, I prefer Notepad++ as it's able to adjust the formatting layout of the text but any text editor will work as you will need to copy paste the information in these files to fields in the pfSense GUI.
          Navigate to System -> Cert. Manager -> CA's
          Here you want to add a new CA

          Descriptive name: SquidCA
          Method: Import an existing Certificate Authority
          Certificate data: Copy \ Paste the info from myProxyca.pem file
          Certificate Private Key: Copy \ Paste the info from myProxykey.key file
          Save and apply
          "

          Ref:
          https://forum.it-monkey.net/index.php?topic=23.0

          Make sure to upvote

          1 Reply Last reply Reply Quote 0
          • JonathanLeeJ
            JonathanLee
            last edited by

            How as this compiled ? With Clang? I want to compile one for me I am using the arm processor

            Make sure to upvote

            1 Reply Last reply Reply Quote 0
            • JonathanLeeJ
              JonathanLee @Michele Trotta
              last edited by

              @Michele-Trotta what is the IP address of your firewall is it 172.17.78.81?

              Is that cider network included in the allow use of proxy area under access control list in Squid?

              Make sure to upvote

              1 Reply Last reply Reply Quote 0
              • J
                jc1976
                last edited by

                can the proxy portion of this be handled by haproxy instead of squid?
                if squid is gonna be such a pain about this then...?

                all of my research said it can absolutely be done. you won't get the inline virus scanning of clamav but i'd think you could piggy-back another device running linux and clamav (or any antivirus package) to perform the scanning we want before sending it on to the requesting client on the backend..

                yes?/no?

                JonathanLeeJ 1 Reply Last reply Reply Quote 0
                • JonathanLeeJ
                  JonathanLee @jc1976
                  last edited by

                  @jc1976 If you want to run another device you can also run squid on another device haproxy can't do web caching or certificated ssl inspecting

                  Make sure to upvote

                  J 1 Reply Last reply Reply Quote 0
                  • M
                    Michele Trotta
                    last edited by

                    Hi everyone,
                    I also created new certificates with openssl but with the same results posted yesterday :-(

                    Pfsense is installed on a traditional test server with IP address 172.17.78.81 where Squid+Squidguard has been configured and with few firewall controls.

                    What other tests can I do?

                    Thank you

                    L 1 Reply Last reply Reply Quote 0
                    • L
                      lg1980 @Michele Trotta
                      last edited by

                      @Michele-Trotta said in Squid 6.5 !! Nov 6th:

                      Hi everyone,
                      I also created new certificates with openssl but with the same results posted yesterday :-(

                      Pfsense is installed on a traditional test server with IP address 172.17.78.81 where Squid+Squidguard has been configured and with few firewall controls.

                      What other tests can I do?

                      Thank you

                      Hello Michele, Hello Everyone !

                      I've been following the conversations but I just haven't had time to respond. At least say "hi" here now to say that.

                      As soon as I have time, I will do more tests regarding these reports and try find the fixes/solutions.

                      Very thanks for this report @Michele-Trotta

                      @JonathanLee
                      I am having problems with dependency packages compiling against the available public repositories. Without knowing exactly the tunings used in ARM environments (which are closed in the Netgate repository), I find it difficult to find a solution.

                      With more time, I will study the environment a little more.

                      Thanks!

                      1 Reply Last reply Reply Quote 2
                      • J
                        jc1976 @JonathanLee
                        last edited by jc1976

                        @JonathanLee

                        i'm not concerned about web caching.. really, with internet speeds the way they are, unless you're running dial-up, not having it is not a deal-breaker..

                        regarding haproxy not being able to do cert ssl inspection; again, that might not necessarily be a deal breaker. if i'm wrong correct me, but from what i've read/researched/etc.. it can decrypt and re-encrypt ssl/tls certs.. so, in a transparent proxy scenario, when https traffic comes in from the wan, it would be decrypted, FULLY inspected by suricata/snort and then it could either be re-encrypted and sent onward to the clients on the lan side, or sent through another device that's inline for antivirust scanning, either clamav, or anything else at that point.. a lot of commercial AV packages are available for linux, so you could run a simple linux machine.. yes, it adds complexity, but it also adds flexibility by not being limited to a pfsense package that may or may not be available down the road.

                        It's great that people are devoted to keeping the package going, but what happens when they grow tired of it? keeping those packages going takes a TON of time and effort. What will happen when BBCan decides he can no longer be the sole developer of pfblockerng for example? from what i've read there are only a few people working on keeping squid afloat. unless they get a cash infusion with more devs to reinvigorate the project, it seems like it's days might be numbered..
                        i HOPE i'm wrong.

                        1 Reply Last reply Reply Quote 1
                        • L
                          lg1980
                          last edited by

                          https://forum.netgate.com/topic/186331/new-squid-6-7-and-clamav-1-3-0

                          1 Reply Last reply Reply Quote 1
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.