Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    POODLE implications?

    Scheduled Pinned Locked Moved General pfSense Questions
    16 Posts 11 Posters 10.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      Dessertine
      last edited by

      So PiBa you're saying it doesn't work with Squid as a reverse proxy ?

      I tried to change lighttp conf, but still doesn't work.

      I have 15 websites behind pfsense, what should I do? change to  haproxy-devel package ?

      Thx

      1 Reply Last reply Reply Quote 0
      • jimpJ Offline
        jimp Rebel Alliance Developer Netgate
        last edited by

        It depends on what is handling the SSL.

        If you have squid handling the SSL, you'll need to find a configuration change for it that will disable SSLv3.

        If squid is passing the SSL through to the actual web server, then you'll need to disable SSLv3 there.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • D Offline
          Dessertine
          last edited by

          All server bellow are Ok with their configuration, test OK.

          I assume that squid is handling the SSL, but I don't know how to disable it. think in "Squid Reverse HTTPS Settings" ?

          Enable HTTPS reverse proxy is checked on my conf, but if I disable it, i can't access my website.

          1 Reply Last reply Reply Quote 0
          • F Offline
            firewalluser
            last edited by

            Dont know if this is useful?

            http://www.squid-cache.org/Doc/config/http_port/

            "TLS / SSL Options:

            cert= Path to SSL certificate (PEM format).

            key= Path to SSL private key file (PEM format)
            if not specified, the certificate file is
            assumed to be a combined certificate and
            key file.

            version= The version of SSL/TLS supported
                1 automatic (default)
                2 SSLv2 only
                3 SSLv3 only
                4 TLSv1.0 only
                5 TLSv1.1 only
                6 TLSv1.2 only

            cipher= Colon separated list of supported ciphers.
            NOTE: some ciphers such as EDH ciphers depend on
                  additional settings. If those settings are
                  omitted the ciphers may be silently ignored
                  by the OpenSSL library.

            options= Various SSL implementation options. The most important
            being:
                NO_SSLv2    Disallow the use of SSLv2
                NO_SSLv3    Disallow the use of SSLv3
                NO_TLSv1    Disallow the use of TLSv1.0
                NO_TLSv1_1  Disallow the use of TLSv1.1
                NO_TLSv1_2  Disallow the use of TLSv1.2
                SINGLE_DH_USE Always create a new key when using
                  temporary/ephemeral DH key exchanges
                ALL      Enable various bug workarounds
                  suggested as "harmless" by OpenSSL
                  Be warned that this reduces SSL/TLS
                  strength to some attacks.
            See OpenSSL SSL_CTX_set_options documentation for a
            complete list of options.

            clientca= File containing the list of CAs to use when
            requesting a client certificate.

            cafile= File containing additional CA certificates to
            use when verifying client certificates. If unset
            clientca will be used.

            capath= Directory containing additional CA certificates
            and CRL lists to use when verifying client certificates.

            crlfile= File of additional CRL lists to use when verifying
            the client certificate, in addition to CRLs stored in
            the capath. Implies VERIFY_CRL flag below.

            dhparams= File containing DH parameters for temporary/ephemeral
            DH key exchanges. See OpenSSL documentation for details
            on how to create this file.
            WARNING: EDH ciphers will be silently disabled if this
            option is not set.

            sslflags= Various flags modifying the use of SSL:
                DELAYED_AUTH
            Don't request client certificates
            immediately, but wait until acl processing
            requires a certificate (not yet implemented).
                NO_DEFAULT_CA
            Don't use the default CA lists built in
            to OpenSSL.
                NO_SESSION_REUSE
            Don't allow for session reuse. Each connection
            will result in a new SSL session.
                VERIFY_CRL
            Verify CRL lists when accepting client
            certificates.
                VERIFY_CRL_ALL
            Verify CRL lists for all certificates in the
            client certificate chain.

            sslcontext= SSL session ID context identifier.
            "

            Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

            Asch Conformity, mainly the blind leading the blind.

