Squid Returned to Packages *** PLEASE TEST ***

mhab12

Thanks again for all the squid work.  Hope nobody minds if databeestje gets the $125 remaining on my bounty.  I'm really looking forward to the last few kinks getting worked out soon.

Maybe some of the other Squid users out there could pitch in a bit too, data deserves it!

sullrich

Data deserves every penny plus some more…

jahonix

@databeestje:

I have not had time or incentive to fix these errors yet.

Woops, sorry!
I thought of recalling that these fields were blank filled on install but that might not be committed yet.

Thanks for the hard work you put in squid!

Level 10

I fixed the problem on that way:

(well, it's a dirty hack, but it works out with 2.6.5_1-p9)

Tab "Access control"

Allowed subnets: use a local subnet (that subnet don't have to exist realy in your network), that dosn't fit to the proxy-interface. (the interface-subnet is used automaticly)

Unrestricted IPs: the same as subnets above - an ip that dosn't fit to the local subnet on proxy-interface

Banned host addresses: an ip not used in your local network

Whitelist: 0.0.0.0 - it means all ip-ranges
Blacklist: an ip-adress not used in your local network

Have nice proxying ;)

AkumaKuruma

mines crashing with the following

Jan 16 08:40:58 squid: Bungled squid.conf line 70: http_access allow localnet 
Jan 16 08:40:33 php: : Not installing nat reflection rules for a port range > 500 
Jan 16 08:40:33 php: : SQUID is installed but not started. Not installing redirect rules. 
Jan 16 08:40:33 php: : SQUID is installed but not started. Not installing redirect rules. 
Jan 16 08:40:28 php: : Not installing nat reflection rules for a port range > 500 
Jan 16 08:40:26 check_reload_status: reloading filter 

sounds like it doesnt like me having the higher ports forwarded. but that shouldnt really matter to squid.

databeestje

Not sure why you would want a squid without a valid localnet decleration.

Also, when you check the allow networks on local interfaces you automatically will have this filled out. Since this is what most users will want.

databeestje

Version p10 just committed.

This should fix the empty ACL problem. I'll see how hard it is to rewrite the acl lists into a line by line format instead of commaseperated.

Mikhail

@databeestje:

Version p10 just committed.

This should fix the empty ACL problem. I'll see how hard it is to rewrite the acl lists into a line by line format instead of commaseperated.

it does't work…
Jan 16 19:07:42 kernel: pid 62862 (squid), uid 0: exited on signal 6 (core dumped)
Jan 16 19:07:41 squid: No port defined

Mikhail

also i can't make any changes on General settings page.

The following input errors were detected:

* You must start log location with a / mark
    * That is not a valid log location dir
    * You can not run squid on the same port as the webgui

P.S. I am not using logs…

AkumaKuruma

Data: i ended up having to wipe squid completely off including manually deleting the squid config files for it fo finally work. all the settings were correct and enabled as they should have been. guess it was an artifact from a previous version that was interfering. last test was P9 and was blocking what i was telling it too.

I'll try out P10 when i get home tonight.

nepumuk

Squid now works with empty fields here - great!

superwutze

coredumps here too

latest snapshot and p10 and only "pid xxxx (squid), uid 0: exited on signal 6 (core dumped)"

pkg uninstalled, used pkg_delete to remove both squid-packages, 'find / -name "squid"' and all deleted and even removed all squid lines from /cf/conf/config.xml but it stays the same.

my pkg_info shows the following:

bsdinstaller-2.0.2006.0728 BSD Installer mega-package
cpdup-1.05          A comprehensive filesystem mirroring program
lighttpd-1.4.13     A secure, fast, compliant, and very flexible Web Server
lua-5.0.2_1         Small, compilable scripting language providing easy access
openldap-client-2.3.24 Open source LDAP client implementation
openldap-client-2.3.30 Open source LDAP client implementation
openntpd-3.7p1,2    OpenBSD's Network Time Protocol daemon
pcre-6.7            Perl Compatible Regular Expressions library
perl-5.8.8          Practical Extraction and Report Language

what packages can safely be removed (dependencies from squid)? maybe there is some old version in there that has to be reinstalled.

AkumaKuruma

any plans to get wildcards working? i.e.  *.blockeddomain.com would block www.blockeddomain.com and ftp.blockeddomain.com

or is this something outside the scope of what the default squid package can do?

as for testing P10, I cant get it to work except for having all fields have an entry in them. I have to have dummy information in the top 3 fields (using 192.168.255.0/24 block since my network isnt). so as far as i can tell, P10 doesnt fix anything and runs identical to P9

mhab12

I know 'wildcards' worked in p9.  I was able to enter google.com in the blacklist and was unable reach any destination at google (i.e. mail.google.com, maps.google.com, etc.)  I tried others that I knew had many subdomains and got the same result.  That said, true wildcards were not working as they used to.  You can not enter an * in the blacklist and only allow the whitelist.  Haven't had a chance to try out p10.

As far as ftp goes, I believe Squid is an HTTP proxy only.  Things like ftp.host.com (i assume you meant the ftp protocol) would circumvent any sort of blacklisting that was actually working.  I too would like something that could block traffic on all protocols (i.e. external proxies, remote desktop, ftp, etc.) but for now I think our only option is Squid or the captive portal (which has other limitations).

databeestje

Then it's not p10 you are running.

I have tested this on 3 different machines, and I have just reinstalled the package from the package screen. And on all of those I see no core dumps and it works with empty fields.

Are you using reinstall xml gui components or reinstall package? Since there are 2 icons to choose from.
I use the former. If you deinstall the package and then install it again that works all the same.
No need to remove packages from the CLI. I have not required it.

With regards to the blacklisting I employ a dstdomain match. so .domain.com would match all subdomains of domain.com. So no * is required. we are using dstdom regex matching for the black and whitelist.

Mikhail:
If the general settings page barks at you that you need to configure a setting. CONFIGURE A SETTING.
It's there for a reason and I really don't care that you think that you don't need it.

jahonix

@databeestje:

If the general settings page barks at you that you need to configure a setting. CONFIGURE A SETTING.

OK, please help me out here.
Which setting is required when the log says:

kernel: pid 93017 (squid), uid 0: exited on signal 6 (core dumped)
squid: No port defined

The only port I can imagine is the proxy port and that one is set to 3128.
Transparent mode is disabled currently since squid doesn't start and this would be quite … unproductive ;-)
What else can I do?

Thanks for your input!

Mikhail

I just installed v.11 - it still does't work… again problems with general settings page :'(

databeestje

And have you put in a log location field?
e.g. /var/squid/log ?

databeestje

If the general settings page complains even after providing all required fields I can troubleshoot this.

I have just committed version p13. Warning, the config format for a number of fields has changed. They should be migrated automatically. If they are not, try reinstalling the package again. When I tested this I needed 2 attempts after which it succesfully migrated the fields.

databeestje

and p14 which might actually migrate the config correctly.