23.01 Squid issue
-
@stephenw10 @stephenw10 I upgraded from 22.05 to 23.01.
22.05 was working fine.
After upgrading Squid was running e squidGuard was not.
SquidGuard was appearing in "installed packages" but not in the menu options and neither in the services runnig, and a notification about the mentioned error started to be shown.
I applied the patch and the error has gone. But squidGuard did no appear in the menu options and neither in services running.
I removed squidGuard package and reinstalled. The error was back and squidGuard appears in the installed packages but not in the menu options and neither in services running.
Then I applied the patch and the error has gone, but squidGuard did not appears in the menu options and neither in the services running.
And so on, as many times as I can uninstall and reinstall.
The way I can see to solve this issue is the suidguard.conf to be corrected in the installion package.
The error in the squidguard.conf occurs because a ")" is not present in a line of the code.
-
@hugoeyng said in 23.01 Squid issue:
The error in the squidguard.conf occurs because a ")" is not present in a line of the code.
I'm not sure where you're seeing that. It looks like the errors you're seeing are in the squidguard pkg install script. It fails before it's able to add the menu and service items.
It doesn't fail on a clean install to 23.01 that never had squidguard so it pretty much has to be something in your existing config that's tripping it up. To be clear this is a bug. It should handle existing squidguard config.If you remove the existing squidguard entris fromn your config file it will probably install fine.
What squidguard values do you have in the config? My test box basic config does not hit this:
<squidguardgeneral> <config> <squidguard_enable>on</squidguard_enable> <ldap_enable></ldap_enable> <ldapbinddn></ldapbinddn> <ldapbindpass></ldapbindpass> <ldapcachetime>0</ldapcachetime> <stripntdomain></stripntdomain> <striprealm></striprealm> <ldapversion>3</ldapversion> <rewrite_children>16</rewrite_children> <rewrite_children_startup>8</rewrite_children_startup> <rewrite_children_idle>4</rewrite_children_idle> <enable_guilog>on</enable_guilog> <enable_log>on</enable_log> <log_rotation>on</log_rotation> <adv_blankimg>on</adv_blankimg> <blacklist></blacklist> <blacklist_proxy></blacklist_proxy> <blacklist_url></blacklist_url> </config> </squidguardgeneral> -
@stephenw10 /usr/local/pkg/squidguard.xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
<packagegui>
<copyright>
<![CDATA[
/*- squidguard.xml
- part of pfSense (https://www.pfsense.org)
- Copyright (c) 2015-2023 Rubicon Communications, LLC (Netgate)
- Copyright (C) 2006-2013 Sergey Dvoriancev dv_serg@mail.ru
- All rights reserved.
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
*/
]]>
</copyright>
<name>squidguardgeneral</name>
<title>Proxy filter SquidGuard: General settings</title>
<include_file>/usr/local/pkg/squidguard.inc</include_file>
<!-- Installation -->
<menu>
<name>SquidGuard Proxy Filter</name>
<tooltiptext>Modify the proxy server's filter settings</tooltiptext>
<section>Services</section>
<url>/pkg_edit.php?xml=squidguard.xml&id=0</url>
</menu>
<tabs>
<tab>
<text>General settings</text>
<url>/pkg_edit.php?xml=squidguard.xml&id=0</url>
<active/>
</tab>
<tab>
<text>Common ACL</text>
<url>/pkg_edit.php?xml=squidguard_default.xml&id=0</url>
</tab>
<tab>
<text>Groups ACL</text>
<url>/pkg.php?xml=squidguard_acl.xml</url>
</tab>
<tab>
<text>Target categories</text>
<url>/pkg.php?xml=squidguard_dest.xml</url>
</tab>
<tab>
<text>Times</text>
<url>/pkg.php?xml=squidguard_time.xml</url>
</tab>
<tab>
<text>Rewrites</text>
<url>/pkg.php?xml=squidguard_rewr.xml</url>
</tab>
<tab>
<text>Blacklist</text>
<url>/squidGuard/squidguard_blacklist.php</url>
</tab>
<tab>
<text>Log</text>
<url>/squidGuard/squidguard_log.php</url>
</tab>
<tab>
<text>XMLRPC Sync</text>
<url>/pkg_edit.php?xml=squidguard_sync.xml</url>
</tab>
</tabs>
<service>
<name>squidGuard</name>
<description><![CDATA[Proxy server filter Service]]></description>
<executable>squidGuard</executable>
<starts_on_sync></starts_on_sync>
</service>
<fields>
<field>
<fielddescr>Enable</fielddescr>
<fieldname>squidguard_enable</fieldname>
<description>Check this option to enable squidGuard.</description>
<sethelp>
<![CDATA[
<strong><span class="errmsg">Important: </span></strong>Please set up at least one category on the 'Target Categories' tab before enabling.
