Squid 3.3.4 package for pfsense with ssl filtering

workingman

Hi marcelloc.

First thanks for all your work getting squid with ssl interception!  I currently have a hacked in squid 3.3.1 with it working on pfSense 2.1-BETA.

So I really would like to replace that as it prevents me from easily updating the system.

Trying the new 3.3.5 package on a virtual machine here I was able to get squid and squidguard installed and squid will run for me but refuses connections and netstat shows me:

tcp4      0      0 192.168.56.254.3128    .                    CLOSED

right IP:port but CLOSED..?  Let me know if you want to see cache.log or output from squid -NsXY or if you happen to know the fix?  ;)

workingman

Hi again.

I figured out how to get squid to start.  Disable pf :(

If I don't the squid cache.log stops at:

2013/07/24 13:29:21 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2013/07/24 13:29:21 kid1| sendto FD 25: (1) Operation not permitted
2013/07/24 13:29:21 kid1| ipcCreate: CHILD: hello write test failed

Once I run pfctl -d it starts up normally.

2013/07/24 13:32:34 kid1|  Completed Validation Procedure
2013/07/24 13:32:34 kid1|  Validated 325 Entries
2013/07/24 13:32:34 kid1|  store_swap_size = 5758.00 KB
2013/07/24 13:32:35 kid1| storeLateRelease: released 0 objects

As I mentioned this is running in a VM so that may be part of the problem but I have done similar setups in the past and did not have this issue.

avp

I had 3.3.5 working well with SG and HAVP.  i noticed the other day your pkg had been updated to 3.3.8.  i tried to upgrade to 3.3.8 by re-installing the pkg.  The re-install failed, and since then I can't get squid to work.  I've tried completely removing and re-installing the pkg, but no good.

here is the log:

Jul 25 14:51:37 squid[26589]: Squid Parent: will start 1 kids
Jul 25 14:51:37 squid[26589]: Squid Parent: (squid-1) process 26798 started
Jul 25 14:51:38 (squid-1): I don't handle this error well!
Jul 25 14:51:38 squid[26589]: Squid Parent: (squid-1) process 26798 exited with status 1
Jul 25 14:51:41 squid[26589]: Squid Parent: (squid-1) process 27792 started
Jul 25 14:51:43 (squid-1): I don't handle this error well!
Jul 25 14:51:43 squid[26589]: Squid Parent: (squid-1) process 27792 exited with status 1
Jul 25 14:51:46 squid[26589]: Squid Parent: (squid-1) process 32037 started
Jul 25 14:51:47 (squid-1): I don't handle this error well!
Jul 25 14:51:47 squid[26589]: Squid Parent: (squid-1) process 32037 exited with status 1
Jul 25 14:51:50 squid[26589]: Squid Parent: (squid-1) process 32672 started
Jul 25 14:51:51 Squid_Alarm[34792]: Squid has resumed. Reconfiguring filter.
Jul 25 14:51:51 (squid-1): I don't handle this error well!
Jul 25 14:51:51 squid[26589]: Squid Parent: (squid-1) process 32672 exited with status 1
Jul 25 14:51:51 check_reload_status: Reloading filter
Jul 25 14:51:54 squid[26589]: Squid Parent: (squid-1) process 35905 started
Jul 25 14:51:55 (squid-1): I don't handle this error well!
Jul 25 14:51:55 squid[26589]: Squid Parent: (squid-1) process 35905 exited with status 1
Jul 25 14:51:55 squid[26589]: Squid Parent: (squid-1) process 35905 will not be restarted due to repeated, frequent failures
Jul 25 14:51:55 squid[26589]: Exiting due to repeated, frequent failures
Jul 25 14:52:00 php: : SQUID is installed but not started. Not installing "nat" rules.
Jul 25 14:52:03 php: : SQUID is installed but not started. Not installing "pfearly" rules.

Any suggestions on how to proceed?

