Squid3 - New GUI with sync, normal and reverse proxy

moh10ly

Could you please post your configuration ? I would like to host my webserver through squid reverse proxy and it didn't work for me..

Truster

1st: You have to correct the typo as descripted in my post before…

I configured it like this:
reverse Proxy Interface: WAN
External FQDN webmail.domain.tld
Reset TCP connections if request is unauthorized: active
Enable HTTPS reverse proxy: Active
reverse HTTPS port: 443
reverse SSL certificate
Ignore internal Certificate validation: active (we use self signed certs)
OWA frontend IP address: IP Address four your Frontent OWA Server
Enable ActiveSync: yes
Enable Outlook Anywhere: yes
Enable Exchange WebServices: yes
Enable AutoDiscover:yes

and of course, you have to open that port in the firewall rules.

i'm using OWA/Exch2010...

hope, this helps.

Edit: if you correct the typo after enabling RPC-over-HTTPS you have to uncheck that box, save the configuration, recheck the box and save it again to apply the changes.

marcelloc

@Truster:

1st: You have to correct the typo as descripted in my post before…

Or just install latest package version (2.0.5_6)  ;)

quetzalcoatl

Thank you marcellok!!!

At last, since today, squid works again with both http and https caching everything.

I have been waiting for this fix for months!!!

Thanks again. May Quetzalcoatl bless you!

I wonder who is porting squid to freeBSD.

Now squid 3.3 beta is outwith several nice improvements and fixes since 3.2 and 3.1
Hopefully some kind guy will port it soon to freeBSD to make it available for pfSense as well.

mauricioniñoavella

Hi marcelloc,

I wonder if it works  squid3 with SquidGuard
or I can suggest that I can work with squid for Access Control List (ACL)

Thanks for your understanding.

Regards

Mauricio Niño

marcelloc

@mauricioniñoavella:

I wonder if it works  squid3 with SquidGuard

Yes, just reinstall squid3 after squidguard install

@mauricioniñoavella:

or I can suggest that I can work with squid for Access Control List (ACL)

On current package version, if acl fields available does not fit your need, you can create manual acls on custom_options

phil.davis

Notification/doco: The latest squid and squid3 have replaced the previous process called proxy_monitor with sqpmon.

[2.1-BETA1][admin@test.mydomain]/root(6): ls -l /usr/local/pkg/sqpmon.sh
-rwxr-xr-x  1 root  wheel  2906 Jan 21 15:28 /usr/local/pkg/sqpmon.sh
[2.1-BETA1][admin@test.mydomain]/root(7): ls -l /usr/local/etc/rc.d/sq*
-rwxr-xr-x  1 root  wheel  335 Jan 21 15:28 /usr/local/etc/rc.d/sqp_monitor.sh
-rwxr-xr-x  1 root  wheel  449 Jan 21 15:46 /usr/local/etc/rc.d/squid.sh
[2.1-BETA1][admin@test.mydomain]/root(8): ps ax | grep sqpmon
83263   0- I      0:00.26 /bin/sh /usr/local/pkg/sqpmon.sh

If you install the latest squid (2.7.9 pkg v.4.3.2) or squid3 (3.1.20 pkg 2.0.5_8), you will find an sqpmon process appears (squid process monitor) running /usr/local/pkg/sqpmon.sh. It does what proxy_monitor used to do - checks every minute or so to see if squid is still running. The sqp_monitor.sh script is called at startup and shutdown to start and stop it.
This helps out a guy in Ethiopia who was having trouble fetching files with "proxy" in the filename. It also fixes some potential problems with proxy_monitor - it was possible to have a scenario where proxy_monitor.sh would get called at shutdown and actually hang the shutdown, preventing a reboot from ever completing. Now sqpmon works the way that other package component startup/shutdown scripts are designed.
This all works on 2.0.n or 2.1-BETAn systems.

fragged

I want to not cache Steam downloads. Shouldn't this work in "Custom settings" on the General-tab:

acl steamtest url_regex -i ^http://.*/depot/.*/chunk/.*
cache deny steamtest

Squid is still caching Steam downloads (url http://81.171.70.221/depot/107202/chunk/52f888f7848537d725be13719ef9870f0b1da910). My regexp should match the url each time. The IP changes, but /depot/ and /chunk/ are always there.

What am I doing wrong? :F

Regards,
Joona

Tikimotel

Will we see an update of the squid3 package to the 3.2 branch?

