Squid-dev 3.3.8 Setup HOW TO! [SOLVED]
-
EDIT: I JUST REBOOT THE MACHINE AFTER THE chown -R proxy:proxy /var/squid/lib/ and ssld_crtd en Just Work Smooth
This Could be a HOW TO PROCEDURE :D xDHello! i have an issue setting up squid-dev 3.3.8 on https filtering, here is my config, got 26 vlans,
xxx.xxx.xxx.xxx (ip show are not real ones, just to be graphical)
my setup
2.1-RELEASE (amd64) built on Wed Sep 11 18:17:48 EDT 2013 FreeBSD 8.3-RELEASE-p11
My Equipment:
Intel(R) Xeon(R) CPU 5120 @ 1.86GHz 2 CPUs: 1 package(s) x 2 core(s)
ok now, i been trying to use https filtering with interception, for the moment the proxy works smooth with non transparent config, i cant intercept https: and filer and so on, when i check the mark of proxy transparent can make it work, first ask for the ssl-bump option and squid can run says that the options is missing,so searching over internet made with a solution
2013/10/01 16:21:06| FATAL: tproxy/intercept on https_port requires ssl-bump which is missing. FATAL: Bungled /usr/pbi/squid-amd64/etc/squid/squid.conf line 24: https_port 127.0.0.1:3129 intercept abnormally. Squid Cache (Version 3.3.8): Terminated abnormally. CPU Usage: 0.019 seconds = 0.019 user + 0.000 sys Maximum Resident Size: 30576 KB Page faults with physical i/o: 0
that is
https_port 127.0.0.1:3129 intercept ssl-bump key=/path/to/my/cerfile/serverkey.pem cert=/path/to/my/cerfile/serverkey.pem clientca=/path/to/my/cerfile/serverkey.pem cafile=/path/to/my/cerfile/serverkey.pem capath=/path/to/my/cerfile/
after added that config not error shown about that, the next err that i have is
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
dig over in google and i found that some guy on the main squid forum has a solution, checkit here http://www.squid-cache.org/mail-archive/squid-users/201209/0086.html
in the thread of this forum @hisoka01 has a similar issues so… i try...
http://forum.pfsense.org/index.php?topic=48347.165(ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/lib/ssl_db. To initialize, r
un "ssl_crtd -c -s /var/squid/lib/ssl_db".so i delete the
/var/squid/lib/ssl_db folder
did the command
ssl_crtd -c -s /var/squid/lib/ssl_db". (the "ssl_crtd" was in /usr/pbi/squid-amd64/libexec/squid)
then
chown -R proxy:proxy /var/squid/lib/
NOTHING, i think that in the last thread @marcelloc says something about dns4v on or something like that so, i turned off, reboot the machine and nothing happend,
(Btw if marcelloc wasnt sorry, i think that was u, i'll check later)i have the problem with the missing libraries libheimntlm.so.10 and so on
i have fetch from http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/ here….
