Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid 3.3.4 package for pfsense with ssl filtering

    Scheduled Pinned Locked Moved Cache/Proxy
    305 Posts 72 Posters 304.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pubmsu
      last edited by

      With squid-devel pf 2.1 multi-WAN loadbalancing doesn't work. Failover works because default WAN gets switched.

      More specifically, the floating rule-based setup that used to work for pfsense 2.0.x doesn't work any more. Squid only sends through default WAN, whatever that is at any point.

      Marcello, can you please shed light on this? Whether this is squid-side issue or any nuance of 2.1.x?

      Also, will it be possible to do loadbalancing with transparent SSL proxy?

      1 Reply Last reply Reply Quote 0
      • P
        pubmsu
        last edited by

        Another question: does delay pooling-based traffic management work with transparent SSL proxy'ing?

        1 Reply Last reply Reply Quote 0
        • S
          speedy3k
          last edited by

          Hi everyone.  I hope you all are having  a good night.  I'm a newbie with pfsense. For the life of me, I can't even the the squid3 dev package to work at all.  It won't work in transparent mode or anything, but the non dev squid3 works like a champ.  Any thoughts on where to start to looking?
          I'm currently running
          pfsense 2.1.2
          (works)squid3 3.1.20 pkg 2.0.6 works
          (doesn't seem to work at all) 3.3.10 pkg 2.2.2

          Thanks

          1 Reply Last reply Reply Quote 0
          • marcellocM
            marcelloc
            last edited by

            did you followed some squid posts to get it working?

            check missing libs?
            ipv6 enabled?
            netstat -an to see if squid port is closed or listening…

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • belleraB
              bellera
              last edited by

              Bug at squid3-dev 3.3.10 pkg 2.2.2
              http://forum.pfsense.org/index.php?topic=62256.msg407762#msg407762

              1 Reply Last reply Reply Quote 0
              • belleraB
                bellera
                last edited by

                Steps for SSL interception. In Spanish, please use translate.google.com
                https://forum.pfsense.org/index.php?topic=73007.msg402349#msg402349

                1 Reply Last reply Reply Quote 0
                • P
                  Pistolero
                  last edited by

                  Hello!

                  Anyone know how to make the built-in antivirus work? c-icap keeps crashing with error signal 11 whenever I enable the AV functions. Or, is there any way to make squid not use c-icap and just use clamav, just like Dansguardian?

                  Thanks!

                  1 Reply Last reply Reply Quote 0
                  • marcellocM
                    marcelloc
                    last edited by

                    @Pistolero:

                    Hello!

                    Anyone know how to make the built-in antivirus work? c-icap keeps crashing with error signal 11 whenever I enable the AV functions. Or, is there any way to make squid not use c-icap and just use clamav, just like Dansguardian?

                    Thanks!

                    You can try old havp or test your squid in i386 pfsense version.

                    Treinamentos de Elite: http://sys-squad.com

                    Help a community developer! ;D

                    1 Reply Last reply Reply Quote 0
                    • C
                      cheonne
                      last edited by

                      i tried installing squid 3.3.10 dev in 2.1.3v i386
                      no issues found yet
                      squid starts after configuration.
                      looks like the missing lib before where now incorporated in the new version

                      1 Reply Last reply Reply Quote 0
                      • A
                        asterix
                        last edited by

                        Anyone has issues while using transparent mode in squid3-dev on amd64? I keep getting Access Denied.

                        If I configure proxy settings in the browser then it works fine. Just can't use transparent mode. Switching back to squid 3.1.20 works fine.

                        1 Reply Last reply Reply Quote 0
                        • D
                          dig1234
                          last edited by

                          I think there is a mistake in the reverse proxy config, I was having trouble so I read the squid.conf in pbi/…/etc and I found the directive
                          round-robin
                          even though I don't want that since my servers are independent of each other. I suggest either add a checkbox for that or remove that directive. Thanks!

                          1 Reply Last reply Reply Quote 0
                          • S
                            smar
                            last edited by

                            @periko:

                            The 2nd issue I found was with ebay, went I wanted to pay I receive this error:

                            The following error was encountered while trying to retrieve the URL: ://checkout.payments.ebay.com:443

                            Failed to establish a secure connection to site-ip

                            The system returned:

                            (92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
                            SSL Certficate error: certificate issuer (CA) not known: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©10/CN=VeriSign Class 3 Secure Server CA - G3

                            This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

                            What I did was to clear certs folders, empty index.txt, size folder value to 0, latter remove my ca from the browsers, create a new one and start over.

                            I could pay on ebay, the only issue I have is with my bank now, I will try to add the option that skip some sites from ssl-bump.

                            I still nervous if I can send this to production.

                            Can you give me a bit more details on how you resolved this. My SSL intercept seems to be working for most sites, but a few such as the ebay payments, or even the moto360 site (https://moto360.motorola.com/) fail with the same error about not recognising the CA.

                            Many thanks.