See <a href="https://docs.netgate.com/pfsense/en/latest/packages/cache-proxy/squidguard.html">this link for details</a>.
]]>
</sethelp>
<type>checkbox</type>
</field>
<field>
<name>LDAP Options</name>
<type>listtopic</type>
</field>
<field>
<fielddescr>Enable LDAP Filter</fielddescr>
<fieldname>ldap_enable</fieldname>
<description><![CDATA[Enable options for setup ldap connection to create filters with ldap search]]></description>
<type>checkbox</type>
<enablefields>ldapbinddn,ldapbindpass,stripntdomain,striprealm,ldapversion</enablefields>
</field>
<field>
<fielddescr>LDAP DN</fielddescr>
<fieldname>ldapbinddn</fieldname>
<description><![CDATA[Configure your LDAP DN (ex: cn=Administrator,cn=Users,dc=domain)]]></description>
<type>input</type>
<size>60</size>
</field>
<field>
<fielddescr>LDAP DN Password</fielddescr>
<fieldname>ldapbindpass</fieldname>
<description><![CDATA[Password must be initialize with letters (Ex: Change123), valid format: [a-zA-Z/][a-zA-Z0-9/_-./:%+?=&]]]></description>
<type>password</type>
</field>
<field>
<fielddescr>LDAP Cache Time</fielddescr>
<fieldname>ldapcachetime</fieldname>
<description><![CDATA[Number of seconds to cache LDAP Results (recommended value: 300)]]></description>
<default_value>0</default_value>
<type>input</type>
</field>
<field>
<fielddescr>Strip NT domain name</fielddescr>
<fieldname>stripntdomain</fieldname>
<description><![CDATA[Strip NT domain name component from user names (/ or \ separated).]]></description>
<type>checkbox</type>
<default_value>on</default_value>
</field>
<field>
<fielddescr>Strip Kerberos Realm</fielddescr>
<fieldname>striprealm</fieldname>
<description><![CDATA[Strip Kerberos Realm component from user names (@ separated).]]></description>
<type>checkbox</type>
<default_value>on</default_value>
</field>
<field>
<fielddescr>LDAP Version</fielddescr>
<fieldname>ldapversion</fieldname>
<type>select</type>
<default_value>3</default_value>
<options>
<option>
<name>Version 2</name>
<value>2</value>
</option>
<option>
<name>Version 3</name>
<value>3</value>
</option>
</options>
</field>
<field>
<name>Service options</name>
<type>listtopic</type>
</field>
<field>
<fielddescr>Rewrite process children</fielddescr>
<fieldname>rewrite_children</fieldname>
<description>Maximum number of SquidGuard redirector processes that Squid may spawn. Using too few of these helper processes (a.k.a. "helpers") creates request queues. Using too many helpers wastes your system resources. (Default: 16)</description>
<default_value>16</default_value>
<type>input</type>
</field>
<field>
<fielddescr>Rewrite process children startup</fielddescr>
<fieldname>rewrite_children_startup</fieldname>
<description>Sets a minimum of how many SquidGuard processes are to be spawned when Squid starts or reconfigures. (Default: 8)</description>
<default_value>8</default_value>
<type>input</type>
</field>
<field>
<fielddescr>Rewrite process children idle</fielddescr>
<fieldname>rewrite_children_idle</fieldname>
<description>Sets a minimum of how many SquidGuard processes Squid is to try and keep available at all times. (Default: 4)</description>
