• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Squid 3.3.4 package for pfsense with ssl filtering

Scheduled Pinned Locked Moved Cache/Proxy
305 Posts 72 Posters 301.7k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • W
    wheelz
    last edited by May 17, 2013, 6:15 PM

    @marcelloc:

    I've pushed to my repo a squid version that is working with 2.0.x (squid-3.3.4_1)

    …

    Can you test it on 2.0.x too? My tests result is a fast reply with or without ssl filtering.

    I'd like to test on 2.0.3 but I'm not sure how I get it from your repo….

    1 Reply Last reply Reply Quote 0
    • M
      marcelloc
      last edited by May 17, 2013, 6:31 PM

      @wheelz:

      I'd like to test on 2.0.3 but I'm not sure how I get it from your repo….

      on console/ssh, remove squid package using pkg_delete and then install squid using

      amd64
      pkg_add -rf http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.4_1.tbz

      i386
      pkg_add -rf http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.4_1.tbz

      check if there is no missing libs using squid -v

      Then save config on gui and start tests.

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

      1 Reply Last reply Reply Quote 0
      • M
        markuhde
        last edited by May 18, 2013, 7:59 AM May 18, 2013, 7:44 AM

        For some reason I thought 3.3 would add a way to do load balancing (I never could get Squid to work on multi-WAN). It looks like that wild thought was wrong? I can't find any way to do load balancing that's any different from the (broken) tutorials posted? I wish I could run Squid but I NEED to load-balance two DSL lines. Thanks!

        P.S. I decided to mess with it anyways. I can't get it to start. I copyed the libs and now I get this when I try to start squid:

        [2.1-BETA1][admin@fire.glaciercamp]/root(1): squid -v
        /libexec/ld-elf.so.1: /usr/local/lib/libgssapi.so.10: unsupported file layout

        1 Reply Last reply Reply Quote 0
        • A
          athurdent
          last edited by May 18, 2013, 9:46 AM May 18, 2013, 8:09 AM

          Hi, I wasn't able to setup a 2.0.x system, but I gave my 2.1 KVM IPv6 connectivity. Tailing squid cache.log and access.log simultaneuosly shows that squid dies and restarts after every request, even HTTP-only.
          Either my system needs a complete reinstall and is damaged somehow, or this may help:
          http://www.comfsm.fm/computing/squid/FAQ-11.html#ss11.48

          Edit: Reinstalled and used amd64 now, still crashes at the first request as soon as I turn on SSL intercept.

          1 Reply Last reply Reply Quote 0
          • M
            marcelloc
            last edited by May 18, 2013, 9:54 PM

            @markuhde:

            [2.1-BETA1][admin@fire.glaciercamp]/root(1): squid -v
            /libexec/ld-elf.so.1: /usr/local/lib/libgssapi.so.10: unsupported file layout

            You copied libs from wrong arch. I386 libs on amd64 or amd64 libs on i386 system.

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • M
              marcelloc
              last edited by May 18, 2013, 9:57 PM

              @athurdent:

              Edit: Reinstalled and used amd64 now, still crashes at the first request as soon as I turn on SSL intercept.

              What you get with squid -v on console?
              And with openssl version?

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

              1 Reply Last reply Reply Quote 0
              • M
                markuhde
                last edited by May 19, 2013, 1:37 AM

                @marcelloc:

                @markuhde:

                [2.1-BETA1][admin@fire.glaciercamp]/root(1): squid -v
                /libexec/ld-elf.so.1: /usr/local/lib/libgssapi.so.10: unsupported file layout

                You copied libs from wrong arch. I386 libs on amd64 or amd64 libs on i386 system.

                Ooh you're right I did I forgot that system is i386! Thanks!

                1 Reply Last reply Reply Quote 0
                • Q
                  quetzalcoatl
                  last edited by May 19, 2013, 2:34 AM

                  @markuhde:

                  For some reason I thought 3.3 would add a way to do load balancing (I never could get Squid to work on multi-WAN). It looks like that wild thought was wrong? I can't find any way to do load balancing that's any different from the (broken) tutorials posted? I wish I could run Squid but I NEED to load-balance two DSL lines. Thanks!