Stable v3.2.7 released on the 1st of Feb.
http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html

Some bugs regarding ipv6 have been fixed in this latest version.
http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID_3_2_7.html

Still no freshports.org update though, that is still at v3.2.6

p.s. the package name is 3.1.20 and 3.1.22 is rolled out in PBI. (I'm running 2.1 beta)

marcelloc

I'm testing 3.2.6 and SSL filtering this weekend. :)

Tikimotel

I've checked just now, freshports.org has finished porting v3.2.7  ;)

marcelloc

@Tikimotel:

I've checked just now, freshports.org has finished porting v3.2.7  ;)

Compiling and testing

big changelog

Fri 2013-02-01 03:54:21 -0700 Amos Jeffries +23 -6 3.2.7
Thu 2013-01-31 21:58:59 -0700 Amos Jeffries +4 -0 Fix ipv6 enabled pinger.
Thu 2013-01-31 21:57:13 -0700 Amos Jeffries +11 -8 Bug #3687: unhandled exception: c when using interception and peers
Thu 2013-01-31 21:56:07 -0700 Alex Rousskov +2 -0 Bug #3111: Mid-term fix for the forward.cc "err" assertion.
Thu 2013-01-31 21:54:23 -0700 Sebastien Wenske +5 -0 Support OpenSSL NO_Compression option
Tue 2013-01-29 00:00:55 -0700 Amos Jeffries +2 -2 Fix WCCPv2 'comparison between signed and unsigned integer expressions'
Mon 2013-01-28 04:49:40 -0700 Amos Jeffries +1 -1 Bug #3567: Memory leak handling malformed requests
Mon 2013-01-28 04:48:06 -0700 Amos Jeffries +9 -0 Bug #3735: raw-IPv6 domain URLs crash if IPv6-disabled
Mon 2013-01-28 04:45:07 -0700 Amos Jeffries +2 -3 Bug #3732: Fix ConnOpener IPv6 awareness
Mon 2013-01-28 04:41:04 -0700 Amos Jeffries +6 -2 Initialize mem_node fully
Mon 2013-01-28 04:40:12 -0700 Tianyin Xu +6 -0 Bug #3736: Floating point exception due to divide by zero
Mon 2013-01-28 04:29:16 -0700 Alex Rousskov +5 -0 Fix "address.GetPort() != 0" assertion for helpers on FreeBSD (at least).
Mon 2013-01-28 04:25:34 -0700 Amos Jeffries +25 -18 WCCP: Fix memory leak in mask assignment, improve debuggsing.
Mon 2013-01-28 04:23:27 -0700 Amos Jeffries +32 -32 Polish quick_abort feature decision code
Mon 2013-01-28 04:22:25 -0700 Amos Jeffries +1 -0 Fix memory leak in IP address unit test
Mon 2013-01-28 02:59:18 -0700 Amos Jeffries +12 -2 Fix memory leaks in ICMP
Mon 2013-01-28 02:58:16 -0700 Tianyin Xu +1 -1 Bug #3729: 32-bit overflow in parsing 64-bit configuration values
Sun 2013-01-27 22:43:11 -0700 Tomas Hozza +36 -10 Fix various Disk I/O issues in all modules
Sun 2013-01-27 22:40:06 -0700 Francesco Chemolli +2 -2 Fix error in config parser which would mis-assign the sslcrlfile directive.
Sun 2013-01-27 22:39:19 -0700 Francesco Chemolli +54 -26 Plugged memory leaks in digest authentication module
Sun 2013-01-27 21:33:00 -0700 Tianyin Xu +4 -0 Bug #3728: Improve debug for cache_dir
Sun 2013-01-27 21:30:26 -0700 Tomas Hozza +3 -0 Make sure copied strings are properly terminated in snmplib and wccp2
Sun 2013-01-27 21:28:17 -0700 Tomas Hozza +32 -10 Fix various issues in snmplib
Sun 2013-01-27 21:27:32 -0700 Tomas Hozza +31 -11 Fix various issues in smblib
Fri 2013-01-25 02:59:54 -0700 Timo Teras +7 -2 Bug #3678: external acl grace period causes acl lookup failures

geijt

I've modified the squid-reverse package to support redirects.
This was something I missed after migrating from Microsoft TMG 2010 to pfsense.

You can redirect requests from mail.mydomain.com (protocol HTTP selected) to https://mail.mydomain.com
Or in case of Microsoft Exchange redirecting from mail.mydomain.com and webmail.mydomain.com (both protocols selected) to https://webmail.mydomain.com/owa is also supported.
You also can use it to support the Microsoft Exchange Autodiscover HTTP to HTTPS redirect function.

