Netgate Discussion Forum
    [SOLVED] squid3-dev (3.3.10 pkg 2.2) + Clamav Antivirus won't start

    23 Posts 6 Posters 43.2k Views
exograpix:

Neither squidguard nor antivirus starts at startup. I have to log in and manually save the squid settings, then voilà, it works. Please see my log of startup and after I click save in squid.

      error1.txt

usabug:

Can anyone please tell me why, when I enable the antivirus, I cannot surf the web?

The following error appears:

        ==========quote============

        ERROR in the browser
        The following error was encountered while trying to retrieve the URL:
        http://google.com
            ICAP protocol error.

        The system returned: [No Error]

        This means that some aspect of the ICAP communication failed.

Some possible problems are:

        * The ICAP server is not reachable.
        * An illegal response was received from the ICAP server.

        ==================unquote =====================

If I run the client from the console:

        /usr/local/bin/c-icap-client
        ICAP server:localhost, ip:127.0.0.1, port:1344

        OPTIONS:
                Allow 204: Yes
                Preview: 1024
                Keep alive: Yes

        ICAP HEADERS:
                ICAP/1.0 200 OK:
                Methods:RESPMOD, REQMOD
                Service:C-ICAP/0.2.5 server - Echo demo service
                ISTag:CI0001-XXXXXXXXX
                Transfer-Preview:*
                Options-TTL:3600
                Date:Tue, 11 Mar 2014 13:54:59 GMT
                Preview:1024
                Allow:204
                X-Include:X-Authenticated-User, X-Authenticated-Groups
                Encapsulated:null-body=0

and all the services seem to be running.

I look forward to your responses.

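An added example, my own code rather than anything from this thread or from the c-icap or squid projects, that does by hand what the c-icap-client run above does: it builds an ICAP OPTIONS request for a named service, parses the reply headers, and reports whether the service advertises RESPMOD/REQMOD. Note that the Service: header in the output above names c-icap's echo demo service, so that run proves the daemon is listening, not that the antivirus service squid is configured to call answers; point the probe at the service path used in squid's icap_service line (that path is not shown in the thread and is left as a parameter here). The sample reply below is constructed from the headers quoted in the post, not captured from a live server.

```python
"""ICAP OPTIONS probe (added example; not c-icap or squid code)."""
import socket


def build_options_request(host, service, port=1344):
    """Build an RFC 3507 OPTIONS request for icap://host:port/service."""
    return (
        "OPTIONS icap://%s:%d/%s ICAP/1.0\r\n"
        "Host: %s\r\n"
        "User-Agent: icap-probe/0.1\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n" % (host, port, service, host)
    ).encode("ascii")


def parse_icap_response(raw):
    """Return (status_code, {lowercased header name: value}) from a raw ICAP reply.

    Raises ValueError if the status line is not an ICAP/1.0 status line, which is
    what squid reports as 'An illegal response was received from the ICAP server'.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, *_reason = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers


def service_supports(headers, method):
    """True if the OPTIONS reply lists `method` (REQMOD/RESPMOD) in Methods:."""
    methods = [m.strip().upper() for m in headers.get("methods", "").split(",")]
    return method.upper() in methods


def probe(host, service, port=1344, timeout=5.0):
    """Send OPTIONS to a live ICAP server and parse the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, service, port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_icap_response(buf)


# Constructed sample modelled on the headers quoted in the post (not a live capture).
SAMPLE_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD, REQMOD\r\n"
    b"Service: C-ICAP/0.2.5 server - Echo demo service\r\n"
    b"ISTag: CI0001-XXXXXXXXX\r\n"
    b"Transfer-Preview: *\r\n"
    b"Options-TTL: 3600\r\n"
    b"Preview: 1024\r\n"
    b"Allow: 204\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    status, hdrs = parse_icap_response(SAMPLE_RESPONSE)
    print(status, hdrs["service"], "RESPMOD:", service_supports(hdrs, "RESPMOD"))
    # Against a real box: probe("127.0.0.1", "<service path from squid's icap_service line>")
```

Run `probe("127.0.0.1", service)` with the service path from squid's icap_service line; a ValueError or a connection error from that call corresponds to the two causes the browser error page lists.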
marcelloc:

usabug, can you try with pfSense 32-bit?

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

usabug:

            @marcelloc:

usabug, can you try with pfSense 32-bit?

Dear Marcelloc,

I can try, but if I use a 32-bit operating system then I can only use 4 GB of RAM.

The server right now has 16 GB of RAM on board.

If I use the 32-bit operating system I have to install a kernel with Physical Address Extension, which is not an option because it causes too many crashes.

But if you want me to do it just for a test, I can do it.

Oliver_:

First I want to thank you guys for your work, @Eduardo Gonçalves & marcelloc.

How can we help you with your work? Tomorrow my testing system should be running again and I have a little time for testing!

marcelloc:

                @Oliver_:

                How can we help you with your work?

The problem is that c-icap is crashing when called by squid. You can check it in the squid logs.


bellera:

Working with squid3-devel in non-transparent mode and in transparent mode for http, but when I activated transparent mode for https it doesn't work.

                  Here is my /var/log/system.log

                  Mar 13 20:47:24 fw2 php: /pkg_edit.php: [Squid] - Squid_resync function call pr:1 bp: rpc:no
                  Mar 13 20:47:24 fw2 php: /pkg_edit.php: Reloading Squid for configuration sync
                  Mar 13 20:47:24 fw2 check_reload_status: Reloading filter
                  Mar 13 20:47:25 fw2 check_reload_status: Syncing firewall
                  Mar 13 20:47:25 fw2 php: /pkg_edit.php: [Squid] - Squid_resync function call pr:1 bp: rpc:no
                  Mar 13 20:47:25 fw2 php: /pkg_edit.php: Reloading Squid for configuration sync
                  Mar 13 20:47:25 fw2 squid: Bungled /usr/pbi/squid-i386/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept 
                  Mar 13 20:47:25 fw2 php: /pkg_edit.php: The command '/usr/pbi/squid-i386/sbin/squid -k reconfigure -f /usr/pbi/squid-i386/etc/squid/squid.conf' returned exit code '1', the output was '2014/03/13 20:47:25| FATAL: tproxy/intercept on https_port requires ssl-bump which is missing. FATAL: Bungled /usr/pbi/squid-i386/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept Squid Cache (Version 3.3.10): Terminated abnormally. CPU Usage: 0.008 seconds = 0.008 user + 0.000 sys Maximum Resident Size: 28544 KB Page faults with physical i/o: 0'
                  

Similar problem, and clamav is not yet activated. I'm implementing squid3-devel step by step…

                  I tried stop/start squid and same result.

                  FATAL: tproxy/intercept on https_port requires ssl-bump which is missing. FATAL: Bungled /usr/pbi/squid-i386/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept Squid Cache (Version 3.3.10): Terminated abnormally.

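The FATAL in the log above is squid refusing an https_port that intercepts without ssl-bump. As an added example (my own code, not part of this thread, of the pfSense package, or of squid), here is a small pre-flight checker for squid.conf port lines that reports that combination before squid is restarted, so a `-k reconfigure` does not have to be the first thing to tell you. It also warns when a port line carries ssl-bump but has no `cert=` or the file has no `ssl_bump` rule; those two are my own sanity checks, not squid fatals. The two sample configurations are constructed from the port and ssl_bump lines quoted in this thread (the "before" with the bare `https_port ... intercept`, the "after" with the ssl-bump options added).

```python
"""Pre-flight checks for squid.conf port directives (added example, not squid code)."""

INTERCEPT_FLAGS = {"intercept", "tproxy"}


def iter_directives(conf_text):
    """Yield (lineno, directive, args) for every non-empty, non-comment line."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield lineno, name, args


def port_flags(args):
    """Option names on a port line: 'cert=/x' -> 'cert', 'intercept' -> 'intercept'."""
    return {a.split("=", 1)[0] for a in args[1:]}  # args[0] is the listen address


def check_port_lines(conf_text):
    """Return [(lineno, level, message), ...]; an empty list means nothing found.

    'error'   : the combination squid 3.3 itself rejects at startup/reconfigure
    'warning' : sanity checks of my own for ssl-bump ports
    """
    problems = []
    has_bump_rule = any(name == "ssl_bump" for _, name, _ in iter_directives(conf_text))
    for lineno, name, args in iter_directives(conf_text):
        if name not in ("http_port", "https_port") or not args:
            continue
        addr, flags = args[0], port_flags(args)
        # Matches the FATAL squid logs: tproxy/intercept on https_port requires ssl-bump.
        if name == "https_port" and flags & INTERCEPT_FLAGS and "ssl-bump" not in flags:
            problems.append((lineno, "error",
                             "%s %s: tproxy/intercept on https_port requires ssl-bump" % (name, addr)))
        if "ssl-bump" in flags and "cert" not in flags:
            problems.append((lineno, "warning",
                             "%s %s: ssl-bump without cert= (no CA to sign generated host certs)" % (name, addr)))
        if "ssl-bump" in flags and not has_bump_rule:
            problems.append((lineno, "warning",
                             "%s %s: port has ssl-bump but no ssl_bump rule decides what to bump" % (name, addr)))
    return problems


# Constructed from the port lines quoted in this thread; not copied from a running box.
SAMPLE_BEFORE = """\
http_port 192.168.1.1:3128
http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept
always_direct allow all
ssl_bump server-first all
"""

SAMPLE_AFTER = """\
http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
sslcrtd_program /usr/pbi/squid-i386/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
always_direct allow all
ssl_bump server-first all
"""

if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_port_lines(conf) or "ok")
```

Run it against the real file with `check_port_lines(open("/usr/pbi/squid-i386/etc/squid/squid.conf").read())` (path as in the log above); anything at level "error" is what squid will abort on.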
bellera:

                    My system is 32 bit…

Differences in squid.conf when applying transparent SSL mode:

                    diff squid.conf_transparent.txt squid.conf_transparent_ssl.txt 
                    4,5c4,6
                    < http_port 192.168.1.1:3128
                    < http_port 127.0.0.1:3128 intercept
                    ---
                    > http_port 192.168.1.1:3128 
                    > http_port 127.0.0.1:3128 intercept 
                    > https_port 127.0.0.1:3129 intercept 
                    87a89,90
                    > always_direct allow all
                    > ssl_bump server-first all
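Review bot: the added line `https_port 127.0.0.1:3129 intercept` carries no ssl-bump option, while `ssl_bump server-first all` is added further down; squid's rule that tproxy/intercept on https_port requires ssl-bump is checked on the port line itself, so this is exactly the combination the FATAL in the system.log above rejects. Either add `ssl-bump` (with the cert= parameter for the signing CA) to that https_port line, or leave the https_port out until ssl-bump is set up.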
                    
bellera:

                      Working, but…

                      Must I create my own CA?

                      Can I use an "official" CA or not?

                      diff squid.conf_transparent_ssl.txt squid.conf_transparent_ssl_myself.txt 
                      4,6c4,9
                      < http_port 192.168.1.1:3128 
                      < http_port 127.0.0.1:3128 intercept 
                      < https_port 127.0.0.1:3129 intercept 
                      ---
                      > http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
                      > 
                      > http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
                      > 
                      > https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
                      > 
                      18a22,25
                      > sslcrtd_program /usr/pbi/squid-i386/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
                      > sslcrtd_children 5
                      > sslproxy_capath /usr/pbi/squid-i386/share/certs/
                      > sslproxy_cert_adapt setCommonName all
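Review bot: all three port lines now set generate-host-certificates=on with cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem, so serverkey.pem must hold the CA certificate and private key that signs the per-host certificates squid generates, not an ordinary leaf server certificate; that CA is the one the "install the CA crt as a trusted CA on each computer" step refers to. Also confirm that /var/squid/lib/ssl_db, given to ssl_crtd with -s, exists and is writable by the user squid runs as, since that is where ssl_crtd keeps the generated certificates.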
                      

I would prefer not to do this:

                      Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.

It could, in fact, be impossible. A lot of BYOD (http://en.wikipedia.org/wiki/Bring_your_own_device)…

Oliver_:

Yes, you must create your own CA! I think it is not possible to use an "official" CA, because you are using a man-in-the-middle attack to fetch and control HTTPS traffic.
Of course every HTTPS filter will use a MITM attack, so the client must have a trusted wildcard cert of the controlling unit.

A solution can be to have a non-transparent SSL proxy, and only devices that are under your control are forced to use the proxy.
