Netgate Discussion Forum

    Squid Blocking Web Access

    pfSense Packages
    19 Posts 2 Posters 38.0k Views
    • marcellocM
      marcelloc
      last edited by

      qwaven,

      If you have a backup file from before the squid install, just restore it to remove the squid conf.

      If you do not have one, you can try to back up the config, edit the file to remove the squid options and then restore it.

      Do this carefully so as not to spoil your pfsense.

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

      1 Reply Last reply Reply Quote 0
      • Q
        qwaven
        last edited by

        Hi Marcelloc,

        Thanks for your help.

        I've since reinstalled the firewall system. Unfortunately I appear to be having the exact same issue. I believe there is some issue with the Squid package or a setting I'm missing within Snort or Squid.

        Steps I took:

        -Install PF Sense and verify normal network activity works
        -Install SNORT; setup; and tested loading websites works fine. Service is loaded without issue.
        -Installed Squid3; setup; started. Turn on transparent mode and the error appears!
        If I turn off transparent and direct my browser to the firewall ip port 3128 I can surf the internet through the proxy.

        -I even tried keeping Squid transparent mode off, and manually adding a firewall rule to redirect port 80 to Squid (same as transparent mode) and I get the SAME error.

        
        ERROR
        The requested URL could not be retrieved
        
        While trying to retrieve the URL: /
        
        The following error was encountered:
        
            Invalid URL 
        
        Some aspect of the requested URL is incorrect. Possible problems:
        
            Missing or incorrect access protocol (should be `http://'' or similar)
            Missing hostname
            Illegal double-escape in the URL-Path
            Illegal character in hostname; underscores are not allowed 
        
        Your cache administrator is admin@admin.com. 
        
        

        Any thoughts? No other setup has been done with PF Sense; fresh install.

        Thanks!

        1 Reply Last reply Reply Quote 0
        • marcellocM
          marcelloc
          last edited by

          Check if the first lines of squid.conf have transparent set in front of the listening IP address(es).

          1 Reply Last reply Reply Quote 0
          • Q
            qwaven
            last edited by

            Thanks. You will need to advise how to do that. I am very unfamiliar with how to do this on PF Sense. I take it this would be via command line?

            Please let me know,

            Cheers!

            1 Reply Last reply Reply Quote 0
            • marcellocM
              marcelloc
              last edited by

              You can use at console/ssh/diagnostics-> command prompt : head -20 /usr/local/etc/squid/squid.conf

              1 Reply Last reply Reply Quote 0
              • Q
                qwaven
                last edited by

                Hi,

                I see the following for my interfaces.

                
                http_port 10.10.10.1:3128
                http_port 127.0.0.1:3128
                http_port 127.0.0.1:3128 intercept
                icp_port 7
                
                

                Does that look correct or should my LAN IP also have the intercept?

                Thanks for your help!

                1 Reply Last reply Reply Quote 0
                • marcellocM
                  marcelloc
                  last edited by

                  change this line (using Diagnostics-> edit file) on /usr/local/etc/squid/squid.conf

                  from:
                  http_port 10.10.10.1:3128

                  to:
                  http_port 10.10.10.1:3128 transparent

                  and test transparent access after executing killall -HUP squid on console/ssh/diagnostics-> command prompt

                  1 Reply Last reply Reply Quote 0
                  • Q
                    qwaven
                    last edited by

                    I was having trouble getting the command to work. Squid would not start at all with transparent keyword.

                    However if I use intercept

                    
                    10.10.10.1:3128 intercept
                    
                    

                    Squid will start, but I still encounter the same error. :(

                    NOW, I did some experimenting and found that if I omit the IP Address and just use:

                    
                    http_port 3128 intercept
                    
                    

                    This WORKS! at last. Verified on an http header site and I see that "it" sees my proxy details.

                    Is there any issue with me doing this? Security concerns primarily? All of my internal networks should pass through the proxy anyhow, I just have not configured them yet! :)

                    Thanks for your help!

                    Update: Turns out I have one more issue! If I reboot, my configuration reverts back to before I made any changes…. Is there like an "apply" I need to activate? I did the changes via SSH.

                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      @qwaven:

                      Is there any issue with me doing this? Security concerns primarily? All of my internal networks should pass through the proxy anyhow, I just have not configured them yet! :)

                      You need firewall rules to prevent external access to your squid this way.
                      I'll check the intercept option on squid3 package

                      @qwaven:

                      Update: Turns out I have one more issue! If I reboot, my configuration reverts back to before I made any changes…. Is there like an "apply" I need to activate? I did the changes via SSH.

                      Config file is built every time you boot or apply settings on squid gui.

                      1 Reply Last reply Reply Quote 0
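A check for the point raised in the reply above, as an added example that is not part of the original thread or of the pfSense Squid package: it classifies every http_port line in a squid.conf by bind scope, so a listener with no address (reachable on every interface unless firewall rules block it) stands out. The function names and the sample file are assumptions, constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example: audit the http_port directives of a squid.conf.

# audit_http_ports FILE
# Prints one line per http_port directive: "<scope> <mode> <listen-spec>"
#   scope: wildcard (no address or 0.0.0.0, i.e. all interfaces),
#          loopback (127.x), or specific (bound to one address)
#   mode:  intercept, transparent (the older keyword), or forward
audit_http_ports() {
    awk '
    $1 == "http_port" {
        spec = $2
        mode = "forward"
        for (i = 3; i <= NF; i++)
            if ($i == "intercept" || $i == "transparent") mode = $i
        if (spec ~ /^[0-9]+$/ || spec ~ /^0\.0\.0\.0:/) scope = "wildcard"
        else if (spec ~ /^127\./) scope = "loopback"
        else scope = "specific"
        print scope, mode, spec
    }' "$1"
}

# exposed_listeners FILE
# Prints only the listeners bound to every interface. Each of these needs
# a firewall rule on the external interface blocking the proxy port.
exposed_listeners() {
    audit_http_ports "$1" | awk '$1 == "wildcard"'
}

# Constructed sample: the http_port lines quoted in the thread, plus the
# address-less form that ended up working for the poster.
sample=$(mktemp)
cat > "$sample" <<'EOF'
http_port 10.10.10.1:3128
http_port 127.0.0.1:3128
http_port 127.0.0.1:3128 intercept
http_port 3128 intercept
icp_port 7
EOF

audit_http_ports "$sample"
echo "--- listeners reachable on every interface:"
exposed_listeners "$sample"
rm -f "$sample"
```

On the firewall itself the file to pass is /usr/local/etc/squid/squid.conf, the path given earlier in the thread.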
                      • Q
                        qwaven
                        last edited by

                        Thanks for your help.

                        If I cannot retain my settings after reboot I'm not sure this will work. :(

                        Please do let me know what you find via Squid 3 package. Although I had originally started with the default 2.x installed package.

                        Cheers.

                        1 Reply Last reply Reply Quote 0
                        • Q
                          qwaven
                          last edited by

                          Any update?

                          I've tried using Dansguardian with a firewall rule redirecting port 80 instead of Squid/SquidGuard intercept mode. This seems to work so far. Wondering if I should just stick with D then?

                          Not really clear on the difference between the two pieces of software.

                          Thanks for your help.

                          1 Reply Last reply Reply Quote 0
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.