            1 Reply Last reply Reply Quote 0
            • D Offline
              Dessertine
              last edited by

              I don't think.
              squid conf in pfsense is managed by pfsense, and like this :

              # This file is automatically generated by pfSense
              # Do not edit manually !
              http_port xx.xx.xx.xx:3128
              icp_port 7
              dns_v4_first off
              pid_filename /var/run/squid.pid
              cache_effective_user proxy
              cache_effective_group proxy
              error_default_language en
              icon_directory /usr/pbi/squid-i386/etc/squid/icons
              visible_hostname localhost
              cache_mgr admin@localhost
              access_log /dev/null
              cache_log /var/squid/logs/cache.log
              cache_store_log none
              sslcrtd_children 0
              logfile_rotate 0
              shutdown_lifetime 3 seconds
              uri_whitespace strip
              
              acl dynamic urlpath_regex cgi-bin \?
              cache deny dynamic
              cache_mem 8 MB
              maximum_object_size_in_memory 32 KB
              memory_replacement_policy heap LFUDA
              cache_replacement_policy heap LFUDA
              cache_dir ufs /var/squid/cache 100 32 256
              minimum_object_size 0 KB
              maximum_object_size 32 KB
              offline_mode offcache_swap_low 90
              cache_swap_high 95
              
              # No redirector configured
              
              #Remote proxies
              
              # Setup some default acls
              acl allsrc src all
              acl localhost src 127.0.0.1/32
              acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535
              acl sslports port 443 563
              acl manager proto cache_object
              acl purge method PURGE
              acl connect method CONNECT
              
              # Define protocols used for redirects
              acl HTTP proto HTTP
              acl HTTPS proto HTTPS
              
              http_access allow manager localhost
              
              http_access deny manager
              http_access allow purge localhost
              http_access deny purge
              http_access deny !safeports
              http_access deny CONNECT !sslports
              
              # Always allow localhost connections
              http_access allow localhost
              
              request_body_max_size 0 KB
              delay_pools 1
              delay_class 1 2
              delay_parameters 1 -1/-1 -1/-1
              delay_initial_bucket_level 100
              delay_access 1 allow allsrc
              
              # Reverse Proxy settings
              http_port xx.xx.xx.xx:80 accel defaultsite=xxx.xxx.com vhost
              https_port  xx.xx.xx.xx:443 accel cert=/usr/pbi/squid-i386/etc/squid/53a2b80f5b90d.crt key=/usr/pbi/squid-i386/etc/squid/53a2b80f5b90d.key defaultsite=xxx.xxx.com vhost
              #
              cache_peer  xx.xx.xx.xx.2 parent 443 0 proxy-only no-query no-digest originserver login=PASS round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_IPB-CAS
              
              acl rules...
              
              

              I'm not sure I can put "options" in this file.

              And I think is there a way to configure squid squid pass through ssl, on pfsense.

              1 Reply Last reply Reply Quote 0
              • C Offline
                Cino
                last edited by

                Squid itself has the options but the pfSense GUI doesn't. You can could reach out to developer and see if he can add them into the GUI.

                http://www.squid-cache.org/Doc/config/cache_peer/

                For me, I use squid as a proxy (to block ads, certain sites for the kids, logging) but then I fire-up another instance of squid (script on startup) to use my own config file for reverse-proxy. It allows me to have more control since not all the options are in the GUI and also allows me to have 2 separate log files.

                1 Reply Last reply Reply Quote 0
                • D Offline
                  Dessertine
                  last edited by

                  I only use pfenses as a reverse proxy in my DMZ, to unload my firewall witch manage all outbound traffic. So maybe I can just instantiate squid with a script too.

                  How do you do?

                  On a onother side, I asked developer how to do with the GUI.

                  1 Reply Last reply Reply Quote 0
                  • N Offline
                    nss
                    last edited by

                    So, did someone find a way to tell squid3 to not use SSLv3 for reverse proxy?

                    I tried to set this line, under "Service", "Proxy Server", in the "Custom Options" field:

                    sslproxy_options NO_SSLv2,NO_SSLv3

                    but it seems I still have ssl3 enabled

                    1 Reply Last reply Reply Quote 0
                    • C Offline
                      cdburgess75
                      last edited by

                      anyone?

                      1 Reply Last reply Reply Quote 0
                      • D Offline
                        default666
                        last edited by

                        http://www.sigma.zone/2015/03/securing-ssl-cipher-suite-in-pfsense.html
                        

                        looks like working one

                        qualys gives grade B

                        it's for squid 3 Reverse Proxy

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.