Squid 3.3.4 package for pfsense with ssl filtering

wheelz

@marcelloc:

I've pushed to my repo a squid version that is working with 2.0.x (squid-3.3.4_1)

…

Can you test it on 2.0.x too? My tests result is a fast reply with or without ssl filtering.

I'd like to test on 2.0.3 but I'm not sure how I get it from your repo….

marcelloc

@wheelz:

I'd like to test on 2.0.3 but I'm not sure how I get it from your repo….

on console/ssh, remove squid package using pkg_delete and then install squid using

amd64
pkg_add -rf http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.4_1.tbz

i386
pkg_add -rf http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.4_1.tbz

check if there is no missing libs using squid -v

Then save config on gui and start tests.

markuhde

For some reason I thought 3.3 would add a way to do load balancing (I never could get Squid to work on multi-WAN). It looks like that wild thought was wrong? I can't find any way to do load balancing that's any different from the (broken) tutorials posted? I wish I could run Squid but I NEED to load-balance two DSL lines. Thanks!

P.S. I decided to mess with it anyways. I can't get it to start. I copyed the libs and now I get this when I try to start squid:

[2.1-BETA1][admin@fire.glaciercamp]/root(1): squid -v
/libexec/ld-elf.so.1: /usr/local/lib/libgssapi.so.10: unsupported file layout

athurdent

Hi, I wasn't able to setup a 2.0.x system, but I gave my 2.1 KVM IPv6 connectivity. Tailing squid cache.log and access.log simultaneuosly shows that squid dies and restarts after every request, even HTTP-only.
Either my system needs a complete reinstall and is damaged somehow, or this may help:
http://www.comfsm.fm/computing/squid/FAQ-11.html#ss11.48

Edit: Reinstalled and used amd64 now, still crashes at the first request as soon as I turn on SSL intercept.

marcelloc

@markuhde:

[2.1-BETA1][admin@fire.glaciercamp]/root(1): squid -v
/libexec/ld-elf.so.1: /usr/local/lib/libgssapi.so.10: unsupported file layout

You copied libs from wrong arch. I386 libs on amd64 or amd64 libs on i386 system.

marcelloc

@athurdent:

Edit: Reinstalled and used amd64 now, still crashes at the first request as soon as I turn on SSL intercept.

What you get with squid -v on console?
And with openssl version?

markuhde

@marcelloc:

@markuhde:

[2.1-BETA1][admin@fire.glaciercamp]/root(1): squid -v
/libexec/ld-elf.so.1: /usr/local/lib/libgssapi.so.10: unsupported file layout

You copied libs from wrong arch. I386 libs on amd64 or amd64 libs on i386 system.

Ooh you're right I did I forgot that system is i386! Thanks!

quetzalcoatl

@markuhde:

For some reason I thought 3.3 would add a way to do load balancing (I never could get Squid to work on multi-WAN). It looks like that wild thought was wrong? I can't find any way to do load balancing that's any different from the (broken) tutorials posted? I wish I could run Squid but I NEED to load-balance two DSL lines. Thanks!

P.S. I decided to mess with it anyways. I can't get it to start. I copied the libs and now I get this when I try to start squid:

[2.1-BETA1][admin@fire.glaciercamp]/root(1): squid -v
/libexec/ld-elf.so.1: /usr/local/lib/libgssapi.so.10: unsupported file layout

I actually was able to make squid run with load balancing and you need to turn on some weird settings otherwise only one WAN will be used by squid.
I no longer do load balancing but i suggest you to do as following as it always works getting squid caching + load balancing:

Use a machine with pfsense to do load balancing with 2 or more WANs and 1 LAN output and all WITHOUT SQUID.  This will be machine (A)
Then use a secondary machine(B), real or virtual that will connect the wan coming from the LAN of machine (A).
This (B) machine will be a dedicated squid pfsense machine that will do caching and everything and all users will be connected to machine (B) LAN.
The (A) machine, the one that does load balancing, does not need much HDD and RAM. 1GB of RAM and 10GB of HDD should be enough.
The (B) machine, that does squid caching works, in my case with 8GB of RAM, 100GB HDD and 50GB reserved for Disk Caching.

