Feature #9700: Secure Squid HTTPS Proxy - pfSense Packages - pfSense bugtracker

Actions

#1

Updated by Kyle Klouzal almost 3 years ago

Selecting 'transparent' mode adds the 'https_port' directive into configs but also adds 'intercept' which is undesired.. Any update on this..?

Actions

Copy link

#2

Updated by Viktor Gurov almost 3 years ago

Status changed from New to Feedback

This would involve adding a new configuration block inside Services->Squid->General after "Squid General Settings" > and before "Transparent Proxy Settings". This new configuration block would be called "Secure Proxy Settings" and have the following configuration options:
Enable Secure Proxy - Check Box - Enable/Disable use of 'https_port' configuration directive in squid.conf.
Secure Proxy Port - Number Entry - Port number to use during setup of 'https_port' for secure proxy connections.
Certificate - Dropdown - Certificate to use during setup of 'https_port'. Lists current certificates on system.
Other options may be supplied as deemed necessary.

Already implemented

Kyle Klouzal wrote in #note-1:

Selecting 'transparent' mode adds the 'https_port' directive into configs but also adds 'intercept' which is undesired.. Any update on this..?

Unable to reproduce - enabling 'transparent' mode only adds 'intercept' option, but not 'https_port'
pfSense-pkg-squid 0.4.45_7

Actions

Copy link

#3

Updated by Kyle Klouzal almost 3 years ago

/usr/local/etc/squid/squid.conf output

before enabling 'transparent' mode:

This file is automatically generated by pfSense

Do not edit manually !

http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
...

after enabling 'transparent' mode:

This file is automatically generated by pfSense

Do not edit manually !

http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

'intercept' mode is undesirable..
http://www.squid-cache.org/Doc/config/https_port/
http://www.squid-cache.org/Doc/config/http_port/

IP-Layer NAT interception delivering traffic to this Squid port, NP: disables authentication on the port.

All web traffic immediately starts flowing into squid in intercept mode. Desired approach is to use WPAD/PAC file to point clients to the proxy server.
a 'https_port' config directive without intercept/tproxy is required to enable ssl connection to proxy server facilitated via WPAD/PAC file.

Project

General

Profile

pfSense » pfSense Packages

Custom queries

Feature #9700

Secure Squid HTTPS Proxy

Updated by Kyle Klouzal almost 3 years ago

Updated by Viktor Gurov almost 3 years ago

Updated by Kyle Klouzal almost 3 years ago