Havp + Squid problem (connect failed)



  • Hi everyone!
    I've just installed a clean pfSense version 1.2.3-RELEASE, then I've installed squid and havp and configured them (in the browser, of course).

    My squid config:

    # Do not edit manually !

    http_port 1.0.0.1:3128
    http_port 127.0.0.1:80 transparent
    icp_port 0

    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_directory /usr/local/etc/squid/errors/English
    icon_directory /usr/local/etc/squid/icons
    visible_hostname localhost
    cache_mgr admin@localhost
    access_log /dev/null
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    shutdown_lifetime 3 seconds

    # Allow local network(s) on interface(s)

    acl localnet src  1.0.0.0/255.255.255.0
    httpd_suppress_version_string on
    uri_whitespace strip

    cache_mem 1024 MB
    maximum_object_size_in_memory 32 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir ufs /var/squid/cache 20480 256 256
    minimum_object_size 0 KB
    maximum_object_size 10240 KB
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95

    # No redirector configured

    # Setup some default acls

    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1/255.255.255.255
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 22222 3128 1025-65535
    acl sslports port 443 563 22222
    acl manager proto cache_object
    acl purge method PURGE
    acl connect method CONNECT
    acl dynamic urlpath_regex cgi-bin \?
    cache deny dynamic
    http_access allow manager localhost

    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports

    # Always allow localhost connections

    http_access allow localhost

    request_body_max_size 0 KB
    reply_body_max_size 0 deny all
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow all

    # Setup allowed acls

    # Allow local network(s) on interface(s)

    http_access allow localnet

    # Default block all to be sure

    http_access deny all

    cat /usr/local/etc/squid/squid.conf | grep havp

    cache_peer 127.0.0.1 parent 8080 0 name=havp no-query no-digest no-netdb-exchange default

    cat /usr/local/etc/squid/squid.conf

    # Do not edit manually !

    http_port 1.0.0.1:3128
    http_port 127.0.0.1:80 transparent
    icp_port 0

    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_directory /usr/local/etc/squid/errors/English
    icon_directory /usr/local/etc/squid/icons
    visible_hostname localhost
    cache_mgr admin@localhost
    access_log /dev/null
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    shutdown_lifetime 3 seconds

    # Allow local network(s) on interface(s)

    acl localnet src  1.0.0.0/255.255.255.0
    httpd_suppress_version_string on
    uri_whitespace strip

    cache_mem 1024 MB
    maximum_object_size_in_memory 32 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir ufs /var/squid/cache 20480 256 256
    minimum_object_size 0 KB
    maximum_object_size 10240 KB
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95

    # No redirector configured

    # Setup some default acls

    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1/255.255.255.255
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 22222 3128 1025-65535
    acl sslports port 443 563 22222
    acl manager proto cache_object
    acl purge method PURGE
    acl connect method CONNECT
    acl dynamic urlpath_regex cgi-bin \?
    cache deny dynamic
    http_access allow manager localhost

    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports

    # Always allow localhost connections

    http_access allow localhost

    request_body_max_size 0 KB
    reply_body_max_size 0 deny all
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow all

    # Setup allowed acls

    # Allow local network(s) on interface(s)

    http_access allow localnet

    # Custom options

    never_direct allow all
    cache_peer 127.0.0.1 parent 8080 0 name=havp no-query no-digest no-netdb-exchange default

    # Default block all to be sure

    http_access deny all

    My havp config:

    # ============================================================
    # HAVP config file
    # This file generated automatically with HAVP configurator (part of pfSense)
    # (C)2008 Serg Dvoriancev
    # email: dv_serg@mail.ru
    # ============================================================

    USER          havp
    GROUP          havp
    DAEMON        true
    PIDFILE        /var/run/havp.pid

    # For small home use, 8 should be minimum.
    # For 500 users corporate use, start at 40.

    SERVERNUMBER  3
    MAXSERVERS    100

    # log

    ACCESSLOG      /var/log/havp/access.log
    ERRORLOG      /var/log/havp/havp.log

    # syslog

    USESYSLOG      true
    SYSLOGNAME    havp
    SYSLOGFACILITY daemon
    SYSLOGLEVEL    info

    # Level of HAVP logging

    #  0 = Only serious errors and information
    #  1 = Less interesting information is included
    LOG_OKS        false
    LOGLEVEL      0

    # temp

    SCANTEMPFILE  /var/tmp/havpRAM/havp-XXXXXX
    TEMPDIR        /var/tmp

    DBRELOAD      180
    TRANSPARENT    false

    # if HAVP is used as parent proxy by some other proxy, this allows to write the real users IP to log, instead of proxy IP.

    FORWARDED_IP    false
    X_FORWARDED_FOR false

    # havp is listening on

    PORT          8080
    BIND_ADDRESS  127.0.0.1

    # Path to template files

    TEMPLATEPATH  /usr/local/share/examples/havp/templates/ru

    # whitelist and blacklist

    WHITELISTFIRST true
    WHITELIST      /usr/local/etc/havp/whitelist
    BLACKLIST      /usr/local/etc/havp/blacklist

    # block file if error scanning

    FAILSCANERROR  true

    # scanner

    SCANNERTIMEOUT 10
    RANGE          false

    # stream scan disabled

    STREAMSCANSIZE  0
    SCANIMAGES      true
    MAXSCANSIZE    5120000
    KEEPBACKBUFFER  200000
    KEEPBACKTIME    5

    # After Trickling Time (seconds), some bytes are sent to browser to keep the connection alive

    TRICKLING      10
    TRICKLINGBYTES  1

    # Downloads larger than MAXDOWNLOADSIZE will be blocked.

    MAXDOWNLOADSIZE 0

    # ClamAV Library Scanner (libclamav)

    ENABLECLAMLIB        false

    # Clamd scanner (Clam daemon)

    ENABLECLAMD          true
    CLAMDSERVER          127.0.0.1
    CLAMDPORT            3310

    All services are started, but I get errors like this:
    Feb 17 20:54:56 havp[36213]: connect() failed: Operation not permitted
    Feb 17 20:54:54 havp[36455]: 127.0.0.1 GET 200 http://autocontext.begun.ru/blockcounter? 343+43 SCANERROR Clamd: Could not connect to scanner socket
    Feb 17 20:54:54 havp[36455]: Scanner errors: Clamd: Could not connect to scanner socket (lasturl: http://autocontext.begun.ru/blockcounter?)
    Feb 17 20:54:54 havp[36457]: Clamd: Could not connect to scanner! Scanner down?
    Feb 17 20:54:54 havp[36457]: connect() failed: Operation not permitted
    Feb 17 20:54:54 havp[34945]: connect() failed: Operation not permitted

    What's wrong? Help me, please.
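The HAVP lines above say that HAVP cannot open a TCP connection to clamd at CLAMDSERVER:CLAMDPORT (127.0.0.1:3310). A direct check of that hop, independent of Squid and HAVP, is the quickest way to tell a firewall problem from a scanner that is simply not listening. The script below is an added example for this thread, not code from pfSense, HAVP, Squid or ClamAV. It speaks the real clamd TCP protocol (send `zPING\0`, expect `PONG\0`) and maps the errno of a failed connect() to its likely cause: on FreeBSD, and therefore on pfSense, connect() returns EPERM ("Operation not permitted") when pf drops the outgoing packet, which also fits the later post that attributes these errors to overflowed pf table sizes. The host and port are parameters; `FakeClamd` is test scaffolding so the check can be exercised offline and is not ClamAV code.

```python
"""Scanner-chain reachability check for a Squid -> HAVP -> clamd setup.

Added example, not code from pfSense, HAVP, Squid or ClamAV. It speaks the
clamd TCP protocol (send "zPING\\0", expect "PONG\\0") against the address
HAVP is configured with (CLAMDSERVER/CLAMDPORT, 127.0.0.1:3310 in the
thread) and translates a failed connect() into the most likely cause.
"""
import errno
import socket
import threading


def classify_connect_error(err_no):
    """Map the errno of a failed connect() to a likely cause.

    On FreeBSD (hence pfSense) connect() returns EPERM when the packet
    filter drops the outgoing packet; that is the "connect() failed:
    Operation not permitted" HAVP logs, and the fix is then in pf (rules or
    state/table limits), not in clamd. ECONNREFUSED means the port is
    reachable but nothing listens on it.
    """
    if err_no == errno.EPERM:
        return "blocked by packet filter (pf) rule or exhausted pf table/state limit"
    if err_no == errno.ECONNREFUSED:
        return "nothing listening on that port (clamd down or bound elsewhere)"
    if err_no in (errno.ETIMEDOUT, errno.EHOSTUNREACH, None):
        return "no answer: host unreachable or packets silently dropped"
    return "other error: %s" % errno.errorcode.get(err_no, str(err_no))


def ping_clamd(host="127.0.0.1", port=3310, timeout=3.0):
    """Return (ok, detail); ok is True only if clamd answers PONG."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"zPING\0")
            reply = b""
            # clamd terminates a "z" command reply with a NUL byte.
            while not reply.endswith(b"\0"):
                chunk = s.recv(64)
                if not chunk:
                    break
                reply += chunk
    except OSError as e:
        return False, classify_connect_error(e.errno)
    if reply.rstrip(b"\0") == b"PONG":
        return True, "clamd answered PONG"
    return False, "unexpected reply %r" % reply


class FakeClamd:
    """Minimal stand-in for clamd so the check can be exercised offline.

    Accepts one connection on an ephemeral loopback port and answers the
    zPING command only. Test scaffolding, not ClamAV code.
    """

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            data = conn.recv(64)
            conn.sendall(b"PONG\0" if data == b"zPING\0" else b"UNKNOWN COMMAND\0")
        self.sock.close()

    def wait_closed(self):
        """Block until the single connection was served and the port is closed."""
        self._thread.join(timeout=5)


if __name__ == "__main__":
    # Real check against the address from the thread's havp.config.
    print(ping_clamd("127.0.0.1", 3310))
```

Run it on the pfSense box itself (the HAVP config binds clamd to loopback, so it is not reachable from elsewhere). A `PONG` proves the clamd hop works and moves the search to HAVP or Squid; EPERM points at pf; ECONNREFUSED means clamd is not listening on the configured port, and the clamd log should be read next.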



  • Update your antivirus DB.



  • My AV DB is ClamAV 0.95.3/12720/Thu Feb 17 17:48:08 2011

    but when I try to update now I see in the log:
    Feb 17 22:33:43 freshclam[6857]: Current functionality level = 44, recommended = 58
    Feb 17 22:33:25 freshclam[7092]: getpatch: Can't download safebrowsing-27355.cdiff from db.at.clamav.net
    Feb 17 22:33:24 freshclam[7092]: Can't download safebrowsing.cvd from clamav.citrin.ru
    Feb 17 22:33:02 freshclam[6944]: Incremental update failed, trying to download safebrowsing.cvd
    Feb 17 22:33:02 freshclam[6944]: getpatch: Can't download safebrowsing-27355.cdiff from clamav.citrin.ru
    Feb 17 22:32:58 freshclam[6944]: Local version: 0.95.3 Recommended version: 0.97
    Feb 17 22:32:58 freshclam[6944]: Your ClamAV installation is OUTDATED!
    and so on.

    And the update status:
    Start Update 17.02.2011 22:33:10 Antivirus update started.
                 17.02.2011 22:33:10 Antivirus database already is updated.
                 17.02.2011 22:33:43 Antivirus update end.

    But, nevertheless, my DB is fresh:
    daily.cld 17.02.2011 2.93 M 12720 47541 ccordes
    main.cvd 14.11.2010 25.01 M 53 846214 sven
    safebrowsing.cld 17.02.2011 20.60 M 27355 415448 google



  • What if you run it from the console:

    > clamd --debug

    And then look in the log/syslog for error messages?



  • Some news:
    Feb 19 00:31:12 clamd[11486]: MaxThreads * MaxRecursion is too high: 25500, open file descriptor limit is: 11095
    Feb 19 00:29:40 freshclam[8625]: Invalid DNS reply. Falling back to HTTP mode.
    Feb 19 00:35:28 freshclam[7977]: Current functionality level = 44, recommended = 58

    I've deleted squid. Now HAVP works as transparent proxy.

    clamd --debug

    LibClamAV Warning: ***********************************************************
    LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
    LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
    LibClamAV Warning: ***********************************************************
    LibClamAV Warning: ***********************************************************
    LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
    LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
    LibClamAV Warning: ***********************************************************
    LibClamAV Warning: ***********************************************************
    LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
    LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
    LibClamAV Warning: ***********************************************************



  • @goliy:

    Some news:
    Feb 19 00:31:12 clamd[11486]: MaxThreads * MaxRecursion is too high: 25500, open file descriptor limit is: 11095

    Possibly change /usr/local/etc/clamd.conf:

    # daemon
    MaxThreads                10
    # scanner
    MaxDirectoryRecursion     100

    Then test again.



  • I'm sorry, but I am compelled to postpone the tests until I solve the main problem, packet loss (http://forum.pfsense.org/index.php/topic,33467.msg173515.html).
    Many thanks.



  • Do you speak Russian?
    My previous error was associated with the overflow of the table sizes. I fixed it.
    Now it works, but the logs show some suspicious messages, like this:
    Feb 24 10:36:19 havp[27558]: accept() failed: Software caused connection abort
    Feb 24 10:34:47 havp[27586]: accept() failed: Software caused connection abort
    Feb 24 10:34:43 havp[27803]: accept() failed: Software caused connection abort
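The thread produced four distinct kinds of log line: HAVP failing to reach clamd (content then passes or is blocked unscanned, depending on FAILSCANERROR), clamd refusing its thread/recursion settings against the file-descriptor limit, freshclam reporting an outdated engine or a failed signature download, and HAVP's accept() aborts. Watching the counts of those buckets is a simple way to notice when the scanner silently stops scanning. The script below is an added example for the thread, not code from HAVP, ClamAV or pfSense: it parses BSD-syslog style lines as they appear in the pfSense system log and buckets them with substring rules. `SAMPLE_LOG` is constructed for the example and mirrors the thread's lines with placeholder host names.

```python
"""Triage of HAVP / clamd / freshclam syslog lines.

Added example for this thread, not code from HAVP, ClamAV or pfSense.
Parses "Mon DD HH:MM:SS prog[pid]: message" lines and counts the failure
modes seen in the thread. SAMPLE_LOG is constructed (placeholder hosts).
"""
import re
from collections import Counter

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# (program, substring in message, bucket); the first matching rule wins.
# "Could not connect to scanner" precedes "SCANERROR" so that a scan error
# caused by an unreachable clamd lands in the scanner bucket, not a generic one.
RULES = [
    ("havp", "Could not connect to scanner", "scanner_unreachable"),
    ("havp", "connect() failed", "scanner_unreachable"),
    ("havp", "SCANERROR", "scan_error"),
    # ECONNABORTED from accept(): the client went away before HAVP accepted
    # the connection; noisy but normally harmless.
    ("havp", "accept() failed: Software caused connection abort", "accept_aborted"),
    ("clamd", "MaxThreads * MaxRecursion is too high", "fd_limit_misconfig"),
    ("freshclam", "OUTDATED", "engine_outdated"),
    ("freshclam", "functionality level", "engine_outdated"),
    ("freshclam", "Can't download", "db_update_failed"),
]

# Constructed sample mirroring the thread's lines; hosts are placeholders.
SAMPLE_LOG = """\
Feb 17 20:54:56 havp[36213]: connect() failed: Operation not permitted
Feb 17 20:54:54 havp[36455]: 127.0.0.1 GET 200 http://example.invalid/counter? 343+43 SCANERROR Clamd: Could not connect to scanner socket
Feb 17 20:54:54 havp[36457]: Clamd: Could not connect to scanner! Scanner down?
Feb 19 00:31:12 clamd[11486]: MaxThreads * MaxRecursion is too high: 25500, open file descriptor limit is: 11095
Feb 17 22:32:58 freshclam[6944]: Your ClamAV installation is OUTDATED!
Feb 17 22:33:24 freshclam[7092]: Can't download safebrowsing.cvd from mirror.example.invalid
Feb 24 10:36:19 havp[27558]: accept() failed: Software caused connection abort
not a syslog line
"""


def parse_syslog_line(line):
    """Return {'ts', 'prog', 'pid', 'msg'} or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"])
    return entry


def classify(entry):
    """Bucket one parsed entry; 'other' when no rule applies."""
    for prog, needle, bucket in RULES:
        if entry["prog"] == prog and needle in entry["msg"]:
            return bucket
    return "other"


def summarize(lines):
    """Count buckets over raw log lines; unparseable lines count as 'unparsed'."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        entry = parse_syslog_line(line)
        counts["unparsed" if entry is None else classify(entry)] += 1
    return counts


if __name__ == "__main__":
    for bucket, n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print("%-20s %d" % (bucket, n))
```

Feed it the real file with `summarize(open("/var/log/system.log"))` on the box, or pipe the HAVP log through it; a non-zero `scanner_unreachable` count is the one worth alerting on, since each such request either passed the proxy unscanned or was blocked for the user, whichever FAILSCANERROR selects.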

