Squid 3.3.4 package for pfsense with ssl filtering

marcelloc

Little Problem here: you have to insert a new line after the custom caching options. If not the configuration becomes corrupted.

Test inserting an extra <enter>on your custom options.</enter>

wheelz

On the i-cap for AV feature… If I am already using Dan's Guardian with the ClamAV options, would there be any reason to switch to squid using i-cap when it is working? Or is that mainly geared for people who are using squid by itself?

marcelloc

@wheelz:

On the i-cap for AV feature… If I am already using Dan's Guardian with the ClamAV options, would there be any reason to switch to squid using i-cap when it is working? Or is that mainly geared for people who are using squid by itself?

No need to move. dansguardian talks to clamav via socket.

marcelloc

pkg version 2.1.2 is out.

main change

change ssl filtering cert combo from server-cert to ca-cert
Insert an additional <enter>after cache pattern custom field to avoid config crashes</enter>

This version has ssl_filtering working really nice on pfsense 2.1. :)

On 2.0.x enable ipv6 on system->advanced to squid be able to listen on configured port.

EDIT

Using squid from my repo, ssl_filtering is working fine on 2.0.x too ;D

1368761856.278    210 192.168.0.3 TCP_MISS/200 978 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761856.699    442 192.168.0.3 TCP_MISS/200 19903 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/jso                                                                                 n
1368761856.714    521 192.168.0.3 TCP_MISS/200 905 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761857.121    203 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
1368761857.136    219 192.168.0.3 TCP_MISS/200 680 GET https://www.google.com.br/xjs/_/js/k=-im9hrMhEvY.en_US./m=wta/am=wA/r                                                                                 t=j/d=0/sv=1/rs=AItRSTMxcUTKX7_k7F3jagv1ABf8swPrOg - PINNED/189.86.41.119 text/javascript
1368761858.327    632 192.168.0.3 TCP_MISS/200 915 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761859.649   1548 192.168.0.3 TCP_MISS/200 14473 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/jso                                                                                 n
1368761859.661    228 192.168.0.3 TCP_MISS/200 850 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761860.026    220 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
1368761860.970    397 192.168.0.3 TCP_MISS/200 851 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761861.121    388 192.168.0.3 TCP_MISS/200 856 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761861.223    311 192.168.0.3 TCP_MISS/200 855 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761861.410    397 192.168.0.3 TCP_MISS/200 860 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761862.720   1537 192.168.0.3 TCP_MISS/200 18542 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/jso                                                                                 n
1368761863.104    222 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
1368761865.464    232 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
1368761866.209    507 192.168.0.3 TCP_MISS/200 982 POST http://ui.ff.avast.com/urlinfo - HIER_DIRECT/77.234.43.81 applicatio                                                                                 n/octet-stream
1368761866.684    479 192.168.0.3 TCP_MISS/200 982 POST http://ui.ff.avast.com/urlinfo - HIER_DIRECT/77.234.43.81 applicatio

Fehler20

Quote from: Fehler20 on Yesterday at 01:57:17 pm

Little Problem here: you have to insert a new line after the custom caching options. If not the configuration becomes corrupted.

Test inserting an extra <enter>on your custom options.</enter>

Does NOT work for some reason. Thank you for the fix.

athurdent

Gave SSL filtering a new shot with the new package version, also updated the pfSense 2.1 beta to the lastest.
Squid picks my Test CAs cert and starts fine with that. Had to turn off remot certificate verification, otherwise I could not use it at all for SSL. Now it works for a minute, very slow and then dies. Here's are the logs. I have an IPv6-enabled network, but the test KVM I use is only configured for IPv4. But those PINNED entries seem to try IPv6…

