Squid3 - New GUI with sync, normal and reverse proxy

Truster

Hi,

i found a bug/typo in /usr/local/pkg/squid_reverse.inc:136

RPC-over-HTTPS doen't work correct.

    136                         if($settngs['reverse_owa_rpchttp'])
    137                                         array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll');

correct is:

    136                         if($settings['reverse_owa_rpchttp'])
    137                                         array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll');

tooks lot of time to get Outlook RPC-over-HTTPS working :P

marcelloc

@Truster:

i found a bug in /usr/local/pkg/squid_reverse.inc:136

I've pushed the fix for this typo, thank's for the feedback!  :)

moh10ly

Could you please post your configuration ? I would like to host my webserver through squid reverse proxy and it didn't work for me..

Truster

1st: You have to correct the typo as descripted in my post before…

I configured it like this:
reverse Proxy Interface: WAN
External FQDN webmail.domain.tld
Reset TCP connections if request is unauthorized: active
Enable HTTPS reverse proxy: Active
reverse HTTPS port: 443
reverse SSL certificate
Ignore internal Certificate validation: active (we use self signed certs)
OWA frontend IP address: IP Address four your Frontent OWA Server
Enable ActiveSync: yes
Enable Outlook Anywhere: yes
Enable Exchange WebServices: yes
Enable AutoDiscover:yes

and of course, you have to open that port in the firewall rules.

i'm using OWA/Exch2010...

hope, this helps.

Edit: if you correct the typo after enabling RPC-over-HTTPS you have to uncheck that box, save the configuration, recheck the box and save it again to apply the changes.

marcelloc

@Truster:

1st: You have to correct the typo as descripted in my post before…

Or just install latest package version (2.0.5_6)  ;)

quetzalcoatl

Thank you marcellok!!!

At last, since today, squid works again with both http and https caching everything.

I have been waiting for this fix for months!!!

Thanks again. May Quetzalcoatl bless you!

I wonder who is porting squid to freeBSD.

Now squid 3.3 beta is outwith several nice improvements and fixes since 3.2 and 3.1
Hopefully some kind guy will port it soon to freeBSD to make it available for pfSense as well.

mauricioniñoavella

Hi marcelloc,

I wonder if it works  squid3 with SquidGuard
or I can suggest that I can work with squid for Access Control List (ACL)

Thanks for your understanding.

Regards

Mauricio Niño

marcelloc

@mauricioniñoavella:

I wonder if it works  squid3 with SquidGuard

Yes, just reinstall squid3 after squidguard install

@mauricioniñoavella:

or I can suggest that I can work with squid for Access Control List (ACL)

On current package version, if acl fields available does not fit your need, you can create manual acls on custom_options

phil.davis

Notification/doco: The latest squid and squid3 have replaced the previous process called proxy_monitor with sqpmon.

[2.1-BETA1][admin@test.mydomain]/root(6): ls -l /usr/local/pkg/sqpmon.sh
-rwxr-xr-x  1 root  wheel  2906 Jan 21 15:28 /usr/local/pkg/sqpmon.sh
[2.1-BETA1][admin@test.mydomain]/root(7): ls -l /usr/local/etc/rc.d/sq*
-rwxr-xr-x  1 root  wheel  335 Jan 21 15:28 /usr/local/etc/rc.d/sqp_monitor.sh
-rwxr-xr-x  1 root  wheel  449 Jan 21 15:46 /usr/local/etc/rc.d/squid.sh
[2.1-BETA1][admin@test.mydomain]/root(8): ps ax | grep sqpmon
83263   0- I      0:00.26 /bin/sh /usr/local/pkg/sqpmon.sh

If you install the latest squid (2.7.9 pkg v.4.3.2) or squid3 (3.1.20 pkg 2.0.5_8), you will find an sqpmon process appears (squid process monitor) running /usr/local/pkg/sqpmon.sh. It does what proxy_monitor used to do - checks every minute or so to see if squid is still running. The sqp_monitor.sh script is called at startup and shutdown to start and stop it.
This helps out a guy in Ethiopia who was having trouble fetching files with "proxy" in the filename. It also fixes some potential problems with proxy_monitor - it was possible to have a scenario where proxy_monitor.sh would get called at shutdown and actually hang the shutdown, preventing a reboot from ever completing. Now sqpmon works the way that other package component startup/shutdown scripts are designed.
This all works on 2.0.n or 2.1-BETAn systems.

fragged

I want to not cache Steam downloads. Shouldn't this work in "Custom settings" on the General-tab:

acl steamtest url_regex -i ^http://.*/depot/.*/chunk/.*
cache deny steamtest

Squid is still caching Steam downloads (url http://81.171.70.221/depot/107202/chunk/52f888f7848537d725be13719ef9870f0b1da910). My regexp should match the url each time. The IP changes, but /depot/ and /chunk/ are always there.

