PfSense 2.3 Squid Reverse Proxy Intermediate Compatibility Config issue
-
When using the GUI to change from Modern to Intermediate, under the Squid Reverse Security Settings section, the squid.conf is updated incorrectly. The first IP entry is updated properly, however subsequent entries (for IPs defined under User Defined Reverse Proxy IPs) are malformed in a minor, but nonfunctional, way. There may be a better way to correct the issue, but for me, I just made the change to the second IPs that made them match up with the layout of the first. Squid isn't something I work with often, so I'm not fully familiar with the expected conf syntax.
The biggest issue being that I have to make this manual change each time I want to update the configuration. Is this a bug in the GUI or am I overlooking something?
Proper example:
https_port 127.0.0.1:123 accel cert=example.crt key=example.key dhparams=/etc/dh-parameters.2048 cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA \ options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE defaultsite=example.com vhostMalformed example:
https_port exampleIP:123 accel cert=example.crt key=example.key dhparams=/etc/dh-parameters.2048 cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE defaultsite=example.com vhostErrors received before manual changes:
2016/04/14 07:39:52| /usr/local/etc/squid/squid.conf:96 unrecognized: 'vhost' 2016/04/14 07:39:52| /usr/local/etc/squid/squid.conf:99 unrecognized: 'm' -
Just for reference, I have identified the issue and submitted a pull request with the correction. The Squid port was configured to correctly break out the real IP config onto two lines. However, the section that handled reverse proxy IPs did not. This became an issue with a single line would exceed the Squid limit of 1024 characters.