pfSense and Squid going forward?
-
Hi.
I did a quick search and scan of topics relating to squid and pfSense to see if the question has maybe been asked or if it was maybe answered in one of the other topics mentioning Squid. I couldn't find any answers.
According to this link about netgate on squid deprecation squid is suppose to be removed from major releases after 2.7.1 because of unresolved security issues.
I installed pfSense 2.8 during the week and squid is still in the package list, so has these security issues been resolved if not why is squid still available in 2.8?
Thanks ...
Edit added a screenshot i forgot i took yesterday morning: (ignore the red line a friends reply as to what pfBlocker i should install)
-
The base Squid package was updated upstream so most of the security issues were fixed. However it's unsupported and is still expected to be removed at some point.
-
@stephenw10 please keep it. I absolutely love that package. I have been waiting on 23.05.01 until the status page is fixed so I can upgrade. All the security things where fixed and that was the main concern originally
-
@SlowITDown look at the version squid 7.3 ….
-
@stephenw10 said in pfSense and Squid going forward?:
The base Squid package was updated upstream so most of the security issues were fixed. However it's unsupported and is still expected to be removed at some point.
Thanks for the reply will keep that in mind.
The reason i was asking was we have a client that has a firewall in currently but the device is EOL and they are looking for something that:
1: can cache websites as they are limited to a 10mb/s line (call it a rural area)
2: can log what websites are surfed by what IP
3: Limit website access to certain times and block certain website (ie "all Adult Content")My "limited" experience with firewalls is you do that with squid and squid guard.
So if Squid is being removed i would have to figure out what the new tools are for such functions.
Thanks again for taking the time to reply.
-
@stephenw10 I know many of us have beat this drum to death in the forum, so take this as genuine and constructive feedback, but there are many of us who love PFSense who will have no choice but to walk away if/when Squid is finally dropped. (Probably to OpnSense as that is the closest analogue in feature set to PFSense for obvious reasons, and they are still officially supporting Squid)
I was quite surprised and very relieved to see it received a "stay of execution" shall we say, in 2.8.0, and in fact got some updates.
I had been quietly dreading the promised 2.8.0 release which would remove Squid because I would have had to immediately ramp up the search for an alternative and put plans in place to migrate which is not easy when it has become a core part of a network and the many and varied features and services of PFSense are relied on, which are hard to replicate in one device in many other products. Furthermore, upgrading from CE to Plus would not solve the problem for me as it was to be removed from Plus as well.
(In fact the constant "will they, won't they" fear regarding removal of Squid is the primary thing that has put me off going from CE to Plus, as I would be foolish to do so only to have a feature I rely entirely on removed from the paid version soon after paying for it)
All business networks above a certain size rely on proxy server functionality, so to remove it from an otherwise very powerful firewall leaves a gaping hole in functionality that would simply make PFSense a "no" for many networks. You can run an explicit proxy on another device but if you need transparent proxying as well (especially to support BYO devices) the proxy has to run directly on the firewall.
Sure, I get it - Squid is old code, and a lot of the traditional functionality of Squid (such as full URL inspection, content filtering, caching) is no longer usable or meaningful in a modern HTTPS everywhere world, making Squid somewhat obsolete as a project and about 80% of the configuration GUI for it in PFSense is now worthless, however SNI inspection and domain based blocking does still work for now, and that's all that's really available these days unless you want to go down the route of installing certificates on all clients and doing full certificate based interception and decryption, or forcing only explicit proxy use - which is another can of worms and which is not feasible with BYO devices.
To be honest, we don't need Squid and all its baggage specifically, all that's really needed these days is a lightweight proxy server (both transparent and explicit) which can apply domain based access controls using SNI, which integrates with some sort of category based domain lists - the latter functionality currently provided by SquidGuard.
Some say "just use PFBlocker" but this does not replicate the functionality when you have different VLAN's/subnets with different blocklist requirements, (for example Staff vs Students in a school, which is my situation) and ultimately, DNS based filtering cannot be made watertight in a complex environment because there are always ways for clients to defeat external DNS blocks.
All other major firewall vendors have some proxy server with SNI recognition and category based domain lists as a core feature - whether they're rolling their own code or quietly still using Squid/SquidGuard behind the scenes, which I know some do.
I'm all for replacing Squid/SquidGuard with a modern, lightweight proxy server that just performs these basic still feasible features, (transparent/explicit proxy, SNI inspection, category based domain name blocking) and would love to see this happen however I'm not aware of any current open source proxy projects that meet the requirements. Most ground up Squid replacements probably remain proprietary internal code of firewall vendors.
While Netgate may disagree or not see it as a priority, I think many of us believe that proxy server functionality is a core feature that any advanced firewall needs and should have so IMHO removing Squid without providing some kind of modern replacement is a problem for a lot of people that will see them leaving or not using PFSense in the first place.