                  P.S. I decided to mess with it anyways. I can't get it to start. I copied the libs and now I get this when I try to start squid:

                  [2.1-BETA1][admin@fire.glaciercamp]/root(1): squid -v
                  /libexec/ld-elf.so.1: /usr/local/lib/libgssapi.so.10: unsupported file layout

                  I actually was able to make squid run with load balancing and you need to turn on some weird settings otherwise only one WAN will be used by squid.
                  I no longer do load balancing but i suggest you to do as following as it always works getting squid caching + load balancing:

                  Use a machine with pfsense to do load balancing with 2 or more WANs and 1 LAN output and all WITHOUT SQUID.  This will be machine (A)
                  Then use a secondary machine(B), real or virtual that will connect the wan coming from the LAN of machine (A).
                  This (B) machine will be a dedicated squid pfsense machine that will do caching and everything and all users will be connected to machine (B) LAN.
                  The (A) machine, the one that does load balancing, does not need much HDD and RAM. 1GB of RAM and 10GB of HDD should be enough.
                  The (B) machine, that does squid caching works, in my case with 8GB of RAM, 100GB HDD and 50GB reserved for Disk Caching.

                  This is an easy and rock solid configuration.
                  Since i don't have the money to buy more computers I used to do all this with virtual machines.

                  1 Reply Last reply Reply Quote 0
                  • Q
                    quetzalcoatl
                    last edited by May 19, 2013, 3:01 PM

                    After ading the missing library files and setting everything up, the squid service starts and stays up and running but no caching is being done.

                    I always measure byte hit ration dividing LAN output by WAN input in megabytes or gigabytes and i get the Byte Hit Ratio %

                    I usually get from 4% to 20% but since i installed squid 3.3.4 i could never get any hit.

                    I noticed also that since yesterday I'm actually getting more data from the WAN input than the data is being sent to LAN.

                    It looks like incomplete downloads are getting fully downloaded but not stored in cache, and if stored in cache, not served to LAN from cache.

                    These following lines are my aggressive custom config, maybe someone can improve it.
                    Anyways with or without this custom options I'm never getting cache hits.
                    I know that some of those options are already included into the GUI but i added them into the custom config section as well just in case i forget to set them from the GUI.
                    Help me improve that please! Looking forward for the most efficient and aggressive squid caching.

