
Should we keep web proxy functionality in base 1.2/1.3/2.0?
ClosedPublic

Asked by syncer on Nov 26 2017, 5:50 PM.

Since Squid (the web proxy part) is not maintained by anyone
and has significant problems (like an old hardcoded blacklist)

Please don't reply yes unless you either
A) Are not using this functionality from day to day and are ready to test and improve it
B) Would like to maintain Squid and all packages related to it

Event Timeline


I do use squid in production, but without the hardcoded blacklists, rather my own local list only, and as an explicit proxy with a rejection message locally hosted as HTTP on the inbuilt lighttpd instance (can't serve HTTPS rejections because of certificate trust issues).

I suppose if you did pull it I could live with setting up an external proxy, but I like being able to force a subnet to use only the proxy rather than let it NAT out, at least to capture the HTTPS CONNECT messages when necessary.

With limited people in the project I think the "core" features for a router should be of priority. A lot of things are nice to have, but we need to have a good router.
IPv6 with VRRP, connection tracking, an updated routing engine, IPv6 PD are things we need and they require a lot of design, implementation, testing and documentation.

I vote for the need to have and not the nice to have ;-)

Web proxies are relatively complex by nature and offer an attractive attack surface. I don't like having such software on routers at all, even if they are properly maintained. Better to relegate this functionality to a system which is external to the router.

I suppose I should also mention that I am also using a proxy PAC file hosted on the internal lighttpd instance as well over HTTP (again, can't use HTTPS due to certificate trust issues for unknown client PCs) which is important due to DHCP server URL designation of a PAC/WPAD file currently.

Again, an external proxy could host its own PAC file as well, and I could set that for the DHCP server subnet settings, but having that in the router is helpful. While VyOS is not a UTM gateway router, many gateway routers frequently function additionally as a minimal proxy and often self-host the PAC file for their proxy.

I use squid as a caching proxy to very considerably speed up patching and non-encrypted static web content. I also use the blacklists which are updated every day. While VyOS with Squid and Wifi is a very good integrated router for home and SOHO, I also use it as a building block for sample firewalls you encounter in corporate environments in several showcases.

I already did contribute to the squid package.

@syncer I am the unofficial maintainer of the Squid-Cache RPMs and DEB packages and have been doing it for more than 4 years now.
These days network routers are actually Route Servers and only the low cost devices don't contain any form of proxy functionality on them.
If you need a simple IP router you don't need it and this is most of the use cases of VyOS to my knowledge.
However we might be able to compromise on something in the middle instead of ditching it or other proxies.
Squid-Cache is good for caching but very old, so for filtering there are a couple of other more efficient solutions, and also the nature of the Internet HTTP world has changed so caching is good only for very specific purposes...
So I think that it would be a nice to have, but if it's possible to allow the admin to configure Squid or another proxy outside of the configuration shell it would be a better solution.
Also if you want to intercept traffic into squid you can just use DNAT rules.

Deprecate that function, and push resources to building on core routing and code stability.

We may want to consider another backend for web proxy functionality.

@syncer @aldoleiva1 I have built binaries and installation scripts for Debian (8,8) and Ubuntu (14.04, 16.04, 18.04).
If I have a build node VM or docker container I believe I can at least make a binary package (tar) of Squid.
I have also written a nice helper and library https://github.com/elico/drbl-peer/ which can be used as an acl mechanism for Squid.
The only missing part is a helper that has a list of domains from a hosts style file like SquidGuard and can block or allow a specific whitelist or blacklist with an auto dynamic reload option.

If someone is willing to create a new configuration module that will be used with Squid 4.3 I am willing to take something on me.