Squid3 - New GUI with sync, normal and reverse proxy

zang3tsu

I actually found this while fixing another issue. The issue is fixed now and squid is running even with the error.

Cino

was the fix copying over some files? I've been meaning to switch over to amd64 but haven't since other installs have had issues with squid and dansguardian

zang3tsu

Uh no. It's not actually fixed per the above error message. I just had an issue with my settings in the reverse proxy and that issue is fixed now. Otherwise, squid is running good with squidGuard. I think I tried dansguardian before but SSL filtering doesn't seem to work so I just opted for squidGuard.

mhab12

I was getting the previously discussed msgget failed error and the squid service would not stay running.  The issue only appeared about a week after installing lightsquid, probably when the files were set to update.  I uninstalled lightsquid but that didn't seem to help.  I cleared the squid cache but that didn't seem to help.  The only fix I found was to reboot the box after removing lightsquid and now everything is up and running smoothly.

DavidMcQueenLPS

Recently we install the following:

• pfSense 2.1.5 VM
• Squid3dev 3.3.10 pkg 2.2.6
• Diladele 3.3.0.E807

We are running in transparent mode with HTTPS bumping.

Lately we have been getting icap errors:

The message is coming from Squid:

ICAP protocol error.
The system returned: [No Error]

Is there anywhere I can look for more detail?

Also, while looking in the /var/squid/logs/cache.log I have been seeing many:

parse error while reading template file: /usr/pbi/squid-amd64/etc/squid/errors/templates/error-details.txt
WARNING: failed to find or read error text file error-details.txt

This file does exist:

-r–r--r--  1 proxy  proxy  7151 Nov 26  2013 error-details.txt

eldersouza

Hi guys,

I configured pfSync + CARP and both server are running ok. But Squid "Sync to configured system backup server" does not work. I'm getting this message in system logs

php: /pkg_edit.php: [squid] xmlrpc sync is enabled but there is no system backup hosts to push squid config.

But, if I change this configuration to "Sync to hosts defined below" and put IP address from backup server everything works fine.

This is a bug or I forgot some configuration?

Thanks

edanpedragosa

Hi!

With HTTPS/SSL interception enabled, some desktop apps like google drive does not work.

Any easy workaround for this?

Thanks!

dooldeniya

Hello,

I am attempting to install squid3 from the packages menu and getting the following error:
pfsense version: 2.2-BETA (amd64) built on Tue Oct 21 13:21:00 CDT 2014 FreeBSD 10.1-RC2

Installation of squid3 FAILED!

Beginning package installation for squid3 .
Downloading package configuration file… done.
Saving updated package information... done.
Downloading squid3 and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/10/All/squid-3.1.22_1-amd64.pbi ...  could not download from there or https://files.pfsense.org/packages/10/All//squid-3.1.22_1-amd64.pbi.
of squid-3.1.22_1-amd64 failed!

Installation aborted.Removing package...
Starting package deletion for squid-3.1.22_1-amd64...done.
Removing squid3 components...
Tabs items... done.
Menu items... done.
Services... done.
Loading package instructions...
Include file squid.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
done.
Failed to install package.

Installation halted.

Is this not available on 2.2 as a pbi? Do I need to install manually via CLI?

edanpedragosa

Hi!

Is there a way to revert back to 3.3.10 pkg 2.2.6 from the current 3.3.10 pkg 2.2.8?

Thanks!

finalcut

why do you want to revert back ,, i'm about to update ?

edanpedragosa

It seems that after the update, the squid real-time monitoring does not work anymore.

Also, the tweak to allow large downloads in cache also stopped working.

With that note, I want to revert to see if the issue was with this update or not.

finalcut

clear old cash
or
from console squid -k rotate

stuntshell

Hi,
I set it to portuguese pt-br and I receive the following error messages on startup:

2014/11/10 08:39:29 kid1|  parse error while reading template file: /usr/pbi/squid-amd64/etc/squid/errors/pt-br/error-details.txt
2014/11/10 08:39:29 kid1| Unable to load default error language files. Reset to backups.
2014/11/10 08:39:29 kid1|  parse error while reading template file: /usr/pbi/squid-amd64/etc/squid/errors/templates/error-details.txt
2014/11/10 08:39:29 kid1| WARNING: failed to find or read error text file error-details.txt

Thanks,

edanpedragosa

I already cleared the cache many times, even uninstalled and reinstalled all the packages with the same effect.

I'm not pretty sure if rotating logs will make a difference, anyway, I'll try again later.

SARG can still display the realtime logs but squid realtime is not working.

I hope the next update will fix it.

edanpedragosa

It seems that squid does not cache anything at all.

I only get TCP_MISS/200 in the access log.

