Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid 3.3.4 package for pfsense with ssl filtering

    Scheduled Pinned Locked Moved Cache/Proxy
    305 Posts 72 Posters 308.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • marcellocM
      marcelloc
      last edited by

      @athurdent:

      It would not start because of:

      squid[88922]: execvp failed: (2) No such file or directory
      

      Now it's working and I am testing it.

      I'm confused, is it working or not ???

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

      1 Reply Last reply Reply Quote 0
      • L
        Legion
        last edited by

        @marcelloc:

        @Legion:

        DG on pfSense:8080 with Squid as parent
        Squid3 on 127.0.0.1:3128

        Check if squid is running, on log you sent I can see only warnings.

        squid -NsXY on console can show you squid startup error or /var/squid/logs/cache.log

        Nope, wasn't running. I tried again and got:

        Noticeable points:

        • I had all my subnets on the ACL allow list (don't remember why)
        • I had pfsense.org and pfsense.com in ACL allow lists, from problems I had once accessing new package information
        • I didn't uninstall Squid3 first. But when I noticed that I still had it, I tried to uninstall it and reinstall Squid3-dev and it still didn't work
        • I get multiple dansguardian[23423]: Error connecting to proxy messages in system.log and no internet connectivity at all
        • no transparent http or https checked, Squid3-dev listening on localhost:3128 only, NAT rules to redirect 80 to DG, then DG has Squid as parent.

        Maybe Squid3-dev works best without DG underneath?

        1 Reply Last reply Reply Quote 0
        • marcellocM
          marcelloc
          last edited by

          @Legion:

          Noticeable points:

          • I had all my subnets on the ACL allow list (don't remember why)
          • I had pfsense.org and pfsense.com in ACL allow lists, from problems I had once accessing new package information
          • I didn't uninstall Squid3 first. But when I noticed that I still had it, I tried to uninstall it and reinstall Squid3-dev and it still didn't work
          • I get multiple dansguardian[23423]: Error connecting to proxy messages in system.log and no internet connectivity at all
          • no transparent http or https checked, Squid3-dev listening on localhost:3128 only, NAT rules to redirect 80 to DG, then DG has Squid as parent.

          Maybe Squid3-dev works best without DG underneath?

          uninstall both and then reinstall squid3-dev.

          I've pushed yesterday some fixes to conf generator.

          I think it's better to test squid itself and then go to dansguardian integration.

          Leave localhost unchecked, it's automatically inserted when using transparent mode. I'll include this warning on gui to prevent some errors.

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

          1 Reply Last reply Reply Quote 0
          • A
            athurdent
            last edited by

            @marcelloc:

            @athurdent:

            It would not start because of:

            squid[88922]: execvp failed: (2) No such file or directory
            

            Now it's working and I am testing it.

            I'm confused, is it working or not ???

            Sorry for not being clearer. After copying the libs it would not start until I reinstalled it. Just wanted to let others know that maybe a reinstall is needed after putting the libs in place.
            It works fine now and I have to dig a little further into ssl filtering ;)

            1 Reply Last reply Reply Quote 0
            • A
              athurdent
              last edited by

              @marcelloc:

              @wheelz:

              How are the certificates set up?  I know the pfsense box should act as a certificate authority and all the clients must trust it.  So is the CA cert automatically generated and how do

              Default web configurator certificate can be used.

              I deleted my original default certificates some time ago and set up my own CA using pfSense. What kind of certificate do I need to create for SSL interception to work? I tried generating a CA certificate signed by my CA but Squid does not like it.
              I always get

              squid: No valid signing SSL certificate configured for http_port 192.168.x.4:3128
              

              also tried using a server certificate, does not work either, same error. Any hints for me?

              1 Reply Last reply Reply Quote 0
              • marcellocM
                marcelloc
                last edited by

                @athurdent:

                also tried using a server certificate, does not work either, same error. Any hints for me?

                I'm using a server ceritificate signed by created ca.

                webconfigurator in some cases may work too.

                Check on cache.log if squid is not crashing while trying to intercept ssl.

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                1 Reply Last reply Reply Quote 0
                • F
                  Fehler20
                  last edited by

                  I've found another missing file:

                  ERROR: auth_param basic program /usr/local/libexec/squid/msnt_auth: (2) No such file or directory
                  FATAL: auth_param basic program /usr/local/libexec/squid/msnt_auth: (2) No such file or directory Squid Cache (Version 3.3.4)

                  (there IS a file called basic_msnt_auth)

                  I get this error, if I try to activate the NT Domain authentication. By the way, there is another helper called ntlm_smb_lm_auth. Wouldn't that be the better choice for windows?

