Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid 3.3.4 package for pfsense with ssl filtering

    Scheduled Pinned Locked Moved Cache/Proxy
    305 Posts 72 Posters 306.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Q
      quetzalcoatl
      last edited by

      at last getting some hits.

      I don't even know how to see squid logs, except than going to diagnostics, edit file, /var/squid/logs/cache.log but i don't see any miss/hit statistics there.

      anyways as soon as i disabled dynamic caching the "LAN out" number is growing faster than "WAN in" in interface statistics.

      So at last my squid cache is working.

      Maybe i got confused because the previous squid 3.3.4 release was not caching for some reason even when dynamic content caching was off.

      Thanks marcelloc

      1 Reply Last reply Reply Quote 0
      • marcellocM
        marcelloc
        last edited by

        @quetzalcoatl:

        I don't even know how to see squid logs

        There is a realtime tab on gui.

        You can also go via console/ssh and do a tail -f /var/squid/logs/access.log

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

        1 Reply Last reply Reply Quote 0
        • Q
          quetzalcoatl
          last edited by

          The only file i have in the "/var/squid/logs" folder is "cache.log"

          Also if i go to the "real time" tab in the GUI i see this stuff:


          Max lines: Max. lines to be displayed.
          String filter:  Enter a grep like string/pattern to filterlog.
          eg. username, ip addr, url.
          Use ! to invert the sense of matching, to select non-matching lines.

          Squid Logs
          Date IP Status Address User Destination

          SquidGuard Logs
          Date-Time ACL Address Host User


          but everything is empty and i see no data or statistics, just the section titles i just pasted here.

          1 Reply Last reply Reply Quote 0
          • marcellocM
            marcelloc
            last edited by

            Did you enabled logging on squid GUI configuration?

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • F
              Fehler20
              last edited by

              I have to report another bug and a problem:

              1.) If you enable transparent proxy an disable SSL-interception, transparent mode does not work. It seems that there is a problem with the intercept command with transparent connections at the config file. If you change from "192.168.x.x:8080 intercept" to "192.168.x.x:8080 transparent" everything is ok.

              2.) If you enable the proxy for more than one interface only the first gets access to the internet. For every other interface, access is denied, regardless wether you define an acl or check the option "Allow users on interface".

              1 Reply Last reply Reply Quote 0
              • P
                packeteer
                last edited by

                I have a strange issue with this version of squid. Squid service is running but unable to connect on the designated port (3128).

                Reverted back to the older version.

                1 Reply Last reply Reply Quote 0
                • marcellocM
                  marcelloc
                  last edited by

                  @packeteer:

                  I have a strange issue with this version of squid. Squid service is running but unable to connect on the designated port (3128).

                  If you are on 2.0.x, you need to enable ivp6 or update package via pkg_delete and pkg_add from my repo.

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

                  1 Reply Last reply Reply Quote 0
                  • marcellocM
                    marcelloc
                    last edited by

                    Util freebsd ports are updated, I've pushed squid-3.3.5 pbi files to my repo.

                    This way you can test/use squid3 package on latest 2.1-rc0

                    pfsense 2.1 amd64
                    pbi_delete squid-3.3.4-amd64
                    fetch  http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.5-amd64.pbi
                    fetch  http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.5-amd64.pbi.sha256
                    pbi_add –no-checksig squid-3.3.5-amd64.pbi
                    rehash

                    pfsense 2.1 i386
                    pbi_delete squid-3.3.4-i386
                    fetch  http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5-i386.pbi
                    fetch  http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5-i386.pbi.sha256
                    pbi_add –no-checksig squid-3.3.5-i386.pbi
                    rehash

                    Treinamentos de Elite: http://sys-squad.com

                    Help a community developer! ;D

                    1 Reply Last reply Reply Quote 0
                    • Q
                      quetzalcoatl
                      last edited by

                      Fehler20 says that if he keeps SSL-interception disabled the transparent proxy doesn't work.

                      That is the same issue that i believe is happening to me.

                      I will try to turn on SSL-interception, but i don't know if i have to configure something to make it work properly with the transparent proxy.

                      And yes, i did forget to turn squid logging on!
                      Sorry!

