Squid3 - New GUI with sync, normal and reverse proxy
-
i found a bug in /usr/local/pkg/squid_reverse.inc:136
I've pushed the fix for this typo, thank's for the feedback! :)
-
Could you please post your configuration ? I would like to host my webserver through squid reverse proxy and it didn't work for me..
-
1st: You have to correct the typo as descripted in my post before…
I configured it like this:
reverse Proxy Interface: WAN
External FQDN webmail.domain.tld
Reset TCP connections if request is unauthorized: active
Enable HTTPS reverse proxy: Active
reverse HTTPS port: 443
reverse SSL certificate
Ignore internal Certificate validation: active (we use self signed certs)
OWA frontend IP address: IP Address four your Frontent OWA Server
Enable ActiveSync: yes
Enable Outlook Anywhere: yes
Enable Exchange WebServices: yes
Enable AutoDiscover:yesand of course, you have to open that port in the firewall rules.
i'm using OWA/Exch2010...
hope, this helps.
Edit: if you correct the typo after enabling RPC-over-HTTPS you have to uncheck that box, save the configuration, recheck the box and save it again to apply the changes.
-
1st: You have to correct the typo as descripted in my post before…
Or just install latest package version (2.0.5_6) ;)
-
Thank you marcellok!!!
At last, since today, squid works again with both http and https caching everything.
I have been waiting for this fix for months!!!
Thanks again. May Quetzalcoatl bless you!
I wonder who is porting squid to freeBSD.
Now squid 3.3 beta is outwith several nice improvements and fixes since 3.2 and 3.1
Hopefully some kind guy will port it soon to freeBSD to make it available for pfSense as well. -
Hi marcelloc,
I wonder if it works squid3 with SquidGuard
or I can suggest that I can work with squid for Access Control List (ACL)Thanks for your understanding.
Regards
Mauricio Niño
-
I wonder if it works squid3 with SquidGuard
Yes, just reinstall squid3 after squidguard install
or I can suggest that I can work with squid for Access Control List (ACL)
On current package version, if acl fields available does not fit your need, you can create manual acls on custom_options
-
Notification/doco: The latest squid and squid3 have replaced the previous process called proxy_monitor with sqpmon.
[2.1-BETA1][admin@test.mydomain]/root(6): ls -l /usr/local/pkg/sqpmon.sh -rwxr-xr-x 1 root wheel 2906 Jan 21 15:28 /usr/local/pkg/sqpmon.sh [2.1-BETA1][admin@test.mydomain]/root(7): ls -l /usr/local/etc/rc.d/sq* -rwxr-xr-x 1 root wheel 335 Jan 21 15:28 /usr/local/etc/rc.d/sqp_monitor.sh -rwxr-xr-x 1 root wheel 449 Jan 21 15:46 /usr/local/etc/rc.d/squid.sh [2.1-BETA1][admin@test.mydomain]/root(8): ps ax | grep sqpmon 83263 0- I 0:00.26 /bin/sh /usr/local/pkg/sqpmon.shIf you install the latest squid (2.7.9 pkg v.4.3.2) or squid3 (3.1.20 pkg 2.0.5_8), you will find an sqpmon process appears (squid process monitor) running /usr/local/pkg/sqpmon.sh. It does what proxy_monitor used to do - checks every minute or so to see if squid is still running. The sqp_monitor.sh script is called at startup and shutdown to start and stop it.
This helps out a guy in Ethiopia who was having trouble fetching files with "proxy" in the filename. It also fixes some potential problems with proxy_monitor - it was possible to have a scenario where proxy_monitor.sh would get called at shutdown and actually hang the shutdown, preventing a reboot from ever completing. Now sqpmon works the way that other package component startup/shutdown scripts are designed.
This all works on 2.0.n or 2.1-BETAn systems. -
I want to not cache Steam downloads. Shouldn't this work in "Custom settings" on the General-tab:
acl steamtest url_regex -i ^http://.*/depot/.*/chunk/.* cache deny steamtestSquid is still caching Steam downloads (url http://81.171.70.221/depot/107202/chunk/52f888f7848537d725be13719ef9870f0b1da910). My regexp should match the url each time. The IP changes, but /depot/ and /chunk/ are always there.
What am I doing wrong? :F
Regards,
Joona -
Will we see an update of the squid3 package to the 3.2 branch?
Stable v3.2.7 released on the 1st of Feb.
http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.htmlSome bugs regarding ipv6 have been fixed in this latest version.
http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID_3_2_7.htmlStill no freshports.org update though, that is still at v3.2.6
p.s. the package name is 3.1.20 and 3.1.22 is rolled out in PBI. (I'm running 2.1 beta)
-
I'm testing 3.2.6 and SSL filtering this weekend. :)
-
I've checked just now, freshports.org has finished porting v3.2.7 ;)
-
I've checked just now, freshports.org has finished porting v3.2.7 ;)
Compiling and testing
big changelog
Fri 2013-02-01 03:54:21 -0700 Amos Jeffries +23 -6 3.2.7
Thu 2013-01-31 21:58:59 -0700 Amos Jeffries +4 -0 Fix ipv6 enabled pinger.