-
"Why Squid Should Stay – Major Upstream Progress in 6.x → 7.x
Over the past year, Squid development has seen a major resurgence, with substantial improvements in security, code modernization, protocol support, and platform compatibility. While it’s true Squid was relatively stagnant for several years, the recent pace of upstream changes demonstrates an active and forward-looking roadmap that directly addresses the concerns which led to discussions about removing the package.Key Reasons to Retain Squid in pfSense
1. Security and Stability Improvements
Numerous security-critical fixes have landed, including improved TLS handling, memory safety hardening, Kerberos and authentication robustness, and stricter ACL validation.
Y2038 readiness and proper timeout handling reduce long-term technical debt.
Upstream now proactively removes legacy code that previously posed maintenance risks (e.g., deprecated auth helpers, obsolete protocols, dead features).2. Aggressive Removal of Obsolete Components
Recent releases streamlined the codebase, cutting legacy baggage:
Removed Edge Side Include (ESI), Ident protocol, cachemgr.cgi, squidclient, old UFS/AUFS purge tools, and unused multicast/ICP features.
Eliminated deprecated APIs, dead code paths, and fragile maintenance hacks.3. Modernization and Portability
Fixes for OpenSSL v3+, GCC 13–15, and MinGW/Windows builds.
Updated SNMP counters, EDNS support for DNS, and improved IPv6 ACL matching.
Build system refreshes for modern toolchains (libtool/automake, pkg-config checks).4. Active Development and Frequent Releases
In just the last 12 months, Squid jumped from mid-6.x into the 7.x series with five significant releases:- 6.11 → 6.14 (Sep 2024 – Jun 2025): DNS reliability, Kerberos improvements, memory leak prevention, large upload handling, GCC build fixes, and better configuration clarity.
- 7.0.1 Pre-release (Feb 2025): Massive cleanup milestone – removal of outdated protocols, dozens of bug fixes, security improvements, Windows and MinGW portability fixes, logging improvements, and Y2038 handling.
- 7.0.2 (Jun 2025): Fixes for RESPMOD hangs, OpenSSL 3 support, Solaris and GCC portability, TLS-DH parameter handling, and SNMP corrections.
- 7.1 (Jul 2025): Latest release – includes getaddrinfo() IP duplication fix, removal of SMB/LANMAN auth helpers, additional documentation and code cleanups.
- These changes reflect consistent, upstream-driven effort—not a one-off patch drop.
The Reality: Squid Is Far from Dead
The upstream changelogs show hundreds of resolved issues, major feature pruning, and ongoing modernization efforts. This isn’t a dormant project anymore; it’s actively maintained with a clear trajectory toward security and protocol compliance in modern environments.
Why This Matters for pfSense
The main reason Squid was on the chopping block was lack of maintenance. That reason no longer applies. Squid is alive, modernizing, and actively improving security. Removing it now would be a step backward when upstream has done the heavy lifting to make it viable again.Recommendation: Keep Squid in pfSense, update it to the current 7.x series, and leverage the ongoing upstream momentum to provide users with a secure, modern caching/proxy solution.
Bottom line: Squid is not just maintained—it’s moving fast. This is the perfect time to keep it, not drop it.—pfSense can now provide its users with an up-to-date, secure, and stable caching/proxy solution without carrying legacy baggage.
Also here is the email that went out a couple days ago. I disagree about stating it's old code.. as Squid developers are also working on a solution to QUIC in the background currently.
"The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-7.1 release!This release is, we believe, stable enough for general production use.
We encourage all users of any previous major version of Squid to upgrade to it,
as well as users of beta version 7.0.X.It can be downloaded from GitHub, at
https://github.com/squid-cache/squid/releases/tag/SQUID_7_1Since version 6, Squid offers:
- better support for overlapping IP ranges and wildcard domains in acl
- countless security, portability, and documentation fixes
Since version 6, some previously deprecated features have been removed:
- Edge Side Includes (ESI)
- access to the cache manager using the cache_object:// scheme - use
http instead - the squdclient tool - use curl
http://<squid-address>/squid-internal-mgr/menu instead - the cachemgr.cgi tool
- the purge tool - use the http PURGE method instead
- Ident protocol support
- basic_smb_lm_auth and ntlm_smb_lm_auth helpers - use Samba's
ntlm_auth instead
Further details can be found in the release notes and in the changelog
Please remember to run "squid -k parse" when testing the upgrade to a new
version of Squid. It will audit your configuration files and report
any identifiable issues the new release will have in your installation
before you "press go".If you encounter any issues with this release please file a bug report at
https://bugs.squid-cache.org/--
Francesco Chemolli
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users"Ref:
https://github.com/squid-cache/squid/releases -
@stephenw10 How do we get it supported ?? Maybe a bug bounty ?
I am doing a git clone right now and will do the Makefile and set it to 7.1.x and run the makes and commit and push it and open a pull request for the package it is still on 6.13. Again it has to be approved. But at least I tried.
-
https://github.com/pfsense/FreeBSD-ports/pull/1420
Merged I could not test it but it is in there with the make file now and the distinfo file
Let me know if you can test that out
Dont use this I am having issues with the MASTER SITES and patches folder it wont make clean install all the way
