Netgate Discussion Forum
Squid troubles, http not working

    mr.fox
    last edited by Dec 3, 2024, 4:55 PM

    This is my first post. I am unable to get http access working with a squid proxy. I've googled around, tried a few guides, and no luck.

    setup description:

    WAN -> Proxmox -> pfSense/squid(VM) -> | vm: server 1 | vm: server 2|
    

    intent:
    2 servers/VM on one IP address
    server 1 would match to xyz.com and handle regular web traffic
    server 2 would match to sub1.xyz.com and handle some other stuff.

    It's most likely some misconfiguration somewhere, but I'm just not sure where. Right now, I'm just focused on getting server 1 accessible.

    server 1:
    Alma Linux 9
    apache has mod_proxy

    site conf file
    server1 apache conf.JPG

    /etc/hosts file
    server1 hosts.JPG

    one guide said to create a conf file with the following.
    server1 reverse_proxy conf.JPG

    pfSense:
    squid installed
    squidGuard installed/disabled for now

    squid conf

    # This file is automatically generated by pfSense
    # Do not edit manually !
    
    http_port 192.168.1.1:3128
    icp_port 0
    digest_generation off
    dns_v4_first off
    pid_filename /var/run/squid/squid.pid
    cache_effective_user squid
    cache_effective_group proxy
    error_default_language en
    icon_directory /usr/local/etc/squid/icons
    visible_hostname voip-ly.com
    cache_mgr admin@localhost
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    netdb_filename /var/squid/logs/netdb.state
    pinger_enable on
    pinger_program /usr/local/libexec/squid/pinger
    
    logfile_rotate 0
    debug_options rotate=0
    shutdown_lifetime 3 seconds
    # Allow local network(s) on interface(s)
    acl localnet src  192.168.1.0/24
    forwarded_for on
    uri_whitespace strip
    
    acl dynamic urlpath_regex cgi-bin \?
    cache deny dynamic
    
    cache_mem 64 MB
    maximum_object_size_in_memory 256 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    minimum_object_size 0 KB
    maximum_object_size 4 MB
    cache_dir ufs /var/squid/cache 100 16 256
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    cache deny all
    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:    1440  20%  10080
    refresh_pattern ^gopher:  1440  0%  1440
    refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
    refresh_pattern .    0  20%  4320
    
    
    #Remote proxies
    
    
    # Setup some default acls
    # ACLs all, manager, localhost, and to_localhost are predefined.
    acl allsrc src all
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3129 1025-65535 
    acl sslports port 443 563  
    
    acl purge method PURGE
    acl connect method CONNECT
    
    # Define protocols used for redirects
    acl HTTP proto HTTP
    acl HTTPS proto HTTPS
    acl allowed_subnets src 192.168.1.0/24
    http_access allow manager localhost
    
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports
    
    # Always allow localhost connections
    http_access allow localhost
    
    request_body_max_size 0 KB
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow allsrc
    
    # Reverse Proxy settings
    http_port 69.16.214.157:80 accel defaultsite=voip-ly.com vhost
    #alma9 server
    cache_peer 192.168.1.15 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_www
    
    #debian12.pbx
    cache_peer 192.168.1.16 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_pbx
    
    acl rvm_public url_regex -i voip-ly.com
    acl rvm_pbx url_regex -i voip-ly.com
    cache_peer_access rvp_www allow rvm_public
    cache_peer_access rvp_pbx allow rvm_pbx
    cache_peer_access rvp_www deny !rvm_public
    cache_peer_access rvp_pbx deny !rvm_pbx
    never_direct allow rvm_public
    never_direct allow rvm_pbx
    http_access allow rvm_public
    http_access allow rvm_pbx
    
    deny_info TCP_RESET allsrc
    
    # Custom options before auth
    
    
    # Set YouTube safesearch restriction
    acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
    request_header_access YouTube-Restrict deny all
    request_header_add YouTube-Restrict none youtubedst
    # Setup allowed ACLs
    # Allow local network(s) on interface(s)
    http_access allow allowed_subnets
    http_access allow localnet
    # Default block all to be sure
    http_access deny allsrc
    
    
    
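One way to express the two-host split described in the post as a Squid reverse-proxy fragment (an added example, not the pfSense-generated config above): it assumes the placeholder names xyz.com and sub1.xyz.com from the post, the origin addresses 192.168.1.15 and 192.168.1.16 from the posted config, and PUBLIC_IP as a stand-in for the WAN address.

```conf
# Added example, not the pfSense-generated squid.conf from the post.
# Placeholders: xyz.com / sub1.xyz.com (from the post), PUBLIC_IP (WAN address).
# Origin servers 192.168.1.15 (web) and 192.168.1.16 (pbx) are taken from the post.

# vhost makes Squid route on the Host header; defaultsite covers clients that send none.
http_port PUBLIC_IP:80 accel vhost defaultsite=xyz.com

# One originserver peer per backend, each with a distinct name.
cache_peer 192.168.1.15 parent 80 0 no-query no-digest originserver name=rvp_www
cache_peer 192.168.1.16 parent 80 0 no-query no-digest originserver name=rvp_pbx

# dstdomain compares the requested hostname literally, so these two ACLs cannot
# both match one request. An unanchored url_regex such as "xyz.com" is a substring
# match (and its "." matches any character), so it would also match sub1.xyz.com
# and both peers would be candidates for the same request.
acl site_www dstdomain xyz.com www.xyz.com
acl site_pbx dstdomain sub1.xyz.com

# Bind each peer to its own hostname and nothing else.
cache_peer_access rvp_www allow site_www
cache_peer_access rvp_www deny all
cache_peer_access rvp_pbx allow site_pbx
cache_peer_access rvp_pbx deny all

# Accelerated requests must be answered by a peer, never fetched directly.
never_direct allow site_www
never_direct allow site_pbx

# Admit only the two published hostnames; anything else falls through to the
# final deny so the public listener cannot be used as an open forward proxy.
http_access allow site_www
http_access allow site_pbx
http_access deny all
```

A quick check after reloading is to request each hostname against the public address and confirm in access.log that the entry ends with the expected peer name (rvp_www or rvp_pbx) rather than HIER_NONE or DIRECT.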
      JonathanLee
      last edited by Dec 5, 2024, 3:42 PM

      Squid has a default gateway directive.

      https://www.squid-cache.org/Doc/config/tls_outgoing_options/

      https://www.squid-cache.org/Doc/config/tcp_outgoing_address/

      Option Name:	tcp_outgoing_address
      Replaces:	
      Requires:	
      Default Value:	Address selection is performed by the operating system.
      Suggested Config:	
      
      	Allows you to map requests to different outgoing IP addresses
      	based on the username or source address of the user making
      	the request.
      
      	tcp_outgoing_address ipaddr [[!]aclname] ...
      
      	For example;
      		Forwarding clients with dedicated IPs for certain subnets.
      
      	  acl normal_service_net src 10.0.0.0/24
      	  acl good_service_net src 10.0.2.0/24
      
      	  tcp_outgoing_address 2001:db8::c001 good_service_net
      	  tcp_outgoing_address 10.1.0.2 good_service_net
      
      	  tcp_outgoing_address 2001:db8::beef normal_service_net
      	  tcp_outgoing_address 10.1.0.1 normal_service_net
      
      	  tcp_outgoing_address 2001:db8::1
      	  tcp_outgoing_address 10.1.0.3
      
      	Processing proceeds in the order specified, and stops at first fully
      	matching line.
      
      	Squid will add an implicit IP version test to each line.
      	Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
      	Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
      
      
      	NOTE: The use of this directive using client dependent ACLs is
      	incompatible with the use of server side persistent connections. To
      	ensure correct results it is best to set server_persistent_connections
      	to off when using this directive in such configurations.
      
      	NOTE: The use of this directive to set a local IP on outgoing TCP links
      	is incompatible with using TPROXY to set client IP out outbound TCP links.
      	When needing to contact peers use the no-tproxy cache_peer option and the
      	client_dst_passthru directive re-enable normal forwarding such as this.
      
      	This clause only supports fast acl types.
      	See https://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
      
      

      Make sure to upvote