                  1 Reply Last reply Reply Quote 0
                  • W
                    wheelz
                    last edited by

                    @Fehler20:

                    I've found another missing file:

                    ERROR: auth_param basic program /usr/local/libexec/squid/msnt_auth: (2) No such file or directory
                    FATAL: auth_param basic program /usr/local/libexec/squid/msnt_auth: (2) No such file or directory Squid Cache (Version 3.3.4)

                    (there IS a file called basic_msnt_auth)

                    I get this error, if I try to activate the NT Domain authentication. By the way, there is another helper called ntlm_smb_lm_auth. Wouldn't that be the better choice for windows?

                    The only tested NTLM authentication for pfsense that I am aware of is outlined in my thread:  http://forum.pfsense.org/index.php/topic,58700.0.html.  That was using an earlier version of squid though.  If you find other auth plugins that work or expand on this, I'd really like to know the details of it.  If so, please post it in that thread to put it all in one place for everyone's benefit.

                    1 Reply Last reply Reply Quote 0
                    • F
                      Fehler20
                      last edited by

                      It seems to be that there was some renaming done. The LDAP plugin is broken, too (I havn't tested RADIUS).
                      @wheelz: You are correct :), I've tried ntlm_smb_lm_auth today and it does not seem to work either with IE and FF. There are some strings exchanged between the Domain Controller and squid, but SSO with NTLM does not work neither entering the creditals manually.

                      Btw could you add another option to the webinterface: I gives the ability to add custom caching rules.

                      /usr/local/pkg/squid.inc line 983

                      //custom Options
                      $conf.=sq_text_area_decode($settings['custcache']);
                      $conf.='
                      ';

                      and

                      /usr/local/pkg/squid_cache.xml line 138ff.

                      <field><fielddescr>Custom Cache Options</fielddescr>
                      <fieldname>custcache</fieldname>
                      <description>Specify custom Cache rules here.</description>
                      <type>textarea</type>
                      <cols>50</cols>
                      <rows>5</rows>
                      <encoding>base64</encoding></field>

                      Edit: I have found a new problem/mistake. The cache function only works if I manually add this custom option:

                      cache allow ALL

                      Maybe this has to be added to the default configuration.

                      1 Reply Last reply Reply Quote 0
                      • marcellocM
                        marcelloc
                        last edited by

                        @Fehler20:

                        It seems to be that there was some renaming done. The LDAP plugin is broken, too (I havn't tested RADIUS).

                        @Fehler20:

                        Btw could you add another option to the webinterface: I gives the ability to add custom caching rules.

                        Can't it be done on custom options?

                        @Fehler20:

                        Edit: I have found a new Problem/mistake. The cache funktion only works if I manually add this custom option:

                        cache allow ALL

                        Maybe this has to be added to the default configuration.

                        I'll check it.

                        Treinamentos de Elite: http://sys-squad.com

                        Help a community developer! ;D

                        1 Reply Last reply Reply Quote 0
                        • F
                          Fehler20
                          last edited by

                          Can't it be done on custom options?

                          Yes, but it is a little bit confusing, if there is an option. It causes every following configuration change to fail because the config file is corrupted.

                          1 Reply Last reply Reply Quote 0
                          • marcellocM
                            marcelloc
                            last edited by

                            @Fehler20:

                            Can't it be done on custom options?

                            Yes, but it is a little bit confusing, if there is an option. It causes every following configuration change to fail because the config file is corrupted.

                            custom_options need one cmd per line instead of old  ";" from squid2.

                            Is this the way you are doing?

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            1 Reply Last reply Reply Quote 0
                            • F
                              Fehler20
                              last edited by

                              Quote from: Fehler20 on Today at 11:42:58 am

                              Quote

                              Can't it be done on custom options?

                              Yes, but it is a little bit confusing, if there is an option. It causes every following configuration change to fail because the config file is corrupted.

                              custom_options need one cmd per line instead of old  ";" from squid2.

                              Is this the way you are doing?

                              Yes, my config is running!

                              I just noticed that if you use an authentcation method from the authentication tab this causes the following error:

                              php: /pkg_edit.php: The command '/usr/local/sbin/squid -k reconfigure -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was '2013/05/16 19:07:32| ERROR: auth_param basic program /usr/local/libexec/squid/msnt_auth: (2) No such file or directory FATAL: auth_param basic program /usr/local/libexec/squid/msnt_auth: (2) No such file or directory Squid Cache (Version 3.3.4): Terminated abnormally. CPU Usage: 0.012 seconds = 0.008 user + 0.004 sys Maximum Resident Size: 37344 KB Page faults with physical i/o: 0'

                              1 Reply Last reply Reply Quote 0
                              • marcellocM
                                marcelloc
                                last edited by

                                @Fehler20:

                                I just noticed that if you use an authentcation method from the authentication tab this causes the following error:

                                I'm fixing it and checking other config changes. I'll push new gui version today.

