[SOLVED] squid3-dev (3.3.10 pkg 2.2) + Clamav Antivirus won't start
-
Neither squidguard nor the antivirus starts at startup. I have to log in and manually save the squid settings, then voilà, it works. Please see my log of startup and after I click save in squid.
-
Can anyone please inform me why, when I enable the antivirus, I cannot surf the web?
The following error appears:
==========quote============
ERROR in the browser
The following error was encountered while trying to retrieve the URL:
http://google.com
ICAP protocol error.
The system returned: [No Error]
This means that some aspect of the ICAP communication failed.
Some possible problems are:
* The ICAP server is not reachable.
* An illegal response was received from the ICAP server.
==================unquote =====================
If I run the client from the console:
/usr/local/bin/c-icap-client
ICAP server:localhost, ip:127.0.0.1, port:1344
OPTIONS:
Allow 204: Yes
Preview: 1024
Keep alive: Yes
ICAP HEADERS:
ICAP/1.0 200 OK:
Methods:RESPMOD, REQMOD
Service:C-ICAP/0.2.5 server - Echo demo service
ISTag:CI0001-XXXXXXXXX
Transfer-Preview:*
Options-TTL:3600
Date:Tue, 11 Mar 2014 13:54:59 GMT
Preview:1024
Allow:204
X-Include:X-Authenticated-User, X-Authenticated-Groups
Encapsulated:null-body=0
and all the services seem to be running.
I look forward to your responses.
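The c-icap-client output above is an ICAP OPTIONS exchange, which is the same request Squid sends before it starts passing traffic to the antivirus service. Added example, not code from the thread or from the pfSense package: a small POSIX shell probe that builds the OPTIONS request, sends it to the server named in the post (127.0.0.1:1344) and parses the answer into the fields Squid cares about, returning non-zero on anything other than a 200 status, which is roughly what shows up in the browser as "ICAP protocol error". It assumes the `echo` service shown in the post and nc(1) with a `-w` timeout flag; both are assumptions, swap in the service name your squid.conf points at.

```shell
#!/bin/sh
# Added example (not from the thread): probe a c-icap server the way Squid does,
# with an ICAP OPTIONS request, and pull out status, Methods and ISTag.
# Host and port are the ones from the thread; the service name is an assumption.

ICAP_HOST=${ICAP_HOST:-127.0.0.1}
ICAP_PORT=${ICAP_PORT:-1344}
ICAP_SERVICE=${ICAP_SERVICE:-echo}   # assumption: the demo service c-icap-client talked to

# Build the raw OPTIONS request. ICAP uses CRLF line endings and an empty
# line to terminate the headers, exactly like HTTP.
icap_options_request() {
    printf 'OPTIONS icap://%s:%s/%s ICAP/1.0\r\n' "$ICAP_HOST" "$ICAP_PORT" "$ICAP_SERVICE"
    printf 'Host: %s\r\n' "$ICAP_HOST"
    printf 'User-Agent: icap-options-probe\r\n'
    printf '\r\n'
}

# Read an ICAP response on stdin, print "<status> <methods> <istag>" and
# return 0 only for "ICAP/1.0 200". A missing status line or any other code
# is what Squid reports as an unreachable / illegal ICAP server.
icap_parse_options() {
    tr -d '\r' | awk '
        NR == 1 {
            if ($1 != "ICAP/1.0") { exit 1 }   # not an ICAP status line at all
            status = $2
        }
        NR > 1 && /^$/ { exit }               # blank line ends the headers
        tolower($0) ~ /^methods:/ { sub(/^[^:]*:[ \t]*/, ""); methods = $0 }
        tolower($0) ~ /^istag:/   { sub(/^[^:]*:[ \t]*/, ""); istag = $0 }
        END {
            if (status == "") exit 1
            printf "%s %s %s\n", status, methods, istag
            if (status == "200") exit 0
            exit 1
        }'
}

# Live check against the server: needs a reachable c-icap and nc(1).
icap_check() {
    icap_options_request | nc -w 3 "$ICAP_HOST" "$ICAP_PORT" | icap_parse_options
}
```

Run `icap_check` from the pfSense shell while the browser shows the ICAP error: a connection refusal means c-icap is not listening (or has crashed, as discussed later in the thread), a non-200 status or garbage first line means the service answered but not with something Squid will accept, and a clean `200 RESPMOD, REQMOD ...` line points the problem at the Squid side of the link instead.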
-
usabug, can you try with pfsense 32 bits?
-
usabug, can you try with pfsense 32 bits?
Dear Marcelloc,
I can try, but if I use a 32-bit operating system then I can only use 4GB of RAM.
The server right now has 16G of RAM onboard.
If I use the 32-bit operating system I have to install a kernel with Physical Address Extension, which is not an option because it causes too many crashes.
But if you want me to do it just for a test, I can do it.
-
First I want to thank you guys for your work @ Eduardo Gonçalves & marcelloc
How can we help you with your work? Tomorrow my testing system should be running again and I have a little time for testing!
-
How can we help you with your work?
The problem is that c-icap is crashing when called by squid. You can check it in the squid logs.
-
Working with squid3-devel in non-transparent mode and in transparent mode for HTTP, but when I activated transparent mode for HTTPS it doesn't work.
Here is my /var/log/system.log
Mar 13 20:47:24 fw2 php: /pkg_edit.php: [Squid] - Squid_resync function call pr:1 bp: rpc:no
Mar 13 20:47:24 fw2 php: /pkg_edit.php: Reloading Squid for configuration sync
Mar 13 20:47:24 fw2 check_reload_status: Reloading filter
Mar 13 20:47:25 fw2 check_reload_status: Syncing firewall
Mar 13 20:47:25 fw2 php: /pkg_edit.php: [Squid] - Squid_resync function call pr:1 bp: rpc:no
Mar 13 20:47:25 fw2 php: /pkg_edit.php: Reloading Squid for configuration sync
Mar 13 20:47:25 fw2 squid: Bungled /usr/pbi/squid-i386/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept
Mar 13 20:47:25 fw2 php: /pkg_edit.php: The command '/usr/pbi/squid-i386/sbin/squid -k reconfigure -f /usr/pbi/squid-i386/etc/squid/squid.conf' returned exit code '1', the output was '2014/03/13 20:47:25| FATAL: tproxy/intercept on https_port requires ssl-bump which is missing. FATAL: Bungled /usr/pbi/squid-i386/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept Squid Cache (Version 3.3.10): Terminated abnormally. CPU Usage: 0.008 seconds = 0.008 user + 0.000 sys Maximum Resident Size: 28544 KB Page faults with physical i/o: 0'
Similar problem and clamav is not yet activated. I'm implementing squid3-devel step-by-step…
I tried stop/start squid and same result.
FATAL: tproxy/intercept on https_port requires ssl-bump which is missing.
FATAL: Bungled /usr/pbi/squid-i386/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept
Squid Cache (Version 3.3.10): Terminated abnormally.
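The FATAL above is Squid refusing a config in which an `https_port` line carries `intercept` but no `ssl-bump` option, and because the package runs `squid -k reconfigure` the running proxy is the thing that dies. Added example, not part of the thread or of the pfSense package: a pre-flight check in POSIX shell that flags exactly that combination in a squid.conf before reload, then hands the file to `squid -k parse`, which reports the same FATAL lines without touching the daemon. The binary and config paths default to the i386 PBI paths shown in the log; a `tproxy` port is treated the same way as `intercept`, since the error message covers both.

```shell
#!/bin/sh
# Added example (not from the thread): catch "tproxy/intercept on https_port
# requires ssl-bump" before Squid is reloaded. Defaults are the paths from the
# system.log above; override them for other installs.

SQUID_BIN=${SQUID_BIN:-/usr/pbi/squid-i386/sbin/squid}
SQUID_CONF=${SQUID_CONF:-/usr/pbi/squid-i386/etc/squid/squid.conf}

# Print one "line N: ..." message per https_port line that has intercept or
# tproxy but no ssl-bump option; return 1 if any was found, 0 otherwise.
check_https_port_bump() {
    awk '
        /^[ \t]*https_port[ \t]/ && /[ \t](intercept|tproxy)([ \t]|$)/ {
            if ($0 !~ /[ \t]ssl-bump([ \t]|$)/) {
                printf "line %d: %s  (intercept/tproxy on https_port needs ssl-bump)\n", NR, $0
                bad = 1
            }
        }
        END { if (bad) exit 1 }' "$1"
}

# Full pre-flight: the static check first (cheap and explains itself), then
# Squid's own parser, which catches everything else the static check does not.
squid_preflight() {
    conf=${1:-$SQUID_CONF}
    check_https_port_bump "$conf" || return 1
    "$SQUID_BIN" -k parse -f "$conf"
}
```

Run `squid_preflight` after editing squid.conf by hand or after the GUI regenerates it; if it returns non-zero, do not issue the reload, because `squid -k reconfigure` on a bungled file terminates the proxy instead of leaving the old configuration running.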
-
My system is 32 bit…
Differences in squid.conf when applying for transparent SSL mode:
diff squid.conf_transparent.txt squid.conf_transparent_ssl.txt 4,5c4,6 < http_port 192.168.1.1:3128 < http_port 127.0.0.1:3128 intercept --- > http_port 192.168.1.1:3128 > http_port 127.0.0.1:3128 intercept > https_port 127.0.0.1:3129 intercept 87a89,90 > always_direct allow all > ssl_bump server-first all
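Review bot: the added `https_port 127.0.0.1:3129 intercept` has no `ssl-bump` option, which is precisely what the FATAL in the previous post reports ("tproxy/intercept on https_port requires ssl-bump which is missing"): Squid cannot intercept port 443 without terminating TLS itself, so that line needs `ssl-bump` together with a `cert=` pointing at a signing certificate, and the `ssl_bump server-first all` rule added further down in this diff does nothing until a port carries that option.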
-
Working, but…
Must I create my own CA?
Can I use an "official" CA or not?
diff squid.conf_transparent_ssl.txt squid.conf_transparent_ssl_myself.txt 4,6c4,9 < http_port 192.168.1.1:3128 < http_port 127.0.0.1:3128 intercept < https_port 127.0.0.1:3129 intercept --- > http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/ > > http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/ > > https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/ > 18a22,25 > sslcrtd_program /usr/pbi/squid-i386/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048 > sslcrtd_children 5 > sslproxy_capath /usr/pbi/squid-i386/share/certs/ > sslproxy_cert_adapt setCommonName all
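Review bot: every listening port, including the explicit-proxy `http_port 192.168.1.1:3128`, now carries `ssl-bump ... cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem`, and with `ssl_bump server-first all` from the previous diff still in place every HTTPS connection will be re-signed by that CA, so any client without the CA in its trust store gets a certificate error on every site; consider an ACL with `ssl_bump none` for hosts that must not be bumped (banking, pinned mobile apps), and since no separate `key=` is given, serverkey.pem holds the CA private key and should be readable by the squid user only.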
I would like not to do this:
Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.
Could be, in fact, impossible. A lot of BYOD (http://en.wikipedia.org/wiki/Bring_your_own_device)…
-
Yes, you must create your own CA! I think it is not possible to use an "official" CA, because you are using a man-in-the-middle attack to fetch and control HTTPS traffic.
Of course every HTTPS filter will use a MITM attack, so the client must have a trusted wildcard cert of the controlling unit. A solution can be to have a non-transparent SSL proxy and only devices that are under your control are forced to use the proxy.
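The answer above says to create your own CA; the diff two posts up shows where it ends up (`cert=.../serverkey.pem`, a single PEM file, no separate `key=`). Added example, not from the thread or from the pfSense package: the openssl commands for building that CA and the combined PEM, plus a step the thread does not show, signing a per-host leaf certificate the way ssl_crtd does, so you can see with `openssl verify` why a client that does not carry the CA rejects every bumped site. Directory layout, subject names and lifetimes are assumptions; pick your own.

```shell
#!/bin/sh
# Added example (not from the thread): private CA for Squid ssl-bump.
# Paths and names below are assumptions for illustration.

# 1. Self-signed CA: key and certificate, then the single PEM Squid's cert=
#    option expects (certificate plus private key when key= is omitted).
make_bump_ca() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj '/CN=Squid SSL-bump CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    cat "$dir/ca.key" "$dir/ca.crt" > "$dir/serverkey.pem"
    chmod 600 "$dir/ca.key" "$dir/serverkey.pem"   # the CA key signs every site
}

# 2. What ssl_crtd does for each visited host: a leaf certificate for that
#    name, signed by the bump CA. Shown here only to make the trust point visible.
make_host_cert() {
    dir=$1
    host=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$dir/$host.crt" 2>/dev/null
}

# 3. The browser's decision: the leaf verifies only against a store that holds
#    the bump CA. Returns 0 on success, non-zero otherwise.
verify_with_store() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Copy `serverkey.pem` to the path the package's `cert=` option names and distribute `ca.crt` (never `ca.key` or `serverkey.pem`) to the clients' trust stores; a device whose store holds some other CA fails the same check the browser does, which is the BYOD problem raised earlier in the thread and the reason the non-transparent proxy for managed devices only is the practical alternative.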