2013/05/17 16:25:52 kid1| Starting Squid Cache version 3.3.4 for i386-portbld-freebsd8.3...
2013/05/17 16:25:52 kid1| Process ID 81090
2013/05/17 16:25:52 kid1| Process Roles: worker
2013/05/17 16:25:52 kid1| With 11095 file descriptors available
2013/05/17 16:25:52 kid1| Initializing IP Cache...
2013/05/17 16:25:52 kid1| DNS Socket created at [::], FD 12
2013/05/17 16:25:52 kid1| DNS Socket created at 0.0.0.0, FD 14
2013/05/17 16:25:52 kid1| Adding domain local-lan from /etc/resolv.conf
2013/05/17 16:25:52 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2013/05/17 16:25:52 kid1| Adding nameserver 192.168.x.254 from /etc/resolv.conf
2013/05/17 16:25:52 kid1| Adding nameserver 192.168.x.254 from /etc/resolv.conf
2013/05/17 16:25:52 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
2013/05/17 16:25:52 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2013/05/17 16:25:52 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2013/05/17 16:25:52 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2013/05/17 16:25:52 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2013/05/17 16:25:52 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2013/05/17 16:25:52 kid1| Logfile: opening log /var/squid/logs/access.log
2013/05/17 16:25:52 kid1| WARNING: log parameters now start with a module name. Use 'stdio:/var/squid/logs/access.log'
2013/05/17 16:25:52 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2013/05/17 16:25:52 kid1| Store logging disabled
2013/05/17 16:25:52 kid1| Swap maxSize 0 + 8192 KB, estimated 630 objects
2013/05/17 16:25:52 kid1| Target number of buckets: 31
2013/05/17 16:25:52 kid1| Using 8192 Store buckets
2013/05/17 16:25:52 kid1| Max Mem  size: 8192 KB
2013/05/17 16:25:52 kid1| Max Swap size: 0 KB
2013/05/17 16:25:52 kid1| Using Least Load store dir selection
2013/05/17 16:25:52 kid1| Current Directory is /usr/local/www
2013/05/17 16:25:52 kid1| Loaded Icons.
2013/05/17 16:25:52 kid1| HTCP Disabled.
2013/05/17 16:25:52 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2013/05/17 16:25:52 kid1| Pinger socket opened on FD 32
2013/05/17 16:25:52 kid1| Squid plugin modules loaded: 0
2013/05/17 16:25:52 kid1| Adaptation support is off.
2013/05/17 16:25:52 kid1| Accepting SSL bumped HTTP Socket connections at local=192.168.x.4:3128 remote=[::] FD 28 flags=9
2013/05/17 16:25:52 kid1| Accepting SSL bumped HTTP Socket connections at local=127.0.0.1:3128 remote=[::] FD 29 flags=9
2013/05/17 16:25:52 kid1| Accepting ICP messages on [::]:7
2013/05/17 16:25:52 kid1| Sending ICP messages from [::]:7
2013/05/17 16:25:52| pinger: Initialising ICMP pinger ...
2013/05/17 16:25:52| pinger: ICMP socket opened.
2013/05/17 16:25:52| pinger: ICMPv6 socket opened
2013/05/17 16:25:53 kid1| storeLateRelease: released 0 objects
FATAL: Received Segment Violation...dying.
2013/05/17 16:26:01 kid1| Closing HTTP port 192.168.x.4:3128
2013/05/17 16:26:01 kid1| Closing HTTP port 127.0.0.1:3128
2013/05/17 16:26:01 kid1| Stop receiving ICP on [::]:7
2013/05/17 16:26:01 kid1| Stop sending ICP from [::]:7
2013/05/17 16:26:01 kid1| storeDirWriteCleanLogs: Starting...
2013/05/17 16:26:01 kid1|   Finished.  Wrote 0 entries.
2013/05/17 16:26:01 kid1|   Took 0.00 seconds (  0.00 entries/sec).
CPU Usage: 0.116 seconds = 0.116 user + 0.000 sys
Maximum Resident Size: 63296 KB
Page faults with physical i/o: 0

