Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense and Squid going forward?

    Scheduled Pinned Locked Moved General pfSense Questions
    11 Posts 5 Posters 491 Views 6 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S Offline
      stephenw10 Netgate Administrator
      last edited by

      The base Squid package was updated upstream so most of the security issues were fixed. However it's unsupported and is still expected to be removed at some point.

      JonathanLeeJ D 3 Replies Last reply Reply Quote 0
      • JonathanLeeJ Offline
        JonathanLee @stephenw10
        last edited by

        @stephenw10 please keep it. I absolutely love that package. I have been waiting on 23.05.01 until the status page is fixed so I can upgrade. All the security things where fixed and that was the main concern originally

        Make sure to upvote

        1 Reply Last reply Reply Quote 1
        • JonathanLeeJ Offline
          JonathanLee @SlowITDown
          last edited by

          @SlowITDown look at the version squid 7.3 ….

          Make sure to upvote

          1 Reply Last reply Reply Quote 0
          • S Offline
            SlowITDown
            last edited by

            @stephenw10 said in pfSense and Squid going forward?:

            The base Squid package was updated upstream so most of the security issues were fixed. However it's unsupported and is still expected to be removed at some point.

            Thanks for the reply will keep that in mind.

            The reason i was asking was we have a client that has a firewall in currently but the device is EOL and they are looking for something that:
            1: can cache websites as they are limited to a 10mb/s line (call it a rural area)
            2: can log what websites are surfed by what IP
            3: Limit website access to certain times and block certain website (ie "all Adult Content")

            My "limited" experience with firewalls is you do that with squid and squid guard.

            So if Squid is being removed i would have to figure out what the new tools are for such functions.

            Thanks again for taking the time to reply.

            1 Reply Last reply Reply Quote 0
            • D Offline
              DBMandrake @stephenw10
              last edited by DBMandrake

              @stephenw10 I know many of us have beat this drum to death in the forum, so take this as genuine and constructive feedback, but there are many of us who love PFSense who will have no choice but to walk away if/when Squid is finally dropped. (Probably to OpnSense as that is the closest analogue in feature set to PFSense for obvious reasons, and they are still officially supporting Squid)

              I was quite surprised and very relieved to see it received a "stay of execution" shall we say, in 2.8.0, and in fact got some updates.

              I had been quietly dreading the promised 2.8.0 release which would remove Squid because I would have had to immediately ramp up the search for an alternative and put plans in place to migrate which is not easy when it has become a core part of a network and the many and varied features and services of PFSense are relied on, which are hard to replicate in one device in many other products. Furthermore, upgrading from CE to Plus would not solve the problem for me as it was to be removed from Plus as well.

              (In fact the constant "will they, won't they" fear regarding removal of Squid is the primary thing that has put me off going from CE to Plus, as I would be foolish to do so only to have a feature I rely entirely on removed from the paid version soon after paying for it)

              All business networks above a certain size rely on proxy server functionality, so to remove it from an otherwise very powerful firewall leaves a gaping hole in functionality that would simply make PFSense a "no" for many networks. You can run an explicit proxy on another device but if you need transparent proxying as well (especially to support BYO devices) the proxy has to run directly on the firewall.

              Sure, I get it - Squid is old code, and a lot of the traditional functionality of Squid (such as full URL inspection, content filtering, caching) is no longer usable or meaningful in a modern HTTPS everywhere world, making Squid somewhat obsolete as a project and about 80% of the configuration GUI for it in PFSense is now worthless, however SNI inspection and domain based blocking does still work for now, and that's all that's really available these days unless you want to go down the route of installing certificates on all clients and doing full certificate based interception and decryption, or forcing only explicit proxy use - which is another can of worms and which is not feasible with BYO devices.

              To be honest, we don't need Squid and all its baggage specifically, all that's really needed these days is a lightweight proxy server (both transparent and explicit) which can apply domain based access controls using SNI, which integrates with some sort of category based domain lists - the latter functionality currently provided by SquidGuard.