                      1 Reply Last reply Reply Quote 0
                      • W
                        wheelz
                        last edited by

                        I set up my 2.0.3 version to try the SSL filtering.  I got the HTTP traffic going through squid so that works.  I generated a Test CA cert in Cert Manager and installed in on my test workstation.  However when I go to https://www.google.com it just spins at connecting…  I can telnet to port 3129 and something answers so I think the traffic is getting through the firewall.  Squid service appears to be running but I don't see anything in the logs about the request.  Any help?

                        1 Reply Last reply Reply Quote 0
                        • marcellocM
                          marcelloc
                          last edited by

                          @wheelz:

                          Any help?

                          Did you replaced squid to 3.3.5 from my repo?

                          Treinamentos de Elite: http://sys-squad.com

                          Help a community developer! ;D

                          1 Reply Last reply Reply Quote 0
                          • W
                            wheelz
                            last edited by

                            @marcelloc:

                            Did you replaced squid to 3.3.5 from my repo?

                            I have now but I'm not sure if I did it right.  I'm getting this when I'm try to run squid:

                            /libexec/ld-elf.so.1: /usr/lib/librt.so.1: unsupported file layout

                            I wasn't sure if I needed to do that pbi command either since I'm on 2.0.3.  I tried to see if it would execute but it wasn't there.

                            1 Reply Last reply Reply Quote 0
                            • marcellocM
                              marcelloc
                              last edited by

                              @wheelz:

                              /libexec/ld-elf.so.1: /usr/lib/librt.so.1: unsupported file layout

                              on 2.0.3, use pkg_add and pkg_delete to get squid 3.3.5

                              i386
                              pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbz

                              amd64
                              pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.5.tbz

                              Treinamentos de Elite: http://sys-squad.com

                              Help a community developer! ;D

                              1 Reply Last reply Reply Quote 0
                              • W
                                wheelz
                                last edited by

                                @marcelloc:

                                @wheelz:

                                /libexec/ld-elf.so.1: /usr/lib/librt.so.1: unsupported file layout

                                on 2.0.3, use pkg_add and pkg_delete to get squid 3.3.5

                                i386
                                pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbz

                                amd64
                                pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.5.tbz

                                Hmm… that's what I did.  It complained about perl and openssl (I think) so I deleted them and let the pkg_add -r install the versions it wanted.  After that it was successfull, however squid -v won't run with the error above.

                                1 Reply Last reply Reply Quote 0
                                • marcellocM
                                  marcelloc
                                  last edited by

                                  you need libs and package with same arch as you pfsense version

                                  if you installed pfsense 32 bits, you need i386 libs and packages
                                  if you installed pfsense 64 bits, you need amd64 libs and packages

                                  Treinamentos de Elite: http://sys-squad.com

                                  Help a community developer! ;D

                                  1 Reply Last reply Reply Quote 0
                                  • W
                                    wheelz
                                    last edited by

                                    ok, my fault.  I had copy pasted the wrong PACKAGESITE path.  I have that fixed now and squid starts fine, but still the same as before.  HTTP goes fine but HTTPS just sits trying to connect.  I just have HTTPS/SSL interception enabled on the loopback adapter, port 3129 (NAT rule to forward 3129 and firewall rule allowing it in).  My TestCA certificate is selected and I left the rest as the defaults.  My client has the TestCA certificate installed in the trusted CAs and I configured the SSL proxy to my pfsense on port 3129.

                                    Here is what squid says:

                                    squid -v
                                    Squid Cache: Version 3.3.5
                                    configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache/squid' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS  fake getpwnam LDAP SASL NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=diskd rock ufs aufs' '--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--disable-ipv6' '--enable-delay-pools' '--enable-ssl' '--with-openssl=/usr' '--enable-ssl-crtd' '--enable-icmp' '--enable-htcp' '--disable-forw-via-db' '--enable-cache-digests' '--enable-wccp' '--enable-wccpv2' '--enable-eui' '--disable-ipfw-transparent' '--enable-pf-transparent' '--disable-ipf-transparent' '--enable-follow-x-forwarded-for' '--disable-ecap' '--enable-icap-client' '--disable-esi' '--enable-kqueue' '--with-large-files' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd8.3' 'build_alias=amd64-portbld-freebsd8.3' 'CC=cc' 'CFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/local/lib -L/usr/local/lib -pthread -Wl,-rpath=/usr/lib:/usr/local/lib -L/usr/lib' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'CPP=cpp'
                                    