1368800710.702    143 192.168.x.66 NONE/200 0 CONNECT www.google.de:443 - HIER_DIRECT/173.194.47.88 -
1368800710.964    105 192.168.x.66 TCP_MISS/200 28891 GET https://www.google.de/ - PINNED/2a00:1450:4013:c01::5e text/html
1368800711.282     36 192.168.x.66 TCP_MISS/304 265 GET https://www.google.de/images/icons/product/chrome-48.png - PINNED/2a00:1450:4013:c01::5e -
1368800711.401    105 192.168.x.66 NONE/200 0 CONNECT www.google.de:443 - HIER_DIRECT/173.194.47.88 -
1368800720.299    109 192.168.x.66 NONE/200 0 CONNECT www.google.de:443 - HIER_DIRECT/173.194.47.95 -
1368800720.302    107 192.168.x.66 NONE/200 0 CONNECT www.google.de:443 - HIER_DIRECT/173.194.47.95 -
1368800720.477     42 192.168.x.66 TCP_MISS/302 630 GET https://www.google.de/search? - PINNED/2a00:1450:4013:c01::5e text/html
1368800720.596     73 192.168.x.66 NONE/200 0 CONNECT ssl.gstatic.com:443 - HIER_DIRECT/173.194.113.15 -
1368800720.625    106 192.168.x.66 NONE/200 0 CONNECT www.google.de:443 - HIER_DIRECT/173.194.47.95 -
1368800729.866    109 192.168.x.66 NONE/200 0 CONNECT www.google.com:443 - HIER_DIRECT/173.194.47.82 -
1368800730.228    203 192.168.x.66 TCP_MISS/302 359 GET https://www.google.com/doodles - PINNED/2a00:1450:4016:800::1012 text/html
1368800730.446    161 192.168.x.66 TCP_MISS/200 1895 GET https://www.google.com/doodles/finder - PINNED/2a00:1450:4016:800::1012 text/html
1368800730.580     71 192.168.x.66 TCP_MISS/200 11722 GET https://www.google.com/doodles/css/allstyles.css - PINNED/2a00:1450:4016:800::1012 text/css
1368800730.664     98 192.168.x.66 NONE/200 0 CONNECT www.gstatic.com:443 - HIER_DIRECT/173.194.113.15 -
1368800730.671    110 192.168.x.66 NONE/200 0 CONNECT www.google.com:443 - HIER_DIRECT/173.194.47.82 -
1368800735.437    505 192.168.x.66 NONE/200 0 CONNECT iecvlist.microsoft.com:443 - HIER_DIRECT/94.245.70.66 -
1368800735.667     73 192.168.x.66 TCP_MISS/200 23830 GET https://iecvlist.microsoft.com/IE10/1152921505002013023/iecompatviewlist.xml - PINNED/94.245.70.66 text/xml
1368800739.874     73 192.168.x.66 NONE/200 0 CONNECT www.gstatic.com:443 - HIER_DIRECT/173.194.113.15 -
1368800739.878    109 192.168.x.66 NONE/200 0 CONNECT www.google.com:443 - HIER_DIRECT/173.194.47.81 -
1368800739.898    107 192.168.x.66 NONE/200 0 CONNECT www.google.com:443 - HIER_DIRECT/173.194.47.81 -
1368800749.090     72 192.168.x.66 NONE/200 0 CONNECT www.gstatic.com:443 - HIER_DIRECT/173.194.113.15 -
1368800749.111    108 192.168.x.66 NONE/200 0 CONNECT www.google.com:443 - HIER_DIRECT/173.194.47.83 -
1368800749.128    104 192.168.x.66 NONE/200 0 CONNECT www.google.com:443 - HIER_DIRECT/173.194.47.83 -
1368800761.094     72 192.168.x.66 NONE/200 0 CONNECT ssl.google-analytics.com:443 - HIER_DIRECT/173.194.112.126 -
1368800761.138    108 192.168.x.66 NONE/200 0 CONNECT www.google.com:443 - HIER_DIRECT/173.194.47.80 -
1368800761.296     48 192.168.x.66 TCP_MISS/200 16281 GET https://ssl.google-analytics.com/ga.js - PINNED/2a00:1450:4001:803::101e text/javascript
1368800761.599     26 192.168.x.66 TCP_MISS/200 506 GET https://ssl.google-analytics.com/__utm.gif? - PINNED/2a00:1450:4001:803::101e image/gif
1368800761.786    103 192.168.x.66 NONE/200 0 CONNECT www.google.com:443 - HIER_DIRECT/173.194.47.80 -

One request, could the "common" log format be avilable as an option? It's much easier to read. It would require something like this:


access_log daemon:/var/squid/logs/access.log common

marcelloc

@athurdent:

Gave SSL filtering a new shot with the new package version, also updated the pfSense 2.1 beta to the lastest.

I've pushed to my repo a squid version that is working with 2.0.x (squid-3.3.4_1)

@athurdent:

Squid picks my Test CAs cert and starts fine with that. Had to turn off remot certificate verification, otherwise I could not use it at all for SSL.

