    Squid 3.4.9 no traffic in transparent mode.

      Escorpiom

      Chris said:

      "Disable transparent proxy in Squid and add your own port forward to do it, then edit the associated rule and apply the limiter."

      Cheers.

      Edit: Sorry about that, the port forward rule is actually TWO rules. This is what I found out in the ruleset:

      no rdr on igb1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
      rdr on igb1 proto tcp from any to !(igb1) port 80 -> 127.0.0.1 port 3128
      

      That's the idea; I've got a couple of VLANs and the principle is the same.
      I don't understand why we need the first rule, but it only works like this; a single rule does not work.

        Topper727

        @rubinho:

        @Escorpiom
        Transparent proxy does not work for me either. (Invalid URL)

        The problem with closed ports was already in general Proxy operating.
        But the problem is now solved (Closed Ports)

        Excuse the Mess

        Same for me RC 64 bit Pfsense and squid 3.4.10

        I will say that I can go to some sites though.. like www.yahoo.com and not sure how many others but most do not work.
        Ahh not thought of this.. maybe the sites that work are https: sites  secure ones ::: Confirmed HTTPS are able to be browsed with Transparent on but http is not.

        Also note: CPU usage on my Intel is 100% cause of squid..

        ERROR

        The requested URL could not be retrieved

        The following error was encountered while trying to retrieve the URL: /2015/01/15/byron-scott-divorce-wife-demands-baller-lifestyle-i-cant-live-without-my-gucci/

        Invalid URL

        Some aspect of the requested URL is incorrect.

        Some possible problems are:

        Missing or incorrect access protocol (should be http:// or similar)

        Missing hostname

        Illegal double-escape in the URL-Path

        Illegal character in hostname; underscores are not allowed.

        Your cache administrator is webmaster.

        Generated Fri, 16 Jan 2015 04:27:47 GMT by pfSense.localdomain (squid/3.4.10)

        Dell 2950 g3 server
        Intel(R) Xeon(R) CPU E5430 @ 2.66GHz
        Current: 2000 MHz, Max: 2667 MHz
        8 CPUs: 2 package(s) x 4 core(s)
        8152 MiB and 600meg 10k drive
        Pfsense 2.4 .. Hoping to get the phpvirtualbox going again.

          Tikimotel

          Could it be that the syntax changed from Squid2 to Squid3++?
          Instead of the tickbox option to disable "Disable X-Forward", I use "forwarded_for transparent" in the "Custom ACLS (Before_Auth)" box.

          Can't test on 2.2, maybe the forward_for options should become a pull-down list in place of a tickbox.

          http://www.squid-cache.org/Versions/v3/3.4/cfgman/forwarded_for.html

          X-Forwarded-For: unknown

          If set to "transparent", Squid will not alter the
          X-Forwarded-For header in any way.

          If set to "delete", Squid will delete the entire
          X-Forwarded-For header.

          If set to "truncate", Squid will remove all existing
          X-Forwarded-For entries, and place the client IP as the sole entry.

            marcelloc

            Check squid config GUI options on all tabs and/or run squid -k parse on console

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

              Tikimotel

              What I meant was with forwarded_for you used to have "on" or "off".
              Now with 3.3 and 3.4 you have multiple settings. (since 3.1)

              forwarded_for on # (default, send client IP info in forward for header)
              forwarded_for off # (tickbox, Disable X-forward option, always respond with "unknown", some forum sites don't like this option!)
              forwarded_for transparent # (do not touch anything, more private?)
              forwarded_for delete # (remove the header info entirely)
              forwarded_for truncate # (single, last, client IP info in the forward for header)
              
              
                Topper727

                The recent 3.4.10_2 pkg 0.2.5 just installed, problem still seems there. I thought it worked but maybe I didn't pay attention to which pages were SSL or not. I did turn on the icap just a second ago, maybe that had something to do with it.

                [2.2-RC][admin@pfSense.localdomain]/root: squid -k parse
                2015/01/16 09:19:43| Startup: Initializing Authentication Schemes …
                2015/01/16 09:19:43| Startup: Initialized Authentication Scheme 'basic'
                2015/01/16 09:19:43| Startup: Initialized Authentication Scheme 'digest'
                2015/01/16 09:19:43| Startup: Initialized Authentication Scheme 'negotiate'
                2015/01/16 09:19:43| Startup: Initialized Authentication Scheme 'ntlm'
                2015/01/16 09:19:43| Startup: Initialized Authentication.
                2015/01/16 09:19:43| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
                2015/01/16 09:19:43| Processing: http_port 192.168.1.1:3128
                2015/01/16 09:19:43| Processing: http_port 127.0.0.1:3128 intercept
                2015/01/16 09:19:43| Starting Authentication on port 127.0.0.1:3128
                2015/01/16 09:19:43| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
                2015/01/16 09:19:43| Processing: icp_port 0
                2015/01/16 09:19:43| Processing: dns_v4_first off
                2015/01/16 09:19:43| Processing: pid_filename /var/run/squid/squid.pid
                2015/01/16 09:19:43| Processing: cache_effective_user proxy
                2015/01/16 09:19:43| Processing: cache_effective_group proxy
                2015/01/16 09:19:43| Processing: error_default_language en
                2015/01/16 09:19:43| Processing: icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
                2015/01/16 09:19:43| Processing: visible_hostname Wholesale-florida.com
                2015/01/16 09:19:43| Processing: cache_mgr sales@wholesale-florida.com
                2015/01/16 09:19:43| Processing: access_log /var/squid/logs/access.log
                2015/01/16 09:19:43| Processing: cache_log /var/squid/logs/cache.log
                2015/01/16 09:19:43| Processing: cache_store_log none
                2015/01/16 09:19:43| Processing: netdb_filename /var/squid/logs/netdb.state
                2015/01/16 09:19:43| Processing: pinger_enable on
                2015/01/16 09:19:43| Processing: pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
                2015/01/16 09:19:43| Processing: logfile_rotate 0
                2015/01/16 09:19:43| Processing: debug_options rotate=0
                2015/01/16 09:19:43| Processing: shutdown_lifetime 3 seconds
                2015/01/16 09:19:43| Processing: acl localnet src  192.168.0.0/16
                2015/01/16 09:19:43| Processing: uri_whitespace strip
                2015/01/16 09:19:43| Processing: acl dynamic urlpath_regex cgi-bin ?
                2015/01/16 09:19:43| Processing: cache deny dynamic
                2015/01/16 09:19:43| Processing: cache_mem 8 MB
                2015/01/16 09:19:43| Processing: maximum_object_size_in_memory 32 KB
                2015/01/16 09:19:43| Processing: memory_replacement_policy heap GDSF
                2015/01/16 09:19:43| Processing: cache_replacement_policy heap LFUDA
                2015/01/16 09:19:43| Processing: cache_dir ufs /var/squid/cache 100 16 256
                2015/01/16 09:19:43| Processing: minimum_object_size 0 KB
                2015/01/16 09:19:43| Processing: maximum_object_size 4 KB
                2015/01/16 09:19:43| Processing: offline_mode off
                2015/01/16 09:19:43| Processing: cache_swap_low 90
                2015/01/16 09:19:43| Processing: cache_swap_high 95
                2015/01/16 09:19:43| Processing: cache allow all
                2015/01/16 09:19:43| Processing: acl allsrc src all
                2015/01/16 09:19:43| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535
                2015/01/16 09:19:43| Processing: acl sslports port 443 563
                2015/01/16 09:19:43| Processing: acl purge method PURGE
                2015/01/16 09:19:43| Processing: acl connect method CONNECT
                2015/01/16 09:19:43| Processing: acl HTTP proto HTTP
                2015/01/16 09:19:43| Processing: acl HTTPS proto HTTPS
                2015/01/16 09:19:43| Processing: http_access allow manager localhost
                2015/01/16 09:19:43| Processing: http_access deny manager
                2015/01/16 09:19:43| Processing: http_access allow purge localhost
                2015/01/16 09:19:43| Processing: http_access deny purge
                2015/01/16 09:19:43| Processing: http_access deny !safeports
                2015/01/16 09:19:43| Processing: http_access deny CONNECT !sslports
                2015/01/16 09:19:43| Processing: request_body_max_size 0 KB
                2015/01/16 09:19:43| Processing: delay_pools 1
                2015/01/16 09:19:43| Processing: delay_class 1 2
                2015/01/16 09:19:43| Processing: delay_parameters 1 -1/-1 -1/-1
                2015/01/16 09:19:43| Processing: delay_initial_bucket_level 100
                2015/01/16 09:19:43| Processing: delay_access 1 allow allsrc
                2015/01/16 09:19:43| Processing: http_access allow localnet
                2015/01/16 09:19:43| Processing: http_access deny allsrc
                2015/01/16 09:19:43| Initializing https proxy context

                  Cino

                  @Tikimotel:

                  
                  forwarded_for on # (default, send client IP info in forward for header)
                  forwarded_for off # (tickbox, Disable X-forward option, always respond with "unknown", some forum sites don't like this option!)
                  forwarded_for transparent # (do not touch anything, more private?)
                  forwarded_for delete # (remove the header info entirely)
                  forwarded_for truncate # (single, last, client IP info in the forward for header)
                  
                  

                  @marcelloc I'm going to try and add this to the GUI… I think it's something I can handle :-)

                  Edit: https://github.com/pfsense/pfsense-packages/pull/789

                    Topper727

                    3.4.10_2 pkg 0.2.5
                    Seems to work properly now just the antivirus I wish would work

                      Cino

                      @Topper727:

                      3.4.10_2 pkg 0.2.5
                      Seems to work properly now just the antivirus I wish would work

                      It does. Follow the steps in the error message. I posted a screen shot of what needs to be added in another thread.

                      https://forum.pfsense.org/index.php?topic=86890.msg477058#msg477058

                        jeepster

                        While poking around looking for an issue not related to squid I saw something that looked out of place on the squid sockets. If you go to Diagnostics: Sockets there seems to be one squid setting that is outside the table. I don't notice any problems but cosmetic.
                        proxy squid 46690 14 udp4 6 *:60225 :

                        seems like there is something extra there…...??

                          Topper727

                          Well I got 503 error from UI and reinstalled pfsense now I get

                          Warning: dir(/usr/local/etc/squid/errors/): failed to open dir: No such file or directory in /etc/inc/pfsense-utils.inc on line 467 Fatal error: Call to a member function read() on a non-object in /etc/inc/pfsense-utils.inc on line 468

                          Found out that only the General Tab does that error.. I pulled up log and other tabs no problem in Squid 3.4.9

                          Guess I'll try another reinstall .. more problems with 2.2 than any other version I ever beta tested

                            marcelloc

                            @Topper727:

                            Well I got 503 error from UI and reinstalled pfsense now I get

                            I got this when I tried to install squid again without removing previous manual symlink fixes.

                            The message says that the errors dir does not exist or points to an invalid dir.

                              Topper727

                              Well I reinstalled again and fixed that issue. And worked on LCDproc, put a request on github with fixes.

                              https://forum.pfsense.org/index.php?topic=83747.75#lastPost

                              Seems fingers crossed I got most working that I tried so far.. just I-cap won't start is all for me now.

                              So squid 3.4.10_2 pkg 0.2.5 works on my 1/16/15 64bit 2.2 version with clean install.  I would guess this means that the problems that show maybe something to do with a bad install or other factors.

                                KOM

                                I would guess this means that the problems that show maybe something to do with a bad install or other factors.

                                Squid still doesn't work for me, and I'm thinking the same thing as you.  Previous hacks trying to get things to work are giving me problems now.  I think it's time for a fresh install.

                                  asterix

                                  Do you have loopback checked? If not, check it. In v2 Squid checking loopback never worked for me.. but it seems to do the trick in the latest v3.

                                    marcelloc

                                    Loopback is configured automatically on squid.conf when using transparent proxy.

                                      JStyleG7X

                                      My 5 cents: My "Invalid URL" issue was resolved by disabling the proxy from listening on the loopback adapter.  The transparent proxy as marcelloc said is enabled by default which is fine.

                                      Was not working.
                                      http_port 192.168.x.1:3128
                                      http_port 10.x.x.2:3128
                                      http_port 127.0.0.1:3128
                                      http_port 127.0.0.1:3128 intercept

                                      Now Working.
                                      http_port 192.168.x.1:3128
                                      http_port 10.x.x.2:3128
                                      http_port 127.0.0.1:3128 intercept

                                      I also want to mention one side note if you're new to pfsense/squid and troubleshooting issues.  If you are using any extra packages Dansguardian/Squidguard/HAVP etc… you might consider removing these until you ensure you have squid working just by itself.  I've seen some packages when installed, even though they're disabled still add forwarding rules to squid in the integrations box - so basically it's forwarding to a proxy not running.  This may give the illusion it's not working for those who are unfamiliar with what should normally be configured.

                                      I'm always learning something new myself! :)

                                      1 Reply Last reply Reply Quote 0
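
A console check for the condition JStyleG7X describes above, added here as an example and not posted in the thread or shipped with the pfSense package: it flags any address:port that is declared both as a plain `http_port` and as an `intercept` `http_port`. The function names are hypothetical; the sample lines are the `http_port` lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list every http_port address:port that
# is declared both as a plain forward-proxy listener and as an intercept one.
# Accepts squid.conf text or "squid -k parse" output on stdin.
find_http_port_conflicts() {
    awk '
    {
        # Find the directive; parse output prefixes it with a timestamp
        # and "Processing:". Stop scanning at a "#" comment.
        pos = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^#/) break
            if ($i == "http_port") { pos = i; break }
        }
        if (pos == 0 || pos == NF) next
        addr = $(pos + 1)
        mode = "forward"
        for (i = pos + 2; i <= NF; i++) {
            if ($i ~ /^#/) break
            # "transparent" is the pre-3.1 spelling of "intercept"
            if ($i == "intercept" || $i == "transparent") mode = "intercept"
        }
        seen[addr, mode] = 1
        if (!(addr in first)) { first[addr] = 1; list[++n] = addr }
    }
    END {
        for (k = 1; k <= n; k++)
            if (((list[k], "forward") in seen) && ((list[k], "intercept") in seen))
                print list[k]
    }'
}

# Exit status 1 when a forward and an intercept listener share an address:port.
check_squid_listeners() {
    conflicts=$(find_http_port_conflicts)
    if [ -n "$conflicts" ]; then
        echo "forward and intercept listener share: $conflicts"
        return 1
    fi
    echo "no forward/intercept overlap"
}

# The "was not working" http_port lines quoted in the post above.
sample_not_working() {
    cat <<'EOF'
http_port 192.168.x.1:3128
http_port 10.x.x.2:3128
http_port 127.0.0.1:3128
http_port 127.0.0.1:3128 intercept
EOF
}

# Two lines from the "squid -k parse" output earlier in the thread.
sample_parse_output() {
    cat <<'EOF'
2015/01/16 09:19:43| Processing: http_port 192.168.1.1:3128
2015/01/16 09:19:43| Processing: http_port 127.0.0.1:3128 intercept
EOF
}

sample_not_working | check_squid_listeners || true
sample_parse_output | check_squid_listeners
```

On the firewall itself the same function can read the live file, for example `check_squid_listeners < /usr/local/etc/squid/squid.conf`, using the path shown in the `squid -k parse` output earlier in the thread.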
                                        marcelloc

                                        Thanks for the note :)

                                          Topper727

                                          I got my copy fixed of these issues and a friend's now..

                                          https://forum.pfsense.org/index.php?topic=85965.msg544817#msg544817
