Squid 3.3.4 package for pfsense with ssl filtering
-
Fehler20 says that if he keeps SSL-interception disabled the transparent proxy doesn't work.
That is the same issue that i believe is happening to me.
I will try to turn on SSL-interception, but i don't know if i have to configure something to make it work properly with the transparent proxy.
And yes, i did forget to turn squid logging on!
Sorry! -
I set up my 2.0.3 version to try the SSL filtering. I got the HTTP traffic going through squid so that works. I generated a Test CA cert in Cert Manager and installed in on my test workstation. However when I go to https://www.google.com it just spins at connecting… I can telnet to port 3129 and something answers so I think the traffic is getting through the firewall. Squid service appears to be running but I don't see anything in the logs about the request. Any help?
-
-
Did you replaced squid to 3.3.5 from my repo?
I have now but I'm not sure if I did it right. I'm getting this when I'm try to run squid:
/libexec/ld-elf.so.1: /usr/lib/librt.so.1: unsupported file layout
I wasn't sure if I needed to do that pbi command either since I'm on 2.0.3. I tried to see if it would execute but it wasn't there.
-
/libexec/ld-elf.so.1: /usr/lib/librt.so.1: unsupported file layout
on 2.0.3, use pkg_add and pkg_delete to get squid 3.3.5
i386
pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbzamd64
pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.5.tbz -
/libexec/ld-elf.so.1: /usr/lib/librt.so.1: unsupported file layout
on 2.0.3, use pkg_add and pkg_delete to get squid 3.3.5
i386
pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbzamd64
pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.5.tbzHmm… that's what I did. It complained about perl and openssl (I think) so I deleted them and let the pkg_add -r install the versions it wanted. After that it was successfull, however squid -v won't run with the error above.
-
you need libs and package with same arch as you pfsense version
if you installed pfsense 32 bits, you need i386 libs and packages
if you installed pfsense 64 bits, you need amd64 libs and packages -
ok, my fault. I had copy pasted the wrong PACKAGESITE path. I have that fixed now and squid starts fine, but still the same as before. HTTP goes fine but HTTPS just sits trying to connect. I just have HTTPS/SSL interception enabled on the loopback adapter, port 3129 (NAT rule to forward 3129 and firewall rule allowing it in). My TestCA certificate is selected and I left the rest as the defaults. My client has the TestCA certificate installed in the trusted CAs and I configured the SSL proxy to my pfsense on port 3129.
Here is what squid says:
squid -v Squid Cache: Version 3.3.5 configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache/squid' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP SASL NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=diskd rock ufs aufs' '--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--disable-ipv6' '--enable-delay-pools' '--enable-ssl' '--with-openssl=/usr' '--enable-ssl-crtd' '--enable-icmp' '--enable-htcp' '--disable-forw-via-db' '--enable-cache-digests' '--enable-wccp' '--enable-wccpv2' '--enable-eui' '--disable-ipfw-transparent' '--enable-pf-transparent' '--disable-ipf-transparent' '--enable-follow-x-forwarded-for' '--disable-ecap' '--enable-icap-client' '--disable-esi' '--enable-kqueue' '--with-large-files' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd8.3' 'build_alias=amd64-portbld-freebsd8.3' 'CC=cc' 'CFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/local/lib -L/usr/local/lib -pthread -Wl,-rpath=/usr/lib:/usr/local/lib -L/usr/lib' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'CPP=cpp'Here is pkg_info:
pkg_info arc-5.21p Create & extract files from DOS .ARC files arj-3.10.22_4 Open-source ARJ bsdinstaller-2.0.2013.0412 BSD Installer mega-package ca_root_nss-3.14.1 The root certificate bundle from the Mozilla Project clamav-0.97.6 Command line virus scanner written entirely in C compat6x-amd64-6.4.604000.200810_3 A convenience package to install the compat6x libraries cyrus-sasl-2.1.26_2 RFC 2222 SASL (Simple Authentication and Security Layer) dansguardian-2.12.0.3 A fast, feature-rich web content filter for Squid proxy ser db41-4.1.25_4 The Berkeley DB package, revision 4.1 gettext-0.18.1.1 GNU gettext package lha-1.14i_6 Archive files using LZSS and Huffman compression (.lzh file libecap-0.2.0_1 Library for module based network content analysis libiconv-1.14 A character set conversion library libltdl-2.4.2 System independent dlopen wrapper libwww-5.4.0_4 The W3C Reference Library nano-2.2.6 Nano's ANOther editor, an enhanced free Pico clone openldap-sasl-client-2.4.35 Open source LDAP client implementation with SASL2 support pcre-8.32 Perl Compatible Regular Expressions library perl-5.14.2_3 Practical Extraction and Report Language squid-3.3.5 HTTP Caching Proxy unzoo-4.4_2 A zoo archive extractorPort 3129 connect via telnet but HTTPS connections time out without anything mentioned in the sys logs or access.log. Am I doing something wrong?