What am I doing wrong? :F

Regards,
Joona

Tikimotel

Will we see an update of the squid3 package to the 3.2 branch?

Stable v3.2.7 released on the 1st of Feb.
http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html

Some bugs regarding ipv6 have been fixed in this latest version.
http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID_3_2_7.html

Still no freshports.org update though, that is still at v3.2.6

p.s. the package name is 3.1.20 and 3.1.22 is rolled out in PBI. (I'm running 2.1 beta)

marcelloc

I'm testing 3.2.6 and SSL filtering this weekend. :)

Tikimotel

I've checked just now, freshports.org has finished porting v3.2.7  ;)

marcelloc

@Tikimotel:

I've checked just now, freshports.org has finished porting v3.2.7  ;)

Compiling and testing

big changelog

Fri 2013-02-01 03:54:21 -0700 Amos Jeffries +23 -6 3.2.7
Thu 2013-01-31 21:58:59 -0700 Amos Jeffries +4 -0 Fix ipv6 enabled pinger.
Thu 2013-01-31 21:57:13 -0700 Amos Jeffries +11 -8 Bug #3687: unhandled exception: c when using interception and peers
Thu 2013-01-31 21:56:07 -0700 Alex Rousskov +2 -0 Bug #3111: Mid-term fix for the forward.cc "err" assertion.
Thu 2013-01-31 21:54:23 -0700 Sebastien Wenske +5 -0 Support OpenSSL NO_Compression option
Tue 2013-01-29 00:00:55 -0700 Amos Jeffries +2 -2 Fix WCCPv2 'comparison between signed and unsigned integer expressions'
Mon 2013-01-28 04:49:40 -0700 Amos Jeffries +1 -1 Bug #3567: Memory leak handling malformed requests
Mon 2013-01-28 04:48:06 -0700 Amos Jeffries +9 -0 Bug #3735: raw-IPv6 domain URLs crash if IPv6-disabled
Mon 2013-01-28 04:45:07 -0700 Amos Jeffries +2 -3 Bug #3732: Fix ConnOpener IPv6 awareness
Mon 2013-01-28 04:41:04 -0700 Amos Jeffries +6 -2 Initialize mem_node fully
Mon 2013-01-28 04:40:12 -0700 Tianyin Xu +6 -0 Bug #3736: Floating point exception due to divide by zero
Mon 2013-01-28 04:29:16 -0700 Alex Rousskov +5 -0 Fix "address.GetPort() != 0" assertion for helpers on FreeBSD (at least).
Mon 2013-01-28 04:25:34 -0700 Amos Jeffries +25 -18 WCCP: Fix memory leak in mask assignment, improve debuggsing.
Mon 2013-01-28 04:23:27 -0700 Amos Jeffries +32 -32 Polish quick_abort feature decision code
Mon 2013-01-28 04:22:25 -0700 Amos Jeffries +1 -0 Fix memory leak in IP address unit test
Mon 2013-01-28 02:59:18 -0700 Amos Jeffries +12 -2 Fix memory leaks in ICMP
Mon 2013-01-28 02:58:16 -0700 Tianyin Xu +1 -1 Bug #3729: 32-bit overflow in parsing 64-bit configuration values
Sun 2013-01-27 22:43:11 -0700 Tomas Hozza +36 -10 Fix various Disk I/O issues in all modules
Sun 2013-01-27 22:40:06 -0700 Francesco Chemolli +2 -2 Fix error in config parser which would mis-assign the sslcrlfile directive.
Sun 2013-01-27 22:39:19 -0700 Francesco Chemolli +54 -26 Plugged memory leaks in digest authentication module
Sun 2013-01-27 21:33:00 -0700 Tianyin Xu +4 -0 Bug #3728: Improve debug for cache_dir
Sun 2013-01-27 21:30:26 -0700 Tomas Hozza +3 -0 Make sure copied strings are properly terminated in snmplib and wccp2
Sun 2013-01-27 21:28:17 -0700 Tomas Hozza +32 -10 Fix various issues in snmplib
Sun 2013-01-27 21:27:32 -0700 Tomas Hozza +31 -11 Fix various issues in smblib
Fri 2013-01-25 02:59:54 -0700 Timo Teras +7 -2 Bug #3678: external acl grace period causes acl lookup failures

geijt

I've modified the squid-reverse package to support redirects.
This was something I missed after migrating from Microsoft TMG 2010 to pfsense.

