POODLE implications?
-
So PiBa, you're saying it doesn't work with Squid as a reverse proxy?
I tried to change the lighttp conf, but it still doesn't work.
I have 15 websites behind pfSense, what should I do? Change to the haproxy-devel package?
Thx
-
It depends on what is handling the SSL.
If you have squid handling the SSL, you'll need to find a configuration change for it that will disable SSLv3.
If squid is passing the SSL through to the actual web server, then you'll need to disable SSLv3 there.
-
All servers below are OK with their configuration, test OK.
I assume that squid is handling the SSL, but I don't know how to disable it. I'm thinking of "Squid Reverse HTTPS Settings"?
"Enable HTTPS reverse proxy" is checked in my conf, but if I disable it, I can't access my website.
-
Don't know if this is useful?
http://www.squid-cache.org/Doc/config/http_port/
"TLS / SSL Options:

cert=       Path to SSL certificate (PEM format).

key=        Path to SSL private key file (PEM format)
            if not specified, the certificate file is
            assumed to be a combined certificate and
            key file.

version=    The version of SSL/TLS supported
            1 automatic (default)
            2 SSLv2 only
            3 SSLv3 only
            4 TLSv1.0 only
            5 TLSv1.1 only
            6 TLSv1.2 only

cipher=     Colon separated list of supported ciphers.
            NOTE: some ciphers such as EDH ciphers depend on
            additional settings. If those settings are
            omitted the ciphers may be silently ignored
            by the OpenSSL library.

options=    Various SSL implementation options. The most important
            being:
            NO_SSLv2      Disallow the use of SSLv2
            NO_SSLv3      Disallow the use of SSLv3
            NO_TLSv1      Disallow the use of TLSv1.0
            NO_TLSv1_1    Disallow the use of TLSv1.1
            NO_TLSv1_2    Disallow the use of TLSv1.2
            SINGLE_DH_USE Always create a new key when using
                          temporary/ephemeral DH key exchanges
            ALL           Enable various bug workarounds
                          suggested as "harmless" by OpenSSL
                          Be warned that this reduces SSL/TLS
                          strength to some attacks.
            See OpenSSL SSL_CTX_set_options documentation for a
            complete list of options.

clientca=   File containing the list of CAs to use when
            requesting a client certificate.

cafile=     File containing additional CA certificates to
            use when verifying client certificates. If unset
            clientca will be used.

capath=     Directory containing additional CA certificates
            and CRL lists to use when verifying client certificates.

crlfile=    File of additional CRL lists to use when verifying
            the client certificate, in addition to CRLs stored in
            the capath. Implies VERIFY_CRL flag below.

dhparams=   File containing DH parameters for temporary/ephemeral
            DH key exchanges. See OpenSSL documentation for details
            on how to create this file.
            WARNING: EDH ciphers will be silently disabled if this
            option is not set.

sslflags=   Various flags modifying the use of SSL:
            DELAYED_AUTH
                Don't request client certificates
                immediately, but wait until acl processing
                requires a certificate (not yet implemented).
            NO_DEFAULT_CA
                Don't use the default CA lists built in
                to OpenSSL.
            NO_SESSION_REUSE
                Don't allow for session reuse. Each connection
                will result in a new SSL session.
            VERIFY_CRL
                Verify CRL lists when accepting client
                certificates.
            VERIFY_CRL_ALL
                Verify CRL lists for all certificates in the
                client certificate chain.

sslcontext= SSL session ID context identifier."
-
I don't think so.
The squid conf in pfSense is managed by pfSense, and looks like this:
# This file is automatically generated by pfSense
# Do not edit manually !
http_port xx.xx.xx.xx:3128
icp_port 7
dns_v4_first off
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-i386/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /dev/null
cache_log /var/squid/logs/cache.log
cache_store_log none
sslcrtd_children 0
logfile_rotate 0
shutdown_lifetime 3 seconds
uri_whitespace strip
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap LFUDA
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 32 256
minimum_object_size 0 KB
maximum_object_size 32 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
# No redirector configured
#Remote proxies
# Setup some default acls
acl allsrc src all
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 1025-65535
acl sslports port 443 563
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
http_port xx.xx.xx.xx:80 accel defaultsite=xxx.xxx.com vhost
https_port xx.xx.xx.xx:443 accel cert=/usr/pbi/squid-i386/etc/squid/53a2b80f5b90d.crt key=/usr/pbi/squid-i386/etc/squid/53a2b80f5b90d.key defaultsite=xxx.xxx.com vhost
#
cache_peer xx.xx.xx.xx.2 parent 443 0 proxy-only no-query no-digest originserver login=PASS round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_IPB-CAS
acl rules...
I'm not sure I can put "options" in this file.
And I think there is a way to configure squid to pass SSL through on pfSense.
-
Squid itself has the options but the pfSense GUI doesn't. You could reach out to the developer and see if he can add them to the GUI.
http://www.squid-cache.org/Doc/config/cache_peer/
For me, I use squid as a proxy (to block ads, certain sites for the kids, logging) but then I fire up another instance of squid (script on startup) to use my own config file for the reverse proxy. It allows me to have more control, since not all the options are in the GUI, and also allows me to have 2 separate log files.
-
I only use pfSense as a reverse proxy in my DMZ, to unload my firewall which manages all outbound traffic. So maybe I can just instantiate squid with a script too.
How do you do it?
On another note, I asked the developer how to do it with the GUI.
-
So, did someone find a way to tell squid3 to not use SSLv3 for reverse proxy?
I tried to set this line, under "Service", "Proxy Server", in the "Custom Options" field:
sslproxy_options NO_SSLv2,NO_SSLv3
but it seems I still have SSLv3 enabled.
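As an added check (not code from the thread, from pfSense or from Squid), a small Python audit that walks a squid.conf and reports every https_port listener that would still negotiate SSLv3 together with the corrected line; it also shows why the sslproxy_options line tried above does not help, since that directive only governs Squid's outgoing TLS connections to cache_peer/origin servers, not the listening port. The sample config, addresses and certificate paths are constructed placeholders.

```python
import re
# Added example (not from the thread): audit a squid.conf for https_port
# listeners that still negotiate SSLv3 and produce the corrected line.
# The listener's TLS settings live on the https_port line (version=/options=);
# sslproxy_options only governs Squid's outgoing TLS to cache_peer/origin
# servers, which is why setting it leaves SSLv3 open on the public port.

def parse_port_opts(line):
    """Split 'https_port ip:port accel key=value ...' into a dict;
    bare flags such as 'accel' or 'vhost' get the value None."""
    opts = {}
    for token in line.split()[2:]:
        key, sep, value = token.partition("=")
        opts[key] = value if sep else None
    return opts

def listener_allows_sslv3(line):
    """True if this https_port line would still accept SSLv3."""
    opts = parse_port_opts(line)
    if opts.get("version") in ("4", "5", "6"):   # TLSv1.0/1.1/1.2 only
        return False
    return "NO_SSLv3" not in (opts.get("options") or "").split(",")

def harden_listener(line):
    """Fold NO_SSLv2,NO_SSLv3 into the line's options= (adding one if absent)."""
    m = re.search(r"options=(\S+)", line)
    if m:
        flags = set(m.group(1).split(",")) | {"NO_SSLv2", "NO_SSLv3"}
        return line.replace(m.group(0), "options=" + ",".join(sorted(flags)))
    return line + " options=NO_SSLv2,NO_SSLv3"

def audit(conf_text):
    """Return [(lineno, corrected_line)] for each https_port needing a fix."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("https_port") and listener_allows_sslv3(line):
            findings.append((n, harden_listener(line)))
    return findings

# Constructed sample modelled on the pfSense-generated config in the thread;
# addresses, hostnames and cert paths are placeholders.
SAMPLE_CONF = """\
http_port 192.0.2.10:3128
sslproxy_options NO_SSLv2,NO_SSLv3
# Reverse Proxy settings
http_port 192.0.2.10:80 accel defaultsite=www.example.com vhost
https_port 192.0.2.10:443 accel cert=/path/site.crt key=/path/site.key defaultsite=www.example.com vhost
"""

if __name__ == "__main__":
    for lineno, fixed in audit(SAMPLE_CONF):
        print(f"line {lineno}: listener still accepts SSLv3, use:\n  {fixed}")
```

On a pfSense box the generated file is overwritten by the GUI, so the corrected https_port line has to come from the package (or a separately started squid instance as described above) rather than a manual edit.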
-
Anyone?
-
http://www.sigma.zone/2015/03/securing-ssl-cipher-suite-in-pfsense.html
Looks like a working one.
Qualys gives grade B.
It's for the squid 3 reverse proxy.