I think you can expect the updated package soon.

redflag237

@Truster:

1st: You have to correct the typo as descripted in my post before…

I configured it like this:
reverse Proxy Interface: WAN
External FQDN webmail.domain.tld
Reset TCP connections if request is unauthorized: active
Enable HTTPS reverse proxy: Active
reverse HTTPS port: 443
reverse SSL certificate
Ignore internal Certificate validation: active (we use self signed certs)
OWA frontend IP address: IP Address four your Frontent OWA Server
Enable ActiveSync: yes
Enable Outlook Anywhere: yes
Enable Exchange WebServices: yes
Enable AutoDiscover:yes

and of course, you have to open that port in the firewall rules.

i'm using OWA/Exch2010...

hope, this helps.

Edit: if you correct the typo after enabling RPC-over-HTTPS you have to uncheck that box, save the configuration, recheck the box and save it again to apply the changes.

I configured it like this:
reverse Proxy Interface: WAN
External FQDN secret.no-ip.org
Reset TCP connections if request is unauthorized: active
Enable HTTP reverse proxy: Active
reverse HTTP port: 8080

Web Servers:
Enable this peer: active
Peer Alias: mynas
Peer Ip: 10.178.1.61
Peer Port: 8080
Peer Protocol: HTTP

Mappings:
Enable this URI: enabled
Group Name: NAS-MyNAS
Peers: mynas (selected)
URIs: *

Result: TCP Connection is being reset.
–---

When disabling the 'Reset if unauthorised' button, i'm getting an access denied Message of Squid.

Can anyone help me, please?

geijt

Redflag237,

Did you tried entering some actual URIs instead of * on you mapping?

The URIs field expects a regex, just * isn't a valid regex.
If you really want to accept everything enter ^.*$ as URI, I didn't checked or squid accept this but it's a valid regex. ;-)

dneuhaeuser

I think I found a small bug leading to this message in system log:
"Not calling package sync code for dependency squidreverse of squid3 because some include files are missing."

This is my patch suggestion:

–- /usr/local/pkg/squid_reverse.xml    2013-02-17 16:15:30.000000000 +0100
+++ /usr/local/pkg/squid_reverse.xml    2013-02-17 16:15:49.000000000 +0100
@@ -50,3 +50,3 @@
       <title>Proxy server: Reverse Proxy</title>

• <include_file>squid.inc</include_file>

• <include_file>/usr/local/pkg/squid.inc</include_file>
          <tabs>–Dennis</tabs>

fragged

@fragged:

I want to not cache Steam downloads. Shouldn't this work in "Custom settings" on the General-tab:

acl steamtest url_regex -i ^http://.*/depot/.*/chunk/.*
cache deny steamtest

Squid is still caching Steam downloads (url http://81.171.70.221/depot/107202/chunk/52f888f7848537d725be13719ef9870f0b1da910). My regexp should match the url each time. The IP changes, but /depot/ and /chunk/ are always there.

What am I doing wrong? :F

Regards,
Joona

Can anyone help me with this? The custom settings pops up into /usr/pbi/squid-amd64/etc/squid/squid.conf, but content that falls under the url_regex is still being cached. My cache keeps getting filled by one time Steam downloads.

marcelloc

Fragged,  did you enabled cache dynamic content?
Can you check on squid conf for more cache options defined?

fragged

@marcelloc:

Fragged,  did you enabled cache dynamic content?
Can you check on squid conf for more cache options defined?

Dynamic content is off. Here's my full config.

[2.1-BETA1][admin@pfsense.localdomain]/root(10): cat /usr/pbi/squid-amd64/etc/squid/squid.conf
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.11.1:3128
http_port 127.0.0.1:3128 intercept
icp_port 7
dns_v4_first off
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-amd64/etc/squid/icons
visible_hostname localhost
cache_mgr fragged@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
sslcrtd_children 0
logfile_rotate 30
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.11.0/24
httpd_suppress_version_string on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 4096 MB
maximum_object_size_in_memory 524288 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap GDSF
cache_dir ufs /var/squid/cache 4096 8 256
minimum_object_size 0 KB
maximum_object_size 1024 KB
offline_mode offcache_swap_low 90
cache_swap_high 95

# No redirector configured

#Remote proxies

# Setup some default acls
acl allsrc src all
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535
acl sslports port 443 563
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS

http_access allow manager localhost

# Allow external cache managers
acl ext_manager src 127.0.0.1
acl ext_manager src 192.168.11.1
acl ext_manager src
http_access allow manager ext_manager

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings

# Custom options
acl steamtest url_regex -i http://.*/depot/.*/chunk/.*
cache deny steamtest

# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

jaredadams

I see you guys trying to disable the cache of steam downloads.  But what about for LAN parties that would absolutely LOVE to do this?  How well does it work?  When ONE person on the LAN downloads a game from steam will everyone else then get it from the squid cache?