VyOS proxy (Squid)

Hi all,

I’m looking for public input on a few questions before I rewrite the proxy functionality within VyOS.
In terms of functionality, I suppose that due to the rise of https connections, it’s not used for caching anymore.
Please let me know your use cases.

Thanks.

I mainly use it in two limited modes.

whitelist
Here, I give limited outside internet access to specific subnets. The access list is a hand-curated list, mostly various auto-update CDN servers like Windows Update, and major CA-operated OCSP servers to cover certificate revocations.

blacklist
Short hand-curated list, unfortunately with some fantastically dumb blocks (blocking all .cn, for instance).

In the past I did use the whitelist as a ghetto hairpin routing as a bad split-horizon DNS hack, since end-user browsers using WPAD via DHCP would favor the proxy’s DNS determination, which honors the local static hostname mappings.

We wanted to use squid in VyOS as a transparent proxy for https requests in the guest network and log that as well, but it turns out that squid can only do that if it’s compiled with the `--with-openssl` option, which is not the case in VyOS. Thus, we decided not to use VyOS for that.

Squid won’t need openssl support if you just want to connect clients to https websites; you only need it if you want to interfere and terminate the client’s ssl session at squid, then have plain text and establish the ssl connection between squid and the destination.
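To make the distinction in the previous reply concrete for the whitelist and guest-network logging use cases mentioned earlier in the thread: without `--with-openssl`, Squid never sees inside the TLS session, so its access.log records only the `CONNECT host:port` tunnel, and that host and port are all a whitelist or a log review can act on. The script below is an added example, not code from this thread or from VyOS; it parses a few constructed Squid native-format access.log lines (hypothetical clients and destinations) and flags tunnels that were allowed to hosts outside the whitelist or to non-443 ports.

```python
"""Summarise HTTPS (CONNECT) traffic from Squid's native access.log format.

Added example, not part of the forum thread or of VyOS. Without SSL
termination Squid only logs the CONNECT target (host:port), so that is the
only information a log-based whitelist check has to work with.
"""
import re
from collections import defaultdict

# Squid native log format (one entry per line):
# time elapsed client status/code bytes method url user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample lines; clients, hosts and addresses are hypothetical.
SAMPLE_LOG = """\
1700000000.101    312 192.168.10.5 TCP_TUNNEL/200 4821 CONNECT update.example.com:443 - HIER_DIRECT/198.51.100.10 -
1700000000.205     40 192.168.10.5 TCP_DENIED/403 3804 CONNECT tracker.example.net:443 - HIER_NONE/- text/html
1700000001.330    512 192.168.10.7 TCP_MISS/200 1093 GET http://ocsp.example.org/ - HIER_DIRECT/203.0.113.5 application/ocsp-response
1700000002.004    820 192.168.10.9 TCP_TUNNEL/200 9023 CONNECT update.example.com:8443 - HIER_DIRECT/198.51.100.10 -
this line is garbage and should be skipped
"""

# Hand-curated whitelist in the spirit of the earlier reply (constructed).
WHITELIST = {"update.example.com", "ocsp.example.org"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def connect_target(entry):
    """Return (host, port) for a CONNECT entry, else None.

    rpartition keeps bracketed IPv6 literals such as [2001:db8::1]:443 intact.
    """
    if entry["method"] != "CONNECT":
        return None
    host, _, port = entry["url"].rpartition(":")
    return host, int(port)


def summarise(log_text, whitelist):
    """Group CONNECT destinations per client and flag allowed tunnels that a
    whitelist-only proxy should not have permitted: off-list hosts, or
    whitelisted hosts on a port other than 443.

    Returns (tunnels_by_client, findings, skipped_line_count).
    """
    by_client = defaultdict(list)
    findings = []
    skipped = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        target = connect_target(entry)
        if target is None:
            continue  # plain HTTP request; the full URL is visible there anyway
        host, port = target
        by_client[entry["client"]].append((host, port, entry["status"]))
        # Only TCP_TUNNEL entries actually carried traffic; denied ones did not.
        allowed = entry["status"].startswith("TCP_TUNNEL")
        if allowed and host not in whitelist:
            findings.append((entry["client"], host, port, "tunnel to host not on whitelist"))
        elif allowed and port != 443:
            findings.append((entry["client"], host, port, "tunnel to non-443 port"))
    return dict(by_client), findings, skipped


if __name__ == "__main__":
    clients, problems, bad = summarise(SAMPLE_LOG, WHITELIST)
    for client, tunnels in clients.items():
        print(client, tunnels)
    for finding in problems:
        print("FINDING:", finding)
    print("unparsed lines:", bad)
```

Note that the GET to the OCSP responder shows its full URL because it is plain HTTP, while every HTTPS entry is reduced to a host and port; the second finding (a whitelisted host reached on port 8443) is the kind of thing a `CONNECT` port restriction in squid.conf, not log review, should stop in the first place.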

Anyone who needs it running as reverse proxy too?

I think reverse proxy is out of scope for squid since we have nginx in place already.

The nginx community version didn’t support NTLM auth websites. I recommended VyOS support haproxy as the reverse proxy.

Yeah, I can see the gap with authentication; squid has a ton of new ones including RADIUS auth. I have started to rewrite the existing features and will check first against LDAP; once that is working I’m going to focus on new features.

Our main use is to give access to Citrix desktops. StoreFront passes an ICA file with a proxy configured. That proxy points to a VyOS router with squid configured, but VyOS is not in control: we use our own configuration file and we have adjusted /etc/init.d/squid3 to make squid use this alternative configuration file.

So effectively VyOS only brings the binaries and starts the service.

Thanks for all your answers. I think we can safely remove the url-filtering, which gives you back some memory on your systems too. I have so far done a 1:1 re-implementation (auth is still missing; once done I can integrate it into the rolling branch) and did skip things like the filtering, since no one uses it anyway. Once it has been released, I think we can implement features to better integrate into real-world config scenarios. @Frank, can you describe the changes you need? Maybe it makes sense to integrate them, or to implement something that lets you store and load an external config file.