<default_value>4</default_value>
<type>input</type>
</field>
<field>
<name>Logging options</name>
<type>listtopic</type>
</field>
<field>
<fielddescr>Enable GUI log</fielddescr>
<fieldname>enable_guilog</fieldname>
<description><![CDATA[Check this option to log the access to the Proxy Filter GUI.]]></description>
<type>checkbox</type>
</field>
<field>
<fielddescr>Enable log</fielddescr>
<fieldname>enable_log</fieldname>
<description><![CDATA[Check this option to log the proxy filter settings like blocked websites in Common ACL, Group ACL and Target Categories. This option is usually used to check the filter settings.]]></description>
<type>checkbox</type>
</field>
<field>
<fielddescr>Enable log rotation</fielddescr>
<fieldname>log_rotation</fieldname>
<description><![CDATA[Check this option to rotate the logs every day. This is recommended if you enable any kind of logging to limit file size and do not run out of disk space.]]></description>
<type>checkbox</type>
</field>
<field>
<name>Miscellaneous</name>
<type>listtopic</type>
</field>
<field>
<fielddescr>Clean Advertising</fielddescr>
<fieldname>adv_blankimg</fieldname>
<description><![CDATA[Check this option to display a blank gif image instead of the default block page. With this option the user gets a cleaner webpage.]]></description>
<type>checkbox</type>
</field>
<field>
<name>Blacklist options</name>
<type>listtopic</type>
</field>
<field>
<fielddescr>Blacklist</fielddescr>
<fieldname>blacklist</fieldname>
<description>Check this option to enable blacklist</description>
<type>checkbox</type>
<enablefields>blacklist_proxy,blacklist_url</enablefields>
</field>
<field>
<fielddescr>Blacklist proxy</fielddescr>
<fieldname>blacklist_proxy</fieldname>
<description>
<![CDATA[<br>
Blacklist upload proxy - enter here, or leave blank.<br>
Format: host:[port login:pass] . Default proxy port 1080.<br>
Example: '192.168.0.1:8080 user:pass'
]]>
</description>
<type>input</type>
<size>100</size>
</field>
<field>
<fielddescr>Blacklist URL</fielddescr>
<fieldname>blacklist_url</fieldname>
<description>
<![CDATA[Enter the path to the blacklist (blacklist.tar.gz) here. You can use FTP, HTTP or LOCAL URL blacklist archive or leave blank. The LOCAL path could be your pfsense (/tmp/blacklist.tar.gz).]]>
</description>
<type>input</type>
<size>100</size>
</field>
</fields>
<custom_add_php_command/>
<custom_php_validation_command>
squidguard_validate($_POST, $input_errors);
</custom_php_validation_command>
<custom_php_command_before_form>
squidguard_before_form($pkg);
</custom_php_command_before_form>
<custom_php_after_form_command>
squidGuard_print_javascript();
</custom_php_after_form_command>
<custom_php_resync_config_command>
squidguard_resync();
</custom_php_resync_config_command>
<custom_php_install_command>
squidguard_install_command();
squidguard_resync();
</custom_php_install_command>
<custom_php_deinstall_command>
squidguard_deinstall_command();
</custom_php_deinstall_command>
</packagegui>
-
That's the standard package xml. What matters is the squidguard config lines inside the main pfSense config (/cf/conf/config.xml).
