Netgate Discussion Forum

    Reverse Proxy -> IPv6 support

    Cache/Proxy
    9 Posts, 2 Posters, 2.1k Views
    GrandmasterB

      Hi All,

      Is there any chance that IPv6 is built into the GUI of the Squid reverse proxy package?
      I think the Squid package already supports IPv6 without a problem. But the IPv6 interface is not activated by default from the GUI in pfSense.

      thx!

      GrandmasterB

        Did some research.
        The GUI does not collect the IPv6 addresses from the selected interfaces and only configures the IPv4 addresses.

        There can be a workaround, but due to some errors, it is not working.

        For a workaround, this can be an option:
        it is possible to add an extra IP address in the field "User Defined Reverse Proxy IPs". If you put your IPv6 address in there, the config should be good.
        But the GUI only accepts addresses like 2a01:333:222:111:ffff::1 and not [2a01:333:222:111:ffff::1]. Squid, however, needs the brackets to work correctly.

        Question 1: can these IP checks be altered to also accept the bracketed IPv6 address?

        The second error I found:
        When I alter the squid.conf file manually to the IP address with brackets, the original error is solved. But there is still another startup error. The https_port line in the config file gets too long for Squid and it breaks it; as a result Squid will not start up.
        For example, the line should be:
        https_port [2a01:333:222:111:ffff::1]:443 accel cert=/usr/local/etc/squid/56be021919506.crt key=/usr/local/etc/squid/56be021919506.key  dhparams=/etc/dh-parameters.2048 cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
        options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE defaultsite=www.demo.com vhost

        But when adding an extra User Defined Reverse Proxy IP, the line does not get the extra line break, which results in a broken configuration:
        https_port [2a01:333:222:111:ffff::1]:443 accel cert=/usr/local/etc/squid/56be021919506.crt key=/usr/local/etc/squid/56be021919506.key  dhparams=/etc/dh-parameters.2048 cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE defaultsite=www.demo.com vhost

        If this can be fixed, then IPv6 reverse proxy is working as it should.

        Is there someone who can make these changes in the SQUID package GUI config files?

        Thx,
        B

        doktornotor (Banned)

          notes that HAproxy works out of the box and a whole lot better than Squid for reverse proxy.

          P.S. The too-long line is fixed in 2.3.3 packages. Apparently, no one is backporting anything to 2.3.2, and no one is releasing 2.3.3.

          https://github.com/pfsense/FreeBSD-ports/commit/a6d15b81474396a043df664c2c645356d7718601

          doktornotor (Banned)

            As for the IPv6 literals, you can test this, adding the code before this line

            	if (is_ipaddrv6($reip)) {
            		// wrap IPv6 literals in brackets so Squid's https_port can separate host from port
            		$reip = "[{$reip}]";
            	}

            and report back.

            GrandmasterB
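The two faults described in this thread (unbracketed IPv6 literals in https_port, and a second listener fused onto the same line) are illustrated here in Python as an added example; this is not pfSense's or the Squid package's code, and the certificate paths, site name and option string are constructed placeholders.

```python
import ipaddress

# Constructed sample values for this example (not from any real deployment).
CERT = "/usr/local/etc/squid/example.crt"
KEY = "/usr/local/etc/squid/example.key"
OPTIONS = "NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE"


def normalize_proxy_ip(raw: str) -> str:
    """Accept an IPv4 address, a bare IPv6 literal or a bracketed one, and
    return the form Squid's https_port needs: IPv6 wrapped in [].
    Anything that is not an IP address raises ValueError (input validation)."""
    s = raw.strip()
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]
    addr = ipaddress.ip_address(s)  # ValueError on garbage
    return f"[{addr}]" if addr.version == 6 else str(addr)


def build_https_port_lines(ips, defaultsite: str, port: int = 443) -> str:
    """Emit one https_port directive per listener, each on its own line."""
    lines = []
    for raw in ips:
        listen = f"{normalize_proxy_ip(raw)}:{port}"
        lines.append(
            f"https_port {listen} accel cert={CERT} key={KEY} "
            f"options={OPTIONS} defaultsite={defaultsite} vhost"
        )
    return "\n".join(lines) + "\n"


def https_port_lines_ok(conf: str) -> bool:
    """Config sanity check: each https_port directive stands alone on its line
    and every IPv6 listener is bracketed, so Squid can split host from port."""
    for line in conf.splitlines():
        if not line.startswith("https_port "):
            continue
        if line.count("https_port ") != 1:   # two directives fused on one line
            return False
        host, _, port = line.split()[1].rpartition(":")
        if not port.isdigit():
            return False
        try:
            if host.startswith("[") and host.endswith("]"):
                if ipaddress.ip_address(host[1:-1]).version != 6:
                    return False
            elif ipaddress.ip_address(host).version != 4:
                return False                  # bare IPv6: port is ambiguous
        except ValueError:
            return False
    return True
```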

              I did add those lines and it is working correctly. Thx.

              The fix for the too-long lines I also applied in squid_reverse.inc, and now IPv6 is working!
              Although it would be better to have an IPv6 / IPv4 selection box on the config page, so that the IPv6 and IPv4 addresses are taken from the interfaces themselves based on the selected interface.

              But for now this is working!

              PS. Now looking into HAProxy, but for my simple use case of an Exchange front-end reverse proxy and SSL offloading (only 1 backend server), Squid looks easier and has pre-defined Exchange options. But maybe you can help me with the HAproxy settings for that.

              @doktornotor:

              As for the IPv6 literals, you can test this, adding the code before this line

              	if (is_ipaddrv6($reip)) {
              		// wrap IPv6 literals in brackets so Squid's https_port can separate host from port
              		$reip = "[{$reip}]";
              	}

              and report back.

              doktornotor (Banned)

                Thanks for testing. Fortunately, I have no Exchange boxes to care about anywhere => cannot test. :D

                On that note: Are you using IPv6 for "CAS-Array / OWA Frontend IP Address(es)" as well?

                GrandmasterB

                  @doktornotor:

                  Thanks for testing. Fortunately, I have no Exchange boxes to care about anywhere => cannot test. :D

                  On that note: Are you using IPv6 for "CAS-Array / OWA Frontend IP Address(es)" as well?

                  Yes, I do for the external (front-end) side.
                  Internally, they are IPv4.

                  doktornotor (Banned)

                    OK, thanks. I'll add the "manual IP" workaround to this PR so all should work on 2.3.3/2.4 once it's merged.

                    IPv6 GUI support is too much work at the moment, and definitely problematic with the non-reverse part, in particular the transparent proxy stuff.

                    GrandmasterB

                      @doktornotor:

                      notes that HAproxy works out of the box and whole lot better than Squid for reverse proxy.

                      Configured HAproxy now. Much better and more flexible! And Exchange works perfectly.
                      thx

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.