Any chance of getting a working transparent proxy again?

peter808

http_port 172.23.200.1:3128
http_port 127.0.0.1:3128 intercept
icp_port 0
cache_effective_user proxy
cache_effective_group proxy
error_default_language de
icon_directory /usr/pbi/squid-i386/local/etc/squid/icons
visible_hostname firewall
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-i386/local/libexec/squid/pinger

logfile_rotate 14
debug_options rotate=14
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  172.23.200.0/24
forwarded_for on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

cache_mem 1024 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /var/squid/cache 500 16 256
minimum_object_size 0 KB
maximum_object_size 400 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all

# No redirector configured

#Remote proxies

# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localh
ost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535
acl sslports port 443 563

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localh
ost ACL definitions are now built-in.
#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 172.23.200.0/24
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings

# Custom options before auth

# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow allowed_subnets
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

peter808

cache.log.0

2015/04/06 23:55:45| pinger: Unable to start ICMP pinger.
2015/04/06 23:55:45|  icmp_sock: (1) Operation not permitted
2015/04/06 23:55:45| pinger: Unable to start ICMPv6 pinger.
2015/04/06 23:55:45| FATAL: pinger: Unable to open any ICMP sockets.

No entries in access.log in transparent mode.

messerchmidt

working for non https transparent mode

do a fresh install of 2.2.1 @ x64

install squid3 and squidguard dev

create the necessary wdap files as per https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

use urlresolver instead of dhcp forwarder in 2.2.1! - same idea and setup

using the file manager and editor

create a /cache directiory and set it to 30gb or so in squid 3

configure squidguard

start squid 3 and put on transparent mode

do not sue the antivirus atm as it gives icamp errors

you may want to use the service watch to retreat squid3 if it stops,etc

tester_02

I played around quite a bit and held off upgrading from 2.1.5 until just this week. I've tried many times and always had to roll back to 2.1.5
vmware workstation environment, 64bit pfsense.
Uninstalled squid/squidguard. Then ran the update.
install squid 3
install squidguard development (could never get the main version running).
download blacklist.
enable clamav in squid. Then disable it.
re-download blacklist.

Seems to work now. The main issue now is that after a reboot, everything crashes and fails to restart.
Fix is to enable then disable clamav in squid. Then re-download blacklist and it stays up and running.

Definitely not good, but at least it's working. Nowhere near as stable as when we were on 2.1.5 (or any previous version for that matter back to 1.2)

Not pushing my luck on https proxy until this part is better.

peter808

@messerchmidt:

working for non https transparent mode

do a fresh install of 2.2.1 @ x64

install squid3 and squidguard dev

With squidguard dev installed and starting, squid now always crashes:

Apr 7 07:53:07	squid[60452]: Squid Parent: (squid-1) process 69996 will not be restarted due to repeated, frequent failures
Apr 7 07:53:07	squid[60452]: Squid Parent: (squid-1) process 69996 exited with status 1
Apr 7 07:53:07	(squid-1): The redirector helpers are crashing too rapidly, need help!
Apr 7 07:53:06	squid[60452]: Squid Parent: (squid-1) process 69996 started

@messerchmidt:

create the necessary wdap files as per https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

The howto you mentioned says: "To use squid authentication, squid cannot be used in transparent mode. "

The rest you suggested does not seem to be related to the transparent proxy-problem, I guess, but thanks though.

peter808

@tester_02:

I played around quite a bit and held off upgrading from 2.1.5 until just this week. I've tried many times and always had to roll back to 2.1.5
vmware workstation environment, 64bit pfsense.
Uninstalled squid/squidguard. Then ran the update.

Did I get you right that squid transparent mode only seems to be running on pfsense 2.15?

So what did you mean with "ran the upgrade"? You upgraded to the recent 2.2 after all, anyway?

notaduck