http://forum.pfsense.org/index.php/topic,62256.0.htmlhere is my config file
# This file is automatically generated by pfSense # Do not edit manually ! http_port xxx.xxx.10.1:3128 http_port xxx.xxx.19.1:3128 http_port xxx.xxx.20.1:3128 http_port xxx.xxx.21.1:3128 http_port xxx.xxx.22.1:3128 http_port xxx.xxx.23.1:3128 http_port xxx.xxx.30.1:3128 http_port xxx.xxx.31.1:3128 http_port xxx.xxx.33.1:3128 http_port xxx.xxx.40.1:3128 http_port xxx.xxx.41.1:3128 http_port xxx.xxx.11.1:3128 http_port xxx.xxx.12.1:3128 http_port xxx.xxx.13.1:3128 http_port xxx.xxx.14.1:3128 http_port xxx.xxx.15.1:3128 http_port xxx.xxx.16.1:3128 http_port xxx.xxx.17.1:3128 http_port xxx.xxx.18.1:3128 http_port 127.0.0.1:3128 intercept https_port 127.0.0.1:3128 intercept ssl-bump key=/path/to/certfile/serverkey.pem cert=/path/to/certfile/serverkey.pem clientca=/path/to/certfile/serverkey.pem cafile=/path/to/certfile/serverkey.pem capath=/path/to/certfile/ icp_port 7 dns_v4_first off pid_filename /var/run/squid.pid cache_effective_user proxy cache_effective_group proxy error_default_language es icon_directory /usr/pbi/squid-amd64/etc/squid/icons visible_hostname proxyserver cache_mgr mail@domain.org access_log /var/squid/logs/access.log cache_log /var/squid/logs/cache.log cache_store_log none sslcrtd_children 50 logfile_rotate 15 shutdown_lifetime 3 seconds # Allow local network(s) on interface(s) acl localnet src xxx.xxx.10.0/24 xxx.xxx.19.0/24 xxx.xxx.20.0/24 xxx.xxx.21.0/24 xxx.xxx.22.0/24 xxx.xxx.23.0/24 xxx.xxx.30.0/24 xxx.xxx.31.0/24 xxx.xxx.33.0/24 xxx.xxx.40.0/24 xxx.xxx.41.0/24 xxx.xxx.11.0/24 xxx.xxx.12.0/24 xxx.xxx.13.0/24 xxx.xxx.14.0/24 xxx.xxx.15.0/24 xxx.xxx.16.0/24 xxx.xxx.17.0/24 xxx.xxx.18.0/24 httpd_suppress_version_string on uri_whitespace strip acl dynamic urlpath_regex cgi-bin \? cache deny dynamic cache_mem 8 MB maximum_object_size_in_memory 32 KB memory_replacement_policy heap GDSF cache_replacement_policy heap LFUDA cache_dir ufs /var/squid/cache 10000 16 256 minimum_object_size 0 KB maximum_object_size 4 KB offline_mode off cache_swap_low 90 cache_swap_high 95 cache allow all # No redirector configured #Remote proxies # Setup some default acls # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. # acl localhost src 127.0.0.1/32 acl allsrc src all acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535 acl sslports port 443 563 # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. #acl manager proto cache_object acl purge method PURGE acl connect method CONNECT # Define protocols used for redirects acl HTTP proto HTTP acl HTTPS proto HTTPS acl allowed_subnets src xxx.xxx.0.0/24 xxx.xxx.11.0/24 xxx.xxx.12.0/24 acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl" acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl" http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections # From 3.2 further configuration cleanups have been done to make things easier and safer. # The manager, localhost, and to_localhost ACL definitions are now built-in. # http_access allow localhost request_body_max_size 0 KB delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 delay_access 1 allow allsrc # Reverse Proxy settings always_direct allow whitelist ssl_bump none whitelist # Custom options # Always allow access to whitelist domains http_access allow whitelist # Block access to blacklist domains http_access deny blacklist always_direct allow all ssl_bump server-first all # Setup allowed acls # Allow local network(s) on interface(s) http_access allow allowed_subnets http_access allow localnet # Default block all to be sure http_access deny allsrc
-
How to fech the libraries!
fetch -o /usr/local/lib/libasn1.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10
fetch -o /usr/local/lib/libgssapi.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10
fetch -o /usr/local/lib/libheimntlm.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10
fetch -o /usr/local/lib/libhx509.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10
fetch -o /usr/local/lib/libkrb5.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10
fetch -o /usr/local/lib/libroken.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10 -
I think that in the dozens of posts scattered about here on how to get Squid 3.3.8 Dev working Marcelloc has added that you need to enable IPV6 on Squid 2.1.
Someone should consider putting together a coherent How To on Squid 3.3.8 Dev on a Wiki or somewhere until this package is properly configured for install on the PFSENSE Package Installer.
-
pfsense 2.1 has enabled by default ipv6, so that is why i dont mention that!, let put this things clear and make a "decent how to"
-
The point is if you do not enable this options, squid3.3.x does not listen configured port. This is not related to package gui I'm doing but on ipv6=yes squid compile option.