Squid Rev Proxy w/ user-defined IPs and compatibility="Intermediate" problem



  • Hi, first time post to the forums, hoping someone can benefit from my recent trials.

    software: pfSense 2.3.1p5 with Squid package 0.4.21

    config: two machines in CARP configuration. WAN interfaces (x.x.x.134 and x.x.x.135) with virtual IP x.x.x.133
    Squid Reverse Proxy configured on WAN for use as an inbound proxy to several Microsoft IIS servers (clients connect to WAN VIP x.x.x.133).

    issue: Once the setting "User Defined Reverse Proxy IPs" is filled in on the settings page, it is impossible to select Compatibility Mode "Intermediate".  The additional http_port line will overrun due to the longer Cipher string used by "Intermediate" and squid will refuse to restart with syslog message "Bungled /usr/local/etc/squid/squid.conf line xx: https_port x.x.x.133:443 ….."  Additionally, since pfsense apparently checks the config before issuing a squid hup, you may not notice that squid is still running with the old config (in my case "Modern").  I did not see the "Bungled..." message until I forced a squid service restart.

    workaround: The https_port line created for the physical WAN interface automatically does a length check on the https_port line and inserts a "" line break, it seemingly does NOT do so for the User Defined Reverse Proxy IP.  I worked around the issue by adding one but I fully expect to have to manually insert this line break every time I save the Reverse Proxy settings in the future.

    The relevant lines in /usr/local/etc/squid/squid.conf looked like:

    https_port x.x.x.135:443 accel cert=/usr/local/etc/squid/56940a5ad75da.crt key=/usr/local/etc/squid/56940a5ad75da.key  dhparams=/etc/dh-parameters.2048 cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE defaultsite=sig-norf-prx-01.signature.us vhost

    https_port x.x.x.133:443 accel cert=/usr/local/etc/squid/56940a5ad75da.crt key=/usr/local/etc/squid/56940a5ad75da.key  dhparams=/etc/dh-parameters.2048 cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE defaultsite=sig-norf-prx-01.signature.us vhost

    I'm sure I could have been more savvy in figuring this out but it took me a long time to find a work around.  I'm happy to submit a bug report but it seems to be protocol to post here first.  Thanks,  Marc