The install script is choking on something there when it tries to create the required tags. Usually when we see those php errors it's because there is something missing from the config that it assumed was there or something already present that it assumed was not. The older version of php was much more forgiving. -
@stephenw10 cf/conf/config.xml
<squidguardgeneral> <config> <squidguard_enable>on</squidguard_enable> <ldap_enable></ldap_enable> <ldapbinddn></ldapbinddn> <ldapbindpass></ldapbindpass> <ldapcachetime>0</ldapcachetime> <stripntdomain></stripntdomain> <striprealm></striprealm> <ldapversion>2</ldapversion> <rewrite_children>16</rewrite_children> <rewrite_children_startup>8</rewrite_children_startup> <rewrite_children_idle>4</rewrite_children_idle> <enable_guilog>on</enable_guilog> <enable_log>on</enable_log> <log_rotation>on</log_rotation> <adv_blankimg></adv_blankimg> <blacklist>on</blacklist> <blacklist_proxy></blacklist_proxy> <blacklist_url>http://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense.tar.gz</blacklist_url> </config> </squidguardgeneral> <squidguarddefault> <config> <dest>PADRAO !blk_blacklists_child !blk_blacklists_malware all</dest> <notallowingip></notallowingip> <deniedmessage></deniedmessage> <redirect_mode>rmod_int</redirect_mode> <redirect>Erro de acesso na ACL!</redirect> <safesearch>on</safesearch> <rewrite>safesearch</rewrite> <enablelog>on</enablelog> </config> </squidguarddefault> -
@hugoeyng Have you tried this yet?
Ref:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html -
@jonathanlee I did not try this because in my point of view this will not solve the root question that is: th squidGuard installation package has a bug in it.
-
@hugoeyng I understand I just keep thinking that something within your configuration is bonked up. You know how when you reinstall a package all your settings stay, if that config is bonked up it will make it appear that the package is messed up. I just keep thinking back to how my configuration was missing a section and kept doing the same thing until I found out that reverse proxy needed to be saved again, it was showing as missing, did not matter how many times I reinstalled the package it would fail until I fixed the configuration.
-
@jonathanlee said in 23.01 Squid issue:
I understand I just keep thinking that something within your configuration is bonked up. You know how when you reinstall a package all your settings stay, if that config is bonked up it will make it appear that the package is messed up. I just keep thinking back to how my configuration was missing a section and kept doing the same thing until I found out that reverse proxy needed to be saved again, it was showing as missing, did not matter how many times I reinstalled the package it would fail until I fixed the configuration.
So, how I can completly remove SquidGuard in a way to make a clean install (without old configurations)?
I already tried some instructions, but did not work. -
@hugoeyng (/cf/conf/config.xml) rename with a .old after add patches and than rename it back to .xml maybe, if not revert it back. @stephenw10 would that work?
-
@jonathanlee I am sorry, but I can not agree your suggestion. I did waht you sugested , but did not work.
Could you send a config.xml that is working with squidGuard? I will replace it in my installation. -
@hugoeyng sure I can I will have to delete my password as it shows in clear text on the config file. How can I send it to you
-
@jonathanlee you can paste here or send to my e-mail
-
@hugoeyng what is your email?
-
@jonathanlee [removed]
-
@hugoeyng security !!!
I would recommend you guys private message each other your contact emails
-
@hugoeyng I sent you a copy of my config file. I hope that helps please don't share it with anyone else. I hope that helps you secure your system and get your URL blocker working again. Use it with a dif checker to see what is bonked up. I was somewhat worried to share this as it's everything, but then I thought, what is the goal? Well, it's to help secure systems with cyber security as the end result. I am 1. just running this at my home it's not really a super secure environment, so no big deal if I share it. I hope that helps you in some way as people are generally good.
-
https://redmine.pfsense.org/issues/13984
Someone else has found a solution while researching this issue
Make sure to upvote
-
This post is deleted! -
@jonathanlee It got worse
WARNING: Current pkg repository has a new PHP major
version. pfSense should be upgraded before
installing any new package.
