Netgate Discussion Forum
    after upgrade to 24.11: squid doesn't start

    General pfSense Questions
    58 Posts 12 Posters 4.6k Views
    • 19pegr69

      Hello,
      after upgrading to 24.11 Squid cannot be started.
      I always get this:
      /pkg_edit.php: The command '/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was 'ld-elf.so.1: /usr/local/sbin/squid: Undefined symbol "_ZTTNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE"'

      uninstalling and reinstalling doesn't help
      Any hints?

      • philippe34

        Hello, I confirm I have the same problem. 😒

        • stephenw10 (Netgate Administrator)

          You see exactly the same error logged?

          Are you both running amd64 hardware?

          • philippe34

            Hello,

            yes it's amd64
            for the error logged I'll take a screenshot for you tonight

            • 19pegr69

              Exactly, it's an amd64 VM on ESXi 7.

              • Alekceu16 @stephenw10

                @stephenw10
                Hello, I have same problem
                24.11-RELEASE (amd64)
                built on Wed Nov 27 20:22:00 EET 2024
                FreeBSD 15.0-CURRENT

                • stephenw10S stephenw10 moved this topic from Problems Installing or Upgrading pfSense Software on
                • philippe34

                  the log file:

                  /pkg_edit.php: La commande '/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf' a retourné un code de sortie '1', la sortie était 'CPU Usage: 0.031 seconds = 0.031 user + 0.000 sys Maximum Resident Size: 62032 KB Page faults with physical i/o: 0 2024/12/02 17:50:07| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0) 2024/12/02 17:50:07| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048' OpenSSL-saved error #1: 0x1e08010c 2024/12/02 17:50:07| FATAL: Unknown http_port option 'NO_TLSv1,'. 2024/12/02 17:50:07| Not currently OK to rewrite swap log. 2024/12/02 17:50:07| storeDirWriteCleanLogs: Operation aborted. 2024/12/02 17:50:07| FATAL: Bungled /usr/local/etc/squid/squid.conf line 4: http_port 172.16.9.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1,NO_TLSv1 2024/12/02 17:50:07| Squid Cache (Version 6.10): Terminated abnormally.'

                  Dec 2 17:50:18 php-fpm 45703 /pkg_edit.php: [squid] Starting a proxy monitor script
                  Dec 2 17:50:19 check_reload_status 511 Reloading filter
                  Dec 2 17:50:20 php-fpm 26104 /rc.filter_configure_sync: [squid] Installed but not started. Not installing 'nat' rules.
                  Dec 2 17:50:20 php-fpm 26104 /rc.filter_configure_sync: [squid] Installed but not started. Not installing 'pfearly' rules.
                  Dec 2 17:50:20 php-fpm 26104 /rc.filter_configure_sync: [squid] Installed but not started. Not installing 'ether' rules.
                  Dec 2 17:50:20 php-fpm 26104 /rc.filter_configure_sync: [squid] Installed but not started. Not installing 'filter' rules.
                  Dec 2 17:50:23 Squid_Alarm 7508 Squid has exited. Reconfiguring filter.
                  Dec 2 17:50:23 Squid_Alarm 8538 Attempting restart...

                  • stephenw10 (Netgate Administrator)

                    You have any custom options set? Looks like the new Squid version might be rejecting them.

                    • philippe34 @stephenw10

                      ok thanks, it's good, it works:
                      deactivate SSL filter.....SAVE
                      squid RUN
                      in CA select none.....save
                      reactivate SSL filter......save
                      an error message is displayed (normal)
                      put the certificate back in CA.....SAVE

                      for me it works (don't ask me why!!!!)😒 😒

                      • philippe34 @stephenw10

                        sorry for the long answers but the validation of my messages by your admin is very long.

                        thank you for your help or guidance.

                        another update with its surprises!!!!😒

                        • philippe34 @stephenw10

                          when I reboot

                          11840 /status_services.php: La commande '/usr/local/etc/rc.d/squid.sh stop' a retourné un code de sortie '1', la sortie était '2024/12/02 21:35:51| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0) 2024/12/02 21:35:51| ERROR: Directive 'dns_v4_first' is obsolete. 2024/12/02 21:35:51| dns_v4_first : Remove this line. Squid no longer supports preferential treatment of DNS A records. 2024/12/02 21:35:51| Current Directory is /usr/local/www'

                          • philippe34 @stephenw10

                            and deactivate:

                            Resolve DNS IPv4 First

                            save and reboot OK

                            • stephenw10 (Netgate Administrator)

                              You should be able to post without delays now.

                              Check /usr/local/etc/squid/squid.conf before and after making that save. And after rebooting. What is changing there?

                              I suspect there will be a value missing.

                              • philippe34 @stephenw10

                                # This file is automatically generated by pfSense
                                # Do not edit manually !

                                http_port 172.16.9.1:3128
                                http_port 172.16.4.1:3128
                                http_port 172.16.5.1:3128
                                http_port 172.16.6.1:3128
                                http_port 172.16.8.1:3128
                                tcp_outgoing_address XX.XX.XXX.XXX
                                icp_port 0
                                digest_generation off
                                dns_v4_first off
                                pid_filename /var/run/squid/squid.pid
                                cache_effective_user squid
                                cache_effective_group proxy
                                error_default_language fr
                                icon_directory /usr/local/etc/squid/icons
                                visible_hostname Squid Serveur
                                cache_mgr XXXXXXX.XXXXXXXXXX@XXXXXX.XX
                                access_log /var/squid/logs/access.log
                                cache_log /var/squid/logs/cache.log
                                cache_store_log none
                                netdb_filename /var/squid/logs/netdb.state
                                pinger_enable on
                                pinger_program /usr/local/libexec/squid/pinger

                                logfile_rotate 360
                                debug_options rotate=360
                                shutdown_lifetime 3 seconds

                                # Allow local network(s) on interface(s)
                                acl localnet src 172.16.9.0/28 172.16.4.0/28 172.16.5.0/27 172.16.6.0/28 172.16.8.0/28
                                forwarded_for on
                                uri_whitespace strip

                                cache_mem 4000 MB
                                maximum_object_size_in_memory 1000 KB
                                memory_replacement_policy heap GDSF
                                cache_replacement_policy heap LFUDA
                                minimum_object_size 0 KB
                                maximum_object_size 20 MB
                                cache_dir ufs /var/squid/cache 2000 256 256
                                offline_mode on
                                cache_swap_low 90
                                cache_swap_high 95
                                cache allow all

                                # Add any of your own refresh_pattern entries above these.
                                refresh_pattern ^ftp: 1440 20% 10080
                                refresh_pattern ^gopher: 1440 0% 1440
                                refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
                                refresh_pattern . 0 20% 4320

                                #Remote proxies

                                # Setup some default acls
                                # ACLs all, manager, localhost, and to_localhost are predefined.
                                acl allsrc src all
                                acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
                                acl sslports port 443 563

                                acl purge method PURGE
                                acl connect method CONNECT

                                # Define protocols used for redirects
                                acl HTTP proto HTTP
                                acl HTTPS proto HTTPS
                                acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
                                acl sslwhitelist ssl::server_name_regex -i "/var/squid/acl/whitelist.acl"
                                http_access allow manager localhost

                                http_access deny manager
                                http_access allow purge localhost
                                http_access deny purge
                                http_access deny !safeports
                                http_access deny CONNECT !sslports

                                # Always allow localhost connections
                                http_access allow localhost

                                request_body_max_size 0 KB
                                delay_pools 1
                                delay_class 1 2
                                delay_parameters 1 -1/-1 -1/-1
                                delay_initial_bucket_level 100
                                delay_access 1 allow allsrc

                                # Reverse Proxy settings

                                # Package Integration
                                url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
                                url_rewrite_bypass off
                                url_rewrite_children 16 startup=12 idle=8 concurrency=0

                                # Custom options before auth

                                # Always allow access to whitelist domains
                                http_access allow whitelist

                                # List of domains allowed to logging in to Google services
                                request_header_access X-GoogApps-Allowed-Domains deny all
                                request_header_add X-GoogApps-Allowed-Domains microsoft.com

                                # Set YouTube safesearch restriction
                                acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
                                request_header_access YouTube-Restrict deny all
                                request_header_add YouTube-Restrict moderate youtubedst

                                # Setup allowed ACLs
                                # Allow local network(s) on interface(s)
                                http_access allow localnet

                                # Default block all to be sure
                                http_access deny allsrc

                                icap_enable on
                                icap_send_client_ip on
                                icap_send_client_username on
                                icap_client_username_encode off
                                icap_client_username_header X-Authenticated-User
                                icap_preview_enable on
                                icap_preview_size 1024

                                icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
                                adaptation_access service_avi_req allow all
                                icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
                                adaptation_access service_avi_resp allow all

                                • philippe34 @philippe34

                                  With my non-expert eyes I don't see anything that shocks me. What do you think?

                                  • JonathanLee @philippe34

                                    @philippe34 @stephenw10 said in after upgrade to 24.11: squid doesn't start:

                                    Unknown http_port option 'NO_TLSv1,'

                                    We had this merged as it disabled the older TLS version in the previous Squid version

                                    2024/12/02 15:13:21| Processing: acl block_hours time 00:30-05:00
                                    2024/12/02 15:13:21| Processing: ssl_bump terminate all block_hours
                                    2024/12/02 15:13:21| Processing: http_access deny all block_hours
                                    2024/12/02 15:13:21| Processing: acl getmethod method GET
                                    2024/12/02 15:13:21| Processing: acl to_ipv6 dst ipv6
                                    2024/12/02 15:13:21| Processing: acl from_ipv6 src ipv6
                                    **2024/12/02 15:13:21| Processing: tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET,SINGLE_DH_USE,SINGLE_ECDH_USE**
                                    2024/12/02 15:13:21| ERROR: Unsupported TLS option SINGLE_DH_USE
                                    2024/12/02 15:13:21| ERROR: Unsupported TLS option SINGLE_ECDH_USE
                                    2024/12/02 15:13:21| Processing: acl HttpAccess dstdomain "/usr/local/pkg/http.access"
                                    2024/12/02 15:13:21| Processing: acl windowsupdate dstdomain "/usr/local/pkg/windowsupdate"
                                    2024/12/02 15:13:21| Processing: refresh_all_ims on
                                    2024/12/02 15:13:21| Processing: reload_into_ims on
                                    2024/12/02 15:13:21| Processing: max_stale 20 years
                                    2024/12/02 15:13:21| Processing: minimum_expiry_time 0
                                    

                                    See the NO_TLSv1 processes in the older boot environments; that is weird. I wonder if that is Squid 7: they changed that directive right when we merged it. Unreal

                                    Merged in dc49dc3b0fa84d3e2588f31c69060f70b162e390.

                                    https://github.com/pfsense/FreeBSD-ports/commit/bd93b039663782e42721656ed50653086e6118ba

                                    https://github.com/pfsense/FreeBSD-ports/pull/1367

                                    https://github.com/pfsense/FreeBSD-ports/pull/1365

                                    That is when I added the NO_TLSv1 for security, but it is not taking; scratching my head here, as it was working before and on the last pfSense versions. Sorry

                                    $sslproxy_options is used with tls_outgoing_options options and should have blocked use of TLS1 and TLS1_1. When doing packet scans without this feature flag set, the proxy was allowing connections with TLS1_1; after adding this directive feature flag manually, it forced TLSv1_2 and TLSv1_3 to be used, as seen in pcap files. Please set this, as many websites will send change cipher requests when attempting TLS1_1.

                                    Again, why does the new version block the restriction and mark it as unknown? Weird, right? It works on the older one, as you can see above.

                                    I think I got mixed up with my first attempt to improve security on this package. Sorry :(

                                    Make sure to upvote

                                    • stephenw10 (Netgate Administrator) @philippe34

                                      @philippe34 Is that the conf file that starts or fails?

                                      The error shown, Unknown http_port option 'NO_TLSv1,', makes it seem like the conf file is being incorrectly generated such that it's trying to use 'NO_TLSv1,' as an http_port option.

                                      • JonathanLee @stephenw10

                                        @stephenw10

                                        Commit dc0f0badcbf29efa73fa6d3cc5e5ab966ea3da4f caused issues. I think this directive is no longer valid; as soon as we fixed it, Squid upstream must have already fixed it and disabled the directive also. Just NO_TLSv1; the other, NO_TLSv1_1, seems to still work.

                                        https://github.com/JonathanDLee24/FreeBSD-ports/tree/dc0f0badcbf29efa73fa6d3cc5e5ab966ea3da4f

                                        Screenshot 2024-12-02 at 15.45.04.png

                                        Let me change it back and see if that fixes the error, but it will take 6 months to get fixed before it gets reviewed again. I tested it with my stuff and everything. Keep trying, don't give up.

                                        Make sure to upvote

                                        • stephenw10 (Netgate Administrator)

                                          Oh OK this is a fixed setting not an option. Interesting.
                                          I expect those http_port lines to include those options like:

                                          http_port 192.168.221.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3, NO_TLSv1_1
                                          

                                          Which is why it throws the error there.

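A pre-flight check for the three failures quoted in this thread (the http_port 'options=' list split by spaces so that Squid reports an unknown http_port option 'NO_TLSv1,', the obsolete dns_v4_first directive, and the unsupported SINGLE_DH_USE/SINGLE_ECDH_USE TLS options), as an added example that is not code from the thread or from the pfSense squid package. It assumes Squid splits a directive line on whitespace and reads 'options=' as a comma-separated list; the sample config and the HTTP_PORT_FLAGS set are constructed for the example.

```python
"""Pre-flight check for a pfSense-generated squid.conf (added example, not from the
thread or the pfSense squid package). It splits directive lines on whitespace the
way Squid does, so 'options=NO_SSLv3, NO_TLSv1' is seen the way Squid sees it."""

# Problems quoted in the thread for Squid 6.10; not an exhaustive list.
OBSOLETE_DIRECTIVES = {"dns_v4_first": "obsolete, remove the line"}
UNSUPPORTED_TLS_OPTIONS = {"SINGLE_DH_USE", "SINGLE_ECDH_USE"}
HTTP_PORT_FLAGS = {"ssl-bump", "intercept", "transparent", "tproxy", "accel"}  # assumed subset


def _check_tls_options(line_no, value):
    """Flag entries of a comma-separated 'options=' value that Squid 6 rejects."""
    return [(line_no, f"unsupported TLS option {opt}")
            for opt in value.split(",") if opt in UNSUPPORTED_TLS_OPTIONS]


def check_squid_conf(text):
    """Return (line_no, message) findings for the given config text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if directive in OBSOLETE_DIRECTIVES:
            findings.append((line_no, f"{directive} is {OBSOLETE_DIRECTIVES[directive]}"))
        elif directive in ("http_port", "https_port"):
            # args[0] is the listen address; every later token must be a known
            # flag or key=value, which is exactly how 'NO_TLSv1,' gets rejected.
            for tok in args[1:]:
                if "=" in tok:
                    key, value = tok.split("=", 1)
                    if key == "options":
                        findings += _check_tls_options(line_no, value)
                    if value.endswith(","):
                        findings.append((line_no, f"'{tok}' ends in a comma: option list split by whitespace"))
                elif tok not in HTTP_PORT_FLAGS:
                    findings.append((line_no, f"unknown http_port option '{tok}'"))
        elif directive == "tls_outgoing_options":
            for tok in args:
                if tok.startswith("options="):
                    findings += _check_tls_options(line_no, tok.split("=", 1)[1])
    return findings


def fix_options_spacing(line):
    """Rejoin an 'options=' list that was split by spaces and drop duplicate entries."""
    merged = []
    for tok in line.split():
        if merged and merged[-1].endswith(","):
            merged[-1] += tok  # glue the continuation back onto the list
        else:
            merged.append(tok)
    for i, tok in enumerate(merged):
        if tok.startswith("options="):
            opts = [o for o in tok[len("options="):].split(",") if o]
            merged[i] = "options=" + ",".join(dict.fromkeys(opts))
    return " ".join(merged)


# Constructed sample modelled on the lines quoted in the thread, not a real config.
SAMPLE_CONF = """\
# generated by pfSense (constructed sample)
http_port 172.16.9.1:3128 ssl-bump generate-host-certificates=on options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1,NO_TLSv1
dns_v4_first off
tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET,SINGLE_DH_USE,SINGLE_ECDH_USE
http_access deny all
"""

if __name__ == "__main__":
    for line_no, msg in check_squid_conf(SAMPLE_CONF):
        print(f"line {line_no}: {msg}")
    print(fix_options_spacing(SAMPLE_CONF.splitlines()[1]))
```

Squid's own `squid -k parse -f /usr/local/etc/squid/squid.conf` remains the authoritative check; this script only shows why the errors reported above arise and what the rejoined http_port line looks like.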
                                          • JonathanLee

                                            @stephenw10 said in after upgrade to 24.11: squid doesn't start:

                                            le=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3, NO_TLSv1_1

                                            https://github.com/pfsense/FreeBSD-ports/commit/476a7d0e3dca704b236839970f1d215912184f73

                                            Should fix it per maintainer

                                            Make sure to upvote

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.