              Some say "just use PFBlocker" but this does not replicate the functionality when you have different VLAN's/subnets with different blocklist requirements, (for example Staff vs Students in a school, which is my situation) and ultimately, DNS based filtering cannot be made watertight in a complex environment because there are always ways for clients to defeat external DNS blocks.

              All other major firewall vendors have some proxy server with SNI recognition and category based domain lists as a core feature - whether they're rolling their own code or quietly still using Squid/SquidGuard behind the scenes, which I know some do.

              I'm all for replacing Squid/SquidGuard with a modern, lightweight proxy server that just performs these basic still feasible features, (transparent/explicit proxy, SNI inspection, category based domain name blocking) and would love to see this happen however I'm not aware of any current open source proxy projects that meet the requirements. Most ground up Squid replacements probably remain proprietary internal code of firewall vendors.

              While Netgate may disagree or not see it as a priority, I think many of us believe that proxy server functionality is a core feature that any advanced firewall needs and should have so IMHO removing Squid without providing some kind of modern replacement is a problem for a lot of people that will see them leaving or not using PFSense in the first place.

              1 Reply Last reply Reply Quote 1
              • JonathanLeeJ Offline
                JonathanLee
                last edited by JonathanLee

                "Why Squid Should Stay – Major Upstream Progress in 6.x → 7.x
                Over the past year, Squid development has seen a major resurgence, with substantial improvements in security, code modernization, protocol support, and platform compatibility. While it’s true Squid was relatively stagnant for several years, the recent pace of upstream changes demonstrates an active and forward-looking roadmap that directly addresses the concerns which led to discussions about removing the package.

                Key Reasons to Retain Squid in pfSense

                1. Security and Stability Improvements
                Numerous security-critical fixes have landed, including improved TLS handling, memory safety hardening, Kerberos and authentication robustness, and stricter ACL validation.
                Y2038 readiness and proper timeout handling reduce long-term technical debt.
                Upstream now proactively removes legacy code that previously posed maintenance risks (e.g., deprecated auth helpers, obsolete protocols, dead features).

                2. Aggressive Removal of Obsolete Components
                Recent releases streamlined the codebase, cutting legacy baggage:
                Removed Edge Side Include (ESI), Ident protocol, cachemgr.cgi, squidclient, old UFS/AUFS purge tools, and unused multicast/ICP features.
                Eliminated deprecated APIs, dead code paths, and fragile maintenance hacks.

                3. Modernization and Portability
                Fixes for OpenSSL v3+, GCC 13–15, and MinGW/Windows builds.
                Updated SNMP counters, EDNS support for DNS, and improved IPv6 ACL matching.
                Build system refreshes for modern toolchains (libtool/automake, pkg-config checks).

                4. Active Development and Frequent Releases
                In just the last 12 months, Squid jumped from mid-6.x into the 7.x series with five significant releases:

                • 6.11 → 6.14 (Sep 2024 – Jun 2025): DNS reliability, Kerberos improvements, memory leak prevention, large upload handling, GCC build fixes, and better configuration clarity.
                • 7.0.1 Pre-release (Feb 2025): Massive cleanup milestone – removal of outdated protocols, dozens of bug fixes, security improvements, Windows and MinGW portability fixes, logging improvements, and Y2038 handling.
                • 7.0.2 (Jun 2025): Fixes for RESPMOD hangs, OpenSSL 3 support, Solaris and GCC portability, TLS-DH parameter handling, and SNMP corrections.
                • 7.1 (Jul 2025): Latest release – includes getaddrinfo() IP duplication fix, removal of SMB/LANMAN auth helpers, additional documentation and code cleanups.
                • These changes reflect consistent, upstream-driven effort—not a one-off patch drop.

                The Reality: Squid Is Far from Dead

                The upstream changelogs show hundreds of resolved issues, major feature pruning, and ongoing modernization efforts. This isn’t a dormant project anymore; it’s actively maintained with a clear trajectory toward security and protocol compliance in modern environments.