This is an easy and rock solid configuration.
Since i don't have the money to buy more computers I used to do all this with virtual machines.

quetzalcoatl

After ading the missing library files and setting everything up, the squid service starts and stays up and running but no caching is being done.

I always measure byte hit ration dividing LAN output by WAN input in megabytes or gigabytes and i get the Byte Hit Ratio %

I usually get from 4% to 20% but since i installed squid 3.3.4 i could never get any hit.

I noticed also that since yesterday I'm actually getting more data from the WAN input than the data is being sent to LAN.

It looks like incomplete downloads are getting fully downloaded but not stored in cache, and if stored in cache, not served to LAN from cache.

These following lines are my aggressive custom config, maybe someone can improve it.
Anyways with or without this custom options I'm never getting cache hits.
I know that some of those options are already included into the GUI but i added them into the custom config section as well just in case i forget to set them from the GUI.
Help me improve that please! Looking forward for the most efficient and aggressive squid caching.

refresh_pattern -i .$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http:// 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://- 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://-.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://-.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://. 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.-* 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.-.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.-.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..* 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..- 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..-.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..-.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://... 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://...-* 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://...-.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://...-.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://....* 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://....- 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://....com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://....net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://...com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://...net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..co.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://..org 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.co.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.gg.in.th 99999 100% 99999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://.org 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www.....com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www.....net 99999 100% 99999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www....com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www....net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www...co.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www...com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www...in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www...net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www...org 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www..co.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www..com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www..in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www..net 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^http://www..org 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^https://.com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^https://.in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^https://www..com 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i ^https://www.*.in.th 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(3g2|3gp|asf|asx|avi|divx|flv|iff|ifo|m3u|m4a|m4v|mov|mpa|mpeg|mpe|qt|qtm|viv|mpg|ogg|rm|rmvb|scr|swf|vob|wmv|x-flv|xvid)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(aif|aiff|amr|cda|mid|wav|wma|midi|au|ram|ra|snd|mp2|mp3|mp4)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(3dm|ai|ani|art|bmp|cdr|cdt|cmf|cur|drw|dwg|dxf|eps|eps2|gif|icl|icm|ico|indd|jpeg|jpg|jpe|max|pct|pcx|png)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(ps|psd|psp|qxd|qxp|rels|svg|tga|thm|tif|tiff|wmf|wrl|xbm|xcf|xif|yuv|pnm|pbm|pgm|ppm|rgb|xpm|xwd|pic|pict)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(accdb|bfc|cbr|chm|csv|db|dbf|doc|docx|dot|hlp|kml|Kmz|lab|log|mdb|msg|odt|ost|pages|pdb|pdf|pps|txt|ppt|pptx|pst|pub|rtf|wpd|wps|wri|xlr|xls|xlsx|xlt)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(app|bat|cmd|com|exe|gadget|msi|pif|vb|wsf|torrent)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(8bi|bin|cat|cpl|dbx|dll|drv|gam|hex|hqx|lnk|nes|plugin|reg|rom|sav|sys|xll)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(arj|sit|zip|rar|rgz|psf|lzh|lha|cab|tar|tgz|gz|Z|wp|wp5|7z|pkg|rpm|sea|sitx|tar.gz|zipx|prn|srf|tex|latax|gpf|upd|jar|bz2|gzip|ace|kf|a[0-9][0-9]|r[0-9][0-9])$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(fnt|fon|otf|ttf)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(dmg|iso|toast|vcd)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(api|bas|c|cbl|class|cpp|cs|dtd|fla|java|m|pl|py|vbx)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(bak|bup|cdl|cfg|dat|deb|dss|dvf|efx|emf|eml|gho|gpx|ini|key|keychain|m4b|m4p|mcd|mim|mswmm|ori|prf|ptb|qbb|qbw|raw|sdf|ses|sql|ss|tmp|uue|uxx|vcf|xml|xsl|xtm)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i .(ht|htm|html|shtml|xhtml|css|js|jsp|asp|cer|cgi|csr|part|php|phtml|rss)$ 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern ^gopher: 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern ^ftp: 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern . 99999 100% 9999999 override-expire override-lastmod ignore-no-store ignore-reload ignore-private reload-into-ims refresh-ims store-stale
refresh_pattern -i (/cgi-bin/|?)$ 0 0% 0
tcp_outgoing_address 127.0.0.1
max_filedescriptors 65536
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 0
ie_refresh off
client_db off
range_offset_limit 0
reload_into_ims on
retry_on_error on
via off
cache allow all
refresh_all_ims on
half_closed_clients off
vary_ignore_expire on
strip_query_terms on
server_persistent_connections on
ipcache_size 16384
fqdncache_size 16384
log_fqdn off
positive_dns_ttl 999 hours
negative_dns_ttl 999 hours
negative_ttl 999 hours
dns_v4_first on
pipeline_prefetch on
maximum_object_size_in_memory 8 MB