                            1 Reply Last reply Reply Quote 0
                            • D
                              dig1234
                              last edited by

                              For what it's worth, I'm using latest Squid3-dev (3.3.10 pkg 2.2.2) with ssl intercept and am able to browse to that moto360 site with no error.

                              Can you give me a bit more details on how you resolved this. My SSL intercept seems to be working for most sites, but a few such as the ebay payments, or even the moto360 site (https://moto360.motorola.com/) fail with the same error about not recognising the CA.

                              Many thanks.

                              1 Reply Last reply Reply Quote 0
                              • S
                                smar
                                last edited by

                                @dig1234:

                                For what it's worth, I'm using latest Squid3-dev (3.3.10 pkg 2.2.2) with ssl intercept and am able to browse to that moto360 site with no error.

                                Can you give me a bit more details on how you resolved this. My SSL intercept seems to be working for most sites, but a few such as the ebay payments, or even the moto360 site (https://moto360.motorola.com/) fail with the same error about not recognising the CA.

                                Many thanks.

                                That's very odd, as I'm on exactly the same build, and using ssl intercept/transparent. Is there any specific configuration parameters you've changed/added in your squid setup?

                                Also do you have any problems in posting messages to https sites (e.g. this forum) when going through the proxy? I keep getting an error in posting, and thus have to use a machine that doesn't go through the proxy.

                                1 Reply Last reply Reply Quote 0
                                • D
                                  dig1234
                                  last edited by

                                  Ah, I actually had "do not verify remote cert" set, I did not realize. When I set that I get the same error at moto360.
                                  Perhaps that particular root is not in the store that the squid package is using, if that's the case this should not be difficult to correct..

                                  @smar:

                                  @dig1234:

                                  For what it's worth, I'm using latest Squid3-dev (3.3.10 pkg 2.2.2) with ssl intercept and am able to browse to that moto360 site with no error.

                                  Can you give me a bit more details on how you resolved this. My SSL intercept seems to be working for most sites, but a few such as the ebay payments, or even the moto360 site (https://moto360.motorola.com/) fail with the same error about not recognising the CA.

                                  Many thanks.

                                  That's very odd, as I'm on exactly the same build, and using ssl intercept/transparent. Is there any specific configuration parameters you've changed/added in your squid setup?

                                  Also do you have any problems in posting messages to https sites (e.g. this forum) when going through the proxy? I keep getting an error in posting, and thus have to use a machine that doesn't go through the proxy.

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    smar
                                    last edited by

                                    @dig1234:

                                    Ah, I actually had "do not verify remote cert" set, I did not realize. When I set that I get the same error at moto360.
                                    Perhaps that particular root is not in the store that the squid package is using, if that's the case this should not be difficult to correct..

                                    Thanks for spotting that and yes selecting that option allows me to visit such sites. With regards to the certificate squid is complaining about, it is from Thawte, and so one would have assumed it would be included. However, I did notice that the certificate's CN was "Thawte Inc", but non of the Thawte certificates in /usr/local/share/certs had exactly the same CN (the ones there are Thawte Premium Server, Thawte Primary Root etc).

                                    Also are you able to post to https sites, such as this forum, when going through squid? I am still getting the following message unless I use a PC that bypasses the proxy:

                                    Error 403

                                    We're sorry, but we could not fulfill your request for /index.php?action=post2;start=270;board=15 on this server.

                                    You do not have permission to access this server. Before trying again, close your browser, run anti-virus and anti-    spyware software and remove any viruses and spyware from your computer.

                                    Your technical support key is: 5688-9cbf-b40c-8ddc

                                    You can use this key to fix this problem yourself.

                                    If you are unable to fix the problem yourself, please contact the WEBMA5TER and be sure to provide the technical support key shown above.

                                    UPDATE: Actually the above posting error seems to be an issue with my Chrome setup, as posting is working fine from IE.

                                    1 Reply Last reply Reply Quote 0
                                    • D
                                      dig1234
                                      last edited by

                                      I do not have any issue posting from firefox.
                                      Should be pretty simple to just drop that root CA cert in the folder /usr/pbi/squid-amd64/share/certs. I'm just not sure about the naming convention used, seems to be based on a hash. Likely squid uses the filename to locate the correct cert. Just guessing here.

                                      @smar:

                                      UPDATE: Actually the above posting error seems to be an issue with my Chrome setup, as posting is working fine from IE.

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        pubmsu
                                        last edited by

                                        Anyone figured out how to do load-balancing of squid traffic for 2.1.x or 2.2 alpha?

                                        1 Reply Last reply Reply Quote 0
                                        • E
                                          eyditharen
                                          last edited by

                                          I already running squid3 ver 3.3.4, working normal can cache http/https with 1 interface ( use as proxy box ), how to  use squid3 working with mikrotik ..

                                          1 Reply Last reply Reply Quote 0
                                          • G
                                            gar2k
                                            last edited by

                                            new rds protocol 8.0 not work more, any ideas?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.