                    refresh_pattern -i .$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://
                    99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://- 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://-.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://-.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://. 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://.-* 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://.-.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://
                    .-.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://..* 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://..- 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://..-.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://..-.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://... 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://...-* 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://...-.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://
                    ...-.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://....* 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://....- 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://....com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://....net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://...com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://
                    ...net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://..co.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://..com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://..in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://..net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://..org 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://.co.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://
                    .com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://.gg.in.th 99999 100% 99999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://
                    .in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://
                    .org 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www.....com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www.....net 99999 100% 99999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www....com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www.
                    ...net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www...co.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www...com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www...in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www...net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www...org 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www..co.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www.
                    .com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www..in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www.
                    .net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^http://www..org 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^https://
                    .com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^https://.in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^https://www.
                    .com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i ^https://www.*.in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i .(3g2|3gp|asf|asx|avi|divx|flv|iff|ifo|m3u|m4a|m4v|mov|mpa|mpeg|mpe|qt|qtm|viv|mpg|ogg|rm|rmvb|scr|swf|vob|wmv|x-flv|xvid)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i .(aif|aiff|amr|cda|mid|wav|wma|midi|au|ram|ra|snd|mp2|mp3|mp4)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i .(3dm|ai|ani|art|bmp|cdr|cdt|cmf|cur|drw|dwg|dxf|eps|eps2|gif|icl|icm|ico|indd|jpeg|jpg|jpe|max|pct|pcx|png)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i .(ps|psd|psp|qxd|qxp|rels|svg|tga|thm|tif|tiff|wmf|wrl|xbm|xcf|xif|yuv|pnm|pbm|pgm|ppm|rgb|xpm|xwd|pic|pict)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i .(accdb|bfc|cbr|chm|csv|db|dbf|doc|docx|dot|hlp|kml|Kmz|lab|log|mdb|msg|odt|ost|pages|pdb|pdf|pps|txt|ppt|pptx|pst|pub|rtf|wpd|wps|wri|xlr|xls|xlsx|xlt)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i .(app|bat|cmd|com|exe|gadget|msi|pif|vb|wsf|torrent)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i .(8bi|bin|cat|cpl|dbx|dll|drv|gam|hex|hqx|lnk|nes|plugin|reg|rom|sav|sys|xll)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i .(arj|sit|zip|rar|rgz|psf|lzh|lha|cab|tar|tgz|gz|Z|wp|wp5|7z|pkg|rpm|sea|sitx|tar.gz|zipx|prn|srf|tex|latax|gpf|upd|jar|bz2|gzip|ace|kf|a[0-9][0-9]|r[0-9][0-9])$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i .(fnt|fon|otf|ttf)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i .(dmg|iso|toast|vcd)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i .(api|bas|c|cbl|class|cpp|cs|dtd|fla|java|m|pl|py|vbx)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i .(bak|bup|cdl|cfg|dat|deb|dss|dvf|efx|emf|eml|gho|gpx|ini|key|keychain|m4b|m4p|mcd|mim|mswmm|ori|prf|ptb|qbb|qbw|raw|sdf|ses|sql|ss|tmp|uue|uxx|vcf|xml|xsl|xtm)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i .(ht|htm|html|shtml|xhtml|css|js|jsp|asp|cer|cgi|csr|part|php|phtml|rss)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern ^gopher: 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern ^ftp: 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern . 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
                    refresh_pattern -i (/cgi-bin/|?)$ 0 0% 0
                    tcp_outgoing_address 127.0.0.1
                    max_filedescriptors 65536
                    quick_abort_min 0 KB
                    quick_abort_max 0 KB
                    quick_abort_pct 0
                    ie_refresh off
                    client_db off
                    range_offset_limit 0
                    reload_into_ims on
                    retry_on_error on
                    via off
                    cache allow all
                    refresh_all_ims on
                    half_closed_clients off
                    vary_ignore_expire on
                    strip_query_terms on
                    server_persistent_connections on
                    ipcache_size 16384
                    fqdncache_size 16384
                    log_fqdn off
                    positive_dns_ttl 999 hours
                    negative_dns_ttl 999 hours
                    negative_ttl 999 hours
                    dns_v4_first on
                    pipeline_prefetch on
                    maximum_object_size_in_memory 8 MB

                    1 Reply Last reply Reply Quote 0
                    • F
                      Fehler20
                      last edited by May 19, 2013, 9:17 PM May 19, 2013, 9:12 PM

                      What do you want to do exactly? Because if this Cache rules should work, you nearly block all dynamic content (included google etc.).

                      I've selected cache dynamic content and use some custom pattern to cache exe, gif, png etc. (those content does normally not change often without changing URL). I use slightly different override options:

                      override-expire ignore-must-revalidate ignore-no-cache ignore-no-store ignore-private

                      (ignore-no-cache should not be noticed anymore but it doesn't create any error)

                      I get hit rates about 20%

                      Moreover there seems to be a problem, if Minimum Disk Cache Size is not set to 0. In that case no caching happens to me.

                      Maybe you should change your cache-time, too: http://www.squid-cache.org/mail-archive/squid-users/201211/0279.html

                      1 Reply Last reply Reply Quote 0
                      • A
                        athurdent
                        last edited by May 20, 2013, 6:28 AM

                        @marcelloc:

                        @athurdent:

                        Edit: Reinstalled and used amd64 now, still crashes at the first request as soon as I turn on SSL intercept.

                        What you get with squid -v on console?
                        And with openssl version?