Thu 2013-01-31 21:57:13 -0700 Amos Jeffries +11 -8 Bug #3687: unhandled exception: c when using interception and peers
Thu 2013-01-31 21:56:07 -0700 Alex Rousskov +2 -0 Bug #3111: Mid-term fix for the forward.cc "err" assertion.
Thu 2013-01-31 21:54:23 -0700 Sebastien Wenske +5 -0 Support OpenSSL NO_Compression option
Tue 2013-01-29 00:00:55 -0700 Amos Jeffries +2 -2 Fix WCCPv2 'comparison between signed and unsigned integer expressions'
Mon 2013-01-28 04:49:40 -0700 Amos Jeffries +1 -1 Bug #3567: Memory leak handling malformed requests
Mon 2013-01-28 04:48:06 -0700 Amos Jeffries +9 -0 Bug #3735: raw-IPv6 domain URLs crash if IPv6-disabled
Mon 2013-01-28 04:45:07 -0700 Amos Jeffries +2 -3 Bug #3732: Fix ConnOpener IPv6 awareness
Mon 2013-01-28 04:41:04 -0700 Amos Jeffries +6 -2 Initialize mem_node fully
Mon 2013-01-28 04:40:12 -0700 Tianyin Xu +6 -0 Bug #3736: Floating point exception due to divide by zero
Mon 2013-01-28 04:29:16 -0700 Alex Rousskov +5 -0 Fix "address.GetPort() != 0" assertion for helpers on FreeBSD (at least).
Mon 2013-01-28 04:25:34 -0700 Amos Jeffries +25 -18 WCCP: Fix memory leak in mask assignment, improve debuggsing.
Mon 2013-01-28 04:23:27 -0700 Amos Jeffries +32 -32 Polish quick_abort feature decision code
Mon 2013-01-28 04:22:25 -0700 Amos Jeffries +1 -0 Fix memory leak in IP address unit test
Mon 2013-01-28 02:59:18 -0700 Amos Jeffries +12 -2 Fix memory leaks in ICMP
Mon 2013-01-28 02:58:16 -0700 Tianyin Xu +1 -1 Bug #3729: 32-bit overflow in parsing 64-bit configuration values
Sun 2013-01-27 22:43:11 -0700 Tomas Hozza +36 -10 Fix various Disk I/O issues in all modules
Sun 2013-01-27 22:40:06 -0700 Francesco Chemolli +2 -2 Fix error in config parser which would mis-assign the sslcrlfile directive.
Sun 2013-01-27 22:39:19 -0700 Francesco Chemolli +54 -26 Plugged memory leaks in digest authentication module
Sun 2013-01-27 21:33:00 -0700 Tianyin Xu +4 -0 Bug #3728: Improve debug for cache_dir
Sun 2013-01-27 21:30:26 -0700 Tomas Hozza +3 -0 Make sure copied strings are properly terminated in snmplib and wccp2
Sun 2013-01-27 21:28:17 -0700 Tomas Hozza +32 -10 Fix various issues in snmplib
Sun 2013-01-27 21:27:32 -0700 Tomas Hozza +31 -11 Fix various issues in smblib
Fri 2013-01-25 02:59:54 -0700 Timo Teras +7 -2 Bug #3678: external acl grace period causes acl lookup failures -
I've modified the squid-reverse package to support redirects.
This was something I missed after migrating from Microsoft TMG 2010 to pfsense.You can redirect requests from mail.mydomain.com (protocol HTTP selected) to https://mail.mydomain.com
Or in case of Microsoft Exchange redirecting from mail.mydomain.com and webmail.mydomain.com (both protocols selected) to https://webmail.mydomain.com/owa is also supported.
You also can use it to support the Microsoft Exchange Autodiscover HTTP to HTTPS redirect function.I think you can expect the updated package soon.
-
1st: You have to correct the typo as descripted in my post before…
I configured it like this:
reverse Proxy Interface: WAN
External FQDN webmail.domain.tld
Reset TCP connections if request is unauthorized: active
Enable HTTPS reverse proxy: Active
reverse HTTPS port: 443
reverse SSL certificate
Ignore internal Certificate validation: active (we use self signed certs)
OWA frontend IP address: IP Address four your Frontent OWA Server
Enable ActiveSync: yes
Enable Outlook Anywhere: yes
Enable Exchange WebServices: yes
Enable AutoDiscover:yesand of course, you have to open that port in the firewall rules.
i'm using OWA/Exch2010...
hope, this helps.
