Squid not listening on port 80
-
I'm getting the same error after the upgrade to 2.2-RELEASE (amd64)
-
Try to set it via console too and/or reboot to get it working.
-
Reboot doesn't change anything
How to set it via consol
Thank you for your commitment :D
-
first check what you get applied
sysctl net.inet.ip.portrangethen change if not applied during boot
sysctl net.inet.ip.portrange.first=0EDIT
You can try this toosysctl net.inet.ip.portrange.reservedhigh=79Reference: http://segfault.in/2010/10/freebsd-net-inet-ip-sysctls-explained/
net.inet.ip.portrange.reservedlow, net.inet.ip.portrange.reservedhigh
The range of privileged ports which only may be opened by root-owned processes may be modified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl settings. The values default to the traditional range, 0 through IPPORT_RESERVED – 1 (0 through 1023), respectively. Note that these settings do not affect and are not accounted for in the use or calculation of the other net.inet.ip.portrange values above. Changing these values departs from UNIX tradition and has security consequences that the administrator should carefully evaluate before modifying these settings.
-
Either way doesn't work
$ sysctl net.inet.ip.portrange.first=0
net.inet.ip.portrange.first: 1024 -> 1024$ sysctl net.inet.ip.portrange.reservedhigh=79
net.inet.ip.portrange.reservedhigh: 1023 -> 79net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.reservedhigh: 79
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomtime: 45Then I restart Squid and same issue
If I restard pFsense the setting reverses to 1024 ..???
-
I installed a new pfsense in a VM directly from CD
Impossible to change
net.inet.ip.portrange.first=0Out of the box …
The previous version 2.1 is impossible to change too BUT the old squid package doesn't care for it.
-
The previous version 2.1 is impossible to change too BUT the old squid package doesn't care for it.
pfsense, not squid…
-
While fixing the package to 2.2, it was working.
Use old workaround instead until we find a way to fix it again.
Listen squid on a high port and nat it from 80/443 to configured port.
If you preffer, you can (re)open a redmine ticket for it.
-
Thats the workaround I had in mind ;D
Many thanks for your help
-
I've officially upgraded my box to 2.2 today and if you use a higher port with a nat redirect; it works with not issues from what I can tell.
-
Cino,
Can you elaborate about how to configure the NAT redirect as a work around?
I am configuring a reverse proxy to use with Lync and need to use port 443.
Thanks,
Rody.
-
Have squid reverse proxy listen to lets say port 8443, using loopback for its interface. Then create a WAN NAT to redirect all incoming traffic from port 443 to 8443.
e.g here is my NAT for port 80
WAN TCP * * WAN address 80 (HTTP) 127.0.0.1 9080 HTTP squid-reverse redirect
squid is setup for loopback listen on port 9080
-
Have squid reverse proxy listen to lets say port 8443, using loopback for its interface.
Until we find a another way to workaround non root users listening on low ports security rule.
-
Thanks Cino,
I created the WAN NAT to redirect incoming traffic from port 443 to the port 1443:
WAN TCP * * WAN address 443 (HTTPS) 127.0.0.1 1443
Then have Squid Reverse Proxy listen on 1443 on "reverse HTTPS port" under "Squid Reverse HTTPS Settings" but that does not work.
I don't get the part where you said "squid is setup for loopback listen on port 9080" Is this port 9080 something that I have to configure some place else for the loopback address? Then change 1443 for 9080?
I don't think this is a default port, so where in Squid Reverse Proxy is this lookback port configured?
Thanks,
Rody.
-
@rody:
Then have Squid Reverse Proxy listen on 1443 on "reverse HTTPS port" under "Squid Reverse HTTPS Settings" but that does not work.
Did you also change the 'Reverse Proxy interface' from WAN to LAN? That took me a while to find out.
-
'Reverse Proxy interface' - select loopback as the interface… use a higher port like 8443 or 9443 for 'reverse HTTPS port'
-
'Reverse Proxy interface' - select loopback as the interface… use a higher port like 8443 or 9443 for 'reverse HTTPS port'
In stead of using loopback I first set up the NAT to redirect WAN 443 to port 8443 on the LAN-IP of pfSense and had Squid listen to the LAN interface. This works fine.
Now I changed the NAT to redirect to 127.0.0.1 and have Squid listen to loopback. This also work fine.
Is there a reason to prefer one method over the other?
-
Is there a reason to prefer one method over the other?
If you do not need to listen on lan, listen on a interface that nobody has direct access to.
-
Gah! I just got hit with this one. I just got my authetication issues figured out and decided to tighten up my proxy setup. So, the first and only thing I did was try to set my proxy to a port lower than 1024.
Checking the logs, it appears the squid process isn't able to open ports below 1024 since they are reserved ports…only root can.
But, Squid 2 is able to open ports below 1024 without any issues. Squid3 isnt.
Has there been much movement on allowing squid to open ports below 1024? I have tried adjusting the sysctl parameters with no luck.
-
Actually,
I was able to get the kernel to allow non-root users to open ports below 1024 by tweaking this kernel parameter:net.inet.ip.portrange.reservedhigh=20I just added that line to my /etc/sysctl.conf file. Be sure to adjust the port to whatever you like. I did 15 just for testing, and put squid on port 30.
Once you edit that file, you will need to reload the parameters by doing asysctl -afrom the command line.
Or, you can actually do this from the systems tuneables menu on the web page.
Goto System > Advanced then click on the "System Tuneables" tab.
Scroll to the bottom, and click the little "+" icon to add a new tuneable rule.
For the Tuneable field use:net.inet.ip.portrange.reservedhighAnd for the value field, put what ever the lowest port you want to allow normal users to open. I did 15 in my example. Then hit save.
Here is what it looks like:
http://i.imgur.com/5XXNsI1.pngWhile this isn't a good thing to do for security, I have honestly felt that the reserved ports in Linux is a dinosaur. This is a good workaround.
