Squid Returned to Packages *** PLEASE TEST ***
-
Hi all. I'm new to the forum and relatively new to pfSense too.
I've been using pfSense for only a few months, but I think it's a great firewall: stable, full of features, very well implemented.
I installed the 2.6.5_1-p15 version of squid package on 1.0.1 release and it seems to work for me.
I configured it to act as a transparent proxy.
/usr/local/sbin/squid status
2007/01/17 18:39:20| Squid is already running! Process ID 11629
/var/squid/log/access.log and /var/squid/log/cache.log are populated.
I'm writing here because I don't understand if there is a way to view squid access logs in the webConfigurator.
I don't see anything in the package logs. Have you planned to implement this feature?
I think I'll try to send access.log to a remote syslog server and run a log analyzer such as SARG there.
Thank you very much for all your great work.
-
@ jahonix
What version of pfSense are you running? Please be sure to be running a version beyond 1.0.1. You must be using a snapshot of some kind or else squid will not start. http://snapshots.pfsense.com/FreeBSD6/RELENG_1/ If the update doesn't help, wipe the machine clean and start with a full iso clean install.
-
I have to debug the "whitelist access only" to see why it doesn't work. The only important part with the ACLs is the ordering, and allowed_subnets and localnet are last in the queue. I have no idea on this one yet.
With regards to access to the logs, none of that is currently implemented. Access to the cache.log is not such a problem, since that one is small and for debugging purposes only. The access log however needs something akin to SARG or webalizer for generating anything useful.
Syslog would be a workaround, and by far the easiest way to move the logs around, although this would be a bad idea on a larger installation.
-
@ jahonix
What version of pfSense are you running?
1.0.1-SNAPSHOT-01-13-2007
built on Sun Jan 14 15:07:53 EST 2007
-
Thanks, databeestje, we have a working squid now. p15 finally did it.
-
well, here it still dumps, but no more at startup. no matter whether transparent or not.
i'm running 1.0.1-SNAPSHOT-01-13-2007 and just downloaded the next one. squid is p15.
squid starts without problems but dumps at any access.
another thing: when i disable 'allow on interface' but include the interface's ip subnet in the allowed subnets it denies me access (and no dump!).
so, the download is ready, i'll post again after the update.
edit:
now i'm running 1.0.1-SNAPSHOT-01-19-2007 and it still is the same, core dump at access.
sure there are no dependencies that need updates?
-
better check if the ACL(s) you use are in the new line-by-line format,
so no "," in there.
-
Has anyone had any luck so far in getting a wildcard to work in the blacklist or somehow been able to create a 'whitelist only' proxy?
-
There is still something wrong …
Clean install of 1.0.1 iso, immediate upgrade to latest snapshot (2007-01-19), install squid.
It starts and seems to be running on the default port (3128), but if I try to change anything on the General settings page (e.g. Admin e-mail, displayed hostname, port), I get the notorious:
The following input errors were detected:
You can not run squid on the same port as the webgui
Any hints? I'm running pfSense with the WebGUI on the default HTTPS port of 443 and I'm trying to set the proxy port to 8080 ...
-
The following input errors were detected: You can not run squid on the same port as the webgui
Change the webGUI port to HTTP:81, save it and set it back to HTTPS:443.
This cured it over here on 2 installs.
Maybe it's just the unused reference to HTTP:80 that squid doesn't like, but I don't know.
I have set squid to transparent mode on port 80, FWIW
-
found it!
i had to activate and deactivate the upstream proxy! no idea why, but it solved it!! p15 running!!
-
I gave it a test run, p15 seems to be working great for me, I will update you if I find out anything new in my logs!
-
Setting the WebGUI-Port solved it.
No need to set it to HTTP:81 and back to HTTPS:443.
Just specifying a port in the WebGUI field does the trick (even if it's the default HTTPS port of 443).
Which gives me the suspicion that the WebGUI port field is used for a regex, and an empty regex matches all … I'll test whether a WebGUI port of 80 prevents a proxy port of 8080 or 8000 ...
-
Woot! I'm going to give this a try in the next week or two on the big iron box I've been running squid on since before it got b0rken'd. I have a 60+ day uptime on that box, squid hasn't been restarted once.
-
Hi, can you recompile squid with the --enable-arp-acl option, because ARP ACLs are not working.
thank you very much :)
-
Any luck yet with white list only or any kind of wild card in the black list field? Just tried with a clean install of snapshot 1-24 and I'm still making it to any site. Maybe we'll have to do something like ipCop and create a whitelist only check box. I suspect in their implementation it removes the blacklist_acl completely and leaves only the whitelist in squid.conf. Just a thought, my programming / text edit skills in FreeBSD are marginal at best.
Any ideas, data?
-
what kind of wildcard are you looking for in the blocked domains? trying to be able to block domains like sex? cuz that WOULD be nice.
currently though it can block all subdomains of a domain. wonder if it will work on top-level domains. would be neat if i could block, say, all of .ru (haven't tried so it may already do it). 'course i could do the same thing by running an internal DNS.
-
There are also some difficulties if I set up my proxy without transparent proxy and "Allow users on interface", with Allowed subnets; then squid.inc creates
acl allowed_subnets src XXX.XXX.XXX.XXX/XX
but there is no
http_access allow allowed_subnets
also waiting for recompiled squid binaries with --enable-arp-acl
-
Blacklisting TLDs does work as reported in this post some time ago. I want to be able to block all sites not explicitly named in my whitelist.
-
for whitelisting and blacklisting use wildcard "."
example for blacklist:
.sex.
.xxx.
.ch
.net
.123456.
if you leave only the "." dot in the list then your users can access only sites listed in the whitelist
Best regards
Ju5t4s
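Two points in this thread are easy to get wrong without seeing them evaluated: databeestje's remark that ACL ordering is all that matters and the report that squid.inc emits an "acl allowed_subnets src ..." line with no matching "http_access allow allowed_subnets", and Ju5t4s's whitelist-only trick of a lone "." in the blacklist. The following is an added example, not code from the thread or from the pfSense squid package: a small Python model of Squid's first-match http_access evaluation over constructed squid.conf fragments. It assumes the documented semantics for "src" (CIDR membership) and "dstdomain" (a leading dot matches the domain and its subdomains, a bare name matches only that host), models a lone "." as matching every host as the post above describes, and applies Squid's rule that an unmatched request gets the opposite of the last http_access line; all addresses and domain names are constructed documentation values.

```python
import ipaddress

# Constructed fragment: the ACL is defined but never referenced by an
# http_access line, so the trailing "deny all" is the only rule that applies.
CONF_MISSING_ALLOW = """
acl all src 0.0.0.0/0
acl allowed_subnets src 192.0.2.0/24
http_access deny all
"""

# Constructed fragment with the allow line in front of the final deny.
CONF_FIXED = """
acl all src 0.0.0.0/0
acl allowed_subnets src 192.0.2.0/24
http_access allow allowed_subnets
http_access deny all
"""

# Constructed fragment showing why ordering matters: the same allow line
# placed after "deny all" is never reached.
CONF_WRONG_ORDER = """
acl all src 0.0.0.0/0
acl allowed_subnets src 192.0.2.0/24
http_access deny all
http_access allow allowed_subnets
"""

# Constructed whitelist-only fragment: blacklist "." matches everything,
# so only hosts that hit the whitelist rule first get through.
CONF_WHITELIST_ONLY = """
acl all src 0.0.0.0/0
acl allowed_subnets src 192.0.2.0/24
acl whitelist dstdomain .example.org
acl blacklist dstdomain .
http_access deny !allowed_subnets
http_access allow whitelist
http_access deny blacklist
http_access allow allowed_subnets
"""


def parse_squid_conf(text):
    """Return ({acl_name: (type, [values])}, [(action, [acl terms])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def src_match(pattern, client_ip):
    """src ACL: client address inside the CIDR block (model assumption: CIDR only)."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)


def dstdomain_match(pattern, host):
    """dstdomain ACL: leading dot = domain plus subdomains; lone "." = every host."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern == ".":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acls, name, client_ip, host):
    acl_type, values = acls[name]
    if acl_type == "src":
        return any(src_match(v, client_ip) for v in values)
    if acl_type == "dstdomain":
        return any(dstdomain_match(v, host) for v in values)
    raise ValueError("unsupported acl type in this model: " + acl_type)


def evaluate(conf, client_ip, host):
    """First matching http_access line wins; all terms on a line must match."""
    acls, rules = parse_squid_conf(conf)
    for action, terms in rules:
        matched = True
        for term in terms:
            negated, name = term.startswith("!"), term.lstrip("!")
            if acl_matches(acls, name, client_ip, host) == negated:
                matched = False
                break
        if matched:
            return action
    if not rules:
        return "allow"
    # Squid's documented default: the opposite of the last http_access line.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    cases = [
        ("missing allow", CONF_MISSING_ALLOW, "192.0.2.10", "example.org"),
        ("fixed", CONF_FIXED, "192.0.2.10", "example.org"),
        ("wrong order", CONF_WRONG_ORDER, "192.0.2.10", "example.org"),
        ("whitelist-only, listed", CONF_WHITELIST_ONLY, "192.0.2.10", "www.example.org"),
        ("whitelist-only, unlisted", CONF_WHITELIST_ONLY, "192.0.2.10", "example.net"),
    ]
    for label, conf, ip, host in cases:
        print(f"{label:28s} {ip:14s} {host:18s} -> {evaluate(conf, ip, host)}")
```

Running it shows the "missing allow" and "wrong order" fragments both deny a client inside allowed_subnets, which is exactly the symptom of an ACL defined without (or behind) its http_access line, and that with blacklist "." the only hosts that get through are the ones the whitelist rule catches first.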