Any chance of getting a working transparent proxy again?

Supermule

When using Squid3 then ClamAV is good to have.

Can anyone post a working c-icap.conf file??

notaduck

i don't think so :S
i have seen so many topics without a solution :S

peter808

@notaduck:

This is theexact way i did my squid configuration http://techknight.eu/2015/03/13/pfsense-setup-and-configure-squid3-transparent-proxy/

Thanks, but I already knew about that article.

Still no working transparent mode here  :'(

notaduck

@peter808:

@notaduck:

This is theexact way i did my squid configuration http://techknight.eu/2015/03/13/pfsense-setup-and-configure-squid3-transparent-proxy/

Thanks, but I already knew about that article.

Still no working transparent mode here  :'(

hmmmm…. I just don't understand why it shouldn't work for you.
can you try to post your squid slog?

btw. it annoys me that it isn't working because i am the one who wrote the article -_- and it works just fine for me

peter808

http_port 172.23.200.1:3128
http_port 127.0.0.1:3128 intercept
icp_port 0
cache_effective_user proxy
cache_effective_group proxy
error_default_language de
icon_directory /usr/pbi/squid-i386/local/etc/squid/icons
visible_hostname firewall
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-i386/local/libexec/squid/pinger

logfile_rotate 14
debug_options rotate=14
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  172.23.200.0/24
forwarded_for on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

cache_mem 1024 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /var/squid/cache 500 16 256
minimum_object_size 0 KB
maximum_object_size 400 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all

# No redirector configured

#Remote proxies

# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localh
ost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535
acl sslports port 443 563

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localh
ost ACL definitions are now built-in.
#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 172.23.200.0/24
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings

# Custom options before auth

# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow allowed_subnets
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

peter808

cache.log.0

2015/04/06 23:55:45| pinger: Unable to start ICMP pinger.
2015/04/06 23:55:45|  icmp_sock: (1) Operation not permitted
2015/04/06 23:55:45| pinger: Unable to start ICMPv6 pinger.
2015/04/06 23:55:45| FATAL: pinger: Unable to open any ICMP sockets.

No entries in access.log in transparent mode.

messerchmidt

working for non https transparent mode

do a fresh install of 2.2.1 @ x64

install squid3 and squidguard dev

create the necessary wdap files as per https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

use urlresolver instead of dhcp forwarder in 2.2.1! - same idea and setup

using the file manager and editor

create a /cache directiory and set it to 30gb or so in squid 3

configure squidguard

start squid 3 and put on transparent mode

do not sue the antivirus atm as it gives icamp errors

you may want to use the service watch to retreat squid3 if it stops,etc

tester_02

I played around quite a bit and held off upgrading from 2.1.5 until just this week.  I've tried many times and always had to roll back to 2.1.5
vmware workstation environment, 64bit pfsense.
Uninstalled squid/squidguard.  Then ran the update.
install squid 3
install squidguard development (could never get the main version running).
download blacklist.
enable clamav in squid.  Then disable it.
re-download blacklist.

Seems to work now.  The main issue now is that after a reboot, everything crashes and fails to restart.
Fix is to enable then disable clamav in squid.  Then re-download blacklist and it stays up and running.

Definitely not good, but at least it's working.  Nowhere near as stable as when we were on 2.1.5 (or any previous version for that matter back to 1.2)

Not pushing my luck on https proxy until this part is better.

peter808

@messerchmidt:

working for non https transparent mode

do a fresh install of 2.2.1 @ x64

install squid3 and squidguard dev

With squidguard dev installed and starting, squid now always crashes:

Apr 7 07:53:07	squid[60452]: Squid Parent: (squid-1) process 69996 will not be restarted due to repeated, frequent failures
Apr 7 07:53:07	squid[60452]: Squid Parent: (squid-1) process 69996 exited with status 1
Apr 7 07:53:07	(squid-1): The redirector helpers are crashing too rapidly, need help!
Apr 7 07:53:06	squid[60452]: Squid Parent: (squid-1) process 69996 started

@messerchmidt:

create the necessary wdap files as per https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

The howto you mentioned says: "To use squid authentication, squid cannot be used in transparent mode. "

The rest you suggested does not seem to be related to the transparent proxy-problem, I guess, but thanks though.

peter808

@tester_02:

I played around quite a bit and held off upgrading from 2.1.5 until just this week.  I've tried many times and always had to roll back to 2.1.5
vmware workstation environment, 64bit pfsense.
Uninstalled squid/squidguard.  Then ran the update.

Did I get you right that squid transparent mode only seems to be running on pfsense 2.15?

So what did you mean with "ran the upgrade"? You upgraded to the recent 2.2 after all, anyway?

notaduck

Well i have it running on 2.2.1
have you disabled icmp?

peter808

yep.

kejianshi

"Any chance of getting a working transparent proxy again?"

Seems to depend on who you ask.

Steve Evans

Having another go at this, taking things slowly and making sure I've not overlooked anything.

I'm seeing the following in cache.log on startup.

2015/04/07 22:04:13 kid1| Starting Squid Cache version 3.4.10 for i386-portbld-freebsd10.1...
2015/04/07 22:04:14| pinger: Initialising ICMP pinger ...
2015/04/07 22:04:14|  icmp_sock: (1) Operation not permitted
2015/04/07 22:04:14| pinger: Unable to start ICMP pinger.
2015/04/07 22:04:14|  icmp_sock: (1) Operation not permitted
2015/04/07 22:04:14| pinger: Unable to start ICMPv6 pinger.
2015/04/07 22:04:14| FATAL: pinger: Unable to open any ICMP sockets.
2015/04/07 22:04:16 kid1| Starting Squid Cache version 3.4.10 for i386-portbld-freebsd10.1...
2015/04/07 22:04:16| pinger: Initialising ICMP pinger ...
2015/04/07 22:04:16|  icmp_sock: (1) Operation not permitted
2015/04/07 22:04:16| pinger: Unable to start ICMP pinger.
2015/04/07 22:04:16|  icmp_sock: (1) Operation not permitted
2015/04/07 22:04:16| pinger: Unable to start ICMPv6 pinger.
2015/04/07 22:04:16| FATAL: pinger: Unable to open any ICMP sockets.

Is this normal. Do I need to disable IPv6?

Steve

Supermule

I did this… not getting through to HTTP sites but only HTTPS as expected.

Unchecked Suppress Squid Version -> clicked save.

Rebooted.

Now it worked with HTTP sites like it should.

Squid version is 2.7.9 pkg v.4.3.6

EDIT: pretty scary shit. It works for a short time, then it stops working again.

And nothing in the logs at all!

KOM

Squid2 was crap from what I understand.  Have you tried Squid3?

Supermule

Yes. But I cant get the damned ClamAV working….

V3 doesnt have the same issue.

KOM

When using Squid3, I just ignored or disabled the AV crap.  We already have a better solution running on the desktops, and it just slowed everything down when running on the router.

Supermule

It annoys me when disabled it still shows in services as not running together with the ICAP crap….

Can someone tell me how to get rid of that so it doesnt trick my OCD all the time?? :D

KOM

If you know PHP you could take a look through /usr/local/www/status_services.php and do something with that.

And yes, I fully agree that any services that are not enabled should not even show in the Service Status widget.  I don't know if they can programmatically distinguish between an enabled service that's stopped versus a disabled service.  Either way, it bugs me too that my eye keeps tripping on those little red icons.