Netgate Discussion Forum

Squid with Upstream Proxy - Config

General pfSense Questions
    shocko
    last edited by shocko Apr 12, 2023, 3:27 PM Apr 12, 2023, 3:27 PM

    I'm using pfSense CE 2.5.2. I have the squid package installed to act as a proxy server (explicit and transparent) in my lab. pfSense bridges my lab to the internet but via an upstream proxy hosted outside my lab. As such I have pfSense with a LAN into my lab and WAN to my host (I'm using Hyper-V). I need to do the following:

    • configure the pfsense squid package/explicit proxy service with an upstream proxy
    • configure the pfsense squid package/transparent proxy service with an upstream proxy

    My upstream proxy is PX proxy so no auth required from the Squid instance on pfsense CE.

      stephenw10 Netgate Administrator
      last edited by Apr 12, 2023, 4:25 PM

      Squid will use the pfSense routing for outbound connections. Did you try adding the proxy in the general pfSense settings?
      https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#proxy-support

        shocko @stephenw10
        last edited by shocko Apr 12, 2023, 7:43 PM Apr 12, 2023, 7:39 PM

        @stephenw10 the link you sent is for the proxy for the appliance itself, not squid, no?

          michmoor LAYER 8 Rebel Alliance @shocko
          last edited by Apr 12, 2023, 8:03 PM

          @shocko Your pfSense proxy talks to an upstream proxy, correct? The link provided is to the settings you need to potentially modify.

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

            shocko @michmoor
            last edited by Apr 12, 2023, 8:06 PM

            @michmoor said in Squid with Upstream Proxy - Config:

            Your pfsense proxy

            The squid package/service running in transparent proxy mode needs to talk to an upstream proxy. The pfSense appliance proxy used for appliance updates/package pull etc. is a different thing, no? That link states as much:

            If this firewall resides in a network which requires a proxy for outbound Internet access, enter the proxy options in this section so that requests from the firewall for items such as packages and updates will be sent through the proxy.

              stephenw10 Netgate Administrator
              last edited by Apr 12, 2023, 9:03 PM

              Squid is a service running on the firewall that opens TCP connections outbound like any other service. Have you tried adding the proxy there?

              Squid can probably use an upstream proxy directly though if you add some custom config.

                shocko @shocko
                last edited by Apr 13, 2023, 8:07 PM

                Looks like we simply use the cache_peer directive in the pre-auth custom section. Problem is upstream you need a proxy that accepts TLS.

                  stephenw10 Netgate Administrator
                  last edited by Apr 14, 2023, 12:04 AM

                  Why do you say that? Looks like you would need to specify TLS for the peer to use it to me.

                  http://www.squid-cache.org/Versions/v5/cfgman/cache_peer.html
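
Added example (not part of the thread, and not pfSense or Squid project code): a small audit of `cache_peer` lines such as those placed in the Squid custom options, reporting for each peer whether the `tls` option from the linked cache_peer documentation is present. The peer addresses, ports and the `never_direct allow all` line are constructed placeholders and assumptions, not values from this lab.

```python
# Constructed sample of custom options; 192.0.2.x and the ports are placeholders.
SAMPLE_CONF = """\
# plain parent: no tls option on the line
cache_peer 192.0.2.10 parent 3128 0 no-query default
# parent reached over TLS: the tls option is present
cache_peer 192.0.2.20 parent 3129 0 no-query tls
never_direct allow all
"""

# "ssl" is the older spelling of the same cache_peer option.
TLS_FLAGS = {"tls", "ssl"}


def parse_cache_peers(conf_text):
    """Return one dict per cache_peer line: host, type, port, tls flag."""
    peers = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(tokens) < 5 or tokens[0] != "cache_peer":
            continue
        # Syntax: cache_peer hostname type http-port icp-port [options]
        host, peer_type, http_port, _icp_port, *options = tokens[1:]
        peers.append({
            "host": host,
            "type": peer_type,
            "port": int(http_port),
            "tls": any(opt.lower() in TLS_FLAGS for opt in options),
        })
    return peers


def always_uses_peer(conf_text):
    """True if 'never_direct allow all' is set, so Squid may not go direct."""
    for raw in conf_text.splitlines():
        if raw.split("#", 1)[0].split() == ["never_direct", "allow", "all"]:
            return True
    return False


if __name__ == "__main__":
    for p in parse_cache_peers(SAMPLE_CONF):
        mode = "TLS" if p["tls"] else "cleartext HTTP"
        print(f'{p["host"]}:{p["port"]} ({p["type"]}) -> {mode}')
    print("never_direct allow all:", always_uses_peer(SAMPLE_CONF))
```

Running the same functions over the generated squid.conf shows what the peer connection is configured to do, which can then be compared with what a capture on the WAN side shows.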

                    shocko @stephenw10
                    last edited by May 10, 2023, 3:33 PM

                    @stephenw10 said in Squid with Upstream Proxy - Config:

                    Why do you say that? Looks like you would need to specify TLS for the peer to use it to me.

                    http://www.squid-cache.org/Versions/v5/cfgman/cache_peer.html

                    We observed this on the wire.

                      stephenw10 Netgate Administrator
                      last edited by May 10, 2023, 3:59 PM

                      You didn't specify TLS and it was still trying to use it?

                        shocko @stephenw10
                        last edited by May 10, 2023, 9:49 PM

                        @stephenw10 Yes seems so.

                          shocko @shocko
                          last edited by May 16, 2023, 9:37 AM

                          Any ideas anyone?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.