Squid random disconnects random webpages



  • Dear pfSense masters

    I have installed pfSense 2.4.4 running squid, squidguard and snort, I have configured them, squid is currently configured in transparent mode, and so far it works... but my users get random disconnects from webpages such as gmail, and sometimes they receive an error stating SSL_ERROR. After this, they keep reloading the page and after a while they manage to access the site. My pfSense is currently using DNS resolver... and I have the 1.1.1.1 and 1.0.0.1 DNS servers configured on the general configuration tab. Any ideas for this issue?

    I have configured the DNS resolver this way:

    [five screenshots of the DNS Resolver settings pages]

    and squid configured this way:

    [five screenshots of the Squid proxy settings pages]

    I hope you can help me with this issue, it's been a rough month trying to give my pfSense complete stability.



  • What is the main purpose of squid in your setup? Is it URL filtering via squid guard?
    If you disable squid, do your problems go away?

    On a separate note, I don't think you need 1.1.1.1 or 1.0.0.1 in the System > General Setup. You don't have forwarding mode enabled in Resolver, so pfSense should still be the first option. That's a good thing. pfSense (Unbound) is generally going to be the best option for DNS resolution. That's my personal opinion, but I'd rather not use external servers. The main reason being security. External servers are much bigger targets for an attack. Privacy is another one. I don't care, but some people who are also concerned about privacy avoid external servers. You don't know what they're doing with the information that goes to their DNS servers. Oh, and it's not really going to be speeding up queries anyway. Unbound will be caching the sites you visit, so the external servers will not be used for the most part. The majority of the time Unbound should resolve almost instantly from cache.



  • Yes, I am using squid along with squidguard for web filtering, and yes, if I stop squid it works fine... with squid I randomly get issues like no DNS resolution or the SSL_ERROR. I have deleted both DNS servers on my general setup and the overrides on the DNS resolver, I will check how it performs.



  • That's good to know. For URL filtering, I would suggest giving the package pfBlockerNG-devel a try. It's very easy to set up, very effective and doesn't require squid. SSL filtering via squid can cause problems, so avoiding it if possible would be best.



  • I did consider pfBlocker, but the thing is... I have several subnets with different kinds of web access permissions. Maybe I did not look for the whole information... but... is it possible to set this kind of web access groups?



  • Still having the same issue, lots of pages are failing :(



  • How many users in your environment? You are probably having an issue with a low number of rewrite & SSL child threads. Look into sslcrtd_children and url_rewrite_children which are configured under Services - Squid proxy server - General - Advanced Options - Integrations.



  • Around 500 users at this time. I have SSL Certificate Daemon Children set to 20 and url_rewrite_children 64 startup=32 idle=16 concurrency=0



  • What do you mean? You already had those set, or you just set them now?



  • I had them configured that way already



  • Perhaps not enough?



  • I have increased them; besides, I am currently using just 1 PC for testing purposes... and I still receive the error err_ssl_protocol_error. Any ideas? :(



  • Currently testing with just squid... squidguard is currently disabled, still getting SSL errors.



  • @la6er said in Squid random disconnects random webpages:

    err_ssl_protocol_error

    Post the squid access.log details from the time that the error happens. You may need to increase the default level of logging via the debug_options directive.



  • These are the logs I received when a wp fails:

    1542122446.776 0 10.16.20.191 TAG_NONE/409 3938 CONNECT twitter.com:443 - HIER_NONE/- text/html
    1542122446.946 11 10.16.20.191 TAG_NONE/200 0 CONNECT 104.244.42.65:443 - HIER_NONE/- -
    1542122446.947 0 10.16.20.191 TAG_NONE/409 3938 CONNECT twitter.com:443 - HIER_NONE/- text/html
    1542122446.960 9 10.16.20.191 TAG_NONE/200 0 CONNECT 104.244.42.65:443 - HIER_NONE/- -

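    The four lines above are Squid's native access.log format. The following parser is an added example, not something posted in the thread: it splits that format into named fields and tallies the CONNECT attempts Squid answered with an error status, so repeated failures like the two 409s above stand out in a longer log. The sample input is constructed from the lines posted above.

```javascript
// Added example: parser for Squid's native access.log format. Field order per line:
//   timestamp elapsed_ms client_ip result_code/status bytes method url user hierarchy/peer content_type
// SAMPLE_LOG is constructed from the four lines pasted in the thread.
const SAMPLE_LOG = `
1542122446.776 0 10.16.20.191 TAG_NONE/409 3938 CONNECT twitter.com:443 - HIER_NONE/- text/html
1542122446.946 11 10.16.20.191 TAG_NONE/200 0 CONNECT 104.244.42.65:443 - HIER_NONE/- -
1542122446.947 0 10.16.20.191 TAG_NONE/409 3938 CONNECT twitter.com:443 - HIER_NONE/- text/html
1542122446.960 9 10.16.20.191 TAG_NONE/200 0 CONNECT 104.244.42.65:443 - HIER_NONE/- -
`;

function parseSquidLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null;          // skip blank or truncated lines
  const [resultCode, status] = f[3].split('/');
  const [hierarchy, peer] = f[8].split('/');
  return {
    time: new Date(parseFloat(f[0]) * 1000),
    elapsedMs: parseInt(f[1], 10),
    client: f[2],
    resultCode,                             // e.g. TAG_NONE: not a cache transaction (typical for CONNECT)
    status: parseInt(status, 10),           // HTTP status Squid sent to the client
    bytes: parseInt(f[4], 10),              // 3938 bytes of text/html on a CONNECT is an error page
    method: f[5],
    url: f[6],                              // for CONNECT this is host:port, not a full URL
    user: f[7],
    hierarchy,                              // HIER_NONE: no upstream peer recorded for this entry
    peer,
    contentType: f[9],
  };
}

function parseSquidLog(text) {
  return text.split('\n').map(parseSquidLine).filter(Boolean);
}

// Tally CONNECT (TLS tunnel) attempts that ended with an error status,
// keyed by client, destination and status code.
function connectFailures(entries) {
  const counts = {};
  for (const e of entries) {
    if (e.method !== 'CONNECT' || e.status < 400) continue;
    const key = `${e.client} ${e.url} ${e.status}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}
```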


  • Currently the main issue looks to be sites related to Google, but sometimes, if I wait just a few minutes without doing anything, they work after I refresh.



  • A 409 is a conflict. Strange. I don't have a definitive answer for you but start by Googling 'squid 409 conflict err_ssl_protocol_error'



  • I have. I disabled 2 different things on my browsers, and so far it looks stable, but it means I have to do that on over 1000 PCs.



  • Does the problem occur when the proxy is running in explicit mode? I've always hated transparent mode for the issues it has always caused me. Explicit + WPAD has worked for me for years now.



  • I indeed have it configured using transparent mode. Every time I tried using WPAD it did not let me download the files in the browser, so I assumed it is not working properly that way.



  • The wpad.dat and proxy.pac files must reside on an HTTP server, not HTTPS. They must have correct contents. Clients on your network must be able to resolve wpad.your.domain.



  • What if my computer does not have any domain? I have set the files on another pfSense solution with the following script:

    function FindProxyForURL(url,host)
    {
        return "PROXY 10.30.251.61:3128";
    }

    They are located in usr/local/www/, but if I set autodetect proxy it does not work. If I manually set http://10.30.251.59/proxy.pac (which is the IP of my http pfSense) in my browser it does not work; however, if I set the proxy configuration manually in the browser it works perfectly. I have set a host override on my DNS resolver, and I am also using static IPs on my clients.



  • WPAD relies on DNS having an entry for wpad on the default domain. I believe you can use a workgroup in place of a domain if you're using Windows clients. I haven't tried it but if you truly have no domain nor workgroup, you could still create an A record for wpad on your DNS and point it to pfSense LAN IP.



  • Let's assume that is working properly.... my browser behavior will be: ask for the file, go to 10.30.251.59/proxy.pac and then overwrite its own configuration with the proxy info I have set, correct? In this case 10.30.251.61:3128... In order to test if this is working I need to go to http://10.30.251.59/proxy.pac in my browser and a file should start downloading, correct? If that is the case I am not able to accomplish it; for some reason I am not able to download the file.



  • Yes to all. What error do you get when you try to download the wpad file?



  • [screenshot of the browser error]

    This is the error.



  • I have static IPs on my clients...

    Is this script correct?

    function FindProxyForURL(url,host)
    {
        return "PROXY 10.30.251.61:3128";
    }



  • Perhaps you should figure out why your web server at 10.30.251.59 isn't responding.

    Yes, your wpad.dat is correct, but it will force the proxy even for local connections. I use:

    function FindProxyForURL(url,host)
    {
    // If the requested website is hosted within the internal network, send direct.
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
            isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||
            isInNet(dnsResolve(host), "192.168.0.0",  "255.255.0.0") ||
            isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
            return "DIRECT";
    // Else use the proxy
        return "PROXY 10.10.4.1:3128";
    }

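    Before pushing a wpad.dat like the one above to a thousand clients, it is worth checking its decisions offline. The harness below is an added example, not part of the thread: it re-implements the helper functions browsers expose to PAC scripts (isPlainHostName, shExpMatch, isInNet, dnsResolve) in plain JavaScript, answers DNS from a constructed lookup table, and evaluates the posted FindProxyForURL logic (proxy address kept as posted) against internal, external and unresolvable hosts. With the table replaced by real lookups it generalises to any PAC file.

```javascript
// Added example: offline test harness for the PAC logic posted above.
// The helper functions below mimic the ones browsers provide to PAC scripts.
const FAKE_DNS = {              // constructed sample data, not real resolutions
  'intranet.local': '10.30.251.10',
  'printer': '192.168.1.20',
  'www.example.com': '93.184.216.34',
};

function isPlainHostName(host) { return !host.includes('.'); }

// Shell-style glob match: '*' matches any run, '?' a single character
function shExpMatch(str, pattern) {
  const re = '^' + pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.') + '$';
  return new RegExp(re).test(str);
}

function ip2int(ip) {
  return ip.split('.').reduce((n, o) => (n << 8) + parseInt(o, 10), 0) >>> 0;
}

// Returns false for null/undefined, which is what a failed dnsResolve yields
function isInNet(ip, net, mask) {
  if (!ip) return false;
  return (ip2int(ip) & ip2int(mask)) === (ip2int(net) & ip2int(mask));
}

function dnsResolve(host) { return FAKE_DNS[host] || null; }

// The decision logic from the post above, proxy address as posted
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      shExpMatch(host, '*.local') ||
      isInNet(dnsResolve(host), '10.0.0.0', '255.0.0.0') ||
      isInNet(dnsResolve(host), '172.16.0.0', '255.240.0.0') ||
      isInNet(dnsResolve(host), '192.168.0.0', '255.255.0.0') ||
      isInNet(dnsResolve(host), '127.0.0.0', '255.255.255.0'))
    return 'DIRECT';
  return 'PROXY 10.10.4.1:3128';
}
```

    Note that a host which does not resolve falls through to the proxy, because dnsResolve returns null and isInNet treats that as "not in the network".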

  • Thanks for all your help, I created a second instance of nginx using this guide https://nguvu.org/pfsense/pfSense-2.3-WPAD-PAC-proxy-configuration-guide/

    Everything related to navigation seems to be working perfectly fine now...

    But I have another tiny issue: when using the proxy my clients are not able to use NAT rules set on the firewall... as soon as I stop squid they work perfectly. Any ideas about this?



  • Not off the top of my head with no detail about your config.

    Try posting a new topic for that issue.



  • Alright, will do. Thanks a lot for your support on this, I really appreciate it.