Netgate Discussion Forum

    Squid Returned to Packages *** PLEASE TEST ***

      sullrich

      Thanks, committed!

        databeestje

        So enter a log location anyways. It's required.

          blodulv

          Using p5.

          On line 915 of squid.inc a reference is made to $port:

          
             $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
          
          

          I have a port defined, however, at this point in the script the $port variable has nothing assigned to it so I get a bad rule. My fix was just to comment that line out as I'm only using transparent proxy.

            sullrich

            @blodulv:

            Using p5.

            On line 915 of squid.inc a reference is made to $port:

            
               $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
            
            

            I have a port defined, however, at this point in the script the $port variable has nothing assigned to it so I get a bad rule. My fix was just to comment that line out as I'm only using transparent proxy.

            You are not running the latest squid package.  There are only 863 lines in squid.inc on the latest and the pass rules do not look anything like that…

              hadi57

              looks like we're back to:

              stopping /usr/local/etc/rc.d/proxy_monitor.sh…

              again.

              just installed squid and used transparent proxy.

                sullrich

                @hadi57:

                looks like we're back to:

                stopping /usr/local/etc/rc.d/proxy_monitor.sh…

                again.

                just installed squid and used transparent proxy.

                Upgrade to latest snapshot.

                  adrianhensler

                  It's really late here so I could be off the mark; but I also think there's something funky going on. I'm also getting the empty $port creating:

                  There were error(s) loading the rules: /tmp/rules.debug:250: syntax errorpfctl: Syntax error in config file: pf rules not loaded - The line in question reads [250]: pass in quick on sk0 proto tcp from any to !(sk0) port flags S/SA keep state…

                  I've just reinstalled and am using 2.6.5_1-p5.  I'll take another look tomorrow evening if I have a chance.... I'm sure someone will figure it out before I do.

                    databeestje

                    My bad, fixing into P6

                      databeestje

                      Fixed.

                        mhab12

                        I wasn't seeing any results from the white or black lists under the 12-23 build with the latest package and transparent proxy.  Will try a clean install and see if that fixes it.  Anyone else?

                          mhab12

                          Just tried a clean install.  Still not seeing any effect from the access control lists, namely the blacklist and whitelist.  This was on the 12/23 build and Squid 2.6.5_1-p6.  I'm also seeing strange lines (errors?) in the sys log.  A sample follows.

                          Dec 30 16:55:04 php: : Resyncing configuration for all packages.
                          Dec 30 16:55:04 php: : Reloading Squid for configuration sync
                          Dec 30 16:55:04 php: : Resyncing configuration for all packages.
                          Dec 30 16:55:05 php: : Reloading Squid for configuration sync
                          Dec 30 16:55:05 php: : Could not open for writing
                          Dec 30 16:55:05 last message repeated 13 times
                          Dec 30 16:55:05 check_reload_status: reloading filter
                          Dec 30 16:55:05 php: : Could not open for writing
                          Dec 30 16:55:05 last message repeated 13 times
                          Dec 30 16:55:05 squid[668]: Squid Parent: child process 992 started
                          Dec 30 16:55:05 squid[668]: Squid Parent: child process 992 exited with status 1
                          Dec 30 16:55:06 check_reload_status: updating dyndns
                          Dec 30 16:55:08 squid[668]: Squid Parent: child process 1117 started
                          Dec 30 16:55:08 squid[668]: Squid Parent: child process 1117 exited with status 1
                          Dec 30 16:55:11 squid[668]: Squid Parent: child process 1137 started
                          Dec 30 16:55:11 squid[668]: Squid Parent: child process 1137 exited with status 1
                          Dec 30 16:55:11 squid[668]: Exiting due to repeated, frequent failures

                          Squid is in fact running and I can use it manually through my browser or via transparent.  Just not sure why none of the lists are working and the strange log entries.

                            databeestje

                            I still have not found time to test the access control lists. Not sure what's wrong because acls are an integral part of squid.

                            The log line that is exiting with error code 1 is weird, because I don't see that, or at least not as much. The good thing is that the process does not get killed but fails to start up. I see this particularly on boot.

                            I am pondering the thought of recommending squidguard to implement filtering although I have zero experience with that. And I'm not sure if we have a package for that yet.

                              Justinw

                              The latest package causes squid to start twice, that's why we're getting all the squid xxx exited due blah blah blah in the squid logs.  It seems that when the package is synced with squid.inc on startup, it starts squid, then all the .sh files in rc.d are executed and it starts squid again.  With the update to the package I think the *.sh stop was removed to fix the problem with proxy_monitor hanging, and it was effective, I think with some edits to the squid.inc file we could be good to go again.  I'll take a look at it myself, but just wanted to let you know about it.  It also seems one is started with the user root and the other the user proxy.  I'll report back when I know more.

                                mhab12

                                Could the dual instances of Squid be killing the ACLs?  Are the ACLs up and running on one instance but all traffic is being routed through the other?

                                  databeestje

                                  I just performed an upgrade to the latest code and after a reboot there are no errors and it starts properly. At least with the current -p6 version.

                                    Justinw

                                    I'll test it and let you know

                                      mhab12

                                      @databeestje:

                                      I just performed an upgrade to the latest code and after a reboot there are no errors and it starts properly. At least with the current -p6 version.

                                      What version of pfSense are you using?  I'd like to try this too.  I tried a clean install of the 12-23 build, but those errors I posted were from that.  Also, have you tried transparent mode?

                                        Justinw

                                        I'm using pfSense 1.0.1-SNAPSHOT-12-23-2006, and your updated squid 2.6.5_1-p6.  I am using transparent mode with access log enabled.

                                        On a clean boot this is the error I get in the system logs:

                                        Jan 4 09:05:43 php: : Starting Squid
                                        Jan 4 09:05:43 squid[658]: Squid Parent: child process 662 started
                                        Jan 4 09:05:43 squid[657]: Squid Parent: child process 660 started
                                        Jan 4 09:05:43 check_reload_status: check_reload_status is starting
                                        Jan 4 09:05:44 check_reload_status: check_reload_status is starting
                                        Jan 4 09:05:44 (squid): Cannot open HTTP Port
                                        Jan 4 09:05:44 kernel: pid 660 (squid), uid 62: exited on signal 6
                                        Jan 4 09:05:44 squid[657]: Squid Parent: child process 660 exited due to signal 6
                                        Jan 4 09:05:47 squid[657]: Squid Parent: child process 702 started
                                        Jan 4 09:05:47 squid[657]: Squid Parent: child process 702 exited with status 1
                                        Jan 4 09:05:50 squid[657]: Squid Parent: child process 706 started
                                        Jan 4 09:05:50 squid[657]: Squid Parent: child process 706 exited with status 1
                                        Jan 4 09:05:53 squid[657]: Squid Parent: child process 708 started
                                        Jan 4 09:05:53 squid[657]: Squid Parent: child process 708 exited with status 1
                                        Jan 4 09:05:56 squid[657]: Squid Parent: child process 712 started
                                        Jan 4 09:05:56 squid[657]: Squid Parent: child process 712 exited with status 1
                                        Jan 4 09:05:56 squid[657]: Exiting due to repeated, frequent failures

                                        In cache.log I am getting:

                                        2007/01/04 09:05:43| Starting Squid Cache version 2.6.STABLE5 for i386-portbld-freebsd6.1…
                                        2007/01/04 09:05:43| Process ID 662
                                        2007/01/04 09:05:43| With 7232 file descriptors available
                                        2007/01/04 09:05:43| Using kqueue for the IO loop
                                        2007/01/04 09:05:43| Starting Squid Cache version 2.6.STABLE5 for i386-portbld-freebsd6.1...
                                        2007/01/04 09:05:43| Process ID 660
                                        2007/01/04 09:05:43| With 7232 file descriptors available
                                        2007/01/04 09:05:43| Using kqueue for the IO loop
                                        2007/01/04 09:05:43| DNS Socket created at 0.0.0.0, port 61421, FD 10
                                        2007/01/04 09:05:43| Adding nameserver xxx.xxx.xxx.xxx from /etc/resolv.conf
                                        2007/01/04 09:05:43| Adding nameserver xxx.xxx.xxx.xxx from /etc/resolv.conf
                                        2007/01/04 09:05:43| DNS Socket created at 0.0.0.0, port 61798, FD 5
                                        2007/01/04 09:05:43| Adding nameserver xxx.xxx.xxx.xxx from /etc/resolv.conf
                                        2007/01/04 09:05:43| Adding nameserver xxx.xxx.xxx.xxx from /etc/resolv.conf
                                        2007/01/04 09:05:43| Unlinkd pipe opened on FD 10
                                        2007/01/04 09:05:43| Unlinkd pipe opened on FD 15
                                        2007/01/04 09:05:43| Swap maxSize 256000 KB, estimated 1575384 objects
                                        2007/01/04 09:05:43| Target number of buckets: 78769
                                        2007/01/04 09:05:43| Using 131072 Store buckets
                                        2007/01/04 09:05:43| Max Mem  size: 16384 KB
                                        2007/01/04 09:05:43| Max Swap size: 256000 KB
                                        2007/01/04 09:05:43| Store logging disabled
                                        2007/01/04 09:05:43| Swap maxSize 256000 KB, estimated 1575384 objects
                                        2007/01/04 09:05:43| Target number of buckets: 78769
                                        2007/01/04 09:05:43| Using 131072 Store buckets
                                        2007/01/04 09:05:43| Max Mem  size: 16384 KB
                                        2007/01/04 09:05:43| Max Swap size: 256000 KB
                                        2007/01/04 09:05:43| Store logging disabled
                                        2007/01/04 09:05:43| Rebuilding storage in /var/squid/cache (CLEAN)
                                        2007/01/04 09:05:43| Rebuilding storage in /var/squid/cache (DIRTY)
                                        2007/01/04 09:05:43| Using Least Load store dir selection
                                        2007/01/04 09:05:43| Current Directory is /var/run
                                        2007/01/04 09:05:43| Using Least Load store dir selection
                                        2007/01/04 09:05:43| Current Directory is /etc
                                        2007/01/04 09:05:43| Loaded Icons.
                                        2007/01/04 09:05:44| Accepting transparently proxied HTTP connections at 127.0.0.1, port 80, FD 12.
                                        2007/01/04 09:05:44| Accepting proxy HTTP connections at 192.168.104.1, port 3128, FD 13.
                                        2007/01/04 09:05:44| WCCP Disabled.
                                        2007/01/04 09:05:44| Ready to serve requests.
                                        2007/01/04 09:05:43| Loaded Icons.
                                        2007/01/04 09:05:44| commBind: Cannot bind socket FD 17 to 127.0.0.1:80: (48) Address already in use
                                        2007/01/04 09:05:44| commBind: Cannot bind socket FD 17 to 192.168.104.1:3128: (48) Address already in use

                                        FATAL: Cannot open HTTP Port
                                        Squid Cache (Version 2.6.STABLE5): Terminated abnormally.
                                        CPU Usage: 0.059 seconds = 0.016 user + 0.043 sys
                                        Maximum Resident Size: 7964 KB
                                        Page faults with physical i/o: 4
                                        2007/01/04 09:05:44| Done reading /var/squid/cache swaplog (63 entries)
                                        2007/01/04 09:05:44| Finished rebuilding storage from disk.
                                        2007/01/04 09:05:44|        63 Entries scanned
                                        2007/01/04 09:05:44|        0 Invalid entries.
                                        2007/01/04 09:05:44|        0 With invalid flags.
                                        2007/01/04 09:05:44|        63 Objects loaded.
                                        2007/01/04 09:05:44|        0 Objects expired.
                                        2007/01/04 09:05:44|        0 Objects cancelled.
                                        2007/01/04 09:05:44|        0 Duplicate URLs purged.
                                        2007/01/04 09:05:44|        0 Swapfile clashes avoided.
                                        2007/01/04 09:05:44|  Took 0.9 seconds (  67.9 objects/sec).
                                        2007/01/04 09:05:44| Beginning Validation Procedure
                                        2007/01/04 09:05:44|  Completed Validation Procedure
                                        2007/01/04 09:05:44|  Validated 63 Entries
                                        2007/01/04 09:05:44|  store_swap_size = 152k
                                        2007/01/04 09:05:44| storeLateRelease: released 0 objects

                                        It seems strange to me that PHP thinks it's starting squid when no other package does that, it looks like it still gets executed that way and in the rc.d?  I'm thinking that the bind error and the one that stalls out is the second one being started, because after all those error messages under status > services squid is still running and a ps -U proxy reveals:

                                        662  ??  S      0:01.49 (squid) -D (squid)

                                        Still looking into how to fix it on my end, any help is appreciated though.

                                        Update:
                                        After changing squid.sh to squid in the rc.d so it doesn't start up on boot I get this in the system logs:

                                        php: : Starting Squid
                                        Jan 4 09:36:24 check_reload_status: check_reload_status is starting
                                        Jan 4 09:36:24 check_reload_status: reloading filter
                                        Jan 4 09:36:25 squid[664]: Squid Parent: child process 669 started
                                        Jan 4 09:36:25 check_reload_status: check_reload_status is starting
                                        Jan 4 09:36:26 login: login on ttyv0 as root

                                        clean start

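The double start diagnosed in the post above can be picked out of the system log mechanically: two distinct Squid parent PIDs spawn children within the same few seconds, and one of them then crash-loops until it gives up. This is an added example, not part of the original thread or of the pfSense package; the sample lines are an excerpt of the syslog output posted above, and the function name `analyse`, the 5-second window and the assumed year are choices made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Excerpt of the syslog lines posted above (syslog omits the year; 2007 is assumed).
SAMPLE_SYSLOG = """\
Jan 4 09:05:43 php: : Starting Squid
Jan 4 09:05:43 squid[658]: Squid Parent: child process 662 started
Jan 4 09:05:43 squid[657]: Squid Parent: child process 660 started
Jan 4 09:05:44 (squid): Cannot open HTTP Port
Jan 4 09:05:44 kernel: pid 660 (squid), uid 62: exited on signal 6
Jan 4 09:05:44 squid[657]: Squid Parent: child process 660 exited due to signal 6
Jan 4 09:05:47 squid[657]: Squid Parent: child process 702 started
Jan 4 09:05:47 squid[657]: Squid Parent: child process 702 exited with status 1
Jan 4 09:05:50 squid[657]: Squid Parent: child process 706 started
Jan 4 09:05:50 squid[657]: Squid Parent: child process 706 exited with status 1
Jan 4 09:05:56 squid[657]: Exiting due to repeated, frequent failures
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) squid\[(?P<parent>\d+)\]: (?P<msg>.*)$")
CHILD_RE = re.compile(r"Squid Parent: child process (\d+) (started|exited.*)$")


def analyse(log_text, window=timedelta(seconds=5), year=2007):
    """Group Squid syslog lines by parent PID and flag a double start."""
    parents = defaultdict(lambda: {"first_start": None, "started": 0,
                                   "failed": 0, "gave_up": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # php:, kernel: and other daemons are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        stats = parents[int(m["parent"])]
        child = CHILD_RE.search(m["msg"])
        if child and child.group(2) == "started":
            stats["started"] += 1
            stats["first_start"] = stats["first_start"] or ts
        elif child:
            stats["failed"] += 1
        elif "repeated, frequent failures" in m["msg"]:
            stats["gave_up"] = True

    # Two parents whose first child start falls inside the same window
    # were launched by separate start paths (here: squid.inc and rc.d).
    starts = sorted((s["first_start"], pid)
                    for pid, s in parents.items() if s["first_start"])
    concurrent = set()
    for (t1, a), (t2, b) in zip(starts, starts[1:]):
        if t2 - t1 <= window:
            concurrent.update((a, b))

    return {
        "parents": dict(parents),
        "concurrent_parents": sorted(concurrent),
        "crash_looped": sorted(p for p, s in parents.items() if s["gave_up"]),
        "survivors": sorted(p for p, s in parents.items()
                            if s["started"] and not s["failed"]),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_SYSLOG))
```

On the excerpt, parents 657 and 658 are reported as concurrent, 657 as the instance that crash-looped, and 658 as the one left serving requests.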
                                          sullrich

                                          Jan 4 09:05:44    (squid): Cannot open HTTP Port
                                          Jan 4 09:05:44    kernel: pid 660 (squid), uid 62: exite

                                          webConfigurator running on port 80?

                                            bender

                                            I am testing pfSense 1.0.1-SNAPSHOT-12-28-2006 and squid 2.6.5_1-p6

                                            Everything seemed to be working fine until I tried adding some access control lists ;)  I tried entering a mac address in the "Unrestricted MAC Addresses" text box.

                                            Now when I enter: /usr/local/sbin/squid status
                                            at a shell prompt, I get:

                                            2007/01/04 20:50:37| aclParseAclLine: Invalid ACL type 'arp'
                                            FATAL: Bungled squid.conf line 40: acl unrestricted_macs arp "/var/squid/acl/unrestricted_macs.acl"
                                            Squid Cache (Version 2.6.STABLE5): Terminated abnormally.

                                            I believe that this error would occur when the configuration parameter: --enable-arp-acl
                                            was not included when squid was compiled.

                                            I haven't had a chance to dig through the php code yet to see if or where this might be missing but wanted to know if maybe I have missed something obvious before I do.

                                            Thanks.