                        [2.1-BETA1][root@pfsense-kvm.local-lan]/root(1): squid -v
                        Squid Cache: Version 3.3.4
                        configure options:  '--with-default-user=squid' '--bindir=/usr/pbi/squid-amd64/sbin' '--sbindir=/usr/pbi/squid-amd64/sbin' '--datadir=/usr/pbi/squid-amd64/etc/squid' '--libexecdir=/usr/pbi/squid-amd64/libexec/squid' '--localstatedir=/var/squid' '--sysconfdir=/usr/pbi/squid-amd64/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS  fake getpwnam LDAP SASL NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=diskd rock ufs aufs' '--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-delay-pools' '--enable-ssl' '--with-openssl=/usr' '--enable-ssl-crtd' '--enable-icmp' '--enable-htcp' '--disable-forw-via-db' '--enable-cache-digests' '--enable-wccp' '--enable-wccpv2' '--enable-eui' '--disable-ipfw-transparent' '--enable-pf-transparent' '--disable-ipf-transparent' '--enable-follow-x-forwarded-for' '--disable-ecap' '--enable-icap-client' '--disable-esi' '--enable-kqueue' '--with-large-files' '--prefix=/usr/pbi/squid-amd64' '--mandir=/usr/pbi/squid-amd64/man' '--infodir=/usr/pbi/squid-amd64/info/' '--build=amd64-portbld-freebsd8.3' 'build_alias=amd64-portbld-freebsd8.3' 'CC=cc' 'CFLAGS=-O2 -pipe -I/usr/pbi/squid-amd64/include -I/usr/pbi/squid-amd64/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/pbi/squid-amd64/lib -L/usr/pbi/squid-amd64/lib -pthread -Wl,-rpath=/usr/lib:/usr/pbi/squid-amd64/lib -L/usr/lib' 'CPPFLAGS=-I/usr/pbi/squid-amd64/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/pbi/squid-amd64/include -I/usr/pbi/squid-amd64/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'CPP=cpp' --enable-ltdl-convenience
                        [2.1-BETA1][root@pfsense-kvm.local-lan]/root(2): openssl version
                        OpenSSL 0.9.8y 5 Feb 2013
                        
                        1 Reply Last reply Reply Quote 0
                        • M
                          marcelloc
                          last edited by May 20, 2013, 1:41 PM

                          [quote]
                          OpenSSL 0.9.8y 5 Feb 2013
                          [/quote]
                          
                          I'll try to push the fix I've applied to 2.0.x to freebsd ports.
                          My snapshot is older then yours. On mine, squid does not crash with openssl version(OpenSSL 0.9.8q 2 Dec 2010).
                          
                          

                          Treinamentos de Elite: http://sys-squad.com

                          Help a community developer! ;D

                          1 Reply Last reply Reply Quote 0
                          • M
                            marcelloc
                            last edited by May 20, 2013, 2:36 PM May 20, 2013, 2:30 PM

                            @marcelloc:

                            I'll try to push the fix I've applied to 2.0.x to freebsd ports.

                            Ports change request sent.

                            Since it's merged, I'll ask core team for another compile run.  :)

                            att,
                            Marcello Coutinho

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            1 Reply Last reply Reply Quote 0
                            • Q
                              quetzalcoatl
                              last edited by May 24, 2013, 1:48 PM May 24, 2013, 1:42 PM

                              Squid no caching and getting more data in from WAN than what i get out of LAN (in interface statistics)

                              I download the missing files…
                              Then i install squid 3.3.4 dev
                              Then all in the GUI i just set resolve ipv4 first, enable transparent proxy, and set max object size in RAM 8192KB, Max RAM for squid 6000MB, max HDD 50GB max object size in disk 900MB, enable caching for dynamic stuff selecting youtube and windows updates and leave everything else as it is.
                              I don't even add any custom option.

                              and as soon as i start the squid service i start getting more data downloaded from WAN than what is served to LAN.

                              in fact:

                              interface statistics before starting squid service: WAN in: 2.12GB - LAN OUT 2.12GB
                              interface statistics after starting squid service: WAN in: 2.93GB - LAN OUT 2.59GB

                              I always got more LAN out than WAN in when Squid is caching properly.