Fehler20

What do you want to do exactly? Because if this Cache rules should work, you nearly block all dynamic content (included google etc.).

I've selected cache dynamic content and use some custom pattern to cache exe, gif, png etc. (those content does normally not change often without changing URL). I use slightly different override options:

override-expire ignore-must-revalidate ignore-no-cache ignore-no-store ignore-private

(ignore-no-cache should not be noticed anymore but it doesn't create any error)

I get hit rates about 20%

Moreover there seems to be a problem, if Minimum Disk Cache Size is not set to 0. In that case no caching happens to me.

Maybe you should change your cache-time, too: http://www.squid-cache.org/mail-archive/squid-users/201211/0279.html

athurdent

@marcelloc:

@athurdent:

Edit: Reinstalled and used amd64 now, still crashes at the first request as soon as I turn on SSL intercept.

What you get with squid -v on console?
And with openssl version?

[2.1-BETA1][root@pfsense-kvm.local-lan]/root(1): squid -v
Squid Cache: Version 3.3.4
configure options:  '--with-default-user=squid' '--bindir=/usr/pbi/squid-amd64/sbin' '--sbindir=/usr/pbi/squid-amd64/sbin' '--datadir=/usr/pbi/squid-amd64/etc/squid' '--libexecdir=/usr/pbi/squid-amd64/libexec/squid' '--localstatedir=/var/squid' '--sysconfdir=/usr/pbi/squid-amd64/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS  fake getpwnam LDAP SASL NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=diskd rock ufs aufs' '--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-delay-pools' '--enable-ssl' '--with-openssl=/usr' '--enable-ssl-crtd' '--enable-icmp' '--enable-htcp' '--disable-forw-via-db' '--enable-cache-digests' '--enable-wccp' '--enable-wccpv2' '--enable-eui' '--disable-ipfw-transparent' '--enable-pf-transparent' '--disable-ipf-transparent' '--enable-follow-x-forwarded-for' '--disable-ecap' '--enable-icap-client' '--disable-esi' '--enable-kqueue' '--with-large-files' '--prefix=/usr/pbi/squid-amd64' '--mandir=/usr/pbi/squid-amd64/man' '--infodir=/usr/pbi/squid-amd64/info/' '--build=amd64-portbld-freebsd8.3' 'build_alias=amd64-portbld-freebsd8.3' 'CC=cc' 'CFLAGS=-O2 -pipe -I/usr/pbi/squid-amd64/include -I/usr/pbi/squid-amd64/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/pbi/squid-amd64/lib -L/usr/pbi/squid-amd64/lib -pthread -Wl,-rpath=/usr/lib:/usr/pbi/squid-amd64/lib -L/usr/lib' 'CPPFLAGS=-I/usr/pbi/squid-amd64/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/pbi/squid-amd64/include -I/usr/pbi/squid-amd64/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'CPP=cpp' --enable-ltdl-convenience
[2.1-BETA1][root@pfsense-kvm.local-lan]/root(2): openssl version
OpenSSL 0.9.8y 5 Feb 2013

marcelloc

[quote]
OpenSSL 0.9.8y 5 Feb 2013
[/quote]

I'll try to push the fix I've applied to 2.0.x to freebsd ports.
My snapshot is older then yours. On mine, squid does not crash with openssl version(OpenSSL 0.9.8q 2 Dec 2010).

marcelloc

@marcelloc:

I'll try to push the fix I've applied to 2.0.x to freebsd ports.