Here's my current squid config settings:

# This file is automatically generated by pfSense
# Do not edit manually !

http_port 177.7.0.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB cert=/usr/pbi/squid-amd64/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/share/certs/

http_port 172.16.0.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB cert=/usr/pbi/squid-amd64/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/share/certs/

http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB cert=/usr/pbi/squid-amd64/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/share/certs/

https_port 127.0.0.1:3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB cert=/usr/pbi/squid-amd64/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/share/certs/

icp_port 0
dns_v4_first on
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-amd64/etc/squid/icons
visible_hostname AIMSNet_Gateway
cache_mgr edan@aims.ac.th
access_log /var/squid/log/access.log
cache_log /var/squid/log/cache.log
cache_store_log none
netdb_filename /var/squid/log/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-amd64/libexec/squid/pinger
sslcrtd_program /usr/pbi/squid-amd64/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 32
sslproxy_capath /usr/pbi/squid-amd64/share/certs/

logfile_rotate 180
debug_options rotate=180
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  177.7.0.0/16 172.16.0.0/16
forwarded_for off
via off
httpd_suppress_version_string on
uri_whitespace encode

# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
refresh_pattern -i .flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private

# Let the clients favorite video site through with full caching
acl youtube dstdomain .youtube.com
cache allow youtube

# Windows Update refresh_pattern
range_offset_limit -1
refresh_pattern -i microsoft.com/.*.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims

# Symantec refresh_pattern
range_offset_limit -1
refresh_pattern liveupdate.symantecliveupdate.com/.*.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern symantecliveupdate.com/.*.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims

# Avast refresh_pattern
range_offset_limit -1
refresh_pattern avast.com/.*.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims

# Avira refresh_pattern
range_offset_limit -1
refresh_pattern personal.avira-update.com/.*.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims

cache_dir aufs /var/squid/cache 77777 256 256
cache_mem 15777 MB
maximum_object_size_in_memory 1024 KB
memory_replacement_policy heap LFUDA
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 1000000 KB
offline_mode on
cache_swap_low 90
cache_swap_high 95
cache allow all

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|?) 0  0%  0
refresh_pattern .    0  20%  4320

# No redirector configured

#Remote proxies

# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535 
acl sslports port 443 563  

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost

# Allow external cache managers
acl ext_manager src 172.16.0.1
acl ext_manager src 177.7.0.1
http_access allow manager ext_manager

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer. 
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 70
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings

# Package Integration
url_rewrite_program /usr/pbi/squidguard-squid3-amd64/bin/squidGuard -c /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 5

# Custom options before auth
always_direct allow all
ssl_bump server-first all

# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

What could be wrong with it? Note that it was working fine with squid3-dev 3.3.10 pkg 2.2.6

Packages installed:
Cron
pfBlocker
Sarg
squid3-dev
squidGuard-squid3
System Patches

My hardware/software config is:

Dell PowerEdge T110 II
Intel Xeon processor E3-1200 V2 product family
32GB Server RAM
256GB SSD Drive

Version 2.1.5-RELEASE (amd64)
built on Mon Aug 25 07:44:45 EDT 2014
FreeBSD 8.3-RELEASE-p16

Platform pfSense
CPU Type
Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz
4 CPUs: 1 package(s) x 4 core(s)

DNS server(s)
208.67.222.222
208.67.220.220

State table size
0% (1367/1777777)

MBUF Usage
4% (6292/177778)

Temperature 29.8°C

Load average
0.20, 0.14, 0.15

CPU usage
0%

Memory usage
7% of 32716 MB

SWAP usage
0% of 65536 MB

Disk usage
1% of 169G

finalcut

i made update it work flawless ,, thanks for update

sunghost

Hello,
first you make a very good job. Pfsense as well all package developer. I look since weeks for a solution to use an webproxy with antivirus and contentfilter. First i want to use dansguardian, but the last version is from 2012 - very old. than i wanted to use havp, but this version is from 2010! and it looks like the latest security fix is not included in pfsense havp package. I use always stable version for my production environment so squid whould a good choice, but the version of the package is from 2008-2010! and the squid3 beta is also old 2012!

After reading lots of post here in this forum and the most of this over 23 pages in this thread i am not alight with a positiv feeling of using it. The package Info link of squid3 in pfsense leads also to this thread which is a bad overview for information to this package. In my eyes this part must created new with infos over the package and not to a thread with errors and other parts of an information to a package. So in short why are the packages old and what whould be the choice of using a webproxy with antivirus and content filter/security?
thx and this is no offense to anybody just my impression.

finalcut

then push $$$$upport to programmer for those updates
i try to send him donation for his great job but my country is blocked

Tikimotel

@finalcut:

then push $$$$upport to programmer for those updates
i try to send him donation for his great job but my country is blocked

My country wasn't blocked, so I donated today!

finalcut

i am not kidding
also it happen with pfsense i try to buy two stickers (as simple first  donation) and they send the money back to me

any way i try to encourage my company to get pfsense support , they can buy any thing from anywhere