Netgate Discussion Forum

New Secure Squid version 6.6 status page issues NAT Questions

  • JonathanLee
    last edited by Jul 11, 2024, 11:41 PM

    Hello fellow Netgate community members, can you please help?

    I can't access

    squidclient -v -h 127.0.0.1 -U username -W redactedpassword mgr:info
    
    Shell Output - squidclient -v -h 127.0.0.1 -U cachemgr -W redacted mgr:info
    Request:
    GET http://127.0.0.1:3128/squid-internal-mgr/info HTTP/1.0
    Host: 127.0.0.1:3128
    User-Agent: squidclient/6.6
    Accept: */*
    Authorization: Basic redacted==
    Connection: close
    
    
    .
    HTTP/1.1 403 Forbidden
    Server: squid
    Mime-Version: 1.0
    Date: Thu, 11 Jul 2024 23:35:55 GMT
    Content-Type: text/html;charset=utf-8
    Content-Length: 3792
    X-Squid-Error: ERR_ACCESS_DENIED 0
    Vary: Accept-Language
    Content-Language: en
    Cache-Status: Lee_Family.home.arpa
    Cache-Status: Lee_Family.home.arpa;detail=no-cache
    Connection: close
    

    It does hit

    http://127.0.0.1:3128/squid-internal-mgr/info

    My cachemgr_password functions with https://192.168.1.1:8080/sqstat/sqstat.php

    Still accesses
    cache_object://localhost/active_requests

    However, I was told cache_object was disabled in Squid 6.6; it is still working.

    http://127.0.0.1:3128/squid-internal-mgr/info is called with the status page on the cache logs.

    I had to add my password. It does not allow my password for squidclient anymore...

    I am being asked to make sure my firewall has the following rules for squid

    https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

    Per Squid user support
    "...and check your firewall has all the rules listed at https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect.
    One to note in particular is the "mangle" table rule."

    @jimp You said

    "Squid isn't on the "LAN" when it's on pfSense. It won't ever hit your LAN rules.

    The rules (especially on 1.2.3) are only evaluated when traffic comes into an interface, not when it leaves. When traffic comes into LAN, it's going to squid on port 3128. When it leaves squid it's going out WAN, and all traffic is allowed out by default from the firewall itself.

    On 2.0 you can restrict that with a floating firewall rule on the WAN with the direction set to 'out', but there isn't much reason to do so."

    # your proxy IP
    SQUIDIP=192.168.0.2
    
    # your proxy listening port
    SQUIDPORT=3129
    
    
    iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
    iptables -t nat -A POSTROUTING -j MASQUERADE
    iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
    

    Do we already have this built into pfSense?

    What rules do these equate to with NAT?

    Make sure to upvote

    • JonathanLee
      last edited by Jul 11, 2024, 11:43 PM

      @JonathanLee said in New Secure Squid version 6.6 status page issues NAT Questions:

      cache_object

      I went as far as adding an any-any rule to see if the ACL blocking port 80 caused this issue; however, it does not... Same result.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.