Next pbi build will include ca_root_certificates

@athurdent:

Now it works for a minute, very slow and then dies. Here's are the logs. I have an IPv6-enabled network, but the test KVM I use is only configured for IPv4. But those PINNED entries seem to try IPv6…

Can you test it on 2.0.x too? My tests result is a fast reply with or without ssl filtering.

@athurdent:

One request, could the "common" log format be avilable as an option? It's much easier to read. It would require something like this:

access_log daemon:/var/squid/logs/access.log common

I'll check it.

athurdent

I only have 2.1 installs, would have to setup a new test KVM for that. I'll see what I can do, might take some time though as I am a little busy for the next days, sorry.

wheelz

@marcelloc:

I've pushed to my repo a squid version that is working with 2.0.x (squid-3.3.4_1)

…

Can you test it on 2.0.x too? My tests result is a fast reply with or without ssl filtering.

I'd like to test on 2.0.3 but I'm not sure how I get it from your repo….

marcelloc

@wheelz:

I'd like to test on 2.0.3 but I'm not sure how I get it from your repo….

on console/ssh, remove squid package using pkg_delete and then install squid using

amd64
pkg_add -rf http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.4_1.tbz

i386
pkg_add -rf http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.4_1.tbz

check if there is no missing libs using squid -v

Then save config on gui and start tests.

markuhde

For some reason I thought 3.3 would add a way to do load balancing (I never could get Squid to work on multi-WAN). It looks like that wild thought was wrong? I can't find any way to do load balancing that's any different from the (broken) tutorials posted? I wish I could run Squid but I NEED to load-balance two DSL lines. Thanks!

P.S. I decided to mess with it anyways. I can't get it to start. I copyed the libs and now I get this when I try to start squid:

[2.1-BETA1][admin@fire.glaciercamp]/root(1): squid -v
/libexec/ld-elf.so.1: /usr/local/lib/libgssapi.so.10: unsupported file layout

athurdent

Hi, I wasn't able to setup a 2.0.x system, but I gave my 2.1 KVM IPv6 connectivity. Tailing squid cache.log and access.log simultaneuosly shows that squid dies and restarts after every request, even HTTP-only.
Either my system needs a complete reinstall and is damaged somehow, or this may help:
http://www.comfsm.fm/computing/squid/FAQ-11.html#ss11.48

Edit: Reinstalled and used amd64 now, still crashes at the first request as soon as I turn on SSL intercept.

marcelloc

@markuhde:

[2.1-BETA1][admin@fire.glaciercamp]/root(1): squid -v
/libexec/ld-elf.so.1: /usr/local/lib/libgssapi.so.10: unsupported file layout

You copied libs from wrong arch. I386 libs on amd64 or amd64 libs on i386 system.

marcelloc

@athurdent:

Edit: Reinstalled and used amd64 now, still crashes at the first request as soon as I turn on SSL intercept.

What you get with squid -v on console?
And with openssl version?

markuhde

@marcelloc:

@markuhde:

[2.1-BETA1][admin@fire.glaciercamp]/root(1): squid -v
/libexec/ld-elf.so.1: /usr/local/lib/libgssapi.so.10: unsupported file layout

You copied libs from wrong arch. I386 libs on amd64 or amd64 libs on i386 system.

Ooh you're right I did I forgot that system is i386! Thanks!

quetzalcoatl

@markuhde:

For some reason I thought 3.3 would add a way to do load balancing (I never could get Squid to work on multi-WAN). It looks like that wild thought was wrong? I can't find any way to do load balancing that's any different from the (broken) tutorials posted? I wish I could run Squid but I NEED to load-balance two DSL lines. Thanks!

P.S. I decided to mess with it anyways. I can't get it to start. I copied the libs and now I get this when I try to start squid:

[2.1-BETA1][admin@fire.glaciercamp]/root(1): squid -v
/libexec/ld-elf.so.1: /usr/local/lib/libgssapi.so.10: unsupported file layout

I actually was able to make squid run with load balancing and you need to turn on some weird settings otherwise only one WAN will be used by squid.
I no longer do load balancing but i suggest you to do as following as it always works getting squid caching + load balancing:

Use a machine with pfsense to do load balancing with 2 or more WANs and 1 LAN output and all WITHOUT SQUID. This will be machine (A)
Then use a secondary machine(B), real or virtual that will connect the wan coming from the LAN of machine (A).
This (B) machine will be a dedicated squid pfsense machine that will do caching and everything and all users will be connected to machine (B) LAN.
The (A) machine, the one that does load balancing, does not need much HDD and RAM. 1GB of RAM and 10GB of HDD should be enough.
The (B) machine, that does squid caching works, in my case with 8GB of RAM, 100GB HDD and 50GB reserved for Disk Caching.

