Any security issues with running pound and privoxy on my pfsense box?
-
I'm pretty sure the pfsense gui for squid doesn't offer it, at least I don't see the option. Also just read squid is a "horrible" reverse proxy. I was reading a post earlier where somebody was asking for a method of doing exactly what you're doing.
http://forum.pfsense.org/index.php/topic,33488.0.htmlVery cool that it's able to read the http headers, that does greatly simplify everything when you have separate web servers. Using apache I do the same thing, but it's all hosted under that 1 box, which I know doesn't fit every scenario.
Pound sounds like it would be a really awesome package for pfsense.
http://www.apsis.ch/pound
As this has peaked my interest lol, looking around the forums pfsense runs lighttpd which supports reverse proxy. (which you may already know, this is all new to me :-) )
http://forum.pfsense.org/index.php/topic,16761.0.htmloke doke pfsense does have a reverse proxy package through "modsecurity." Supports HTTP and HTTPS.
"Proxy Server with mod_security"and last but not least, varnish is supported on the beta x64 version.
-
@heavy1metal:
As this has peaked my interest lol, looking around the forums pfsense runs lighttpd which supports reverse proxy. (which you may already know, this is all new to me :-) )
http://forum.pfsense.org/index.php/topic,16761.0.htmloke doke pfsense does have a reverse proxy package through "modsecurity." Supports HTTP and HTTPS.
"Proxy Server with mod_security"and last but not least, varnish is supported on the beta x64 version.
I installed the package 'Proxy Server with mod_secuirty' a while ago but I couldn't get it to run on my box.. Never found a how-to on the forum, mod security website didn't seem very helpful either.
I've heard of varnish but didn't know there is package for it on the x64 version. I'm running an atom processor so I think I can install x64 version on it but haven't tried. Haven't played with 64 OSs yet because of hardware and drivers. I could be wrong but I believe varnish doesn't support SSL.
I can write a quick how-to if you like. I dont know how to use all the advance settings, just to get it to re-direct traffic to the boxes I want, SSL and setup a wildcard to my IIS6 box(which i use the http headers like you do on apache)
pound would be a great package for pfsense I think. Its really lightweight from what I can tell. Doesn't even need to access the harddrive after its running.
-
A write up would be awesome, everywhere I've read talks about re-compiling the kernal with it bundled in somehow. I read your other post about NAT'ing the ports for the mail server etc.. if you do this, could you let me know if there are any latency issues? I've read somewhere in the past that by adding a NAT vs just opening the port can cause a delay (more so when you have higher volumes).
-
Its a FreeBSD port so no compiling needed.
I used a mixed of command line and WinSCP to get this done:
from the command line type:
pkg_add -r poundNow create this file with 0644 permissions, i did by using WinSCP:
/usr/local/etc/pound.cfgI can't help create your pound.cfg as it unique to everyone setups but you can use mine as a base
###################################################################### ## global options: User "nobody" Group "nobody" RootJail "/var/jail/pound/" ## Logging: (goes to syslog by default) ## 0 no logging ## 1 normal ## 2 extended ## 3 Apache-style (common log format) LogLevel 1 LogFacility deamon ## check backend every X secs: Alive 30 ## use hardware-accelleration card supported by openssl(1): #SSLEngine "" ###################################################################### ## listen, redirect and ... to: ## HTTP Listener ListenHTTP Address 127.0.0.1 Port 9080 LogLevel 0 End ## HTTPS Listener ListenHTTPS Address 127.0.0.1 Port 9443 Cert "/var/jail/pound/host.domain.net.pem" LogLevel 0 End Service HeadRequire "Host: ted5000.host.domain.net" BackEnd Address 192.168.0.x Port 80 End End Service HeadRequire "Host: nasbox.host.domain.net" BackEnd Address 192.168.0.x Port 80 End End Service HeadRequire "Host: mrtg.host.domain.net" BackEnd Address 192.168.0.x Port 9191 End End Service HeadRequire "Host:.*host.domain.net.*" BackEnd Address 192.168.0.x Port 80 End EndYou can comment out the RootJail but I configured it for added security. If you do want to use it make sure you create the below folders(they dont have to be /var/jail, but should be somewhere within /var).My permissions for the folders are 0755. If you do plan to use SSL, make sure you create the …pound/dev/urandom. Its needed only for SSL or it wont work. Also copying the localtime file over ensures pound will log based on your timezone and not GMT
mkdir /var/jail mkdir /var/jail/pound mkdir /var/jail/pound/dev mkdir /var/jail/pound/etc mknod /var/jail/pound/dev/urandom c 1 9 cp /etc/localtime /var/jail/pound/etc/localtimeFor testing I would change the HTTP/HTTPS Listener LogLevel to 1. But change it back to 0 unless you want to see logs for every web page/image that is access(Use your web server logging for this, and make sure it can accept 'x-forwarded-for' because that's where the client IP will be at)
Create your NAT/Firewall rules base(Or see first post for a picture):
NAT:WAN TCP * * WAN address 80 (HTTP) 127.0.0.1 9080 HTTP pound redirect WAN TCP * * WAN address 443 (HTTPS) 127.0.0.1 9443 HTTPS pound redirectFirewall:
IPv4 TCP * * 127.0.0.1 9080 * none NAT HTTP pound redirect IPv4 TCP * * 127.0.0.1 9443 * none NAT HTTPS pound redirectTo start pound from the command line:
/usr/local/etc/rc.d/pound forcestartTo have to auto start on reboot. Add this to your config.xml under the system section:
<shellcmd>/usr/local/etc/rc.d/pound forcestart</shellcmd>I think that's it…These were the steps I did to get it running... Hope it helps!
-
@heavy1metal:
A write up would be awesome, everywhere I've read talks about re-compiling the kernal with it bundled in somehow. I read your other post about NAT'ing the ports for the mail server etc.. if you do this, could you let me know if there are any latency issues? I've read somewhere in the past that by adding a NAT vs just opening the port can cause a delay (more so when you have higher volumes).
I only have an internal SMTP server. The internet doesn't have inbound access to it so I dont know if there are any latency issues with NAT.
-
@heavy1metal:
If you do plan to use SSL, make sure you create the …pound/dev/urandom. Its needed only for SSL or it wont work.
Hi heavy1metal, I'd like to use SSL in the future, can you explain to me exactly how can I create the pound/dev/urandom file? Thanks for all.
Sincerely,
Emanuele Bruno. -
@heavy1metal:
If you do plan to use SSL, make sure you create the …pound/dev/urandom. Its needed only for SSL or it wont work.
Hi heavy1metal, I'd like to use SSL in the future, can you explain to me exactly how can I create the pound/dev/urandom file? Thanks for all.
Sincerely,
Emanuele Bruno.Did you read my how-to? its in it, http://forum.pfsense.org/index.php/topic,33566.msg174126.html#msg174126
-
Cino where can I grab the template package for pound?
thx
-
Cino where can I grab the template package for pound?
thx
What do you mean by template package? There is no pfsense package for pound… This is a command-line install/how-to I did... You can take my how-to and create a package if you want. I don't know how to but will be looking into it but don't wait on me to build a package, could take a year or may never happen as I'm not a programmer.
-
where did you get the "pound" package for the "pkg_add -r pound"
thx
-
where did you get the "pound" package for the "pkg_add -r pound"
thx
From freebsd ports, it will go here to grab the port:
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/pound.tbz -
Cino,
I am having the same issue getting modsecurity to work and thinking about using your solution with pound. Just wanted to see if you have tried anything else to get modsecurity to work?
Thanks,
Jake -
i haven't tried modsecurity in months..