Edit: if you correct the typo after enabling RPC-over-HTTPS you have to uncheck that box, save the configuration, recheck the box and save it again to apply the changes.
I configured it like this:
reverse Proxy Interface: WAN
External FQDN secret.no-ip.org
Reset TCP connections if request is unauthorized: active
Enable HTTP reverse proxy: Active
reverse HTTP port: 8080Web Servers:
Enable this peer: active
Peer Alias: mynas
Peer Ip: 10.178.1.61
Peer Port: 8080
Peer Protocol: HTTPMappings:
Enable this URI: enabled
Group Name: NAS-MyNAS
Peers: mynas (selected)
URIs: *Result: TCP Connection is being reset.
–---When disabling the 'Reset if unauthorised' button, i'm getting an access denied Message of Squid.
Can anyone help me, please?
-
Redflag237,
Did you tried entering some actual URIs instead of * on you mapping?
The URIs field expects a regex, just * isn't a valid regex.
If you really want to accept everything enter ^.*$ as URI, I didn't checked or squid accept this but it's a valid regex. ;-) -
I think I found a small bug leading to this message in system log:
"Not calling package sync code for dependency squidreverse of squid3 because some include files are missing."This is my patch suggestion:
–- /usr/local/pkg/squid_reverse.xml 2013-02-17 16:15:30.000000000 +0100
+++ /usr/local/pkg/squid_reverse.xml 2013-02-17 16:15:49.000000000 +0100
@@ -50,3 +50,3 @@
<title>Proxy server: Reverse Proxy</title>- <include_file>squid.inc</include_file>
- <include_file>/usr/local/pkg/squid.inc</include_file>
<tabs>–Dennis</tabs>
-
I want to not cache Steam downloads. Shouldn't this work in "Custom settings" on the General-tab:
acl steamtest url_regex -i ^http://.*/depot/.*/chunk/.* cache deny steamtestSquid is still caching Steam downloads (url http://81.171.70.221/depot/107202/chunk/52f888f7848537d725be13719ef9870f0b1da910). My regexp should match the url each time. The IP changes, but /depot/ and /chunk/ are always there.
What am I doing wrong? :F
Regards,
JoonaCan anyone help me with this? The custom settings pops up into /usr/pbi/squid-amd64/etc/squid/squid.conf, but content that falls under the url_regex is still being cached. My cache keeps getting filled by one time Steam downloads.
-
Fragged, did you enabled cache dynamic content?
Can you check on squid conf for more cache options defined? -
Fragged, did you enabled cache dynamic content?
Can you check on squid conf for more cache options defined?Dynamic content is off. Here's my full config.
[2.1-BETA1][admin@pfsense.localdomain]/root(10): cat /usr/pbi/squid-amd64/etc/squid/squid.conf # This file is automatically generated by pfSense # Do not edit manually ! http_port 192.168.11.1:3128 http_port 127.0.0.1:3128 intercept icp_port 7 dns_v4_first off pid_filename /var/run/squid.pid cache_effective_user proxy cache_effective_group proxy error_default_language en icon_directory /usr/pbi/squid-amd64/etc/squid/icons visible_hostname localhost cache_mgr fragged@localhost access_log /var/squid/logs/access.log cache_log /var/squid/logs/cache.log cache_store_log none sslcrtd_children 0 logfile_rotate 30 shutdown_lifetime 3 seconds # Allow local network(s) on interface(s) acl localnet src 192.168.11.0/24 httpd_suppress_version_string on uri_whitespace strip acl dynamic urlpath_regex cgi-bin \? cache deny dynamic cache_mem 4096 MB maximum_object_size_in_memory 524288 KB memory_replacement_policy heap GDSF cache_replacement_policy heap GDSF cache_dir ufs /var/squid/cache 4096 8 256 minimum_object_size 0 KB maximum_object_size 1024 KB offline_mode offcache_swap_low 90 cache_swap_high 95 # No redirector configured #Remote proxies # Setup some default acls acl allsrc src all acl localhost src 127.0.0.1/32 acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 1025-65535 acl sslports port 443 563 acl manager proto cache_object acl purge method PURGE acl connect method CONNECT # Define protocols used for redirects acl HTTP proto HTTP acl HTTPS proto HTTPS http_access allow manager localhost # Allow external cache managers acl ext_manager src 127.0.0.1 acl ext_manager src 192.168.11.1 acl ext_manager src http_access allow manager ext_manager http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections http_access allow localhost request_body_max_size 0 KB delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 delay_access 1 allow allsrc # Reverse Proxy settings # Custom options acl steamtest url_regex -i http://.*/depot/.*/chunk/.* cache deny steamtest # Setup allowed acls # Allow local network(s) on interface(s) http_access allow localnet # Default block all to be sure http_access deny allsrc