                Why This Matters for pfSense
                The main reason Squid was on the chopping block was lack of maintenance. That reason no longer applies. Squid is alive, modernizing, and actively improving security. Removing it now would be a step backward when upstream has done the heavy lifting to make it viable again.

                Recommendation: Keep Squid in pfSense, update it to the current 7.x series, and leverage the ongoing upstream momentum to provide users with a secure, modern caching/proxy solution.

                Bottom line: Squid is not just maintained—it’s moving fast. This is the perfect time to keep it, not drop it.—pfSense can now provide its users with an up-to-date, secure, and stable caching/proxy solution without carrying legacy baggage.

                Also here is the email that went out a couple days ago. I disagree about stating it's old code.. as Squid developers are also working on a solution to QUIC in the background currently.

                "The Squid HTTP Proxy team is very pleased to announce the availability
                of the Squid-7.1 release!

                This release is, we believe, stable enough for general production use.
                We encourage all users of any previous major version of Squid to upgrade to it,
                as well as users of beta version 7.0.X.

                It can be downloaded from GitHub, at
                https://github.com/squid-cache/squid/releases/tag/SQUID_7_1

                Since version 6, Squid offers:

                • better support for overlapping IP ranges and wildcard domains in acl
                • countless security, portability, and documentation fixes

                Since version 6, some previously deprecated features have been removed:

                • Edge Side Includes (ESI)
                • access to the cache manager using the cache_object:// scheme - use
                  http instead
                • the squdclient tool - use curl
                  http://<squid-address>/squid-internal-mgr/menu instead
                • the cachemgr.cgi tool
                • the purge tool - use the http PURGE method instead
                • Ident protocol support
                • basic_smb_lm_auth and ntlm_smb_lm_auth helpers - use Samba's
                  ntlm_auth instead

                Further details can be found in the release notes and in the changelog

                Please remember to run "squid -k parse" when testing the upgrade to a new
                version of Squid. It will audit your configuration files and report
                any identifiable issues the new release will have in your installation
                before you "press go".

                If you encounter any issues with this release please file a bug report at
                https://bugs.squid-cache.org/

                --
                Francesco Chemolli


                squid-users mailing list
                squid-users@lists.squid-cache.org
                https://lists.squid-cache.org/listinfo/squid-users"

                Ref:
                https://github.com/squid-cache/squid/releases

                Make sure to upvote

                1 Reply Last reply Reply Quote 1
                • JonathanLeeJ Offline
                  JonathanLee @stephenw10
                  last edited by JonathanLee

                  @stephenw10 How do we get it supported ?? Maybe a bug bounty ?

                  I am doing a git clone right now and will do the Makefile and set it to 7.1.x and run the makes and commit and push it and open a pull request for the package it is still on 6.13. Again it has to be approved. But at least I tried.

                  Make sure to upvote

                  1 Reply Last reply Reply Quote 0
                  • JonathanLeeJ Offline
                    JonathanLee
                    last edited by JonathanLee

                    https://github.com/pfsense/FreeBSD-ports/pull/1420

                    Merged I could not test it but it is in there with the make file now and the distinfo file

                    @stephenw10

                    Let me know if you can test that out

                    Dont use this I am having issues with the MASTER SITES and patches folder it wont make clean install all the way

                    Make sure to upvote

                    JonathanLeeJ 1 Reply Last reply Reply Quote 1
                    • JonathanLeeJ Offline
                      JonathanLee @JonathanLee
                      last edited by JonathanLee

                      @JonathanLee https://github.com/pfsense/FreeBSD-ports/pull/1420

                      I have tested this and it complies I do not know if anyone else has the ability to test this on pfsense dev mode but here is the pull that sets the Makefile to use Squid 7. I took a long long time to compile and it removes Auth for SMB_LM

                      Make sure to upvote

                      A 1 Reply Last reply Reply Quote 1
                      • A Offline
                        aGeekhere @JonathanLee
                        last edited by

                        @JonathanLee Would be nice if squid 7 came to pfsense, if squid is discontinued from pfsense then i guess a docker container running squid could be an option.

                        Never Fear, A Geek is Here!

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.