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                1 Reply Last reply Reply Quote 0
                                • marcellocM
                                  marcelloc
                                  last edited by

                                  pkg version 2.1.1 is out.

                                  main changes

                                  • Fixed auth plugins filenames

                                  • Included more ssl_crt checks

                                  • Included custom refresh_pattern field for dynamic content on cache tab

                                  • Included missing cache allow all on squid.inc(this may fix no cache hits issue with dynamic content enabled.)

                                  Treinamentos de Elite: http://sys-squad.com

                                  Help a community developer! ;D

                                  1 Reply Last reply Reply Quote 0
                                  • F
                                    Fehler20
                                    last edited by

                                    •Included custom refresh_pattern field for dynamic content on cache tab

                                    Little Problem here: you have to insert a new line after the custom caching options. If not the configuration becomes corrupted.
                                    Besides this caching (of dynamic content) works for me now. Thank you!

                                    1 Reply Last reply Reply Quote 0
                                    • marcellocM
                                      marcelloc
                                      last edited by

                                      @Fehler20:

                                      Little Problem here: you have to insert a new line after the custom caching options. If not the configuration becomes corrupted.

                                      Test inserting an extra <enter>on your custom options.</enter>

                                      Treinamentos de Elite: http://sys-squad.com

                                      Help a community developer! ;D

                                      1 Reply Last reply Reply Quote 0
                                      • W
                                        wheelz
                                        last edited by

                                        On the i-cap for AV feature… If I am already using Dan's Guardian with the ClamAV options, would there be any reason to switch to squid using i-cap when it is working?  Or is that mainly geared for people who are using squid by itself?

                                        1 Reply Last reply Reply Quote 0
                                        • marcellocM
                                          marcelloc
                                          last edited by

                                          @wheelz:

                                          On the i-cap for AV feature… If I am already using Dan's Guardian with the ClamAV options, would there be any reason to switch to squid using i-cap when it is working?  Or is that mainly geared for people who are using squid by itself?

                                          No need to move. dansguardian talks to clamav via socket.

                                          Treinamentos de Elite: http://sys-squad.com

                                          Help a community developer! ;D

                                          1 Reply Last reply Reply Quote 0
                                          • marcellocM
                                            marcelloc
                                            last edited by

                                            pkg version 2.1.2 is out.

                                            main change

                                            • change ssl filtering cert combo from server-cert to ca-cert

                                            • Insert an additional <enter>after cache pattern custom field to avoid config crashes</enter>

                                            This version has ssl_filtering working really nice on pfsense 2.1.  :)

                                            On 2.0.x enable ipv6 on system->advanced to squid be able to listen on configured port.

                                            EDIT

                                            Using squid from my repo, ssl_filtering is working fine on 2.0.x too  ;D

                                            1368761856.278    210 192.168.0.3 TCP_MISS/200 978 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
                                            1368761856.699    442 192.168.0.3 TCP_MISS/200 19903 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/jso                                                                                 n
                                            1368761856.714    521 192.168.0.3 TCP_MISS/200 905 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
                                            1368761857.121    203 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
                                            1368761857.136    219 192.168.0.3 TCP_MISS/200 680 GET https://www.google.com.br/xjs/_/js/k=-im9hrMhEvY.en_US./m=wta/am=wA/r                                                                                 t=j/d=0/sv=1/rs=AItRSTMxcUTKX7_k7F3jagv1ABf8swPrOg - PINNED/189.86.41.119 text/javascript
                                            1368761858.327    632 192.168.0.3 TCP_MISS/200 915 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
                                            1368761859.649   1548 192.168.0.3 TCP_MISS/200 14473 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/jso                                                                                 n
                                            1368761859.661    228 192.168.0.3 TCP_MISS/200 850 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
                                            1368761860.026    220 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
                                            1368761860.970    397 192.168.0.3 TCP_MISS/200 851 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
                                            1368761861.121    388 192.168.0.3 TCP_MISS/200 856 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
                                            1368761861.223    311 192.168.0.3 TCP_MISS/200 855 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
                                            1368761861.410    397 192.168.0.3 TCP_MISS/200 860 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
                                            1368761862.720   1537 192.168.0.3 TCP_MISS/200 18542 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/jso                                                                                 n
                                            1368761863.104    222 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
                                            1368761865.464    232 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
                                            1368761866.209    507 192.168.0.3 TCP_MISS/200 982 POST http://ui.ff.avast.com/urlinfo - HIER_DIRECT/77.234.43.81 applicatio                                                                                 n/octet-stream
                                            1368761866.684    479 192.168.0.3 TCP_MISS/200 982 POST http://ui.ff.avast.com/urlinfo - HIER_DIRECT/77.234.43.81 applicatio   
                                            

                                            Treinamentos de Elite: http://sys-squad.com

                                            Help a community developer! ;D

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.