Squid proxy NONE/503
-
Not sure why but I have two pfsense boxes in different environment with very similar configuration (just a couple of VLAN differences and both use Squid 0.4.44_18) but one of them has a lot of NONE/503 error in the logs. And true enough, when accessing the websites that have those NONE/503 errors, they cannot be accessed. Sometimes, you have to refresh the website multiple times and it pushes through but most of the times it does not. What could be causing this?
-
Here are my access logs:
https://www.dropbox.com/s/updd47g6q2tp7yb/access%20logs.zip?dl=0
It looks like I have lots of non-200 responses there too and I'm starting to notice difficulty in browsing other websites too. Example, just going to www.facebook.com or forums.freebsd.org won't load the page right away. Disabling the proxy altogether solves the issue completely so I don't have issues with my ISP connection. The same websites are working properly on my other box with the same configuration (including Squid's config).
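One way to get a first read on an access log like the one linked above is to group entries by destination host and count the NONE/503 results, which separates hosts that never get through from hosts that fail intermittently (the "refresh a few times and it pushes through" symptom). The script below is an added example, not code from this thread or from the Squid or pfSense projects; it assumes Squid's native access.log format, and the log lines embedded in it are constructed samples, not lines from the poster's logs.

```javascript
// Added example: tally Squid native-format access.log entries per destination
// host and count NONE/503 results, so hosts that always fail can be told
// apart from hosts that only fail some of the time.
// Constructed sample lines in Squid's native format:
//   timestamp elapsed client code/status bytes method URL user hierarchy/peer type
const SAMPLE_LOG = [
  "1586000001.101    430 192.168.1.10 NONE/503 0 CONNECT www.facebook.com:443 - HIER_NONE/- -",
  "1586000004.220     88 192.168.1.10 TCP_TUNNEL/200 5123 CONNECT www.facebook.com:443 - HIER_DIRECT/203.0.113.10 -",
  "1586000007.330    405 192.168.1.11 NONE/503 0 CONNECT forums.freebsd.org:443 - HIER_NONE/- -",
  "1586000009.440    412 192.168.1.11 NONE/503 0 CONNECT forums.freebsd.org:443 - HIER_NONE/- -",
  "1586000012.550     61 192.168.1.12 TCP_MISS/200 2048 GET http://example.com/index.html - HIER_DIRECT/203.0.113.20 text/html",
  "1586000015.660      2 192.168.1.12 TCP_DENIED/403 3500 GET http://ads.example/banner.gif - HIER_NONE/- text/html",
];

// Parse one native-format line into its interesting fields; returns null for
// lines that do not have the expected ten whitespace-separated columns.
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null;
  const [ts, elapsed, client, result, , method, target] = f;
  const [code, status] = result.split("/");
  let host;
  try {
    // CONNECT logs "host:port"; other methods log a full URL.
    host = /^[a-z][a-z0-9+.-]*:\/\//i.test(target)
      ? new URL(target).hostname
      : target.split(":")[0];
  } catch (e) {
    host = target;
  }
  return {
    ts: Number(ts),
    elapsedMs: Number(elapsed),
    client,
    code,
    status: Number(status),
    method,
    host: host.toLowerCase(),
  };
}

// Count requests and NONE/503 results per host; hosts come back sorted by
// failure ratio, worst first.
function summarize(lines) {
  const perHost = new Map();
  let total = 0;
  let failed = 0;
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    total++;
    const entry = perHost.get(r.host) || { requests: 0, none503: 0 };
    entry.requests++;
    if (r.code === "NONE" && r.status === 503) {
      entry.none503++;
      failed++;
    }
    perHost.set(r.host, entry);
  }
  const hosts = [...perHost]
    .map(([host, e]) => ({ host, ...e, ratio: e.none503 / e.requests }))
    .sort((a, b) => b.ratio - a.ratio || b.none503 - a.none503);
  return { total, failed, hosts };
}

// Split the per-host tallies into "never gets through" and "fails sometimes";
// a host that is blocked by a filter list would be expected to sit in the
// first group, a flaky upstream connection in the second.
function classify(summary) {
  const alwaysFailing = [];
  const intermittent = [];
  for (const h of summary.hosts) {
    if (h.none503 === 0) continue;
    (h.none503 === h.requests ? alwaysFailing : intermittent).push(h.host);
  }
  return { alwaysFailing, intermittent };
}

// Usage: node this_file.js (reads the constructed samples above).
const summary = summarize(SAMPLE_LOG);
console.log(`${summary.failed} of ${summary.total} requests were NONE/503`);
console.log(classify(summary));
```

To run it over a real log, replace SAMPLE_LOG with the lines of access.log; anything in the intermittent group is the pattern the original post describes, while a host that fails on every single request is worth checking against the SquidGuard and pfBlocker lists before blaming the proxy itself.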
-
I have been seeing the EXACT same thing here lately...
Browsing along just fine, decide to visit a website, and BAM, almost instant HTTP/503 error. Mind you, I am on sat-net, there should never, ever be an INSTANT error for me.
I have also noted that I am more frequently waiting on the proxy tunnel than normal.
I have done a full reinstall of PFSense and SQUID... Noted that this started happening right after 2.4.5 came along with a new version of SQUID, has been flaky since.
Restarting SQUID every 15 to 30 minutes on my network isn't fun. Speaking of restarting so frequently... Anyone know how to schedule a cron job to restart the service for me when I am out and about? I suspect this is something that may not be fixed for some time.
-
Exactly! I had more problems with Squid than benefits so I researched and came to a conclusion that most sites have dynamic content that can't be cached anyway and that you really won't even notice the caching effect when used at home (less than 50 devices in network). So I decided to just be done with it and uninstall all Squid stuff. Everything was smoother after that.
-
Ehh, I still use it for filtering some things, so having it work would be nice, mostly because of how mobile devices work. Don't really care much about the caching aspect of it, as it really is useless anymore in most scenarios.
-
@C0RR0SIVE yeah, I was thinking of that use case too before I decided to get rid of it. What I thought though is that mobile devices, by default, don't use proxies when they connect to wifi SSIDs. So it's still a manual step for everyone (especially guests) which made it just not worthwhile for me. Plus the fact that I use pihole as my DNS server and it blocks a significant amount of potentially bad traffic.
Are you using it for Squidguard?
-
Yeup, using it purely for SquidGuard, I really like having a nice fancy custom block page when someone tries to visit a blocked website. I don't particularly like blank pages that can result from DNS filtering.
I don't really worry about guests as I have setup a Guest VLAN and have a captive portal that requests they setup the proxy manually in their device. If they don't they just get blocked at the firewall and can't get out to the internet.
Another option could be to route the traffic for that VLAN straight to the proxy, but that's cumbersome at best IMO.
-
@C0RR0SIVE said in Squid proxy NONE/503:
Yeup, using it purely for SquidGuard, I really like having a nice fancy custom block page when someone tries to visit a blocked website. I don't particularly like blank pages that can result from DNS filtering.
I don't really worry about guests as I have setup a Guest VLAN and have a captive portal that requests they setup the proxy manually in their device. If they don't they just get blocked at the firewall and can't get out to the internet.
Another option could be to route the traffic for that VLAN straight to the proxy, but that's cumbersome at best IMO.
I have to be honest, I haven't really tried using Squidguard yet but I had it installed together with Squid. If I don't necessarily want any custom websites blocked in my home, are the blacklists in Squidguard useful together with pihole? Or should you just use either of them?
I also have my own Guest VLAN. So in your captive portal you simply put a note there to request them to setup a proxy?
How do you route all traffic for the guest VLAN to the proxy? Policy-based routing? Will that work with https too? I know transparent proxy in Squid adds a hidden NAT rule that forwards http traffic to the proxy.
-
I just use Shallalist for my SquidGuard, it helps block some common annoyances really, don't think it has been updated in some time though. More useful if you have kids trying to get to porn sites more than anything IMO.
Yeah, I use Unifi APs and a Captive Portal in my Unifi software that requests they setup the proxy on their device using a proxy.pac file that's stored on a local webserver. When they pull from that file they go through HTTP/S just fine. If they don't they just get rejected on 443/80. Haven't had an issue with guests doing that so far. I also make sure I link to instructions stored on the local web server so they can follow those.
I have done some testing, but nothing concrete yet... I was on 2.4.5, and have been having some other issues with it. I decided to compile a version of 2.4.4-p3 and installed that, then restored all my settings. So far SQUID + SquidGuard has been rather stable and fast. I suspect the issue isn't just SQUID, but 2.4.5. Can you confirm what version of PFSense you are on?
I still see 503 errors, but those look purely SquidGuard and PFBlocker related (as in, what I am seeing, the URL is in my SquidGuard list or tied to a list on PFBlocker).
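The proxy.pac approach mentioned above works because a PAC file is a small JavaScript function the browser calls for every request, and returning "PROXY host:port" makes the browser send both plain HTTP and HTTPS (as CONNECT) through Squid. Below is an added example of such a file; it is not the poster's PAC file and the proxy address 192.168.50.1:3128 and local DNS suffix ".lan" are placeholders, not values from this thread. It deliberately uses only plain JavaScript rather than the browser-supplied PAC helpers (isInNet, dnsResolve) so it can be exercised under Node as well as in a browser.

```javascript
// Added example proxy.pac for a guest VLAN: everything goes through the
// firewall's Squid listener except destinations on the local network.
// ASSUMED placeholders: proxy at 192.168.50.1:3128, local DNS suffix "lan".
var PROXY = "PROXY 192.168.50.1:3128";
var DIRECT = "DIRECT";

// RFC 1918 and loopback address literals, checked textually so no DNS
// lookup (dnsResolve) is needed and the file also runs outside a browser.
function isPrivateIpLiteral(host) {
  return /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)\d{1,3}\.\d{1,3}/.test(host)
    || /^(10|127|192\.168|172\.(1[6-9]|2[0-9]|3[01]))(\.\d{1,3}){2,3}$/.test(host);
}

// Bare hostnames ("printer", "localhost") and names under the local suffix
// ("router.lan") are reached directly.
function isLocalName(host) {
  return host.indexOf(".") === -1 || /\.lan$/i.test(host);
}

// Entry point the browser calls for each URL; the return string is a PAC
// proxy directive. Only PROXY is returned for non-local hosts, matching a
// setup where clients that bypass the proxy are dropped at the firewall.
function FindProxyForURL(url, host) {
  var h = String(host).toLowerCase();
  if (isLocalName(h) || isPrivateIpLiteral(h)) {
    return DIRECT;
  }
  // http and https alike: for https the browser opens a CONNECT tunnel
  // through the proxy, which is what Squid logs as TCP_TUNNEL.
  return PROXY;
}
```

Serve the file from the local web server with the application/x-ns-proxy-autoconfig content type and point the device's automatic proxy configuration URL at it; the captive portal instructions can carry that URL.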
-
@C0RR0SIVE said in Squid proxy NONE/503:
I just use Shallalist for my SquidGuard, it helps block some common annoyances really, don't think it has been updated in some time though. More useful if you have kids trying to get to porn sites more than anything IMO.
Yeah, I use Unifi APs and a Captive Portal in my Unifi software that requests they setup the proxy on their device using a proxy.pac file that's stored on a local webserver. When they pull from that file they go through HTTP/S just fine. If they don't they just get rejected on 443/80. Haven't had an issue with guests doing that so far. I also make sure I link to instructions stored on the local web server so they can follow those.
I have done some testing, but nothing concrete yet... I was on 2.4.5, and have been having some other issues with it. I decided to compile a version of 2.4.4-p3 and installed that, then restored all my settings. So far SQUID + SquidGuard has been rather stable and fast. I suspect the issue isn't just SQUID, but 2.4.5. Can you confirm what version of PFSense you are on?
I still see 503 errors, but those look purely SquidGuard and PFBlocker related (as in, what I am seeing, the URL is in my SquidGuard list or tied to a list on PFBlocker).
I see. I use Unifi APs/controller too so we pretty much have a similar setup. I have to play around with Squidguard when this issue gets fixed.
I'm also on pfSense 2.4.5. I'm not sure when those 503 errors started showing up, but I also highly suspect it's after the 2.4.5 upgrade.