This is an easy and rock solid configuration.
Since i don't have the money to buy more computers I used to do all this with virtual machines.

quetzalcoatl

After ading the missing library files and setting everything up, the squid service starts and stays up and running but no caching is being done.

I always measure byte hit ration dividing LAN output by WAN input in megabytes or gigabytes and i get the Byte Hit Ratio %

I usually get from 4% to 20% but since i installed squid 3.3.4 i could never get any hit.

I noticed also that since yesterday I'm actually getting more data from the WAN input than the data is being sent to LAN.

It looks like incomplete downloads are getting fully downloaded but not stored in cache, and if stored in cache, not served to LAN from cache.

These following lines are my aggressive custom config, maybe someone can improve it.
Anyways with or without this custom options I'm never getting cache hits.
I know that some of those options are already included into the GUI but i added them into the custom config section as well just in case i forget to set them from the GUI.
Help me improve that please! Looking forward for the most efficient and aggressive squid caching.

refresh_pattern -i .$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http:// 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://- 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://-.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://-.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://. 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.-* 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.-.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.-.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..* 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..- 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..-.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..-.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://... 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://...-* 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://...-.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://...-.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://....* 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://....- 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://....com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://....net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://...com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://...net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..co.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..org 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.co.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.gg.in.th 99999 100% 99999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.org 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www.....com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www.....net 99999 100% 99999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www....com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www....net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www...co.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www...com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www...in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www...net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www...org 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www..co.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www..com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www..in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www..net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www..org 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^https://.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^https://.in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^https://www..com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^https://www.*.in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(3g2|3gp|asf|asx|avi|divx|flv|iff|ifo|m3u|m4a|m4v|mov|mpa|mpeg|mpe|qt|qtm|viv|mpg|ogg|rm|rmvb|scr|swf|vob|wmv|x-flv|xvid)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(aif|aiff|amr|cda|mid|wav|wma|midi|au|ram|ra|snd|mp2|mp3|mp4)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(3dm|ai|ani|art|bmp|cdr|cdt|cmf|cur|drw|dwg|dxf|eps|eps2|gif|icl|icm|ico|indd|jpeg|jpg|jpe|max|pct|pcx|png)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(ps|psd|psp|qxd|qxp|rels|svg|tga|thm|tif|tiff|wmf|wrl|xbm|xcf|xif|yuv|pnm|pbm|pgm|ppm|rgb|xpm|xwd|pic|pict)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(accdb|bfc|cbr|chm|csv|db|dbf|doc|docx|dot|hlp|kml|Kmz|lab|log|mdb|msg|odt|ost|pages|pdb|pdf|pps|txt|ppt|pptx|pst|pub|rtf|wpd|wps|wri|xlr|xls|xlsx|xlt)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(app|bat|cmd|com|exe|gadget|msi|pif|vb|wsf|torrent)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(8bi|bin|cat|cpl|dbx|dll|drv|gam|hex|hqx|lnk|nes|plugin|reg|rom|sav|sys|xll)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(arj|sit|zip|rar|rgz|psf|lzh|lha|cab|tar|tgz|gz|Z|wp|wp5|7z|pkg|rpm|sea|sitx|tar.gz|zipx|prn|srf|tex|latax|gpf|upd|jar|bz2|gzip|ace|kf|a[0-9][0-9]|r[0-9][0-9])$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(fnt|fon|otf|ttf)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(dmg|iso|toast|vcd)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(api|bas|c|cbl|class|cpp|cs|dtd|fla|java|m|pl|py|vbx)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(bak|bup|cdl|cfg|dat|deb|dss|dvf|efx|emf|eml|gho|gpx|ini|key|keychain|m4b|m4p|mcd|mim|mswmm|ori|prf|ptb|qbb|qbw|raw|sdf|ses|sql|ss|tmp|uue|uxx|vcf|xml|xsl|xtm)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(ht|htm|html|shtml|xhtml|css|js|jsp|asp|cer|cgi|csr|part|php|phtml|rss)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern ^gopher: 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern ^ftp: 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern . 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i (/cgi-bin/|?)$ 0 0% 0
tcp_outgoing_address 127.0.0.1
max_filedescriptors 65536
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 0
ie_refresh off
client_db off
range_offset_limit 0
reload_into_ims on
retry_on_error on
via off
cache allow all
refresh_all_ims on
half_closed_clients off
vary_ignore_expire on
strip_query_terms on
server_persistent_connections on
ipcache_size 16384
fqdncache_size 16384
log_fqdn off
positive_dns_ttl 999 hours
negative_dns_ttl 999 hours
negative_ttl 999 hours
dns_v4_first on
pipeline_prefetch on
maximum_object_size_in_memory 8 MB

