Squid/LightSquid/SquidGuard alternatives
-
@tfuto said in Squid/LightSquid/SquidGuard alternatives:
@BigBoss: Unfortunately the E2guardian project is frozen and only accepts bugfixes. Looking at the repo there is not much life there. Also, there is no official vulnerability tracking, which is a kind of red flag, as a pretty severe CVE was reported and was only recently patched.
I consider Squid to have better momentum and alertness (even from the US government) to patch vulnerabilities, so replacing Squid with e2guardian might not be the best choice for me. Thank you for suggesting it anyway.
Hello, I have read that the e2guardian repository has discontinued its support. What I am talking about is the unofficial plugin that works differently from the e2guardian repository, prepared by marcelloc.
I did not investigate the security vulnerability; it works behind the firewall. Netgate is cutting off community support to sell paid pfSense. If the community supports OPNsense, it will be better than pfSense.
Other recommendations are good; it makes sense to run Squid in a different VM.
-
@KOM said in Squid/LightSquid/SquidGuard alternatives:
@tfuto Spin up a VM, install squid, squidguard, lightsquid on that. No reason squid must be on the firewall.
Transparent proxying is very difficult to achieve if Squid is not running on the firewall device, as Squid relies on having direct access to the pf state table to be able to do the transparent interception and correctly know how to send the replies back to the client. This isn't possible with Squid running on a separate device.
Running Squid on a separate (to the side) device is really only an alternative for explicit proxy use and does not help those of us doing transparent proxying. (We actually use both transparent and explicit proxying.)
To do transparent proxying properly through a firewall which doesn't support it natively, the additional device doing the proxying would need to be in-line, carrying all traffic, not just a proxy server off to one side that only receives redirected web traffic. While this can be done, it is inefficient and inelegant, as you effectively have two firewalls in series with twice the hardware, twice the configuration maintenance, and double the chance of something going wrong with the hardware/software.
Removing Squid is a huge mistake IMHO, despite the flaws Squid has and the work that probably needs to be done to bring it up to snuff.
A firewall vendor who offers a firewall that for over a decade has included web content filtering, out of the blue saying they are deprecating and soon removing the web content filter/proxy - key features of any enterprise firewall - entirely without a replacement, is kind of laughable to be honest, and makes Netgate look untrustworthy as a vendor to rely on.
Saying they don't have the resources to make Squid work properly and securely, when every other vendor in the industry uses a version of Squid behind the scenes for proxying/web filtering, isn't a good look for them IMHO.
I'm using CE so I guess I can't complain too much - however, if I'd paid to upgrade to Plus only to find via a blog post linked from a 3rd-party YouTube video that a key feature we rely on completely was being removed, I wouldn't be too happy, and it seems this could be a repeat of the pfSense Plus home license debacle.
If they do go ahead and remove it, I'll have no choice but to reluctantly switch our systems to something else (possibly OPNsense), as the transparent proxy with content filtering is a key feature for us. I don't want to switch because I'm very comfortable with pfSense now and happy with it in every other regard after having invested hundreds of hours in configuration/testing, but this is a showstopper for us.
-
@DBMandrake I never use Squid in transparent mode. Too many problems and weirdness, hassles with certs, etc. I use a combination of WPAD and DHCP option 252 to set the proxy for clients.
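As an added illustration of the WPAD plus DHCP option 252 approach mentioned above (example code, not the poster's own configuration): a minimal PAC script of the kind served as wpad.dat, with the Squid address and internal domain as assumed placeholders. It deliberately omits a "; DIRECT" fallback so clients fail closed rather than silently bypassing the content filter when the proxy is unreachable.

```javascript
// Added example: a minimal WPAD proxy auto-config (PAC) script, served at
// http://wpad.<domain>/wpad.dat and advertised to clients via DHCP option 252.
// 192.0.2.10 and corp.example are constructed placeholders.
const PROXY = "PROXY 192.0.2.10:3128"; // assumed Squid host:port

// Stand-ins for the PAC runtime helpers so this file also runs under Node;
// a browser's PAC engine provides isPlainHostName/dnsDomainIs itself.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
// IP-literal check for RFC 1918 and loopback ranges (no DNS lookups, so it
// does not hang the client if the resolver is slow).
function isPrivateIPv4(host) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Local names and private addresses go direct: the filter is for Internet traffic.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example") || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // Everything else must traverse Squid. No "; DIRECT" fallback: if the proxy
  // is down, clients fail closed instead of bypassing the content filter.
  return PROXY;
}

// DHCP option 252 (ISC dhcpd syntax) pointing clients at this script:
//   option wpad-url code 252 = text;
//   option wpad-url "http://wpad.corp.example/wpad.dat";
```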
-
@DBMandrake said in Squid/LightSquid/SquidGuard alternatives:
A firewall vendor who offers a firewall that for over a decade has included web content filtering, out of the blue saying they are deprecating and soon removing the web content filter/proxy - key features of any enterprise firewall - entirely without a replacement, is kind of laughable to be honest, and makes Netgate look untrustworthy as a vendor to rely on.
Saying they don't have the resources to make Squid work properly and securely, when every other vendor in the industry uses a version of Squid behind the scenes for proxying/web filtering, isn't a good look for them IMHO.
I agree with you completely, but up to a point. The big players in the enterprise space have the R&D cash to pay developers to build a custom Squid package. So I've been monitoring my Palo Alto emails waiting on a notification about security advisories regarding PAN-OS... and there hasn't been one since 9/18/2023, which signals to me that they have no concerns about Squid because it's a very customized package for them.
Netgate is, fortunately or unfortunately, alone in this regard in that there is no native way to do web filtering. pfBlockerNG isn't an alternative.
-
Let's fix it; it's open source, it's all there, it just needs maintainers.
-
@DBMandrake said in Squid/LightSquid/SquidGuard alternatives:
Removing Squid is a huge mistake IMHO
I agree. My company currently uses Netgate hardware, and in our industry the features provided by a transparent forward proxy are required, so if Netgate can no longer provide that feature we will almost certainly switch to a different vendor.
I also think the way they have announced this will end up being a problem for them. I would be willing to bet that the majority of users who will be affected don't even know it is happening yet. I only know about it because, by random chance, I happened to see the blog post while visiting Netgate's website to look at new hardware. Normally, I don't follow their blog or newsletters and rely on the release notes to keep up to date with changes. Unfortunately, the release notes for 23.09 do not include any mention of Squid being deprecated, so at almost any other time I would have missed this news. The doc pages for Squid do include deprecation notices, which is good, and will hopefully prevent some new users from wasting time setting up a package that will be removed, but if you already have it set up and working, or have set it up before, there is little reason to visit those pages, so existing users are unlikely to see those notifications either.
The only thing worse than a vendor dropping support for a feature you rely on is them dropping support without adequately communicating the change far enough in advance to prepare for it. Unless Netgate does a better job of communicating this kind of change, there is a very real risk that users will get a bad surprise when it does happen, and they are not going to be very happy with Netgate or sympathetic to their reasoning.
-
@michmoor said in Squid/LightSquid/SquidGuard alternatives:
I've been monitoring my Palo Alto emails waiting on a notification about security advisories regarding PAN-OS... and there hasn't been one since 9/18/2023
Well, there are many recent CVEs and Red Hat responds to them.
I think Netgate might have got confused by the large number of open vulnerabilities, as most of them were patched in the latest releases. E.g. CVE-2023-46848 was posted on 3 November 2023, but if you look closely it shows: "Versions from including (>=) 5.0.3 and before (<) 6.4". The patch notes also show versions. Squid is currently at version 6.5.
The real issues with Squid are:
- No dedicated security team that responds in a timely manner and
- No backports of security patches to earlier versions.
(And also, the insane amount of old code that is not used by most of the regular users. I went through the source and I am used to contributing to large open source projects, but... this is just not fun, and I actually understand the code.)
@AlternateShadow: I completely agree with everything you wrote.
Considering that there are 2.5 million production deployments that use Squid, I would be happy to chip in a dollar per year with others to have the codebase audited and patched. Or have Netgate create a dedicated response team for Squid as part of a separate software security patching plan.
Anything from Netgate that says: "We will be honest, folks, we cannot maintain this for free anymore, so you need to pay a small yearly fee so that we can continue to provide Squid for you with patches" is fine for me. Or at least do a survey of what customers think about this change. (All purchasers of Netgate hardware get pfSense Plus, and this change affects them as well, not just the pfSense CE users.)
Or: Netgate should consult with the Squid team, get group awareness from other vendors also using Squid, and they could all figure out a plan to correctly maintain Squid, including long-term funding and an SLA. Since NIST is alert to the Squid issues, Squid could even get US government funding.
Removing the heart of a smart router is a pretty bad idea. If one is not using transparent proxying with fine-grained control, one is missing out on something absolutely important.
-
Hello,
I have an "unofficial" project that some of you may have already heard of (pf2ad) and it depends solely on Squid.
With this notice, I am preparing an extra repository for it and the family of packages (which should also lose support -- SquidGuard, LightSquid, etc.)
Regarding the Squid update, I have already compiled a package for version 6.5 that can be updated here: https://gitlab.labexposed.com/-/snippets/14
(pfSense CE version 2.7.1 only)
I hope I can help in some way
Thx
Luiz Costa
-
I spent the last couple of months digging into proxying on pfSense for various reasons. The pf2ad extension (https://pf2ad.com) from Luiz is certainly worth a look.
From a proxy perspective you'll still run into the "missing" DNS whitelist feature (e.g. allow *.younameit.com traffic), as one can only whitelist IP addresses on pfSense. (Same weird thing that one can't block a MAC address on an interface.)
But hopefully something that evolves... I would expect that open feature requests are around for both features.
For the time being I work with various IP whitelists, e.g.
https://adamnetworks.dev/pub/fwaliases/-/tree/694fb414ca57ced0539ac4792f1c595826e16ddf
I am primarily posting this link as I would like to hear from other sources which can be used for e.g. O365, Google, Signal, WhatsApp, to name a few.
Best regards from Europe
-
I use pfSense Plus so I can't test it