Is there an easier way to secure squid3 proxy clients?
-
Hi Everyone,
I am very new to pfSense but I have been playing around with it and with Squid at home and was wondering if there is an easier way to secure the proxy clients? When I run the SSL Labs client test at https://www.ssllabs.com/ssltest/viewMyClient.html with the default squid configuration and SSL proxying, the results are not very pretty. However, when I replace the top 30 or so lines in my squid.conf file (with the lines below) I achieve what I think are great results, but whenever there is a change made to Squid via the WebGUI it reverts back to being insecure until I manually update the squid.conf file and restart the process.
Is there a way to somehow include the following lines on any changes to my instance of Squid so that it will always start with the following options?
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.1.254:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH options=NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE dhparams=/etc/ssl/dhparam2048.pem
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH options=NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE dhparams=/etc/ssl/dhparam2048.pem
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH options=NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE dhparams=/etc/ssl/dhparam2048.pem
icp_port 0
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 25
sslproxy_options NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE
sslproxy_cipher ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH
sslproxy_capath /usr/pbi/squid-amd64/local/share/certs/
I am using Squid3 version 0.2.8 on pfSense version 2.2.3, and in order to use the "dhparams=/etc/ssl/dhparam2048.pem" option I had to run the following via the shell: "openssl dhparam -out dhparams.pem 2048". Sorry if everyone already knows this, I am very new to all this but I am learning a ton!
Thanks in advance!
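An added check for the regeneration problem described above (this is an editor's example, not the poster's code or part of the pfSense package): it parses a squid.conf, extracts the cipher= and options= settings from each ssl-bump listener and from sslproxy_cipher/sslproxy_options, and reports which hardening items from the config above are missing, so a GUI save that reverted the file is caught before the weak RC4, single-DES and EXPORT suites listed later in the thread reappear in the SSL Labs client report. The sample configuration is constructed from the thread's own lines.

```python
# Constructed sample, not the poster's full file: one listener as pfSense
# regenerates it and one carrying the hardening lines from this thread.
SAMPLE_CONF = """\
# This file is automatically generated by pfSense
http_port 192.168.1.254:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH options=NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE dhparams=/etc/ssl/dhparam2048.pem
sslproxy_options NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE
sslproxy_cipher ECDH+AESGCM:DH+AESGCM:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH
"""

# Items the hardened lines in this thread guarantee; the cipher bans are what
# keep the RC4, single-DES and EXPORT suites out of the SSL Labs client report.
REQUIRED_OPTIONS = {"NO_SSLv2", "NO_SSLv3", "CIPHER_SERVER_PREFERENCE"}
REQUIRED_CIPHER_BANS = {"!aNULL", "!eNULL", "!LOW", "!3DES", "!MD5", "!EXP", "!RC4"}


def check_tls_settings(cipher, options, has_dhparams=True):
    """Return the hardening items missing from one cipher/options pair."""
    present_opts = set(options.split(":")) if options else set()
    present_ciphers = set(cipher.split(":")) if cipher else set()
    missing = sorted("options=" + o for o in REQUIRED_OPTIONS - present_opts)
    missing += sorted("cipher=" + c for c in REQUIRED_CIPHER_BANS - present_ciphers)
    if not has_dhparams:
        missing.append("dhparams")
    return missing


def audit_squid_conf(text):
    """Map each TLS-relevant directive to the hardening items it lacks."""
    findings = {}
    proxy_cipher = proxy_options = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, rest = line.partition(" ")
        tokens = rest.split()
        if directive in ("http_port", "https_port") and "ssl-bump" in tokens:
            kv = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
            findings[f"{directive} {tokens[0]}"] = check_tls_settings(
                kv.get("cipher", ""), kv.get("options", ""), "dhparams" in kv)
        elif directive == "sslproxy_cipher":
            proxy_cipher = rest.strip()
        elif directive == "sslproxy_options":
            proxy_options = rest.strip()
    # sslproxy_* govern Squid's own TLS connections to origin servers, which is the
    # side the SSL Labs client test sees once traffic is bumped; dhparams is listener-only.
    findings["sslproxy (outbound)"] = check_tls_settings(proxy_cipher, proxy_options)
    return findings
```

Running audit_squid_conf on the contents of squid.conf after each WebGUI save reports the reverted listener with every missing option and cipher ban, while the hardened listener and the sslproxy lines come back empty.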
-
What do you mean by "not very pretty"? I'm running 2.2.2 with squid3 and squidguard 1.5.1. The page you linked to seems to work well enough for me in that it says I have good protocol support and am not vulnerable to any of their attacks. Usually when people talk about proxy and security, they're talking about leaking machine names, internal IP addresses, proxy presence, version etc etc. This seems to be more about your browser security.
-
Thanks for the response KOM!
"Not very pretty" was probably a little over the top. When I run the link, the ciphers listed below show as supported unless I have updated the Squid config file. I have tested the browsers without Squid and the ciphers below don't show up; does this mean they can be ignored since the browsers don't support them?
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) WEAK
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) WEAK
TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) WEAK
TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) WEAK
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK
TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) WEAK
TLS_DHE_DSS_WITH_DES_CBC_SHA (0x12) WEAK
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) INSECURE
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x11) INSECURE
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) INSECURE
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) INSECURE
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) INSECURE
-
No idea, I'm not a cryptologist
-
No worries, thanks much for your help, I will continue to play around and see what I can find out, have a good one!