Ports change request sent.

Since it's merged, I'll ask core team for another compile run.  :)

att,
Marcello Coutinho

quetzalcoatl

Squid no caching and getting more data in from WAN than what i get out of LAN (in interface statistics)

I download the missing files…
Then i install squid 3.3.4 dev
Then all in the GUI i just set resolve ipv4 first, enable transparent proxy, and set max object size in RAM 8192KB, Max RAM for squid 6000MB, max HDD 50GB max object size in disk 900MB, enable caching for dynamic stuff selecting youtube and windows updates and leave everything else as it is.
I don't even add any custom option.

and as soon as i start the squid service i start getting more data downloaded from WAN than what is served to LAN.

in fact:

interface statistics before starting squid service: WAN in: 2.12GB - LAN OUT 2.12GB
interface statistics after starting squid service: WAN in: 2.93GB - LAN OUT 2.59GB

I always got more LAN out than WAN in when Squid is caching properly.

I remember those manual settings that made me get more WAN in than LAN out:
quick_abort_min
quick_abort_max
quick_abort_pct

but even if i don't use them i get more WAN in than LAN out.

I even set them as:
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 0

but nothing improves.

I can roughly say that with squid 2.7(lusca) i was getting a 15% byte hit ratio, with squid 2.1 a 5% byte hit ratio, and with 3.3.4 0% hit ratio...or should i say -3% hit ratio? (note the negative value)

it looks that the newer the squid is, the less caching it does.........
i miss the good days when 100% of windows and office updates were downloaded from the squid cache at 100 megabit speeds!
at that time it took more to install updates than to download 1Gb of updates from pfsense. even with internet speeds of just 1 megabit!!!!!
i wonder where is going all this effort to update squid with these results..........or am i just doing massive configuration errors?

marcelloc

Disabling dynamic content option on gui and check if on log files you get only TCP_MISS or you start seeing some TCP_HIT.

quetzalcoatl

at last getting some hits.

I don't even know how to see squid logs, except than going to diagnostics, edit file, /var/squid/logs/cache.log but i don't see any miss/hit statistics there.

anyways as soon as i disabled dynamic caching the "LAN out" number is growing faster than "WAN in" in interface statistics.

So at last my squid cache is working.

Maybe i got confused because the previous squid 3.3.4 release was not caching for some reason even when dynamic content caching was off.

Thanks marcelloc

marcelloc

@quetzalcoatl:

I don't even know how to see squid logs

There is a realtime tab on gui.

You can also go via console/ssh and do a tail -f /var/squid/logs/access.log

quetzalcoatl

The only file i have in the "/var/squid/logs" folder is "cache.log"

Also if i go to the "real time" tab in the GUI i see this stuff:

---

Max lines: Max. lines to be displayed.
String filter:  Enter a grep like string/pattern to filterlog.
eg. username, ip addr, url.
Use ! to invert the sense of matching, to select non-matching lines.

Squid Logs
Date IP Status Address User Destination

SquidGuard Logs
Date-Time ACL Address Host User

---

but everything is empty and i see no data or statistics, just the section titles i just pasted here.

marcelloc

Did you enabled logging on squid GUI configuration?

Fehler20

I have to report another bug and a problem:

1.) If you enable transparent proxy an disable SSL-interception, transparent mode does not work. It seems that there is a problem with the intercept command with transparent connections at the config file. If you change from "192.168.x.x:8080 intercept" to "192.168.x.x:8080 transparent" everything is ok.

2.) If you enable the proxy for more than one interface only the first gets access to the internet. For every other interface, access is denied, regardless wether you define an acl or check the option "Allow users on interface".