Netgate Discussion Forum

    Squid-reverse

      Cino

      @trendchiller  I had time to test and so far so good. Able to have it point to 4 different servers behind squid. Wildcard sub-host works good!.. I still have to test HTTPS but I'm not in a rush to test…

      Only drawback I have found are global settings.  I like having forwarded_for off, via off for proxy but need them on when using reverse-proxy so the web server correctly puts the IPs in its logs. To work around this, I created another squid.conf file just for reverse-proxy and started another instance of squid on the box.... Major benefit here: I can keep access.log separate and pretty soon turn off logging for reverse-proxy since the web servers keep their own logs. And have different global settings.

      I ended up hacking squid.inc so it would stop/restart both instances of squid. This way I don't need to start the second instance from the cmdline.

      Is it pretty? No but works for me :-) Not sure if I'll keep it this way, may just go back to using pound but found squid reverse-proxy is faster than pound... and faster is good...lol...

      1 Reply Last reply Reply Quote 0
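An added example, not part of the original posts or of the pfSense package: one way to generate the separate reverse-proxy configuration described in the post above, so that `forwarded_for on` and `via on` apply to that instance only. All paths, addresses and host names are placeholders, and `write_reverse_conf` and `conf_clashes` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: generate a separate squid.conf for a reverse-proxy-only
# instance. Paths, addresses and host names are placeholders.
write_reverse_conf() {  # $1 = output file
    cat > "$1" <<'EOF'
# Own PID file and logs so this instance does not collide with the
# forward proxy (which keeps "forwarded_for off" and "via off").
pid_filename /var/run/squid/squid-reverse.pid
access_log /var/log/squid/reverse-access.log squid
cache_log /var/log/squid/reverse-cache.log
icp_port 0

# Accelerator listener; vhost routes on the Host header.
http_port 203.0.113.10:80 accel defaultsite=www.example.com vhost
cache_peer 192.168.1.10 parent 80 0 no-query originserver name=web1
cache_peer 192.168.1.11 parent 80 0 no-query originserver name=web2

acl site_www dstdomain www.example.com
acl site_apps dstdomain .apps.example.com
cache_peer_access web1 allow site_www
cache_peer_access web1 deny all
cache_peer_access web2 allow site_apps
cache_peer_access web2 deny all

# Published sites only; never behave as an open forward proxy.
http_access allow site_www
http_access allow site_apps
http_access deny all
never_direct allow all

# Header policy for this instance only: back ends see the client IP.
# Squid appends to any X-Forwarded-For sent by the client, so back ends
# should trust only the last entry.
forwarded_for on
via on
EOF
}

# Print directives that are set to the same value in both files.
conf_clashes() {  # $1 = main squid.conf, $2 = reverse-proxy conf
    for d in pid_filename access_log cache_log http_port; do
        a=$(sed -n "s/^$d[[:space:]]*//p" "$1" | head -n 1)
        b=$(sed -n "s/^$d[[:space:]]*//p" "$2" | head -n 1)
        [ -n "$a" ] && [ "$a" = "$b" ] && echo "$d"
    done
    return 0
}
```

The second instance is then started with `squid -f` pointing at the generated file; `conf_clashes` only compares directives that both files set explicitly.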
        wheelz

        I'm trying to get the dansguardian package and the squid-reverse package to work together using ntlm single sign on.  In the guides I have it says this:

        As Samba-3.x has its own authentication helper there is no need to build any of the Squid
        authentication helpers for use with Samba-3.x (and the helpers provided by Squid won't work if you
        do). You do however need to enable support for the NTLM scheme if you plan on using this. Also
        you may want to use the wbinfo_group helper for group lookups
        --enable-auth="ntlm,basic"
        --enable-external-acl-helpers="wbinfo_group"

        I'm not that familiar with how pfsense packages are compiled.  Is the squid-reverse package compiled with these options?  Or is that even the right question to ask? (trying to muddle my way through this to help)

          Cino

          I can't speak for the developer but here is the output of squid -v

          
          Squid Cache: Version 3.1.19
          configure options:
            '--with-default-user=squid'
            '--bindir=/usr/local/sbin'
            '--sbindir=/usr/local/sbin'
            '--datadir=/usr/local/etc/squid'
            '--libexecdir=/usr/local/libexec/squid'
            '--localstatedir=/var/squid'
            '--sysconfdir=/usr/local/etc/squid'
            '--with-logdir=/var/log/squid'
            '--with-pidfile=/var/run/squid/squid.pid'
            '--enable-removal-policies=lru heap'
            '--disable-linux-netfilter'
            '--disable-linux-tproxy'
            '--disable-epoll'
            '--disable-translation'
            '--enable-auth=basic digest negotiate ntlm'
            '--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB squid_radius_auth LDAP SASL YP'
            '--enable-digest-auth-helpers=password ldap'
            '--enable-external-acl-helpers=ip_user session unix_group wbinfo_group ldap_group'
            '--enable-ntlm-auth-helpers=smb_lm'
            '--enable-negotiate-auth-helpers=squid_kerb_auth'
            '--enable-storeio=ufs diskd aufs'
            '--enable-disk-io=AIO Blocking DiskDaemon DiskThreads'
            '--enable-delay-pools'
            '--enable-ssl'
            '--with-openssl=/usr'
            '--enable-ssl-crtd'
            '--enable-icmp'
            '--enable-cache-digests'
            '--enable-wccpv2'
            '--enable-referer-log'
            '--enable-useragent-log'
            '--enable-arp-acl'
            '--enable-ipfw-transparent'
            '--enable-pf-transparent'
            '--enable-ipf-transparent'
            '--enable-follow-x-forwarded-for'
            '--disable-ecap'
            '--disable-loadable-modules'
            '--disable-kqueue'
            '--prefix=/usr/local'
            '--mandir=/usr/local/man'
            '--infodir=/usr/local/info/'
            '--build=i386-portbld-freebsd8.1'
            'build_alias=i386-portbld-freebsd8.1'
            'CC=cc'
            'CFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include  -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing'
            'LDFLAGS= -L/usr/local/lib -L/usr/local/lib -rpath=/usr/lib:/usr/local/lib -L/usr/lib'
            'CPPFLAGS=-I/usr/local/include'
            'CXX=c++'
            'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing'
            'CPP=cpp'
            --with-squid=/usr/ports/www/squid31/work/squid-3.1.19 --enable-ltdl-convenience
          
          

          From what I can tell, the options are enabled

            wheelz

            Oh… heh... still learning some commands. :)  thx

              marcelloc

              I think it's built with all options except experimental.

              Elite Training: http://sys-squad.com

              Help a community developer! ;D

                wheelz

                I noticed when I start it manually that the package puts a parameter into squid.conf that squid doesn't know about.  I get this when I restart the service:

                2012/04/04 11:34:08| parseConfigFile: squid.conf:18 unrecognized: 'sslcrtd_children'

                I looked up that parameter (http://www.squid-cache.org/Doc/config/sslcrtd_children/) and it shows it is available in 3.1 3.2 3.HEAD… so I did a /usr/local/sbin/squid -v and got this:

                Squid Cache: Version 2.7.STABLE9

                ???  I installed it from the packages through the GUI...  Why does Cino's show 3.1.19 and mine older?  Is that the right version?

                1 Reply Last reply Reply Quote 0
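An added example, not code from the thread or from the package: a shell check that covers both questions raised above, whether the installed binary was built with the NTLM scheme and the wbinfo_group helper, and whether its version is new enough for `sslcrtd_children` (3.1 or later, per the documentation page linked in the post). The function names are hypothetical; the sample text is abridged from the `squid -v` output posted in the thread.

```shell
#!/bin/sh
# Added example: inspect `squid -v` text for the NTLM build prerequisites
# and for a version new enough to know sslcrtd_children (3.1+ per the docs
# linked in the thread). Function names are hypothetical.

# Abridged from the output posted in the thread (2.7: version line only).
SQUID31="Squid Cache: Version 3.1.19
configure options:
  '--enable-auth=basic digest negotiate ntlm'
  '--enable-external-acl-helpers=ip_user session unix_group wbinfo_group ldap_group'"
SQUID27="Squid Cache: Version 2.7.STABLE9"

# Print the value list of one configure option read from stdin.
# Handles one-option-per-line and single-line output, spaces or commas.
squid_opt() {  # $1 = option name without leading dashes
    tr "'" '\n' | sed -n "s/^--$1=//p" | tr -d '"' | tr ',' ' ' | head -n 1
}

# Succeed when value $2 is listed for option $1 in `squid -v` text $3.
squid_has() {
    for v in $(printf '%s\n' "$3" | squid_opt "$1"); do
        [ "$v" = "$2" ] && return 0
    done
    return 1
}

# Succeed when text $3 reports at least version $1.$2; 2 = no version found.
squid_at_least() {
    ver=$(printf '%s\n' "$3" |
        sed -n 's/^[[:space:]]*Squid Cache: Version \([0-9]*\)\.\([0-9]*\).*/\1 \2/p' |
        head -n 1)
    [ -n "$ver" ] || return 2
    set -- "$1" "$2" $ver   # now $3/$4 = reported major/minor
    [ "$3" -gt "$1" ] || { [ "$3" -eq "$1" ] && [ "$4" -ge "$2" ]; }
}

# Print every problem found; succeed only when there is none.
squid_ntlm_report() {  # $1 = `squid -v` text
    rc=0
    squid_at_least 3 1 "$1" || { echo "version predates sslcrtd_children"; rc=1; }
    squid_has enable-auth ntlm "$1" || { echo "ntlm scheme not listed"; rc=1; }
    squid_has enable-external-acl-helpers wbinfo_group "$1" ||
        { echo "wbinfo_group helper not listed"; rc=1; }
    return $rc
}
# On the firewall: squid_ntlm_report "$(/usr/local/sbin/squid -v)"
```

Running the check after every package install or removal catches the case seen in this thread, where another package replaced the Squid binary with an older one.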
                  marcelloc

                  It is.

                  what packages do you have installed?

                    wheelz

                    Just the following:

                    squid-reverse
                    dansguardian
                    sarg

                    Also as you know I installed samba to try to get the ntlm working.

                      Tikimotel

                      try reinstalling the "squid-reverse" package, maybe dansguardian installed the squid package as a dependency and overwrote your squid-reverse installed version.

                        wheelz

                        Thanks!  It is Dansguardian package that is causing it.  I'll post what I found there.

                          marcelloc

                          @wheelz:

                          Thanks!  It is Dansguardian package that is causing it.  I'll post what I found there.

                          Dansguardian forces a squid2 install by itself.

                          It's not in the pfsense package installation process.

                          I'm working on squid3 as a dependency for dansguardian, but it's not done yet.

                            Matthias

                            @trendchiller:

                            Hi !
                            we'll have to have a look why the pbi's are not built :-(
                            sorry…

                            Any news on the problem? I'd really like to try squid-reverse.

                              wheelz

                              @marcelloc:

                              @wheelz:

                              Thanks!  It is Dansguardian package that is causing it.  I'll post what I found there.

                              Dansguardian forces a squid2 install by itself.

                              It's not in the pfsense package installation process.

                              I'm working on squid3 as a dependency for dansguardian, but it's not done yet.

                              I just tested unloading both packages, then loading dansguardian first and squid-reverse second.  This seems to be working on my setup now with the newer squid version (however still not able to filter based on ntlm user).

                                marcelloc

                                Hi all,

                                I've merged squid-reverse and squid3 into one package for pfsense 2.0 with reverse options in a brand new service-> reverse proxy menu.

                                Check screen shots on its thread
                                http://forum.pfsense.org/index.php/topic,48347.0.html

                                Regards,
                                Marcello Coutinho

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.