You can redirect requests from mail.mydomain.com (protocol HTTP selected) to https://mail.mydomain.com
Or in case of Microsoft Exchange redirecting from mail.mydomain.com and webmail.mydomain.com (both protocols selected) to https://webmail.mydomain.com/owa is also supported.
You also can use it to support the Microsoft Exchange Autodiscover HTTP to HTTPS redirect function.

I think you can expect the updated package soon.

redflag237

@Truster:

1st: You have to correct the typo as descripted in my post before…

I configured it like this:
reverse Proxy Interface: WAN
External FQDN webmail.domain.tld
Reset TCP connections if request is unauthorized: active
Enable HTTPS reverse proxy: Active
reverse HTTPS port: 443
reverse SSL certificate
Ignore internal Certificate validation: active (we use self signed certs)
OWA frontend IP address: IP Address four your Frontent OWA Server
Enable ActiveSync: yes
Enable Outlook Anywhere: yes
Enable Exchange WebServices: yes
Enable AutoDiscover:yes

and of course, you have to open that port in the firewall rules.

i'm using OWA/Exch2010...

hope, this helps.

Edit: if you correct the typo after enabling RPC-over-HTTPS you have to uncheck that box, save the configuration, recheck the box and save it again to apply the changes.

I configured it like this:
reverse Proxy Interface: WAN
External FQDN secret.no-ip.org
Reset TCP connections if request is unauthorized: active
Enable HTTP reverse proxy: Active
reverse HTTP port: 8080

Web Servers:
Enable this peer: active
Peer Alias: mynas
Peer Ip: 10.178.1.61
Peer Port: 8080
Peer Protocol: HTTP

Mappings:
Enable this URI: enabled
Group Name: NAS-MyNAS
Peers: mynas (selected)
URIs: *

Result: TCP Connection is being reset.
–---

When disabling the 'Reset if unauthorised' button, i'm getting an access denied Message of Squid.

Can anyone help me, please?

geijt

Redflag237,

Did you tried entering some actual URIs instead of * on you mapping?

The URIs field expects a regex, just * isn't a valid regex.
If you really want to accept everything enter ^.*$ as URI, I didn't checked or squid accept this but it's a valid regex. ;-)

dneuhaeuser

I think I found a small bug leading to this message in system log:
"Not calling package sync code for dependency squidreverse of squid3 because some include files are missing."

This is my patch suggestion:

–- /usr/local/pkg/squid_reverse.xml    2013-02-17 16:15:30.000000000 +0100
+++ /usr/local/pkg/squid_reverse.xml    2013-02-17 16:15:49.000000000 +0100
@@ -50,3 +50,3 @@
       <title>Proxy server: Reverse Proxy</title>

• <include_file>squid.inc</include_file>

• <include_file>/usr/local/pkg/squid.inc</include_file>
          <tabs>–Dennis</tabs>

fragged

@fragged:

I want to not cache Steam downloads. Shouldn't this work in "Custom settings" on the General-tab:

acl steamtest url_regex -i ^http://.*/depot/.*/chunk/.*
cache deny steamtest

Squid is still caching Steam downloads (url http://81.171.70.221/depot/107202/chunk/52f888f7848537d725be13719ef9870f0b1da910). My regexp should match the url each time. The IP changes, but /depot/ and /chunk/ are always there.

What am I doing wrong? :F

Regards,
Joona

Can anyone help me with this? The custom settings pops up into /usr/pbi/squid-amd64/etc/squid/squid.conf, but content that falls under the url_regex is still being cached. My cache keeps getting filled by one time Steam downloads.

marcelloc

Fragged,  did you enabled cache dynamic content?
Can you check on squid conf for more cache options defined?