Squid: webgui_port added to safeports and sslports acl in squid.inc
-
In the /usr/local/pkg/squid.inc file for the Squid package, I notice that the port that the web GUI is configured to listen on (stored in the variable $webgui_port) is automatically added to the "safeports" and "sslports" ACLs. Is there a particular reason for this? If not, I have a reason against it.
Consider the following scenario: An internal network made up of several different VLANs, with the pfSense box acting as the gateway and also as a filter between those VLANs, allowing or disallowing traffic to pass based on the security context of each VLAN. pfSense is also running Squid and SquidGuard to act as a filtering proxy for the whole network. The pfSense box has an interface on each VLAN in the network (192.168.0.1, 192.168.1.1, 192.168.2.1, etc) but has firewall rules in place to only pass traffic to one of those interfaces, on a VLAN defined as secure (let's say 192.168.0.1). This is how pfSense is administered, and the less secure networks are not allowed to talk to 192.168.0.0/24.
So far, so good. But now enter Squid. A clever user on a less secure network could change his browser settings to go through the proxy for all addresses, including localhost. He could then point his browser at http://localhost and, via the Squid proxy, arrive at a login page for the pfSense web GUI. For all other internal networks this can be worked around by setting a destination ACL and denying access, but squid.inc also hardcodes an allow rule for localhost, so for the pfSense box itself this will not work. OK, let's move the web GUI to a non-standard port to work around this, since Squid won't proxy for anything not in "safeports", and 443 is (rightly) there by default. Except squid.inc also hardcodes an allow rule for $webgui_port, so any port I move the GUI to will be allowed again the next time I make any Squid change and it rebuilds its config.
Given this, I propose that $webgui_port be removed from the "safeports" and "sslports" ACL in squid.inc. I doubt this would have much impact on most people, as I suspect that:
1. most people don't change the default port, and 443 is already in "safeports" and "sslports"
2. most people wouldn't need the proxy server to gain access to the pfSense GUI anyway

Anyone to whom 1 and 2 don't apply is likely to be an advanced user anyway, and if they need their alternate GUI port in "safeports", they should have no problems adding it themselves in the GUI, since there seems to be a field for that.
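
An added example (not part of the original post and not code from the Squid package): a small Python check that reads a generated squid.conf and reports which of the "safeports" and "sslports" ACLs cover a given web GUI port, either as an explicit entry or through a port range. The sample config, its port list and the GUI port 8443 are constructed for illustration.

```python
import re

# Constructed sample of a generated squid.conf. The ACL names follow the post;
# the port list and the GUI port 8443 are assumptions made for this example.
SAMPLE_CONF = """\
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8443 1025-65535
acl sslports port 443 563 8443
acl CONNECT method CONNECT
http_access deny !safeports
http_access deny CONNECT !sslports
"""

# Matches "acl <name> port <values...>" and ignores a trailing "# comment".
ACL_PORT_RE = re.compile(r"^\s*acl\s+(\S+)\s+port\s+(.+?)\s*(?:#.*)?$")


def port_acls(conf_text):
    """Map each port-type ACL name to a list of (low, high, token) entries."""
    acls = {}
    for line in conf_text.splitlines():
        m = ACL_PORT_RE.match(line)
        if not m:
            continue
        name, values = m.groups()
        for token in values.split():
            low, _, high = token.partition("-")
            if not low.isdigit() or (high and not high.isdigit()):
                continue  # not a port or a port range
            # Repeated "acl <name> port" lines accumulate, as they do in Squid.
            acls.setdefault(name, []).append((int(low), int(high or low), token))
    return acls


def acls_permitting_port(conf_text, port, names=("safeports", "sslports")):
    """Return {acl_name: [tokens covering port]} for the named ACLs."""
    acls = port_acls(conf_text)
    hits = {}
    for name in names:
        tokens = [tok for lo, hi, tok in acls.get(name, []) if lo <= port <= hi]
        if tokens:
            hits[name] = tokens
    return hits


if __name__ == "__main__":
    for name, tokens in acls_permitting_port(SAMPLE_CONF, 8443).items():
        print(f"{name}: GUI port 8443 is covered by {', '.join(tokens)}")
```

In this sample, dropping the explicit 8443 entries still leaves the port inside the 1025-65535 range of "safeports", so the check is worth running against the rebuilt config after any change to the GUI port or the ACLs.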