SSL Offloading with squid3 + HAProxy



  • Hi everybody,

I am currently trying to use the squid reverse-proxy to decrypt SSL traffic before sending it to my HAProxy (both hosted on my pfSense). However, it looks like the configuration is not written in squid.conf if:

    • Squid HTTPS Reverse Proxy is enabled on the "General" tab.
    • my server is configured to listen to HTTP port in the "Web Server" tab.

    So I was wondering if configuring SSL offloading into Squid is possible through the WebUI.

Another question then: is it possible to configure a VirtualIP as reverse-proxy interface? (instead of WAN interface).

    Regards,



  • Why don't you use HAProxy as reverse proxy directly (as it designed to be used)?
    From my experience, it deals with SSL termination perfectly and can listen on any interface you want, including Virtual IP…



  • Thank you for your quick reply.

I would have preferred this solution too, but I read somewhere that SSL termination is handled by HAProxy version 1.5 and above. And it looks like pfSense is running the 1.4.24 version of HAProxy.

    Regards,



  • HAProxy 1.5 is available as haproxy-devel pfSense package. I use it and it works fine for my purposes.
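
As an added example (not from this thread or the pfSense package), a minimal HAProxy 1.5 configuration that terminates TLS on a Virtual IP and forwards plain HTTP to the web server, as the replies above describe. The IP addresses, certificate path and backend server are assumed placeholders.

```haproxy
global
    # Hardened TLS defaults available since HAProxy 1.5; adjust to your clients.
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES:!aNULL:!MD5:!RC4
    tune.ssl.default-dh-param 2048

defaults
    mode http
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_web
    # 192.0.2.10 is an assumed pfSense Virtual IP (documentation range).
    bind 192.0.2.10:80
    # TLS terminates here; the PEM file holds key + certificate chain (assumed path).
    bind 192.0.2.10:443 ssl crt /etc/ssl/private/example.pem
    # Send plain-HTTP clients to HTTPS.
    redirect scheme https code 301 if !{ ssl_fc }
    # Let the backend know the original scheme so it does not emit http:// links.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend be_web

backend be_web
    # The web server only speaks plain HTTP on the internal network (assumed address).
    server web1 10.0.0.20:80 check
```

Check the result with `haproxy -c -f /path/to/haproxy.cfg` before reloading; the backend must trust the X-Forwarded-Proto header only from this proxy.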



  • You were right, it works great with the haproxy-devel package.

However, are there any security or performance risks/issues running the haproxy-devel package in a production environment?

    Thanks for your help,



From what I learned while using pfSense extensively for some time already, the risk is the same if there is a security or other issue in HAProxy (or any other package) - all packages are contributions and I do not expect quick fixes for any of them. Basically - use at your own risk. Yes, the main system - pfSense - is developed and maintained to a good standard (the recent Heartbleed security issue was a good example), but the packages are not.
There are packages which won't even work if installed, and no one is there to fix them :(
There are, of course, packages which are maintained much better, but fixes to them are still approved by pfSense developers and may not make their way to the package repository for a long time…

So - if your deployment is critical, I would suggest you locate the HAProxy installation on a separate, maintainable server, instead of running it on pfSense.



  • Well, ok I see what you mean.

Thank you very much!