Fehler20

What do you want to do exactly? Because if this Cache rules should work, you nearly block all dynamic content (included google etc.).

I've selected cache dynamic content and use some custom pattern to cache exe, gif, png etc. (those content does normally not change often without changing URL). I use slightly different override options:

override-expire ignore-must-revalidate ignore-no-cache ignore-no-store ignore-private

(ignore-no-cache should not be noticed anymore but it doesn't create any error)

I get hit rates about 20%

Moreover there seems to be a problem, if Minimum Disk Cache Size is not set to 0. In that case no caching happens to me.

Maybe you should change your cache-time, too: http://www.squid-cache.org/mail-archive/squid-users/201211/0279.html

athurdent

@marcelloc:

@athurdent:

Edit: Reinstalled and used amd64 now, still crashes at the first request as soon as I turn on SSL intercept.

What you get with squid -v on console?
And with openssl version?

[2.1-BETA1][root@pfsense-kvm.local-lan]/root(1): squid -v
Squid Cache: Version 3.3.4
configure options:  '--with-default-user=squid' '--bindir=/usr/pbi/squid-amd64/sbin' '--sbindir=/usr/pbi/squid-amd64/sbin' '--datadir=/usr/pbi/squid-amd64/etc/squid' '--libexecdir=/usr/pbi/squid-amd64/libexec/squid' '--localstatedir=/var/squid' '--sysconfdir=/usr/pbi/squid-amd64/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS  fake getpwnam LDAP SASL NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=diskd rock ufs aufs' '--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-delay-pools' '--enable-ssl' '--with-openssl=/usr' '--enable-ssl-crtd' '--enable-icmp' '--enable-htcp' '--disable-forw-via-db' '--enable-cache-digests' '--enable-wccp' '--enable-wccpv2' '--enable-eui' '--disable-ipfw-transparent' '--enable-pf-transparent' '--disable-ipf-transparent' '--enable-follow-x-forwarded-for' '--disable-ecap' '--enable-icap-client' '--disable-esi' '--enable-kqueue' '--with-large-files' '--prefix=/usr/pbi/squid-amd64' '--mandir=/usr/pbi/squid-amd64/man' '--infodir=/usr/pbi/squid-amd64/info/' '--build=amd64-portbld-freebsd8.3' 'build_alias=amd64-portbld-freebsd8.3' 'CC=cc' 'CFLAGS=-O2 -pipe -I/usr/pbi/squid-amd64/include -I/usr/pbi/squid-amd64/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/pbi/squid-amd64/lib -L/usr/pbi/squid-amd64/lib -pthread -Wl,-rpath=/usr/lib:/usr/pbi/squid-amd64/lib -L/usr/lib' 'CPPFLAGS=-I/usr/pbi/squid-amd64/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/pbi/squid-amd64/include -I/usr/pbi/squid-amd64/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'CPP=cpp' --enable-ltdl-convenience
[2.1-BETA1][root@pfsense-kvm.local-lan]/root(2): openssl version
OpenSSL 0.9.8y 5 Feb 2013

marcelloc

[quote]
OpenSSL 0.9.8y 5 Feb 2013
[/quote]

I'll try to push the fix I've applied to 2.0.x to freebsd ports.
My snapshot is older then yours. On mine, squid does not crash with openssl version(OpenSSL 0.9.8q 2 Dec 2010).