Squid3 - New GUI with sync, normal and reverse proxy

mhab12 · Aug 6, 2014, 12:19 PM

I was getting the previously discussed msgget failed error and the squid service would not stay running. The issue only appeared about a week after installing lightsquid, probably when the files were set to update. I uninstalled lightsquid but that didn't seem to help. I cleared the squid cache but that didn't seem to help. The only fix I found was to reboot the box after removing lightsquid and now everything is up and running smoothly.

DavidMcQueenLPS · Oct 2, 2014, 8:20 PM

Recently we install the following:

pfSense 2.1.5 VM
Squid3dev 3.3.10 pkg 2.2.6
Diladele 3.3.0.E807

We are running in transparent mode with HTTPS bumping.

Lately we have been getting icap errors:

The message is coming from Squid:

ICAP protocol error.
The system returned: [No Error]

Is there anywhere I can look for more detail?

Also, while looking in the /var/squid/logs/cache.log I have been seeing many:

parse error while reading template file: /usr/pbi/squid-amd64/etc/squid/errors/templates/error-details.txt
WARNING: failed to find or read error text file error-details.txt

This file does exist:

-r–r--r-- 1 proxy proxy 7151 Nov 26 2013 error-details.txt

eldersouza · Oct 21, 2014, 3:22 PM

Hi guys,

I configured pfSync + CARP and both server are running ok. But Squid "Sync to configured system backup server" does not work. I'm getting this message in system logs

php: /pkg_edit.php: [squid] xmlrpc sync is enabled but there is no system backup hosts to push squid config.

But, if I change this configuration to "Sync to hosts defined below" and put IP address from backup server everything works fine.

This is a bug or I forgot some configuration?

Thanks

edanpedragosa · Oct 22, 2014, 9:25 AM

Hi!

With HTTPS/SSL interception enabled, some desktop apps like google drive does not work.

Any easy workaround for this?

Thanks!

dooldeniya · Oct 22, 2014, 9:34 PM

Hello,

I am attempting to install squid3 from the packages menu and getting the following error:
pfsense version: 2.2-BETA (amd64) built on Tue Oct 21 13:21:00 CDT 2014 FreeBSD 10.1-RC2

Installation of squid3 FAILED!

Beginning package installation for squid3 .
Downloading package configuration file… done.
Saving updated package information... done.
Downloading squid3 and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/10/All/squid-3.1.22_1-amd64.pbi ... could not download from there or https://files.pfsense.org/packages/10/All//squid-3.1.22_1-amd64.pbi.
of squid-3.1.22_1-amd64 failed!

Installation aborted.Removing package...
Starting package deletion for squid-3.1.22_1-amd64...done.
Removing squid3 components...
Tabs items... done.
Menu items... done.
Services... done.
Loading package instructions...
Include file squid.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
done.
Failed to install package.

Installation halted.

Is this not available on 2.2 as a pbi? Do I need to install manually via CLI?

edanpedragosa · Nov 10, 2014, 8:24 AM

Hi!

Is there a way to revert back to 3.3.10 pkg 2.2.6 from the current 3.3.10 pkg 2.2.8?

Thanks!

finalcut · Nov 10, 2014, 8:34 AM

why do you want to revert back ,, i'm about to update ?

edanpedragosa · Nov 10, 2014, 8:52 AM

It seems that after the update, the squid real-time monitoring does not work anymore.

Also, the tweak to allow large downloads in cache also stopped working.

With that note, I want to revert to see if the issue was with this update or not.

finalcut · Nov 10, 2014, 10:41 AM

clear old cash
or
from console squid -k rotate

stuntshell · Nov 10, 2014, 12:56 PM

Hi,
I set it to portuguese pt-br and I receive the following error messages on startup:

2014/11/10 08:39:29 kid1|  parse error while reading template file: /usr/pbi/squid-amd64/etc/squid/errors/pt-br/error-details.txt
2014/11/10 08:39:29 kid1| Unable to load default error language files. Reset to backups.
2014/11/10 08:39:29 kid1|  parse error while reading template file: /usr/pbi/squid-amd64/etc/squid/errors/templates/error-details.txt
2014/11/10 08:39:29 kid1| WARNING: failed to find or read error text file error-details.txt

Thanks,

edanpedragosa · Nov 11, 2014, 4:19 AM

I already cleared the cache many times, even uninstalled and reinstalled all the packages with the same effect.

I'm not pretty sure if rotating logs will make a difference, anyway, I'll try again later.

SARG can still display the realtime logs but squid realtime is not working.

I hope the next update will fix it.

edanpedragosa · Nov 11, 2014, 7:49 AM

It seems that squid does not cache anything at all.

I only get TCP_MISS/200 in the access log.