                                    

                                    Here is pkg_info:

                                    pkg_info
                                    arc-5.21p           Create & extract files from DOS .ARC files
                                    arj-3.10.22_4       Open-source ARJ
                                    bsdinstaller-2.0.2013.0412 BSD Installer mega-package
                                    ca_root_nss-3.14.1  The root certificate bundle from the Mozilla Project
                                    clamav-0.97.6       Command line virus scanner written entirely in C
                                    compat6x-amd64-6.4.604000.200810_3 A convenience package to install the compat6x libraries
                                    cyrus-sasl-2.1.26_2 RFC 2222 SASL (Simple Authentication and Security Layer)
                                    dansguardian-2.12.0.3 A fast, feature-rich web content filter for Squid proxy ser
                                    db41-4.1.25_4       The Berkeley DB package, revision 4.1
                                    gettext-0.18.1.1    GNU gettext package
                                    lha-1.14i_6         Archive files using LZSS and Huffman compression (.lzh file
                                    libecap-0.2.0_1     Library for module based network content analysis
                                    libiconv-1.14       A character set conversion library
                                    libltdl-2.4.2       System independent dlopen wrapper
                                    libwww-5.4.0_4      The W3C Reference Library
                                    nano-2.2.6          Nano's ANOther editor, an enhanced free Pico clone
                                    openldap-sasl-client-2.4.35 Open source LDAP client implementation with SASL2 support
                                    pcre-8.32           Perl Compatible Regular Expressions library
                                    perl-5.14.2_3       Practical Extraction and Report Language
                                    squid-3.3.5         HTTP Caching Proxy
                                    unzoo-4.4_2         A zoo archive extractor
                                    
                                    

                                    Port 3129 connect via telnet but HTTPS connections time out without anything mentioned in the sys logs or access.log.  Am I doing something wrong?

                                    1 Reply Last reply Reply Quote 0
                                    • marcellocM
                                      marcelloc
                                      last edited by

                                      @wheelz:

                                      I just have HTTPS/SSL interception enabled on the loopback adapter, port 3129 (NAT rule to forward 3129 and firewall rule allowing it in).

                                      No need to create a nat rule.

                                      Remove your nat, enable SSL on interface other then loopback and let squid do the config for you.

                                      Treinamentos de Elite: http://sys-squad.com

                                      Help a community developer! ;D

                                      1 Reply Last reply Reply Quote 0
                                      • W
                                        wheelz
                                        last edited by

                                        @marcelloc:

                                        No need to create a nat rule.

                                        Remove your nat, enable SSL on interface other then loopback and let squid do the config for you.

                                        I still need to have a firewall rule allowing port 3129 in on the interface IP, correct?  Also I'm explicitly setting the SSL proxy IP/port.  That will work right?  Currently my traffic is going through another firewall so it would be hard for me to test it via transparent.

                                        1 Reply Last reply Reply Quote 0
                                        • marcellocM
                                          marcelloc
                                          last edited by

                                          @wheelz:

                                          I still need to have a firewall rule allowing port 3129 in on the interface IP, correct?  Also I'm explicitly setting the SSL proxy IP/port.  That will work right?  Currently my traffic is going through another firewall so it would be hard for me to test it via transparent.

                                          You need to configure ssl filtering port only on transparent mode.

                                          On normal proxy configuration, traffic(http and https) goes fine on default squid port.

                                          Treinamentos de Elite: http://sys-squad.com

                                          Help a community developer! ;D

                                          1 Reply Last reply Reply Quote 0
                                          • W
                                            wheelz
                                            last edited by

                                            @marcelloc:

                                            You need to configure ssl filtering port only on transparent mode.

                                            On normal proxy configuration, traffic(http and https) goes fine on default squid port.

                                            Ok, I got the explicit squid proxy to pass https with no problem now.  If I want to test the transparent https proxy then I just enable it with the CA cert I have?  The default port is 3129 but clients won't be sending on that port.  Do I need to change that to 443 then?  Or should I NAT redirect it instead?

                                            Also have some DG questions but I'll put then in the other thread.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.