Is there an easier way to secure squid3 proxy clients?



  • Hi Everyone,

I am very new to pfSense but I have been playing around with it and with Squid at home and was wondering if there is an easier way to secure the proxy clients? When I run the SSL Labs client test at https://www.ssllabs.com/ssltest/viewMyClient.html with the default squid configuration and SSL proxying, the results are not very pretty. However, when I replace the top 30 or so lines in my squid.conf file (with the lines below) I achieve what I think are great results, but whenever there is a change made to Squid via the WebGUI it reverts back to being insecure until I manually update the squid.conf file and restart the process.

    Is there a way to somehow include the following lines on any changes to my instance of Squid so that it will always start with the following options?

    # This file is automatically generated by pfSense
    # Do not edit manually !

    http_port 192.168.1.254:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH options=NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE dhparams=/etc/ssl/dhparam2048.pem

    http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH options=NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE dhparams=/etc/ssl/dhparam2048.pem

    https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH options=NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE dhparams=/etc/ssl/dhparam2048.pem

    icp_port 0
    dns_v4_first off
    pid_filename /var/run/squid/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_default_language en
    icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
    visible_hostname localhost
    cache_mgr admin@localhost
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    netdb_filename /var/squid/logs/netdb.state
    pinger_enable on
    pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
    sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
    sslcrtd_children 25
    sslproxy_options NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE
    sslproxy_cipher ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED@STRENGTH
    sslproxy_capath /usr/pbi/squid-amd64/local/share/certs/

    I am using Squid3 version 0.2.8 on pfSense version 2.2.3, and in order to use the "dhparams=/etc/ssl/dhparam2048.pem" option I had to run the following via the shell: "openssl dhparam -out dhparams.pem 2048". Sorry if everyone already knows this; I am very new to all this but I am learning a ton!

    Thanks in advance!
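One way to deal with the regeneration problem described in the post above is to post-process the file pfSense writes instead of editing it by hand. The script below is an added example and is not part of the original post or of the pfSense squid package. It takes the cipher=, options= and dhparams= values from the posted squid.conf, re-applies them to every http_port/https_port line that carries ssl-bump but lacks them, and forces the sslproxy_cipher and sslproxy_options directives to the same values. The config path, the sample input and the idea of running it after every WebGUI save (for example from cron) are assumptions, as is the availability of a Python 3 interpreter on the firewall or a management host.

```python
import os
import sys

# Values copied from the hardened squid.conf posted above.
CIPHER = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
          "RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:"
          "!RC4:!SEED@STRENGTH")
OPTIONS = "NO_SSLv2:NO_SSLv3:No_Compression:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE"
DHPARAMS = "/etc/ssl/dhparam2048.pem"

# Assumed location of the generated file on pfSense 2.2 (it matches the PBI
# paths in the post); pass a different path on the command line if needed.
CONF_PATH = "/usr/pbi/squid-amd64/local/etc/squid/squid.conf"

PORT_DIRECTIVES = ("http_port", "https_port")
LISTENER_PARAMS = {"cipher": CIPHER, "options": OPTIONS, "dhparams": DHPARAMS}
SSLPROXY_DIRECTIVES = {"sslproxy_cipher": CIPHER, "sslproxy_options": OPTIONS}

# Constructed sample of what pfSense might emit after a WebGUI save: the
# listener lines from the post with cipher=/options=/dhparams= stripped, a
# weaker sslproxy_options, and a plain listener that must be left alone.
SAMPLE_GENERATED_CONF = """\
# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.1.254:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/
http_port 192.168.2.1:3128
icp_port 0
sslproxy_options NO_SSLv2
sslproxy_capath /usr/pbi/squid-amd64/local/share/certs/
"""


def harden_port_line(line):
    """Add cipher=/options=/dhparams= to an ssl-bump listener that lacks them.

    Lines that are not http_port/https_port, have no ssl-bump, or already
    carry a given key=value come back unchanged, so the function is
    idempotent and never duplicates a parameter.
    """
    tokens = line.split()
    if not tokens or tokens[0] not in PORT_DIRECTIVES or "ssl-bump" not in tokens:
        return line
    present = {t.split("=", 1)[0] for t in tokens if "=" in t}
    missing = [f"{k}={v}" for k, v in LISTENER_PARAMS.items() if k not in present]
    return line.rstrip() + "".join(" " + m for m in missing)


def harden_config(text):
    """Rewrite a generated squid.conf: fix listeners, force sslproxy_* values."""
    out, seen = [], set()
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in SSLPROXY_DIRECTIVES:
            # Replace whatever value pfSense wrote (e.g. only NO_SSLv2) with ours.
            out.append(f"{tokens[0]} {SSLPROXY_DIRECTIVES[tokens[0]]}")
            seen.add(tokens[0])
        else:
            out.append(harden_port_line(line))
    # sslproxy_* are global directives, so appending them at the end is fine.
    for name, value in SSLPROXY_DIRECTIVES.items():
        if name not in seen:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


def harden_file(path):
    """Rewrite the file in place (atomically); return True if it changed."""
    with open(path) as fh:
        original = fh.read()
    hardened = harden_config(original)
    if hardened == original:
        return False
    tmp = path + ".hardened.tmp"
    with open(tmp, "w") as fh:
        fh.write(hardened)
    os.replace(tmp, path)
    return True


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else CONF_PATH
    if harden_file(target):
        print(f"{target} updated; now run: squid -k reconfigure")
    else:
        print(f"{target} already hardened")
```

Because pfSense rewrites the file on every save, this has to run again after each WebGUI change and be followed by `squid -k reconfigure` (or a restart) for the new listeners to take effect; running it unconditionally from cron is harmless since a second pass on an already hardened file changes nothing.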



  • What do you mean by "not very pretty"? I'm running 2.2.2 with squid3 and squidguard 1.5.1. The page you linked to seems to work well enough for me, in that it says I have good protocol support and am not vulnerable to any of their attacks. Usually when people talk about proxy and security, they're talking about leaking machine names, internal IP addresses, proxy presence, version, etc. This seems to be more about your browser security.



  • Thanks for the response KOM!

    Not very pretty was probably a little over the top. When I run the link, the ciphers listed below show as supported unless I have updated the Squid config file. I have tested the browsers without Squid and the ciphers below don't show up; does this mean they can be ignored since the browsers don't support them?

    TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)  WEAK
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)  WEAK
    TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)  WEAK
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)  WEAK
    TLS_RSA_WITH_RC4_128_SHA (0x5)  WEAK
    TLS_RSA_WITH_RC4_128_MD5 (0x4)  WEAK
    TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)  WEAK
    TLS_DHE_DSS_WITH_DES_CBC_SHA (0x12)  WEAK
    TLS_RSA_WITH_DES_CBC_SHA (0x9)  WEAK
    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)  INSECURE
    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x11)  INSECURE
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)  INSECURE
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)  INSECURE
    TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)  INSECURE
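With ssl-bump in the path, the TLS session that reaches ssllabs.com is the one Squid opens toward the server, so the client test is reporting Squid's outbound cipher list (sslproxy_cipher / sslproxy_options), not the browser's. That is why the suites above appear only when the proxy is in use and vanish once the squid.conf is updated. The script below is an added example, not code from the original post or from Squid: it takes the 14 flagged suites from the post, shows which "!" exclusion in the posted cipher string removes each one, and then expands that string with the local OpenSSL (through Python's ssl module) to confirm nothing weak survives. The name-pattern rules and the weak-name regex are this example's own simplifications of OpenSSL's cipher aliases.

```python
import re
import ssl

# Cipher string copied from the hardened squid.conf in the first post.
HARDENED_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:"
    "!RC4:!SEED@STRENGTH"
)

# The 14 suites SSL Labs flagged in the post above (IANA name -> suite id).
FLAGGED_SUITES = {
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA": 0xC011,
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": 0xC007,
    "TLS_ECDH_RSA_WITH_RC4_128_SHA": 0xC00C,
    "TLS_ECDH_ECDSA_WITH_RC4_128_SHA": 0xC002,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_RC4_128_MD5": 0x0004,
    "TLS_DHE_RSA_WITH_DES_CBC_SHA": 0x0015,
    "TLS_DHE_DSS_WITH_DES_CBC_SHA": 0x0012,
    "TLS_RSA_WITH_DES_CBC_SHA": 0x0009,
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA": 0x0014,
    "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA": 0x0011,
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA": 0x0008,
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5": 0x0006,
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": 0x0003,
}

# Simplified model (this example's own) of the OpenSSL exclusions used in
# HARDENED_CIPHERS and the IANA naming pattern each covers. A suite may be
# removed by more than one of them.
EXCLUSION_RULES = [
    ("!EXP", re.compile(r"_EXPORT_")),        # 40-bit export-grade suites
    ("!RC4", re.compile(r"_RC4_")),
    ("!LOW", re.compile(r"_WITH_DES_CBC_")),  # single DES (56-bit) is LOW
    ("!MD5", re.compile(r"_MD5$")),
    ("!DSS", re.compile(r"_DSS_")),
]

# Anything that still resolves with one of these in its OpenSSL name is weak.
WEAK_NAME = re.compile(r"RC4|DES|RC2|MD5|EXP|NULL|SEED")


def excluding_keywords(iana_name):
    """Which '!' keywords in HARDENED_CIPHERS remove this suite (rule order)."""
    active = set(HARDENED_CIPHERS.split(":"))
    return [kw for kw, pat in EXCLUSION_RULES
            if pat.search(iana_name) and kw in active]


def flagged_suite_coverage():
    """Map each flagged suite to its excluding keywords; [] would mean a gap."""
    return {name: excluding_keywords(name) for name in FLAGGED_SUITES}


def resolve_cipher_string(cipher_string):
    """Expand a cipher string with the local OpenSSL, as Squid does at startup."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()        # dicts with name, protocol, strength_bits, ...


def weak_suites(resolved):
    """Resolved suites that are weak by name or offer fewer than 128 bits."""
    return [c["name"] for c in resolved
            if WEAK_NAME.search(c["name"]) or c["strength_bits"] < 128]


if __name__ == "__main__":
    for name, keywords in flagged_suite_coverage().items():
        print(f"{name:<42} 0x{FLAGGED_SUITES[name]:04x}  removed by "
              f"{' '.join(keywords) or 'NOTHING'}")
    hardened = resolve_cipher_string(HARDENED_CIPHERS)
    print(f"\n{len(hardened)} suites resolve locally; weak: "
          f"{weak_suites(hardened) or 'none'}")
    for c in hardened[:5]:
        print(f"  {c['name']:<32} {c['protocol']:<8} {c['strength_bits']} bits")
```

One caveat: the expansion step reflects the OpenSSL on the machine running the script, and a current OpenSSL usually has RC4, single DES and the export suites compiled out entirely, whereas the OpenSSL behind Squid on pfSense 2.2 still had them. The script therefore verifies the string, not the firewall; to see what that Squid will actually offer, run `openssl ciphers -v '<the string>'` on the pfSense box itself and compare it with `openssl ciphers -v 'DEFAULT'` there.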



  • No idea, I'm not a cryptologist



  • No worries, thanks much for your help, I will continue to play around and see what I can find out, have a good one!