Reverse Proxy -> IPv6 support
-
Hi All,
Is there any chance that IPv6 is built into the GUI of the Squid reverse proxy package?
I think the Squid package already supports IPv6 without a problem. But the IPv6 interface is not activated by default from the GUI in pfSense. Thx!
-
Did some research.
The GUI does not collect the IPv6 addresses from the selected interfaces and only configures the IPv4 addresses. There can be a workaround, but due to some errors, it is not working.
For a workaround, this can be an option:
It is possible to add an extra IP address in the field "User Defined Reverse Proxy IPs". If you put your IPv6 address in there, the config should be good.
But the GUI only accepts addresses like 2a01:333:222:111:ffff::1 and not [2a01:333:222:111:ffff::1]. Squid needs the brackets to work correctly. Question 1: can these IP checks be altered to also accept the bracketed IPv6 address?
The second error I found:
When I alter the squid.conf file manually to the IP address with brackets, the original error is solved. But there is still another startup error. The https_port line in the config file gets too long for Squid and it breaks it; as a result Squid will not start up.
For example. The line should be:
https_port [2a01:333:222:111:ffff::1]:443 accel cert=/usr/local/etc/squid/56be021919506.crt key=/usr/local/etc/squid/56be021919506.key dhparams=/etc/dh-parameters.2048 cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE defaultsite=www.demo.com vhost
But when adding an extra User Defined Reverse Proxy IP, the line does not get the extra line break, which results in a broken configuration:
https_port [2a01:333:222:111:ffff::1]:443 accel cert=/usr/local/etc/squid/56be021919506.crt key=/usr/local/etc/squid/56be021919506.key dhparams=/etc/dh-parameters.2048 cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE defaultsite=www.demo.com vhost
If this can be fixed, then the IPv6 reverse proxy is working as it should.
Is there someone who can make these changes in the Squid package GUI config files?
Thx,
B -
notes that HAProxy works out of the box and a whole lot better than Squid for reverse proxy.
P.S. The too-long line is fixed in the 2.3.3 packages. Apparently, no one is backporting anything to 2.3.2, and no one is releasing 2.3.3.
https://github.com/pfsense/FreeBSD-ports/commit/a6d15b81474396a043df664c2c645356d7718601
-
As for the IPv6 literals, you can test this, adding the code before this line
if (is_ipaddrv6($reip)) { $reip = "[{$reip}]"; }
and report back.
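The two defects discussed in this thread (an IPv6 literal emitted into https_port without brackets, and two directives fused onto one over-long line) are both config-generation bugs that can be caught before Squid is reloaded. The following Python is an added example written for this page, not code from the pfSense package or from Squid: it normalises user-supplied listen addresses the way the one-line PHP fix above does (bracketing IPv6, accepting either bracketed or bare input), emits one https_port directive per address, and lints the result. The 2048-byte limit is an assumption about Squid's config line buffer; check it against the Squid version you run. The certificate paths and the hostname are placeholders taken from the thread.

```python
"""Generate and lint Squid https_port lines for mixed IPv4/IPv6 listeners."""
import ipaddress
import re

# Assumption: Squid refuses config lines longer than this; verify for your build.
MAX_LINE = 2048

# Matches the host:port token of an http_port/https_port directive.
PORT_RE = re.compile(r"^https?_port\s+(\S+?):(\d+)\s")


def listen_literal(addr: str) -> str:
    """Return the host literal Squid expects in a port directive.

    Accepts '2a01:...::1' or '[2a01:...::1]' (the GUI in the thread only took the
    former); IPv6 is always emitted bracketed so the ':port' suffix is unambiguous.
    Raises ValueError for anything that is not an IP literal, which is the check an
    input validator should do instead of rejecting the brackets themselves.
    """
    ip = ipaddress.ip_address(addr.strip().strip("[]"))
    return f"[{ip.compressed}]" if ip.version == 6 else str(ip)


def https_port_lines(addrs, port, cert, key, options):
    """One https_port directive per listen address, each terminated by a newline."""
    tail = " ".join(["accel", f"cert={cert}", f"key={key}", *options])
    return "".join(f"https_port {listen_literal(a)}:{port} {tail}\n" for a in addrs)


def lint(config: str):
    """Return problems a practitioner would want to see before reloading Squid."""
    problems = []
    for n, line in enumerate(config.splitlines(), 1):
        if len(line) > MAX_LINE:
            problems.append(f"line {n}: {len(line)} chars exceeds {MAX_LINE}")
        # A directive keyword glued to the previous token means a missing newline,
        # exactly the 'vhosthttps_port' breakage shown in the thread.
        if re.search(r"\S(https?_port)\s", line):
            problems.append(f"line {n}: two port directives fused on one line")
        m = PORT_RE.match(line)
        if not m:
            continue
        host = m.group(1)
        if ":" in host and not (host.startswith("[") and host.endswith("]")):
            problems.append(f"line {n}: IPv6 listen address {host} is not bracketed")
    return problems


if __name__ == "__main__":
    # Constructed sample input: one IPv4 and one IPv6 listener.
    cfg = https_port_lines(
        ["192.0.2.10", "2a01:333:222:111:ffff::1"], 443,
        "/usr/local/etc/squid/56be021919506.crt",
        "/usr/local/etc/squid/56be021919506.key",
        ["options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE",
         "defaultsite=www.demo.com", "vhost"],
    )
    print(cfg)
    print("clean config:", lint(cfg))
    # Reproduce the missing-newline bug and show the linter catching it.
    broken = cfg.replace("vhost\nhttps_port", "vhosthttps_port")
    print("fused config:", lint(broken))
    print("bare IPv6:", lint("https_port 2a01:333:222:111:ffff::1:443 accel vhost\n"))
```

Running the linter over the generated squid.conf (or over the file the GUI wrote) before the service restart turns the "Squid will not start up" symptom in the thread into a line-numbered message, and the bracket normaliser is the same shape as the one-line PHP fix, so the two stay consistent.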
-
I did add those lines and it is working correctly. Thx.
The fix for the too-long lines I also adjusted in squid_reverse.inc, and now IPv6 is working!
Although it would be better to have an IPv6 / IPv4 selection box on the config page, so that the IPv6 and IPv4 addresses are taken from the interfaces themselves based on the selected interface. But for now this is working!
PS. Now looking into HAProxy, but for my simple use case of an Exchange front-end reverse proxy and SSL offloading (only 1 backend server), Squid looks easier and has pre-defined Exchange options. But maybe you can help me with the HAProxy settings for that.
-
Thanks for testing. Fortunately, I have no Exchange boxes to care about anywhere => cannot test. :D
On that note: Are you using IPv6 for "CAS-Array / OWA Frontend IP Address(es)" as well?
-
Yes I do for the external (front-end) side.
Internally, they are IPv4. -
OK, thanks. I'll add the "manual IP" workaround to this PR so all should work on 2.3.3/2.4 once it's merged.
IPv6 GUI support is too much work at the moment, and definitely problematic with the non-reverse part, in particular the transparent proxy stuff.
-
Configured HAProxy now. Much better and more flexible! And Exchange works perfectly.
thx