Thanks

msi

Hi, I have problems too with the "3.3.8" package on 2.1 amd64 see system.log:

Jul 25 22:10:20 <hostname>php: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '/libexec/ld-elf.so.1: Shared object "libheimntlm.so.10" not found, required by "squid"'

Seems the PBI is missing this library yet to launch?</hostname>

workingman

Grab the libs from the first post and copy to /usr/local/lib

squid should run.. I'm just having weird issues where it looks like pf is blocking my squid port.

msi

Thanks @workingman, the thread just got a bit long (aka TL;DR) ;-)

So squid >3.3 is yet quite of a moving target. Anyhow thanks to the packager(s) for all their time put into this fine proxy.

Update:

• Since I'm on 2.1 (I have due to H/W support) with PBIs  I put the libs under /usr/pbi/squid-amd64/lib

• Although the libs work, the build dates suggest they are from FreeBSD 8.1 (base of 2.0.x), I consider

getting those libs from a patched 8.3 for my 2.1

stanthewizard

Hello

Since 2.1 RC1
Latest Squid doesn't works anymore:

Aug 6 08:54:33 (squid-1): I don't handle this error well!
Aug 6 08:54:33 squid[64384]: Squid Parent: (squid-1) process 71825 exited with status 1
Aug 6 08:54:36 squid[64384]: Squid Parent: (squid-1) process 76944 started
Aug 6 08:54:38 (squid-1): I don't handle this error well!
Aug 6 08:54:38 squid[64384]: Squid Parent: (squid-1) process 76944 exited with status 1
Aug 6 08:54:38 squid[64384]: Squid Parent: (squid-1) process 76944 will not be restarted due to repeated, frequent failures
Aug 6 08:54:38 squid[64384]: Exiting due to repeated, frequent failures

Is there a turnaround ?

marcelloc

Squid was updated to 3.3.8 but I'm having no time to test if it was working properly or not.

stanthewizard

It's working
juste had to save the settings (with no change)
Service restarted and didn't crashed

workingman

Pretty sure I just figured out why my port was CLOSED.

I had Allow IPv6 disabled under System -> Advanced -> Networking

After checking that box and restarting squid:

tcp4      0      0 192.168.56.254.3128  .                    LISTEN

Finally… a-testing I will go.

itman6770

hi
i want to install squid tahat support icap and integrate with anti virus.but i dont now.
can you help?

marcelloc

@itman6770:

hi
i want to install squid tahat support icap and integrate with anti virus.but i dont now.
can you help?

It's still under development on squid3-dev

packeteer

I was wondering if Dansguardian is suppose to be working on this version of squid?

I am on PFSense 2.1(AMD64). DG works with Squid3 but not the dev version.

For some reason DG is unable to connect with Squid3dev.

Squid3dev works perfectly on its own.

marcelloc

I use dansguardian with squid3-dev.

What errors are you getting?

packeteer

@marcelloc:

I use dansguardian with squid3-dev.

What errors are you getting?

Dansguardian: error connecting to proxy. Same error as Legion on page 2.

I have it upstream to a proxy server on port 3128.

works fine with squid3.

Thnx

marcelloc

Check if squid is listening(netstat -an | grep -i listen) on the port you have configured on dansguardian.

packeteer

@marcelloc:

Check if squid is listening(netstat -an | grep -i listen) on the port you have configured on dansguardian.

It is closed.

marcelloc

@packeteer:

It is closed.

Next step is to check why squid is not starting…

packeteer

@marcelloc:

@packeteer:

It is closed.

Next step is to check why squid is not starting…

The service is running, just doesn't listen to the port.

marcelloc

@packeteer:

The service is running, just doesn't listen to the port.

Enable ipv6 on pfsense and then killall and start squid daemon.

It's something on squid 3.3 version, I have a squid 3.3 version on my repo without ipv6 that works fine.

If you do not want to enable ipv6 on your server, install squid 3.3.4 form my repo using pkg_delete and pkg_add from console/ssh