Here's my current squid config settings:


# This file is automatically generated by pfSense
# Do not edit manually !

http_port 177.7.0.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB cert=/usr/pbi/squid-amd64/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/share/certs/

http_port 172.16.0.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB cert=/usr/pbi/squid-amd64/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/share/certs/

http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB cert=/usr/pbi/squid-amd64/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/share/certs/

https_port 127.0.0.1:3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB cert=/usr/pbi/squid-amd64/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/share/certs/

icp_port 0
dns_v4_first on
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-amd64/etc/squid/icons
visible_hostname AIMSNet_Gateway
cache_mgr edan@aims.ac.th
access_log /var/squid/log/access.log
cache_log /var/squid/log/cache.log
cache_store_log none
netdb_filename /var/squid/log/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-amd64/libexec/squid/pinger
sslcrtd_program /usr/pbi/squid-amd64/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 32
sslproxy_capath /usr/pbi/squid-amd64/share/certs/

logfile_rotate 180
debug_options rotate=180
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  177.7.0.0/16 172.16.0.0/16
forwarded_for off
via off
httpd_suppress_version_string on
uri_whitespace encode

# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
refresh_pattern -i .flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private

# Let the clients favorite video site through with full caching
acl youtube dstdomain .youtube.com
cache allow youtube

# Windows Update refresh_pattern
range_offset_limit -1
refresh_pattern -i microsoft.com/.*.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims

# Symantec refresh_pattern
range_offset_limit -1
refresh_pattern liveupdate.symantecliveupdate.com/.*.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern symantecliveupdate.com/.*.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims

# Avast refresh_pattern
range_offset_limit -1
refresh_pattern avast.com/.*.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims

# Avira refresh_pattern
range_offset_limit -1
refresh_pattern personal.avira-update.com/.*.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims

cache_dir aufs /var/squid/cache 77777 256 256
cache_mem 15777 MB
maximum_object_size_in_memory 1024 KB
memory_replacement_policy heap LFUDA
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 1000000 KB
offline_mode on
cache_swap_low 90
cache_swap_high 95
cache allow all

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|?) 0  0%  0
refresh_pattern .    0  20%  4320

# No redirector configured

#Remote proxies

# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535 
acl sslports port 443 563  

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost

# Allow external cache managers
acl ext_manager src 172.16.0.1
acl ext_manager src 177.7.0.1
http_access allow manager ext_manager

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer. 
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 70
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings

# Package Integration
url_rewrite_program /usr/pbi/squidguard-squid3-amd64/bin/squidGuard -c /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 5

# Custom options before auth
always_direct allow all
ssl_bump server-first all

# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

What could be wrong with it? Note that it was working fine with squid3-dev 3.3.10 pkg 2.2.6

Packages installed:
Cron
pfBlocker
Sarg
squid3-dev
squidGuard-squid3
System Patches

My hardware/software config is:

Dell PowerEdge T110 II
Intel Xeon processor E3-1200 V2 product family
32GB Server RAM
256GB SSD Drive

Version 2.1.5-RELEASE (amd64)
built on Mon Aug 25 07:44:45 EDT 2014
FreeBSD 8.3-RELEASE-p16

Platform pfSense
CPU Type
Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz
4 CPUs: 1 package(s) x 4 core(s)

DNS server(s)
208.67.222.222
208.67.220.220

State table size
0% (1367/1777777)

MBUF Usage
4% (6292/177778)

Temperature 29.8°C

Load average
0.20, 0.14, 0.15

CPU usage
0%

Memory usage
7% of 32716 MB

SWAP usage
0% of 65536 MB

Disk usage
1% of 169G

finalcut · Nov 14, 2014, 9:28 AM

i made update it work flawless ,, thanks for update

sunghost · Nov 14, 2014, 10:40 AM

Hello,
first you make a very good job. Pfsense as well all package developer. I look since weeks for a solution to use an webproxy with antivirus and contentfilter. First i want to use dansguardian, but the last version is from 2012 - very old. than i wanted to use havp, but this version is from 2010! and it looks like the latest security fix is not included in pfsense havp package. I use always stable version for my production environment so squid whould a good choice, but the version of the package is from 2008-2010! and the squid3 beta is also old 2012!

After reading lots of post here in this forum and the most of this over 23 pages in this thread i am not alight with a positiv feeling of using it. The package Info link of squid3 in pfsense leads also to this thread which is a bad overview for information to this package. In my eyes this part must created new with infos over the package and not to a thread with errors and other parts of an information to a package. So in short why are the packages old and what whould be the choice of using a webproxy with antivirus and content filter/security?
thx and this is no offense to anybody just my impression.

finalcut · Nov 15, 2014, 12:20 AM

then push $$$$upport to programmer for those updates
i try to send him donation for his great job but my country is blocked

Tikimotel · Nov 15, 2014, 11:10 AM

@finalcut:

then push $$$$upport to programmer for those updates
i try to send him donation for his great job but my country is blocked

My country wasn't blocked, so I donated today!

finalcut · Nov 15, 2014, 7:52 PM

i am not kidding
also it happen with pfsense i try to buy two stickers (as simple first donation) and they send the money back to me

any way i try to encourage my company to get pfsense support , they can buy any thing from anywhere

sunghost · Nov 15, 2014, 9:29 PM

You are right, donation for the developer and the project is always good. Thats not the question. i think its not good to use package which are older than 1 or 2 or more years. or packages which seems not longer develop. you know? All things getting faster, the development the bad guys and also the features of some packages which we cant use, while our older than 1 year. i also think its not in any case good to use the latest version, but one which is older than 6 month?! not good if the features or fixes alot. i think a security solution must be up to date. But the product pfsense and the idea behind it is great. dont misunderstand me.

edanpedragosa · Nov 17, 2014, 6:14 AM

@finalcut:

i made update it work flawless ,, thanks for update

Are you on a 32-bit or 64-bit version?

Caching does not seem to work right now… I only get TCP_MISS....

Can you share us your configuration and settings for squid?

Thank you in advance!

finalcut · Nov 17, 2014, 6:44 AM

64-bit
do you have tcp_swapfail ?