Netgate Discussion Forum
    Is there an easier way to secure squid3 proxy clients?

    Cache/Proxy
    5 Posts 2 Posters 1.7k Views
    bnangle:

      Hi Everyone,

      I am very new to pfSense but I have been playing around with it and with Squid at home and was wondering if there is an easier way to secure the proxy clients? When I run the SSL Labs client test at https://www.ssllabs.com/ssltest/viewMyClient.html with the default squid configuration and SSL proxying, the results are not very pretty. However, when I replace the top 30 or so lines in my squid.conf file with the lines below, I achieve what I think are great results, but whenever there is a change made to Squid via the WebGUI it reverts back to being insecure until I manually update the squid.conf file and restart the process.

      Is there a way to somehow include the following lines on any changes to my instance of Squid so that it will always start with the following options?

      # This file is automatically generated by pfSense
      # Do not edit manually !

      http_port 192.168.1.254:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH options=NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE dhparams=/etc/ssl/dhparam2048.pem

      http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH options=NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE dhparams=/etc/ssl/dhparam2048.pem

      https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH options=NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE dhparams=/etc/ssl/dhparam2048.pem

      icp_port 0
      dns_v4_first off
      pid_filename /var/run/squid/squid.pid
      cache_effective_user proxy
      cache_effective_group proxy
      error_default_language en
      icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
      visible_hostname localhost
      cache_mgr admin@localhost
      access_log /var/squid/logs/access.log
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      netdb_filename /var/squid/logs/netdb.state
      pinger_enable on
      pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
      sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
      sslcrtd_children 25
      sslproxy_options NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE
      sslproxy_cipher ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH
      sslproxy_capath /usr/pbi/squid-amd64/local/share/certs/

      I am using Squid3 version 0.2.8 on pfSense version 2.2.3, and in order to use the "dhparams=/etc/ssl/dhparam2048.pem" option I had to run the following via the shell: "openssl dhparam -out dhparams.pem 2048". Sorry if everyone already knows this, I am very new to all this but I am learning a ton!

      Thanks in advance!

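As an added example that is not part of this thread or of the pfSense squid package: a small Python audit script for the problem described in the post above. It reads a generated squid.conf, reports every ssl-bump listener that has lost its cipher=, options= (NO_SSLv2/NO_SSLv3) or dhparams= parameters and any missing sslproxy_options/sslproxy_cipher for the server-facing side, and with --fix re-appends the values from the post. The squid.conf path, the embedded sample file and the exact cipher/option values are assumptions taken from the first post; adjust them for your own box.

```python
"""Audit and optionally re-harden a pfSense-generated squid.conf.

Added example, not part of the thread or of the pfSense squid package.
It flags ssl-bump listeners lacking explicit cipher=, options= (with
NO_SSLv2/NO_SSLv3) or dhparams=, plus a missing sslproxy_options /
sslproxy_cipher, so a GUI regeneration that drops them is detected.
Values and paths are assumptions copied from the first post.
"""
import re
import sys

CIPHER = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
          "RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:"
          "!RC4:!SEED@STRENGTH")
OPTIONS = "NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE"
DHPARAMS = "/etc/ssl/dhparam2048.pem"                             # assumed, as in the post
REQUIRED_OPTIONS = {"NO_SSLv2", "NO_SSLv3"}
CONF_PATH = "/usr/pbi/squid-amd64/local/etc/squid/squid.conf"     # assumed location

PORT_RE = re.compile(r"^\s*(https?_port)\s+(\S+)\s+(.*)$")


def parse_port_line(line):
    """Return (directive, address, {param: value}) for an *_port line, else None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    params = {}
    for tok in m.group(3).split():
        key, _, value = tok.partition("=")   # bare flags like 'intercept' -> ''
        params[key] = value
    return m.group(1), m.group(2), params


def audit(conf_text):
    """Return human-readable findings; an empty list means the file is hardened."""
    findings, seen = [], set()
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("sslproxy_"):
            seen.add(line.split()[0])
        parsed = parse_port_line(line)
        if not parsed or "ssl-bump" not in parsed[2]:
            continue
        directive, addr, p = parsed
        where = f"line {lineno} ({directive} {addr})"
        if "cipher" not in p:
            findings.append(f"{where}: no cipher= list, library default applies")
        missing = REQUIRED_OPTIONS - set(p.get("options", "").split(":"))
        if missing:
            findings.append(f"{where}: options= lacks {','.join(sorted(missing))}")
        if "dhparams" not in p:
            findings.append(f"{where}: no dhparams=, DH group not pinned")
    for d in ("sslproxy_options", "sslproxy_cipher"):
        if d not in seen:
            findings.append(f"{d} not set: server-facing TLS uses library defaults")
    return findings


def harden_port_line(line):
    """Append any absent hardening parameter to an ssl-bump *_port line.
    Parameters that are present but weaker are left alone (audit reports them)."""
    parsed = parse_port_line(line)
    if not parsed or "ssl-bump" not in parsed[2]:
        return line
    p = parsed[2]
    extra = [f"{k}={v}" for k, v in (("cipher", CIPHER), ("options", OPTIONS),
                                     ("dhparams", DHPARAMS)) if k not in p]
    return line.rstrip() + "".join(" " + e for e in extra)


def harden_conf(conf_text):
    """Harden every listener and add the sslproxy_* directives if missing."""
    lines = [harden_port_line(l) for l in conf_text.splitlines()]
    present = {l.split()[0] for l in lines if l.strip() and not l.strip().startswith("#")}
    if "sslproxy_options" not in present:
        lines.append("sslproxy_options " + OPTIONS)
    if "sslproxy_cipher" not in present:
        lines.append("sslproxy_cipher " + CIPHER)
    return "\n".join(lines) + "\n"


# Constructed sample resembling the GUI-generated file before hardening.
DEFAULT_CONF = """\
# This file is automatically generated by pfSense
http_port 192.168.1.254:3128 ssl-bump generate-host-certificates=on cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem
icp_port 0
"""

if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--fix"]
    path = args[0] if args else CONF_PATH
    with open(path) as fh:
        text = fh.read()
    problems = audit(text)
    print("\n".join(problems) or "hardened")
    if problems and "--fix" in sys.argv:
        with open(path, "w") as fh:
            fh.write(harden_conf(text))
    sys.exit(1 if problems else 0)
```

Run it after any GUI save (or from cron) and follow a --fix with `squid -k reconfigure`. It only appends parameters that are absent, so a listener that already carries a weaker options= list is reported but not rewritten. Note that this is text surgery on a file pfSense marks as auto-generated: the package will overwrite it again on the next GUI change, and the script just makes that regression visible and cheap to undo.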
      KOM:

        What do you mean by "not very pretty"?  I'm running 2.2.2 with squid3 and squidguard 1.5.1.  The page you linked to seems to work well enough for me in that it says I have good protocol support and am not vulnerable to any of their attacks.  Usually when people talk about proxy and security, they're talking about leaking machine names, internal IP addresses, proxy presence, version etc etc.  This seems to be more about your browser security.

        bnangle:

          Thanks for the response KOM!

          Not very pretty was probably a little over the top. When I run the link, the ciphers listed below show as supported unless I have updated the Squid config file. I have tested the browsers without Squid and the ciphers below don't show up. Does this mean they can be ignored since the browsers don't support them?

          TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)  WEAK
          TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)  WEAK
          TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)  WEAK
          TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)  WEAK
          TLS_RSA_WITH_RC4_128_SHA (0x5)  WEAK
          TLS_RSA_WITH_RC4_128_MD5 (0x4)  WEAK
          TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)  WEAK
          TLS_DHE_DSS_WITH_DES_CBC_SHA (0x12)  WEAK
          TLS_RSA_WITH_DES_CBC_SHA (0x9)  WEAK
          TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)  INSECURE
          TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x11)  INSECURE
          TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)  INSECURE
          TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)  INSECURE
          TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)  INSECURE

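For the question of whether the cipher= string from the first post actually shuts out the suites SSL Labs flagged in the list above, here is an added example (not from the thread and not OpenSSL's own code) that models OpenSSL's cipher-string rules over a small constructed suite table, so you can see which suites a string admits and in what order. The suite table, its alias tags and the WEAK_TAGS set are hand-assigned assumptions; on a real host `openssl ciphers -v '<string>'` is the authoritative check.

```python
"""Model of OpenSSL cipher-string evaluation for the cipher= lists above.

Added example, not from the thread and not OpenSSL's code.  SUITES is a
constructed subset with alias tags assigned by hand, and only the rule forms
the poster's string uses (plain, '+', '!', '-', '@STRENGTH') are modelled.
On a real host `openssl ciphers -v '<string>'` is the authoritative check.
"""

HARDENED = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
            "RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:"
            "!RC4:!SEED@STRENGTH")

# (OpenSSL name, IETF name as SSL Labs prints it, key bits, OpenSSL alias tags).
# kex: RSA/ECDH/DH  auth: aRSA/aECDSA/DSS/aNULL  cipher: AES*/RC4/DES/3DES/SEED/eNULL
# mac: SHA1/SHA256/SHA384/MD5  LOW = 56/64-bit, EXP = export grade.
SUITES = [
    ("ECDHE-RSA-AES256-GCM-SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 256, {"ECDH", "aRSA", "AESGCM", "AES256", "AES", "SHA384"}),
    ("ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 128, {"ECDH", "aECDSA", "AESGCM", "AES128", "AES", "SHA256"}),
    ("DHE-RSA-AES128-GCM-SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 128, {"DH", "aRSA", "AESGCM", "AES128", "AES", "SHA256"}),
    ("DHE-RSA-AES256-SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 256, {"DH", "aRSA", "AES256", "AES", "SHA1"}),
    ("AES128-GCM-SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256", 128, {"RSA", "aRSA", "AESGCM", "AES128", "AES", "SHA256"}),
    ("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", 128, {"RSA", "aRSA", "AES128", "AES", "SHA1"}),
    ("DHE-DSS-AES128-SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 128, {"DH", "DSS", "AES128", "AES", "SHA1"}),
    ("ECDHE-RSA-DES-CBC3-SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", 168, {"ECDH", "aRSA", "3DES", "SHA1"}),
    ("ECDHE-RSA-RC4-SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", 128, {"ECDH", "aRSA", "RC4", "SHA1"}),
    ("RC4-MD5", "TLS_RSA_WITH_RC4_128_MD5", 128, {"RSA", "aRSA", "RC4", "MD5"}),
    ("DES-CBC-SHA", "TLS_RSA_WITH_DES_CBC_SHA", 56, {"RSA", "aRSA", "DES", "LOW", "SHA1"}),
    ("EXP-DES-CBC-SHA", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", 40, {"RSA", "aRSA", "DES", "EXP", "SHA1"}),
    ("EXP-RC4-MD5", "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40, {"RSA", "aRSA", "RC4", "EXP", "MD5"}),
    ("AECDH-AES128-SHA", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", 128, {"ECDH", "aNULL", "AES128", "AES", "SHA1"}),
    ("NULL-SHA", "TLS_RSA_WITH_NULL_SHA", 0, {"RSA", "aRSA", "eNULL", "SHA1"}),
    ("SEED-SHA", "TLS_RSA_WITH_SEED_CBC_SHA", 128, {"RSA", "aRSA", "SEED", "SHA1"}),
    ("PSK-AES128-CBC-SHA", "TLS_PSK_WITH_AES_128_CBC_SHA", 128, {"PSK", "AES128", "AES", "SHA1"}),
]

# Families flagged WEAK/INSECURE in the SSL Labs list above, plus anonymous and null suites.
WEAK_TAGS = {"RC4", "DES", "EXP", "MD5", "aNULL", "eNULL"}


def _tokens(cipher_string):
    """Split on ':'.  A '@' begins a new rule in OpenSSL's parser, so the
    poster's trailing '!SEED@STRENGTH' is two rules, not one misspelt alias."""
    for piece in cipher_string.split(":"):
        head, at, special = piece.partition("@")
        if head:
            yield head
        if at:
            yield "@" + special


def _matches(tags, selector):
    """'ECDH+AESGCM' matches a suite only if every '+'-joined part does."""
    for part in selector.split("+"):
        if part == "ALL":            # everything except null encryption
            if "eNULL" in tags:
                return False
        elif part not in tags:
            return False
    return True


def evaluate(cipher_string):
    """Return the OpenSSL names the string admits, in the order it leaves them."""
    selected, killed = [], set()     # indices into SUITES; '!' is permanent
    for tok in _tokens(cipher_string):
        if tok == "@STRENGTH":       # sort by key bits, descending, stable
            selected.sort(key=lambda i: -SUITES[i][2])
            continue
        op, body = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        hits = [i for i, s in enumerate(SUITES) if _matches(s[3], body)]
        if op == "!":                # remove now and forbid re-adding later
            killed.update(hits)
            selected = [i for i in selected if i not in killed]
        elif op == "-":              # remove, but a later rule may re-add
            selected = [i for i in selected if i not in hits]
        elif op == "+":              # move matches to the end of the list
            selected = [i for i in selected if i not in hits] + [i for i in selected if i in hits]
        else:                        # append matches not already present
            selected += [i for i in hits if i not in killed and i not in selected]
    return [SUITES[i][0] for i in selected]


def weak_suites(openssl_names):
    """Subset of the given suites that fall in a WEAK_TAGS family."""
    tags = {s[0]: s[3] for s in SUITES}
    return [n for n in openssl_names if tags[n] & WEAK_TAGS]


def admits(cipher_string, ietf_name):
    """True when the suite SSL Labs lists under ietf_name survives the string."""
    allowed = set(evaluate(cipher_string))
    return any(o in allowed for o, i, _, _ in SUITES if i == ietf_name)


if __name__ == "__main__":
    for label, cs in (("ALL", "ALL"), ("hardened", HARDENED)):
        allowed = evaluate(cs)
        print(f"{label}: {len(allowed)} suites, weak: {weak_suites(allowed) or 'none'}")
```

Two things the model makes visible. First, the '@STRENGTH' glued onto '!SEED' in the poster's string is still honoured, because '@' starts a new rule in OpenSSL's parser. Second, @STRENGTH sorts by key length alone, so a 256-bit CBC/SHA1 suite (DHE-RSA-AES256-SHA here) ends up ahead of a 128-bit AES-GCM suite; if you care about AEAD first, order the string by hand instead of relying on the sort. The cipher= list on an http_port/https_port governs what the proxy will accept from any client, independently of what a given browser happens to offer.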
          KOM:

            No idea, I'm not a cryptologist

            bnangle:

              No worries, thanks much for your help, I will continue to play around and see what I can find out, have a good one!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.