Squid Returned to Packages *** PLEASE TEST ***

databeestje

I have to debug the "whitelist access only" to see why it doesn't work. The only important part with the acls is the ordering. and allowed_subnets and localnet are last in the queue. I have no idea on this one yet.

With regards to access to the logs, none of that is currently implemented. Access to the cache.log is not such a problem. Since that one is small and for debugging purposes only. The access log however needs something akin to sarge or webalizer for generating anything usefull.

Syslog would be a workaround. Although by far the easiest way to move the logs around. Although this would be a bad idea on  a larger installation.

jahonix

@mhab12:

@ jahonix
What version of pfSense are you running?

1.0.1-SNAPSHOT-01-13-2007
built on Sun Jan 14 15:07:53 EST 2007

jahonix

Thanks, databeestje, we have a working squid now. p15 finally did it.

superwutze

well, here it still dumps, but no more at startup. no matter whether transparent or not.
i'm running 1.0.1-SNAPSHOT-01-13-2007 and just download the next one. squid is p15.

squid starts without problems but dumps at any access.

another thing: when i disable 'allow on interface' but include the interface's ip-subnet to the allowed subnets it denies me access (and no dump!).

so, the download is ready, i'll post again after update.
edit:
now i'm running 1.0.1-SNAPSHOT-01-19-2007 and it still is the same, core dump at access.
sure there are no dependencies that need updates?

databeestje

better check if the acl(s) you use are in the new line by line format.

so no , in there.

mhab12

Has anyone had any luck so far in getting a wildcard to work in the blacklist or somehow been able to create a 'whitelist only' proxy?

MerlinWV

There is still some wrong …
Clean install of 1.0.1 iso, immediate upgrade to latest snapshot (2007-01-19), install squid.

It starts and seems to be running on the default port (3128), but if I try to change anything on the General settings page (i.e. Admin e-mail, displayed hostname, PORT), I get the notorious:
The following input errors were detected:
You can not run squid on the same port as the webgui

Any hints? I'm running pfSense with the WEBGUI on the default HTTPS-Port of 443 and I'm trying to set the Proxy-Port to 8080 ...

jahonix

@MerlinWV:

The following input errors were detected: You can not run squid on the same port as the webgui

Change the webGUI port to: HTTP:81, save it and set it back to https:443
This cured it over here on 2 installs

Maybe it's just the unused reference to HTTP:80 that squid doesn't like, but I don't know.
I have set squid to transparent mode on port 80, FWIW

superwutze

found it!

i had to activate and deactivate the upstream-proxy! no idea why that but it solved it!! p15 running!!

Justinw

I gave it a test run, p15 seems to be working great for me, I will update you if I find out anything new in my logs!

MerlinWV

Setting the WebGUI-Port solved it.
No need to set it to http:81 and back to https:443.

Just specifying a port in the WebGUI-Field does the trick (even if it's the default https port of 443).

Which gives me the suspicion that the "WebGUI-Port-Field is used for a RegEx - and an empty RegEx matches all … I'll test if a WebGui-Port of 80 prevents a Proxy-Port of 8080 or 8000 ...

SatireWolf

Woot! I'm going to give this a try in the next week or two on the big iron box I've been running squid on since before it got b0rken'd. I have a 60+ day uptime on that box, squid hasn't been restarted once.

ju5t4s

Hi, can you recompile squid with –enable-arp-acl option, because, arp acls not working.

thank you very much :)

mhab12

Any luck yet with white list only or any kind of wild card in the black list field?  Just tried with a clean install of snapshot 1-24 and I'm still making it to any site.  Maybe we'll have to do something like ipCop and create a whitelist only check box.  I suspect in their implementation it removes the blacklist_acl completely and leaves only the whitelist in squid.conf.  Just a thought, my programming / text edit skills in FreeBSD are marginal at best.

Any ideas data?

AkumaKuruma

what kind of wildcard are you looking for in the blocked domains? trying to be able to block domains like sex ? cuz that WOULD be nice.
currently though it can block all subdomains of a domain. wonder if it will work on top domains. would be neat if i could block, say, all of .ru (havent tried so it may already do it). course i could do the same thing by running an internal DNS.

ju5t4s

There is also some difficulties if i setup my proxy without transparent proxy and Allow users on interfase, with Allowed subnets, then squid.inc create

acl allowed_subnets src XXX.XXX.XXX.XXX/XX

but there is no

http_access allow allowed_subnets

also waiting for recompiled squid binaries with –arp

mhab12

Blacklisting TLDs does work as reported in this post some time ago.  I want to be able to block all sites not explicitly named in my whitelist.

ju5t4s

for whitelisting and blacklisting use wildcard "."

example for blacklist:

.sex.
.xxx.
.ch
.net
.123456.

if you leave only "." dot in list then your users can access only sites listed in Whitelist

Best regards
Ju5t4s

mhab12

The period worked!!!! Thank you so much ju5t4s.

PC_Arcade

@AkumaKuruma:

what kind of wildcard are you looking for in the blocked domains? trying to be able to block domains like sex ? cuz that WOULD be nice.
currently though it can block all subdomains of a domain. wonder if it will work on top domains. would be neat if i could block, say, all of .ru (havent tried so it may already do it). course i could do the same thing by running an internal DNS.

I tried (as a matter of interest) to block all .ru domains, but using .ru in the blocked area blocks sites like this forum :lol: I'm not sure it should though.

It shouldn't block forum should it? I can understand it blocking foru, as there's nothing after the ru and it would match the wildcard pattern, but not forum