                              I remember those manual settings that made me get more WAN in than LAN out:
                              quick_abort_min
                              quick_abort_max
                              quick_abort_pct

                              but even if i don't use them i get more WAN in than LAN out.

                              I even set them as:
                              quick_abort_min 0 KB
                              quick_abort_max 0 KB
                              quick_abort_pct 0

                              but nothing improves.

                              I can roughly say that with squid 2.7(lusca) i was getting a 15% byte hit ratio, with squid 2.1 a 5% byte hit ratio, and with 3.3.4 0% hit ratio...or should i say -3% hit ratio? (note the negative value)

                              it looks that the newer the squid is, the less caching it does.........
                              i miss the good days when 100% of windows and office updates were downloaded from the squid cache at 100 megabit speeds!
                              at that time it took more to install updates than to download 1Gb of updates from pfsense. even with internet speeds of just 1 megabit!!!!!
                              i wonder where is going all this effort to update squid with these results..........or am i just doing massive configuration errors?

                              1 Reply Last reply Reply Quote 0
                              • M
                                marcelloc
                                last edited by May 24, 2013, 2:01 PM

                                Disabling dynamic content option on gui and check if on log files you get only TCP_MISS or you start seeing some TCP_HIT.

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                1 Reply Last reply Reply Quote 0
                                • Q
                                  quetzalcoatl
                                  last edited by May 24, 2013, 7:42 PM

                                  at last getting some hits.

                                  I don't even know how to see squid logs, except than going to diagnostics, edit file, /var/squid/logs/cache.log but i don't see any miss/hit statistics there.

                                  anyways as soon as i disabled dynamic caching the "LAN out" number is growing faster than "WAN in" in interface statistics.

                                  So at last my squid cache is working.

                                  Maybe i got confused because the previous squid 3.3.4 release was not caching for some reason even when dynamic content caching was off.

                                  Thanks marcelloc

                                  1 Reply Last reply Reply Quote 0
                                  • M
                                    marcelloc
                                    last edited by May 24, 2013, 11:04 PM

                                    @quetzalcoatl:

                                    I don't even know how to see squid logs

                                    There is a realtime tab on gui.

                                    You can also go via console/ssh and do a tail -f /var/squid/logs/access.log

                                    Treinamentos de Elite: http://sys-squad.com

                                    Help a community developer! ;D

                                    1 Reply Last reply Reply Quote 0
                                    • Q
                                      quetzalcoatl
                                      last edited by May 25, 2013, 12:55 AM

                                      The only file i have in the "/var/squid/logs" folder is "cache.log"

                                      Also if i go to the "real time" tab in the GUI i see this stuff:


                                      Max lines: Max. lines to be displayed.
                                      String filter:  Enter a grep like string/pattern to filterlog.
                                      eg. username, ip addr, url.
                                      Use ! to invert the sense of matching, to select non-matching lines.

                                      Squid Logs
                                      Date IP Status Address User Destination

                                      SquidGuard Logs
                                      Date-Time ACL Address Host User


                                      but everything is empty and i see no data or statistics, just the section titles i just pasted here.

                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        marcelloc
                                        last edited by May 26, 2013, 12:52 PM

                                        Did you enabled logging on squid GUI configuration?

                                        Treinamentos de Elite: http://sys-squad.com

                                        Help a community developer! ;D

                                        1 Reply Last reply Reply Quote 0
                                        • F
                                          Fehler20
                                          last edited by May 26, 2013, 7:22 PM

                                          I have to report another bug and a problem:

                                          1.) If you enable transparent proxy an disable SSL-interception, transparent mode does not work. It seems that there is a problem with the intercept command with transparent connections at the config file. If you change from "192.168.x.x:8080 intercept" to "192.168.x.x:8080 transparent" everything is ok.

                                          2.) If you enable the proxy for more than one interface only the first gets access to the internet. For every other interface, access is denied, regardless wether you define an acl or check the option "Allow users on interface".

                                          1 Reply Last reply Reply Quote 0
                                          66 out of 305
                                          • First post
                                            66/305
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received