• Hi, I installed the squid package on my 0.90a version, but in order for it to work properly, I made some changes based on some advice I got:

    There is some configuration missing on /dev/pf

    I was receiving the error:

    "parseHttpRequest: PF open failed: (13) Permission denied"

    In the cache.log

    So according to some posts I found the permissions for the /dev/pf should be changed to:

    chgrp squid /dev/pf
    chmod g+rw /dev/pf

    I'm not an expert on FreeBSD or Squid, but this certainly removed the errors in cache.log and enhanced the performance of the cache.

    Besides, after installing the squid package I had to replace the second line in /usr/local/etc/rc.d/squid.sh with:
        #: /usr/local/etc/rc.d/squid.sh

    I hope this may help someone else.


  • Emanuel,

    I appreciate the suggestions.  I have made the changes in the package code to modify permissions on /dev/pf after reviewing several articles stating that this appears to be a good way to give Squid permission to write to it.

    Does anyone see any negative implications of doing such before the code is committed?  I'm still working on some other issues before committing, so let me know.  Thanks!

    Mike


  • Thanks Myntric!!


  • Has this been committed yet? I've manually done these changes, and they have really helped out my squid installation! Nice help Emanuel!


  • @Cyrandir:

    Has this been committed yet? I've manually done these changes, and they have really helped out my squid installation! Nice help Emanuel!

    Not as of yet.


  • No commits as of yet.  I can commit these changes, but I'm in the midst of a rewrite of one of the components to try and make it a little faster in writing the configuration.  It's pretty inefficient at this point.  I'll see what I can do.


  • @Cyrandir:

    Has this been committed yet? I've manually done these changes, and they have really helped out my squid installation! Nice help Emanuel!

    Hi Cyrandir, it's great I can help, but be aware that the permission changes don't survive a reboot, so you can do one of two things:

    1- Modify the /usr/local/etc/rc.d/squid.sh and add the two commands you ran before:
          chgrp squid /dev/pf
          chmod g+rw /dev/pf

    2- Modify the /etc/devfs.conf file and add these lines at the end:
        own pf root:squid
        perm pf 0640

    This is to make sure the changes are re-applied every time your server boots, at least it works well for me.

    Hope this helps
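
The two options above do not set the same bits: `chmod g+rw` adds group read and write, while `perm pf 0640` gives the group read access only. An added example (not from the thread or the package) that reads devfs.conf-style lines and compares the group access each option leaves on /dev/pf; the 0600 starting mode and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the access the squid group
# ends up with on /dev/pf under each of the two persistence options.

# devfs_effective DEVICE  (devfs.conf text on stdin)
# Prints "owner:group mode" from the last matching own/perm lines, "-" if unset.
devfs_effective() {
    awk -v dev="$1" '
        $1 ~ /^#/ { next }                       # comment line
        $1 == "own"  && $2 == dev { own = $3 }   # own  <device> <user>:<group>
        $1 == "perm" && $2 == dev { perm = $3 }  # perm <device> <octal mode>
        END {
            if (own == "")  own = "-"
            if (perm == "") perm = "-"
            print own, perm
        }'
}

# chmod_group_rw MODE: octal mode after "chmod g+rw", e.g. 0600 -> 0660
chmod_group_rw() {
    printf '%04o\n' $(( 0$1 | 060 ))
}

# group_access MODE: group triplet of an octal mode, e.g. 0640 -> r--
group_access() {
    bits=$(( (0$1 >> 3) & 7 ))
    r=-; w=-; x=-
    if [ $(( bits & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( bits & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( bits & 1 )) -ne 0 ]; then x=x; fi
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# compare_pf_options BASE_MODE  (devfs.conf text on stdin)
# BASE_MODE is the mode /dev/pf has before either option runs (assumed).
# Returns 0 when both options give the group the same access, 1 when they
# differ, 2 when devfs.conf has no perm line for pf.
compare_pf_options() {
    conf=$(devfs_effective pf)            # e.g. "root:squid 0640"
    conf_mode=${conf#* }
    if [ "$conf_mode" = "-" ]; then
        echo "devfs.conf: no perm line for pf"
        return 2
    fi
    rc_mode=$(chmod_group_rw "$1")
    echo "rc.d chmod g+rw: mode $rc_mode group=$(group_access "$rc_mode")"
    echo "devfs.conf perm: mode $conf_mode group=$(group_access "$conf_mode")"
    [ "$(group_access "$rc_mode")" = "$(group_access "$conf_mode")" ]
}

# Constructed sample: the two lines from option 2, as appended to devfs.conf.
if ! compare_pf_options 0600 <<'EOF'
# added for squid
own     pf      root:squid
perm    pf      0640
EOF
then
    echo "the two options grant the squid group different access to /dev/pf"
fi
```

Whichever option is used, the narrower of the two modes that still lets Squid start without the PF open error is the one to keep.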


  • Thanks! I'll do that


  • Hi Myntric,

    I'm using the last package you released, and it works really well, but it seems like it needs to change perms for squid group to "/var/run/squid.pid".

    Besides, I was thinking that it would be nice to have a squid entry in the "Status/Services" page in the GUI.  Is it very difficult? I have no skills in editing php or xml.

    Thanks again for your help!


  • I agree that a service status entry would be highly useful


  • This may have already been covered in the lists, but I'm recording them here for posterity as well.  After installing the squid package to my 0.93.2 box I had to make the following changes:

    mkdir /var/squid/cache
    chown squid: /var/squid/cache
    chown squid: /var/squid/logs
    squid -z -f /usr/local/etc/squid/squid.conf

    in squid.conf, you have to make the following changes to the ACLs ( I believe this to be a bug in the WebGUI but I haven't looked at the code yet ):

    ensure that acl all's src is set to 0.0.0.0/255.255.255.0
    ensure that acl localnet's src is set to your local network (or whatever networks you want to traverse your squid proxy)
    add the line: http_access allow localnet

    at this point you can start squid and you should be off and running.


  • The code is actually in there to do the chmod's and such during the install, but it is not executing properly.  I've been working with colin on this.  Due to the complexity with all of the GUI and integration with other items such as SquidGuard, it may come down to where I have to write this in full-fledged PHP and use the packaging system for the install portion, but I'd like to make this version as stable as possible in the meantime.  Thanks for your help!

    Mike


  • Mike,

    There's a big bug in the ACL section of the WebGUI.  When adding networks to the allow section, only one network is captured, and it's appended to the "all" ACL rather than the "localnet" ACL.  Any additional networks added are ignored, although they're slumped together one on top of the next in the WebGUI display.  It might be better to either create a file and write networks to that file and have squid.conf point to that file.  Alternatively, you might have the localnet ACL get the networks bound to whichever NIC squid should be bound to.


  • @submicron:

    Mike,

    There's a big bug in the ACL section of the WebGUI.  When adding networks to the allow section, only one network is captured, and it's appended to the "all" ACL rather than the "localnet" ACL.  Any additional networks added are ignored, although they're slumped together one on top of the next in the WebGUI display.  It might be better to either create a file and write networks to that file and have squid.conf point to that file.  Alternatively, you might have the localnet ACL get the networks bound to whichever NIC squid should be bound to.

    Also, I have found that if you add "unrestricted IPs" in the ACL of the WebGUI, they are stored in the acl file just as they were written down in the WebGUI, this means, separated by a semi-colon, instead of one IP address per line, which generates errors when you start the service.  If you edit the acl_unrestricted_ip.acl file, and put one IP address per line, it shows funny in the WebGUI page.

    Thanks again for this great piece of software!
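
The semicolon problem described above, as an added example that is not part of the squid package: a filter that rewrites a semicolon-separated entry list to one entry per line and rejects anything that is not an IPv4 address with an optional /prefix. The function name and sample addresses are constructed; Squid also accepts ranges and dotted netmasks, which this narrow check would reject.

```shell
#!/bin/sh
# Added example, not from the squid package.

# normalize_acl: ACL text on stdin, one validated entry per line on stdout.
# Invalid entries go to stderr and make the function return non-zero, so a
# caller can refuse to write the file instead of handing Squid a broken ACL.
normalize_acl() {
    tr ';' '\n' | awk '
        # returns 1 when s is a dotted-quad IPv4 address, optionally /0 to /32
        function valid_ipv4(s,    n, a, parts, i) {
            n = split(s, a, "/")
            if (n > 2) return 0
            if (n == 2 && (a[2] !~ /^[0-9]+$/ || a[2] + 0 > 32)) return 0
            if (split(a[1], parts, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (parts[i] !~ /^[0-9]+$/ || parts[i] + 0 > 255) return 0
            return 1
        }
        { gsub(/^[ \t\r]+|[ \t\r]+$/, "") }   # trim blanks and stray CRs
        $0 == "" || /^#/ { next }             # skip empty lines and comments
        valid_ipv4($0) { print; next }
        { print "invalid ACL entry: " $0 | "cat 1>&2"; bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample: the value as the WebGUI stored it, all on one line.
printf '10.0.0.5;10.0.0.6; 192.168.1.0/24\n' | normalize_acl
```

Squid reads a file in this one-entry-per-line form when the ACL names it in double quotes, for example `acl localnet src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"`.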


  • Mike,

    I know you'll work on these issues when you get time.  Is it better for us to keep posting to this thread or would you rather we file bug reports as we come across issues?


  • @submicron:

    Mike,

    I know you'll work on these issues when you get time.  Is it better for us to keep posting to this thread or would you rather we file bug reports as we come across issues?

    I think this thread for now will work best for me.  Thanks!

    Mike


  • I just installed Squid 2.5.11_3 on 0.90 - I know, there's a newer release… ;-)
    After install, I did this:
    chgrp squid /dev/pf
    chmod g+rw /dev/pf
    /usr/local/sbin/squid -z -f /usr/local/etc/squid/squid.conf
    Navigated to: Services->Squid
    Proxy Listening Interface: LAN
    Transparent Proxy: CHECKED
    Log Enabled: CHECKED
    Visible Hostname: XXX.com
    Cache Administrator Email: support@XXX.com
    Error Message Language: English
    And then pressed save:
    Warning: fopen(/usr/local/etc/squid/advanced/acls/src_subnets.acl): failed to open stream: No such file or directory in /usr/local/pkg/squid_ng.inc on line 487
    Warning: fwrite(): supplied argument is not a valid stream resource in /usr/local/pkg/squid_ng.inc on line 488
    Warning: fclose(): supplied argument is not a valid stream resource in /usr/local/pkg/squid_ng.inc on line 489
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/squid_ng.inc:487) in /usr/local/www/pkg_edit.php on line 183

    Are the missing files (I checked) not a part of the package?
    I have set squid up on an older version before - no problems there - did I miss something or is it in a state of flux at the moment?

    Thanks!


  • I just installed .94.  I haven't had a chance to get .94.4 yet but I got pretty much the same thing.  I changed some options and clicked save and an error similar to that appeared.  I was on the first tab of the setup page.  I got similar errors from the second tab after changing an option or two and perhaps from the third tab also.  On the tab where you enter ip and domain ips etc, after hitting save I got no errors.

    I refreshed all the pages I changed settings on and they seemed to be set to what I changed them to.

    I didn't bother posting it here because I'm not on the most current version.


  • Interesting.  The last commit was a few weeks ago and while quite a bit was changed, I was under the impression that the default install worked.  The package is definitely in a state of flux at the moment.  In speaking with Colin, it seems that the best way to design a flexible Squid package and allow the integration with SquidGuard, HAVP, ClamAV, or whatever is to code in pure PHP while using the packaging system simply for the install/deinstall and such.  This would allow much more flexibility. I've started the process and don't expect to have a commit for a little while, but am plugging away and trying to support both packages now.  I'll check into this issue and see if I can fix it and commit a new version.  I'll let everyone know if I do.  Thanks!


  • This actually was a server error.  Our package sync script stopped copying changes from CVS.

    At any rate, everything is fixed now and the squid stuff should be on the latest version on the server now.


  • I'm guessing that the correct answer is to uninstall and then re-install the squid package?


  • @submicron:

    I'm guessing that the correct answer is to uninstall and then re-install the squid package?

    Yep.


  • Just did a remove and install…
    At the bottom of the package install screen in black on the grey background was this text:
    Parse error: parse error, unexpected T_STRING in /etc/inc/pkg-utils.inc(426) : eval()'d code on line 1

    Tried the same task again, got the same message about missing includes etc. when I pressed save on the first page of the config... perhaps the cause was the error above?

    Thanks!
    Still running 0.90 on that box - will upgrade to 94.4 today


  • @submicron:

    I'm guessing that the correct answer is to uninstall and then re-install the squid package?

    My install was 100% fresh.  The first thing I did was install squid and start to configure it.

    I am thinking the reason I haven't seen these errors before, or not that I remember, is because I have just used the upgrade option each time (except this time).  And it keeps all my settings even when you get the error.


  • Hi all!

    Likewise, all references to "GSDF" should also be changed to "GDSF".

    ;)


  • @amenabe:

    Hi all!

    Likewise, all references to "GSDF" should also be changed to "GDSF".

    ;)

    Already fixed.


  • have pfsense .95a installed and just installed squid.

    first time it was installed, i misconfigured it and got lots of errors.
    so i removed it and installed again.
    this time it works fine.

    but after reboot, it won't start up automatically.
    i have to go to shell and type squid to start it

    what to do to make it startup on every boot?


  • @rexster:

    have pfsense .95a installed and just installed squid.

    This version is not supported.  Upgrade to receive support.


  • fresh installed pfsense 1 beta
    then directly installed squid package only.

    squid doesn't run at all.
    i tried to look from the shell, no /var/squid folder
    there's a squid folder on /etc/local
    but it only contains 2 folders (logs and cache) and both folders are empty.

    so, no log i can see.
    the cache folder is also not created yet.

    i tried squid -z but it gives an error: failed to create folder…


  • these are the steps you need to take to get squid 2.5.12 from the pfsense packages working with pfsense beta 1

    
    pfSense console setup
    8)  Shell
    
    mkdir /var/squid
    chown squid:squid /var/squid
    mkdir /var/squid/logs
    chown squid:squid /var/squid/logs
    mkdir /var/squid/cache
    chown squid:squid /var/squid/cache
    mkdir /usr/local/etc/squid/advanced
    chown squid:squid /usr/local/etc/squid/advanced
    mkdir /usr/local/etc/squid/advanced/acls
    chown squid:squid /usr/local/etc/squid/advanced/acls
    touch /usr/local/etc/squid/advanced/acls/src_subnets.acl
    chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl
    touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl
    chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl
    squid -z
    exit
    
    pfSense console setup
    11)  Restart webConfigurator
    
    now config in pfsense browser
    http://ipadress/pkg_edit.php?xml=squid_ng.xml&id=0
    
    go back to console
    pfSense console setup
    8)  Shell
    
    squid
    ps -ax | grep squid
    
    if you see something like this :
     4683  ??  Ss     0:00.00 squid
     4685  ??  S      0:00.19 (squid) (squid)
     4695  p0  S+     0:00.01 grep squid
    
    squid is running
    
    

  • ok now squid runs fine.

    still one problem.
    how do i make it automatically start on each boot?

    btw… one more issue...
    even though squid does run, when i check the access.log file,
    i only see access to http://my.ip.address
    and all access to the internet doesn't show up there.

    is this normal?

    tnx
    rex


  • Try starting it by using the hidden xml-options for the config.xml: http://faq.pfsense.com/index.php?sid=18492&lang=en&action=artikel&cat=10&id=38&artlang=en&highlight=hidden

    This of course won't be needed later when the package is final.


  • can you explain in more detail…
    exactly, what to put into config.xml, where to put it?

    a few issues i found:
    transparent proxy doesn't seem to work (yet) ?
    and proxy also refuses https protocol?

    tnx
    rex


  • here transparent proxy for port 80 works but only with 3128 as squid port on pfsense
    the log is on /var/squid/logs/access.log

    
    10.141.254.1 - - [07/Jan/2006:09:32:23 +0100] "GET http://forum.pfsense.org/favicon.ico HTTP/1.1" 404 483 TCP_NEGATIVE_HIT:NONE
    10.141.254.1 - - [07/Jan/2006:09:32:24 +0100] "GET http://www.imageshack.us/iframe.php?txtcolor=111111&type=blank HTTP/1.1" 200 1211 TCP_MISS:DIRECT
    10.141.254.1 - - [07/Jan/2006:09:32:24 +0100] "GET http://forum.pfsense.org/favicon.ico HTTP/1.1" 404 483 TCP_NEGATIVE_HIT:NONE
    10.141.254.1 - - [07/Jan/2006:09:34:06 +0100] "GET http://checkip.dyndns.org/ HTTP/1.0" 200 264 TCP_MISS:DIRECT
    10.141.254.1 - - [07/Jan/2006:09:39:09 +0100] "GET http://checkip.dyndns.org/ HTTP/1.0" 200 264 TCP_MISS:DIRECT
    
    

    check /var/squid/logs/cache.log for squid errors

    to start squid from config.xml:
    add <shellcmd>squid</shellcmd> to config.xml
    look at the code below for where to put it

    
    <system>
    	<optimization>normal</optimization>
    	<hostname>pfsense</hostname>
    	<domain>wlelystad.homeip.net</domain>
    	<username>admin</username>
    	<password>$1$.Qr5mty/$FZsZiYnpLMX1fs3VPAJpq1</password>
    	<timezone>Europe/Amsterdam</timezone>
    	<time-update-interval>300</time-update-interval>
    	<timeservers>pool.ntp.org</timeservers>
    	<webgui>
    		<protocol>http</protocol>
    		<certificate/>
    		<private-key/>
    		<port>10000</port>
    	</webgui>
    	<enablesshd>yes</enablesshd>
    	<maximumstates/>
    	<dnsallowoverride/>
    	<dnsserver/>
    	<dnsserver/>
    	<shellcmd>squid</shellcmd>
    </system>
    
    

  • @jeroen234:

    these are the steps you need to take to get squid 2.5.12 from the pfsense packages working with pfsense beta 1

    
    pfSense console setup
    8)  Shell
    
    mkdir /var/squid
    chown squid:squid /var/squid
    mkdir /var/squid/logs
    chown squid:squid /var/squid/logs
    mkdir /var/squid/cache
    chown squid:squid /var/squid/cache
    mkdir /usr/local/etc/squid/advanced
    chown squid:squid /usr/local/etc/squid/advanced
    mkdir /usr/local/etc/squid/advanced/acls
    chown squid:squid /usr/local/etc/squid/advanced/acls
    touch /usr/local/etc/squid/advanced/acls/src_subnets.acl
    chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl
    touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl
    chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl
    squid -z
    exit
    
    pfSense console setup
    11)  Restart webConfigurator
    
    now config in pfsense browser
    http://ipadress/pkg_edit.php?xml=squid_ng.xml&id=0
    
    go back to console
    pfSense console setup
    8)  Shell
    
    squid
    ps -ax | grep squid
    
    if you see something like this :
     4683  ??  Ss     0:00.00 squid
     4685  ??  S      0:00.19 (squid) (squid)
     4695  p0  S+     0:00.01 grep squid
    
    squid is running
    
    

    I just updated the squid INIT code to include this.  Please test again!


  • @sullrich:

    This actually was a server error.  Our package sync script stopped copying changes from CVS.

    At any rate, everything is fixed now and the squid stuff should be on the latest version on the server now.

    Speaking of this, we had yet another problem syncing packages.  Please try squid again, I've fixed a ton of errors and made sure that it is syncing.

    Out of the box squid starts now for me.  Please let me know if this is not the case for anyone else, I really want squid working for 1.0.


  • Hi @all!

    I've tried to use the captive portal together with squid in transparent mode. The captive portal was running before without any errors, but after I have installed squid I've got a lot of errors and squid refused the connection to any server on the wan-side.
    Well, I've read the squid docs and faqs and there I've found, it isn't possible to run squid in transparent mode with authentication by acl, ldap and so on.
    Now my question: Is it possible to run squid together with a captive portal?

    Thanks and so long
    Schnuffel


  • i uninstalled squid
    removed leftovers
    installed squid again
    it's now working directly for me

    by the way if you select any of the Authentication settings on squid then squid breaks
    the squid auth files are missing
    had to reinstall squid to get squid working again after that

    
    Warning: Unknown(/usr/local/pkg/squid_auth.inc): failed to open stream: No such file or directory in /usr/local/www/pkg_edit.php(164) : 
    eval()'d code on line 1 Fatal error: (null)(): Failed opening required '/usr/local/pkg/squid_auth.inc' 
    (include_path='.:/etc/inc:/usr/local/www:/usr/local/captiveportal') in /usr/local/www/pkg_edit.php(164) : eval()'d code on line 1
    
    

    only inc file i have in /usr/local/pkg is squid_ng.inc
    the rest are xml files

    @sullrich:

    @jeroen234:

    these are the steps you need to take to get squid 2.5.12 from the pfsense packages working with pfsense beta 1

    
    pfSense console setup
    8)  Shell
    
    mkdir /var/squid
    chown squid:squid /var/squid
    mkdir /var/squid/logs
    chown squid:squid /var/squid/logs
    mkdir /var/squid/cache
    chown squid:squid /var/squid/cache
    mkdir /usr/local/etc/squid/advanced
    chown squid:squid /usr/local/etc/squid/advanced
    mkdir /usr/local/etc/squid/advanced/acls
    chown squid:squid /usr/local/etc/squid/advanced/acls
    touch /usr/local/etc/squid/advanced/acls/src_subnets.acl
    chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl
    touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl
    chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl
    squid -z
    exit
    
    pfSense console setup
    11)  Restart webConfigurator
    
    now config in pfsense browser
    http://ipadress/pkg_edit.php?xml=squid_ng.xml&id=0
    
    go back to console
    pfSense console setup
    8)  Shell
    
    squid
    ps -ax | grep squid
    
    if you see something like this :
     4683  ??  Ss     0:00.00 squid
     4685  ??  S      0:00.19 (squid) (squid)
     4695  p0  S+     0:00.01 grep squid
    
    squid is running
    
    

    I just updated the squid INIT code to include this.  Please test again!


  • Did a clean install on VMware and installed the SQUID package.
    As far as i can see it seems to be working.
    I enabled logging in the web gui but the log can only be viewed from the shell.

    • Only set logging and i saw requests.
        Set the captive portal and that didn't work anymore :(

    • Then set transparent proxy and deleted the logs
        Captive portal login page was working again but you could not get webpages.

    • disabled captive portal and got requests in the logfiles.

    I take it that the requests showing up in the logfile indicate squid is working.


  • @jeroen234:

    
    Warning: Unknown(/usr/local/pkg/squid_auth.inc): failed to open stream: No such file or directory in /usr/local/www/pkg_edit.php(164) : 
    eval()'d code on line 1 Fatal error: (null)(): Failed opening required '/usr/local/pkg/squid_auth.inc' 
    (include_path='.:/etc/inc:/usr/local/www:/usr/local/captiveportal') in /usr/local/www/pkg_edit.php(164) : eval()'d code on line 1
    
    

    I just updated squid_ng.xml to include squid_auth.inc.  Deinstall the package and reinstall.  Hopefully this one is fixed now.