-
I just have HTTPS/SSL interception enabled on the loopback adapter, port 3129 (NAT rule to forward 3129 and firewall rule allowing it in).
No need to create a nat rule.
Remove your nat, enable SSL on interface other then loopback and let squid do the config for you.
-
No need to create a nat rule.
Remove your nat, enable SSL on interface other then loopback and let squid do the config for you.
I still need to have a firewall rule allowing port 3129 in on the interface IP, correct? Also I'm explicitly setting the SSL proxy IP/port. That will work right? Currently my traffic is going through another firewall so it would be hard for me to test it via transparent.
-
I still need to have a firewall rule allowing port 3129 in on the interface IP, correct? Also I'm explicitly setting the SSL proxy IP/port. That will work right? Currently my traffic is going through another firewall so it would be hard for me to test it via transparent.
You need to configure ssl filtering port only on transparent mode.
On normal proxy configuration, traffic(http and https) goes fine on default squid port.
-
You need to configure ssl filtering port only on transparent mode.
On normal proxy configuration, traffic(http and https) goes fine on default squid port.
Ok, I got the explicit squid proxy to pass https with no problem now. If I want to test the transparent https proxy then I just enable it with the CA cert I have? The default port is 3129 but clients won't be sending on that port. Do I need to change that to 443 then? Or should I NAT redirect it instead?
Also have some DG questions but I'll put then in the other thread.
-
If I want to test the transparent https proxy then I just enable it with the CA cert I have?
Just enable it on LAN for example. Squid package will create rules to transparent proxy connections from 443 to localhost 3129.
do not select loopback on squid config while using transparent mode. -
Is it possible to run squid as explicit on one interface (like loopback or LAN) and also run it as transparent on a different interface like a guest net at the same time?
-
Is it possible to run squid as explicit on one interface (like loopback or LAN) and also run it as transparent on a different interface like a guest net at the same time?
On squid3-dev yes ;D
Remember to do not use loopback on any configuration while using transparent mode.
-
/libexec/ld-elf.so.1: /usr/lib/librt.so.1: unsupported file layout
on 2.0.3, use pkg_add and pkg_delete to get squid 3.3.5
i386
pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbzamd64
pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.5.tbzHmm… that's what I did. It complained about perl and openssl (I think) so I deleted them and let the pkg_add -r install the versions it wanted. After that it was successfull, however squid -v won't run with the error above.
When I do that, it complains that perl is the wrong version.
-
When I do that, it complains that perl is the wrong version.
check all dependent libs from the beginning of this topic. The manual update works fine if applied on with same architecture as operating system.
-
I got this when I start Squid (that stops immediatly)
Jun 6 19:56:59 squid: No valid signing SSL certificate configured for https_port 127.0.0.1:443
Jun 6 19:57:04 php: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '2013/06/06 19:56:59| ERROR: Directive 'ignore_expect_100' is obsolete. FATAL: No valid signing SSL certificate configured for https_port 127.0.0.1:443 Squid Cache (Version 3.3.5): Terminated abnormally. CPU Usage: 0.013 seconds = 0.000 user + 0.013 sys Maximum Resident Size: 34816 KB Page faults with physical i/o: 0'
Jun 6 19:57:06 squid: No valid signing SSL certificate configured for https_port 127.0.0.1:443 -
I got this when I start Squid (that stops immediatly)
What config are you using? reverse proxy? normal proxy? did you configured a valid CA for squid?
While using transparent proxy, do not select loopback interface.
-
I have removed 3.3.4
I followed your commands line for 3.3.5. But no squid … after reinstallation, I'll see if I still have the error message.
Thanks for your help
