Squid3 - New GUI with sync, normal and reverse proxy
-
change report language on squid gui, then save config.
-
transparent mode : which leaves nothing able to get DNS :'(
please uninstall and reinstall the package and see if dns problems are gone.
Cheers for the recompile, the DNS issues are fixed now. It's very odd and like I'm doing something wrong…
transparent proxy is working according to whatismyip.com, however it's still not caching anything. I have scanned the access.log and there is nothing with TCP_CACHE, the cache.log says this:
2012/04/20 16:27:24| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2012/04/20 16:27:24| Starting Authentication on port 127.0.0.1:3128
2012/04/20 16:27:24| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2012/04/20 16:27:24| Disabling IPv6 on port 127.0.0.1:3128 (interception enabled)
2012/04/20 16:27:24| WARNING: refresh_pattern maximum age too high. Cropped back to 1 year.
2012/04/20 16:27:24| WARNING: use of 'override-expire' in 'refresh_pattern' violates HTTP
2012/04/20 16:27:24| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2012/04/20 16:27:24| WARNING: use of 'ignore-no-cache' in 'refresh_pattern' violates HTTP
2012/04/20 16:27:24| WARNING: use of 'ignore-private' in 'refresh_pattern' violates HTTP
2012/04/20 16:27:24| Initializing https proxy context
2012/04/20 16:27:24| Store logging disabled
2012/04/20 16:27:24| User-Agent logging is disabled.
2012/04/20 16:27:24| Referer logging is disabled.
2012/04/20 16:27:24| DNS Socket created at [::], FD 13
2012/04/20 16:27:24| DNS Socket created at 0.0.0.0, FD 14
2012/04/20 16:27:24| Adding domain ********** from /etc/resolv.conf
2012/04/20 16:27:24| Adding nameserver 192.168.168.1 from /etc/resolv.conf
2012/04/20 16:27:24| Adding nameserver 208.67.222.222 from /etc/resolv.conf
2012/04/20 16:27:24| Adding nameserver 208.67.220.220 from /etc/resolv.conf
2012/04/20 16:27:24| helperOpenServers: Starting 0/0 'ssl_crtd' processes
2012/04/20 16:27:24| helperOpenServers: No 'ssl_crtd' processes needed.
2012/04/20 16:27:24| Accepting HTTP connections at 192.168.168.150:3128, FD 16.
2012/04/20 16:27:24| Accepting intercepted HTTP connections at 127.0.0.1:3128, FD 17.
2012/04/20 16:27:24| Accepting ICP messages at [::]:7, FD 21.
2012/04/20 16:27:24| HTCP Disabled.
2012/04/20 16:27:24| Loaded Icons.
2012/04/20 16:27:24| Ready to serve requests.
my squid.conf is :
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.168.150:3128
http_port 127.0.0.1:3128 intercept
icp_port 7
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/en
icon_directory /usr/local/etc/squid/icons
visible_hostname bernard.domain.org
cache_mgr bob@example.com
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
sslcrtd_children 0
logfile_rotate 1
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.168.0/24
forwarded_for off
uri_whitespace strip
# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
# Let the clients favorite video site through with full caching
acl youtube dstdomain .youtube.com
cache allow youtube
# Windows Update refresh_pattern
range_offset_limit -1
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
# Symantec refresh_pattern
range_offset_limit -1
refresh_pattern liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
# Avast refresh_pattern
range_offset_limit -1
refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims
# Avira refresh_pattern
range_offset_limit -1
refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims
cache_mem 1024 MB
maximum_object_size_in_memory 5000 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /var/squid/cache 429000 16 256
minimum_object_size 0 KB
maximum_object_size 5242880 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# No redirector configured
#Remote proxies
# Setup some default acls
acl allsrc src all
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 1025-65535
acl sslports port 443 563
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
quick_abort_min -1 KB
quick_abort_max 0 KB
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
deny_info TCP_RESET allsrc
# Package Integration
# Custom options
# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc
can anyone suggest something else to try? I have reinstalled again and restored from backup with the same results.
-
al_reidy,
I reverted the binaries, I'll rebuild my compile machine as squid3 is getting segmentation fault on dns module.
att,
Marcello Coutinho
-
Edit these parameters on GUI (Traffic Mngt) - scroll down the page:
quick_abort_min 102400 KB
quick_abort_max 102400 KB
quick_abort_pct 60
Further, try to search for "HIT" or "REFRESH" in access.log
-
thanks for the suggestions, still no joy.
this is a sample of the access log.:
1334943652.116 165 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/star.gif - DIRECT/69.64.6.7 -
1334943652.160 197 192.168.168.72 TCP_MISS/304 364 GET http://forum.pfsense.org/Themes/slickprographite/images/useron.gif - DIRECT/69.64.6.7 -
1334943652.185 95 192.168.168.72 TCP_MISS/200 527 GET http://googleads.g.doubleclick.net/pagead/adview? - DIRECT/173.194.41.122 text/html
1334943652.200 212 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/icons/profile_sm.gif - DIRECT/69.64.6.7 -
1334943652.209 112 192.168.168.72 TCP_MISS/304 302 GET http://pagead2.googlesyndication.com/pagead/js/r20120411/r20110914/abg.js - DIRECT/173.194.41.109 -
1334943652.244 176 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/email_sm.gif - DIRECT/69.64.6.7 -
1334943652.265 194 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/im_on.gif - DIRECT/69.64.6.7 -
1334943652.302 93 192.168.168.72 TCP_MISS/304 302 GET http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png - DIRECT/173.194.41.109 -
1334943652.319 106 192.168.168.72 TCP_MISS/304 302 GET http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png - DIRECT/173.194.41.109 -
1334943652.339 226 192.168.168.72 TCP_MISS/304 364 GET http://forum.pfsense.org/Themes/slickprographite/images/post/xx.gif - DIRECT/69.64.6.7 -
1334943652.464 203 192.168.168.72 TCP_MISS/200 1270 GET http://googleads.g.doubleclick.net/pagead/ads? - DIRECT/173.194.41.122 text/html
1334943652.480 215 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/buttons/quote.gif - DIRECT/69.64.6.7 -
1334943652.501 231 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/buttons/modify.gif - DIRECT/69.64.6.7 -
1334943652.512 317 192.168.168.72 TCP_MISS/200 1871 GET http://ad2.adfarm1.adition.com/js? - DIRECT/217.79.188.21 application/x-javascript
1334943652.519 224 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/buttons/delete.gif - DIRECT/69.64.6.7 -
1334943652.558 218 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Smileys/default/cry.gif - DIRECT/69.64.6.7 -
1334943652.588 218 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/icons/modify_inline.gif - DIRECT/69.64.6.7 -
1334943652.605 218 192.168.168.72 TCP_MISS/304 384 GET http://imagesrv.adition.com/js/adition.js - DIRECT/217.79.188.11 application/javascript
1334943652.621 174 192.168.168.72 TCP_MISS/304 364 GET http://forum.pfsense.org/Themes/slickprographite/images/ip.gif - DIRECT/69.64.6.7 -
1334943652.626 80 192.168.168.72 TCP_MISS/200 527 GET http://googleads.g.doubleclick.net/pagead/adview? - DIRECT/173.194.41.122 text/html
1334943652.745 192 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Smileys/default/grin.gif - DIRECT/69.64.6.7 -
1334943652.770 209 192.168.168.72 TCP_MISS/304 364 GET http://forum.pfsense.org/Themes/slickprographite/images/useroff.gif - DIRECT/69.64.6.7 -
1334943652.806 187 192.168.168.72 TCP_MISS/200 1882 GET http://ad2.adfarm1.adition.com/js? - DIRECT/217.79.188.21 application/x-javascript
1334943652.820 207 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/im_off.gif - DIRECT/69.64.6.7 -
1334943652.849 189 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/mirrortab_first.gif - DIRECT/69.64.6.7 -
1334943652.866 181 192.168.168.72 TCP_MISS/304 364 GET http://forum.pfsense.org/Themes/slickprographite/images/mirrortab_back.gif - DIRECT/69.64.6.7 -
1334943652.917 191 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/mirrortab_last.gif - DIRECT/69.64.6.7 -
1334943653.009 181 192.168.168.72 TCP_MISS/304 366 GET http://forum.pfsense.org/Themes/slickprographite/images/catbg.jpg - DIRECT/69.64.6.7 -
1334943653.014 180 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/quote_img.gif - DIRECT/69.64.6.7 -
1334943653.027 222 192.168.168.72 TCP_MISS/200 6781 GET http://ad2.adfarm1.adition.com/banner? - DIRECT/217.79.188.21 text/javascript
1334943653.070 188 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/code_img.gif - DIRECT/69.64.6.7 -
1334943653.096 170 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/maintab_first.gif - DIRECT/69.64.6.7 -
1334943653.115 185 192.168.168.72 TCP_MISS/304 364 GET http://forum.pfsense.org/Themes/slickprographite/images/maintab_back.gif - DIRECT/69.64.6.7 -
1334943653.178 196 192.168.168.72 TCP_MISS/304 365 GET http://forum.pfsense.org/Themes/slickprographite/images/maintab_last.gif - DIRECT/69.64.6.7 -
1334943653.300 199 192.168.168.72 TCP_MISS/304 366 GET http://forum.pfsense.org/Themes/slickprographite/images/titlebg.jpg - DIRECT/69.64.6.7 -
1334943653.309 213 192.168.168.72 TCP_MISS/200 6785 GET http://ad2.adfarm1.adition.com/banner? - DIRECT/217.79.188.21 text/javascript
-
Hi,
for me it is working. This is my access.log
First downloading a cached pfsense.iso file (100MB)
then went to forum.pfsense.org
Then did a browser refresh
1334945508.305 10479 192.168.0.112 TCP_HIT/200 102638928 GET http://pfsense.mirror.range-id.it/downloads/pfSense-2.0.1-RELEASE-i386.iso.gz - NONE/- application/x-gzip
1334945530.527 755 192.168.0.112 TCP_MISS/200 11348 GET http://forum.pfsense.org/index.php - DIRECT/69.64.6.7 text/html
1334945530.622 306 192.168.0.112 TCP_MISS/304 323 GET http://forum.pfsense.org/Themes/default/script.js? - DIRECT/69.64.6.7 -
1334945530.635 315 192.168.0.112 TCP_MISS/304 323 GET http://forum.pfsense.org/Themes/slickprographite/style.css? - DIRECT/69.64.6.7 -
1334945530.658 336 192.168.0.112 TCP_MISS/304 321 GET http://forum.pfsense.org/Themes/default/print.css? - DIRECT/69.64.6.7 -
1334945530.675 141 192.168.0.112 TCP_REFRESH_UNMODIFIED/304 256 GET http://pagead2.googlesyndication.com/pagead/show_ads.js - DIRECT/209.85.148.156 -
1334945531.054 167 192.168.0.112 TCP_MISS/200 499 GET http://www.google-analytics.com/__utm.gif? - DIRECT/173.194.67.139 image/gif
1334945531.323 52 192.168.0.112 TCP_REFRESH_UNMODIFIED/304 257 GET http://pagead2.googlesyndication.com/pagead/expansion_embed.js - DIRECT/209.85.148.156 -
1334945531.685 49 192.168.0.112 TCP_REFRESH_UNMODIFIED/304 256 GET http://pagead2.googlesyndication.com/pagead/osd.js - DIRECT/209.85.148.156 -
1334945531.938 324 192.168.0.112 TCP_MISS/200 2016 GET http://googleads.g.doubleclick.net/pagead/ads? - DIRECT/209.85.148.157 text/html
1334945532.028 289 192.168.0.112 TCP_MISS/200 2015 GET http://googleads.g.doubleclick.net/pagead/ads? - DIRECT/209.85.148.157 text/html
1334945532.060 110 192.168.0.112 TCP_MISS/200 484 GET http://googleads.g.doubleclick.net/pagead/adview? - DIRECT/209.85.148.157 text/html
1334945532.151 106 192.168.0.112 TCP_MISS/200 484 GET http://googleads.g.doubleclick.net/pagead/adview? - DIRECT/209.85.148.157 text/html
1334945532.820 678 192.168.0.112 TCP_MISS/200 4692 GET http://ad.turn.com/server/ads.js? - DIRECT/69.194.244.11 text/javascript
1334945532.933 706 192.168.0.112 TCP_MISS/200 4693 GET http://ad.turn.com/server/ads.js? - DIRECT/69.194.244.11 text/javascript
1334945533.293 173 192.168.0.112 TCP_MISS/200 2909 GET http://ads.heias.com/x/heias.TAG.v2.0/? - DIRECT/83.169.59.64 application/x-javascript
1334945533.317 185 192.168.0.112 TCP_MISS/200 2909 GET http://ads.heias.com/x/heias.TAG.v2.0/? - DIRECT/83.169.59.64 application/x-javascript
1334945533.826 303 192.168.0.112 TCP_MISS/200 4707 GET http://ads.heias.com/x/heias.TAG.v2.0/tag.php? - DIRECT/83.169.59.64 application/x-javascript
1334945533.832 417 192.168.0.112 TCP_MISS/200 4712 GET http://ads.heias.com/x/heias.TAG.v2.0/tag.php? - DIRECT/83.169.59.64 application/x-javascript
1334945534.118 193 192.168.0.112 TCP_MISS/200 1319 GET http://bs.serving-sys.com/BurstingPipe/adServer.bs? - DIRECT/80.252.91.41 image/gif
1334945535.162 191 192.168.0.112 TCP_MISS/302 752 GET http://ads.heias.com/x/heias_image.php? - DIRECT/83.169.59.64 application/x-shockwave-flash
1334945535.188 218 192.168.0.112 TCP_MISS/200 3641 GET http://cdn.turn.com/server/ddc.htm? - DIRECT/80.239.230.163 text/html
1334945535.192 223 192.168.0.112 TCP_MISS/200 1319 GET http://bs.serving-sys.com/BurstingPipe/adServer.bs? - DIRECT/80.252.91.41 image/gif
1334945535.195 225 192.168.0.112 TCP_MISS/302 752 GET http://ads.heias.com/x/heias_image.php? - DIRECT/83.169.59.64 application/x-shockwave-flash
1334945535.207 189 192.168.0.112 TCP_MISS/200 3641 GET http://cdn.turn.com/server/ddc.htm? - DIRECT/80.239.230.163 text/html
1334945535.313 147 192.168.0.112 TCP_MISS/304 206 GET http://ads.heias.com/images/tmp/11409/20282/heias_7_20282_160586.swf? - DIRECT/83.169.59.64 -
1334945535.775 89 192.168.0.112 TCP_MISS/304 206 GET http://ads.heias.com/x/heias.xml.template/ret_xml_1.0.12.swf - DIRECT/83.169.59.64 -
1334945535.946 102 192.168.0.112 TCP_MISS/200 812 GET http://ads.heias.com/x/heias.xml.template/? - DIRECT/83.169.59.64 text/xml
1334945535.959 107 192.168.0.112 TCP_MISS/200 812 GET http://ads.heias.com/x/heias.xml.template/? - DIRECT/83.169.59.64 text/xml
1334945541.188 60 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 5299 GET http://pagead2.googlesyndication.com/pagead/show_ads.js - DIRECT/209.85.148.156 text/javascript
1334945541.201 73 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 7347 GET http://www.google-analytics.com/urchin.js - DIRECT/173.194.67.139 text/javascript
1334945541.301 667 192.168.0.112 TCP_MISS/200 11348 GET http://forum.pfsense.org/index.php - DIRECT/69.64.6.7 text/html
1334945541.407 304 192.168.0.112 TCP_MISS/200 483 GET http://forum.pfsense.org/Themes/default/print.css? - DIRECT/69.64.6.7 text/css
1334945541.463 331 192.168.0.112 TCP_MISS/200 4149 GET http://forum.pfsense.org/Themes/default/fader.js - DIRECT/69.64.6.7 application/javascript
1334945541.679 608 192.168.0.112 TCP_MISS/200 13948 GET http://forum.pfsense.org/Themes/default/script.js? - DIRECT/69.64.6.7 application/javascript
1334945541.690 618 192.168.0.112 TCP_MISS/200 13280 GET http://forum.pfsense.org/Themes/slickprographite/style.css? - DIRECT/69.64.6.7 text/css
1334945542.031 169 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 1595 GET http://forum.pfsense.org/Themes/slickprographite/images/bg_body.gif - DIRECT/69.64.6.7 image/gif
1334945542.098 165 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 751 GET http://forum.pfsense.org/Themes/slickprographite/images/transparency.gif - DIRECT/69.64.6.7 image/gif
1334945542.134 182 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 1029 GET http://forum.pfsense.org/Themes/slickprographite/images/icons/folder_open.gif - DIRECT/69.64.6.7 image/gif
1334945542.142 169 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 1124 GET http://forum.pfsense.org/Themes/slickprographite/images/rss.gif - DIRECT/69.64.6.7 image/gif
1334945542.175 69 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 5299 GET http://pagead2.googlesyndication.com/pagead/show_ads.js - DIRECT/209.85.148.156 text/javascript
1334945542.176 70 192.168.0.112 TCP_MISS/200 499 GET http://www.google-analytics.com/__utm.gif? - DIRECT/173.194.67.139 image/gif
1334945542.219 165 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 763 GET http://forum.pfsense.org/Themes/slickprographite/images/filter.gif - DIRECT/69.64.6.7 image/gif
1334945542.309 200 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 489 GET http://forum.pfsense.org/Themes/slickprographite/images/coltitle_bg.gif - DIRECT/69.64.6.7 image/gif
1334945542.329 194 192.168.0.112 TCP_MISS/200 950 GET http://forum.pfsense.org/Themes/slickprographite/images/subforum_off.gif - DIRECT/69.64.6.7 image/gif
1334945542.347 205 192.168.0.112 TCP_MISS/200 1221 GET http://forum.pfsense.org/Themes/slickprographite/images/new_some.gif - DIRECT/69.64.6.7 image/gif
1334945542.390 169 192.168.0.112 TCP_MISS/200 1752 GET http://forum.pfsense.org/Themes/slickprographite/images/new_none.gif - DIRECT/69.64.6.7 image/gif
1334945542.480 370 192.168.0.112 TCP_MISS/200 942 GET http://forum.pfsense.org/Themes/slickprographite/images/cat_unread.gif - DIRECT/69.64.6.7 image/gif
1334945542.499 188 192.168.0.112 TCP_MISS/200 2594 GET http://forum.pfsense.org/Themes/slickprographite/images/icons/info.gif - DIRECT/69.64.6.7 image/gif
1334945542.516 404 192.168.0.112 TCP_MISS/200 2293 GET http://forum.pfsense.org/Themes/slickprographite/images/off.gif - DIRECT/69.64.6.7 image/gif
1334945542.520 409 192.168.0.112 TCP_MISS/200 1045 GET http://forum.pfsense.org/Themes/slickprographite/images/collapse.gif - DIRECT/69.64.6.7 image/gif
1334945542.543 431 192.168.0.112 TCP_MISS/200 2171 GET http://forum.pfsense.org/Themes/slickprographite/images/on.gif - DIRECT/69.64.6.7 image/gif
1334945542.553 222 192.168.0.112 TCP_MISS/200 2310 GET http://forum.pfsense.org/Themes/slickprographite/images/icons/online.gif - DIRECT/69.64.6.7 image/gif
1334945542.649 168 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 854 GET http://forum.pfsense.org/Themes/slickprographite/images/maintab_first.gif - DIRECT/69.64.6.7 image/gif
1334945542.667 166 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 664 GET http://forum.pfsense.org/Themes/slickprographite/images/maintab_back.gif - DIRECT/69.64.6.7 image/gif
1334945542.686 165 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 713 GET http://forum.pfsense.org/Themes/slickprographite/images/maintab_last.gif - DIRECT/69.64.6.7 image/gif
1334945542.918 526 192.168.0.112 TCP_MISS/200 21960 GET http://forum.pfsense.org/Themes/slickprographite/images/catbg2.jpg - DIRECT/69.64.6.7 image/jpeg
1334945543.057 709 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 21959 GET http://forum.pfsense.org/Themes/slickprographite/images/catbg.jpg - DIRECT/69.64.6.7 image/jpeg
1334945543.060 255 192.168.0.112 TCP_MISS/200 3621 GET http://googleads.g.doubleclick.net/pagead/ads? - DIRECT/209.85.148.157 text/html
1334945543.092 984 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 58783 GET http://forum.pfsense.org/Themes/slickprographite/images/logo.jpg - DIRECT/69.64.6.7 image/jpeg
1334945543.124 175 192.168.0.112 TCP_MISS/200 2827 GET http://googleads.g.doubleclick.net/pagead/ads? - DIRECT/209.85.148.157 text/html
1334945543.155 63 192.168.0.112 TCP_REFRESH_UNMODIFIED/304 257 GET http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png - DIRECT/209.85.148.156 -
1334945543.168 615 192.168.0.112 TCP_CLIENT_REFRESH_MISS/200 21941 GET http://forum.pfsense.org/Themes/slickprographite/images/titlebg.jpg - DIRECT/69.64.6.7 image/jpeg
1334945543.214 110 192.168.0.112 TCP_REFRESH_UNMODIFIED/304 257 GET http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png - DIRECT/209.85.148.156 -
1334945543.244 67 192.168.0.112 TCP_MISS/200 561 GET http://googleads.g.doubleclick.net/pagead/drt/s? - DIRECT/209.85.148.157 text/html
1334945543.395 165 192.168.0.112 TCP_MISS/200 24850 GET http://pagead2.googlesyndication.com/simgad/8603368683143355801 - DIRECT/209.85.148.156 image/png
1334945543.433 249 192.168.0.112 TCP_REFRESH_MODIFIED/200 56755 GET http://pagead2.googlesyndication.com/pagead/TemplateContainer.swf - DIRECT/209.85.148.156 application/x-shockwave-flash
1334945543.621 112 192.168.0.112 TCP_MISS/302 806 GET http://google.com/pagead/drt/ui - DIRECT/173.194.70.139 text/html
1334945543.675 46 192.168.0.112 TCP_MISS/302 806 GET http://google.com/pagead/drt/ui - DIRECT/173.194.70.139 text/html
1334945543.684 54 192.168.0.112 TCP_REFRESH_UNMODIFIED/304 257 GET http://pagead2.googlesyndication.com/pagead/gadgets/all_V15/all_V15_spec_728_90.swf - DIRECT/209.85.148.156 -
1334945543.691 59 192.168.0.112 TCP_REFRESH_UNMODIFIED/304 257 GET http://pagead2.googlesyndication.com/pagead/gadgets/all_V15/all_V15_spec_728_90.xml - DIRECT/209.85.148.156 -
1334945543.834 54 192.168.0.112 TCP_MISS/200 6914 GET http://pagead2.googlesyndication.com/pagead/imgad? - DIRECT/209.85.148.156 application/x-shockwave-flash
1334945547.398 311 192.168.0.112 TCP_MISS/200 54180 GET http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEY4YMFIICFBSoHbkIBAP__BzIW4UEBAP______________________Hw - DIRECT/173.194.67.139 application/vnd.google.safebrowsing-chunk
1334945549.094 158 192.168.0.112 TCP_REFRESH_MODIFIED/200 56758 GET http://pagead2.googlesyndication.com/pagead/TemplateContainer_latest.swf - DIRECT/209.85.148.156 application/x-shockwave-flash
^C
[2.0.1-RELEASE][admin@pfsense.localdomain]/var/log/squid(66):
squid.conf
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.0.22:3128
http_port 127.0.0.1:3128 intercept
icp_port 7
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/de-de
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
sslcrtd_children 0
logfile_rotate 2
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.0.0/24
httpd_suppress_version_string on
uri_whitespace strip
dns_nameservers 127.0.0.1
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 1000 16 256
minimum_object_size 0 KB
maximum_object_size 204800 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
# No redirector configured
#Remote proxies
# Setup some default acls
acl allsrc src all
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 1025-65535
acl sslports port 443 563
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
quick_abort_min -1 KB
quick_abort_max 0 KB
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
# Throttle extensions matched in the url
acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
delay_access 1 allow throttle_exts
delay_access 1 deny allsrc
# Reverse Proxy settings
# Package Integration
redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
redirector_bypass on
redirect_children 3
# Custom options
# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc
This is just a test installation.
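Added example, not part of any post in this thread: the advice above to search access.log for "HIT" or "REFRESH" can be turned into a tally of Squid result codes, which also separates a plain miss from a TCP_MISS/304 (the browser revalidating its own copy, leaving no body for Squid to store). The sample lines are constructed in the same native log format, and the category names are this example's own.

```python
"""Tally Squid native access.log result codes to see if the cache serves anything."""
from collections import Counter

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1334945508.305  10479 192.0.2.112 TCP_HIT/200 102638928 GET http://mirror.example.net/image.iso.gz - NONE/- application/x-gzip
1334945530.527    755 192.0.2.112 TCP_MISS/200 11348 GET http://forum.example.org/index.php - DIRECT/198.51.100.7 text/html
1334945530.622    306 192.0.2.112 TCP_MISS/304 323 GET http://forum.example.org/script.js? - DIRECT/198.51.100.7 -
1334945530.675    141 192.0.2.112 TCP_REFRESH_UNMODIFIED/304 256 GET http://ads.example.com/show_ads.js - DIRECT/203.0.113.156 -
1334945541.188     60 192.0.2.112 TCP_CLIENT_REFRESH_MISS/200 5299 GET http://ads.example.com/show_ads.js - DIRECT/203.0.113.156 text/javascript
1334945543.433    249 192.0.2.112 TCP_REFRESH_MODIFIED/200 56755 GET http://ads.example.com/container.swf - DIRECT/203.0.113.156 application/x-shockwave-flash
1334945543.999 truncated line
"""


def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    code, _, status = fields[3].partition("/")
    try:
        return {"code": code, "status": int(status), "bytes": int(fields[4]),
                "method": fields[5], "url": fields[6]}
    except ValueError:
        return None


def classify(code, status):
    """Map a Squid result code to one of this example's categories."""
    if "HIT" in code:
        return "hit"                 # reply body came from the cache
    if code == "TCP_REFRESH_UNMODIFIED":
        return "revalidated"         # stale copy confirmed by the origin and reused
    if code == "TCP_CLIENT_REFRESH_MISS":
        return "client-reload"       # client asked for a fresh copy (browser refresh)
    if code == "TCP_MISS" and status == 304:
        return "client-conditional"  # client revalidated its own copy through the proxy
    return "miss"


def summarize(text):
    """Count categories and compute the share of requests the cache answered."""
    counts = Counter()
    cache_bytes = total_bytes = skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1             # keep going on damaged or truncated lines
            continue
        kind = classify(entry["code"], entry["status"])
        counts[kind] += 1
        total_bytes += entry["bytes"]
        if kind in ("hit", "revalidated"):
            cache_bytes += entry["bytes"]
    total = sum(counts.values())
    served = counts["hit"] + counts["revalidated"]
    return {
        "counts": dict(counts),
        "requests": total,
        "skipped": skipped,
        "hit_ratio": served / total if total else 0.0,
        "cache_bytes": cache_bytes,   # bytes sent to clients on cache-answered requests
        "total_bytes": total_bytes,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for kind, n in sorted(report["counts"].items()):
        print(f"{kind:20s} {n}")
    print(f"request hit ratio    {report['hit_ratio']:.2%}")
```

A log made up only of "miss" and "client-conditional" entries, like the first sample posted above, gives a hit ratio of 0.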
-
version 2.0.5 is out with:
- new binaries again to fix transparent proxy
- new option to patch captive portal to work together with non transparent use
As I'm including new features to this package, the status is back to beta until improvements and tests are done.
att,
Marcello Coutinho
-
dude, legend it works now. I uninstalled the package then installed.
it didn't work right away though, I had to stop the package, altered the config to 32 directories to store the cache. Ran squid -z, then chmod -R 777 the cache directory then rebooted.
perhaps on a fresh install that won't be needed.
thanks for your time on this. :-D
-
Hello all,
I have tested Squid3 with LDAP (Windows Server 2008). I can use domain users to authenticate in the web browser, and it succeeds.
pfSense configuration detail
System > General setup > DNS Servers :
172.31.21.10 (Internal DNS, DHCP Windows Server 2008)
208.67.222.222 (OpenDNS)
208.67.220.220 (OpenDNS)
Services > DNS forwarders : Enable DNS forwarders is checked.
On Windows Server 2008
At DNS forwarder tab I forward to
172.31.21.1 pfSense
208.67.222.222 OpenDNS
208.67.220.220 OpenDNS
Also I have made a pfSense record name on the DNS server.
After domain users successfully log in with a web browser (Firefox, IE, Opera and Chrome), at the system log I got a DNS-rebind attack as detailed below.
Apr 22 13:13:31 dnsmasq[30943]: possible DNS-rebind attack detected: ForestDnsZones.xxxx.dsns
Apr 22 13:13:31 dnsmasq[30943]: possible DNS-rebind attack detected: ForestDnsZones.xxxx.dsns
Apr 22 13:13:31 dnsmasq[30943]: possible DNS-rebind attack detected: DomainDnsZones.xxxx.dsns
Apr 22 13:13:31 dnsmasq[30943]: possible DNS-rebind attack detected: DomainDnsZones.xxxx.dsns
Apr 22 13:13:31 dnsmasq[30943]: possible DNS-rebind attack detected: xxxx.dsns
Apr 22 13:13:31 dnsmasq[30943]: possible DNS-rebind attack detected: xxxx.dsns
I tried to find another solution by Google search and some pfSense forum but can not solve this problem. Also I tried to "disable DNS Rebinding Checks" or "Alternate Hostnames" or "Browser HTTP_REFERER enforcement" at System > Advanced and domain overrides, but when I do this I can not log in with domain users in the web browser. Finally I rebooted pfSense and it does not help.
Any suggestion!
-
Hello Marcelloc,
I just would like to inform you that Squid3 authentication with LDAP Windows Server 2008 does not work very well with OpenDNS. When I only use OpenDNS 208.67.222.222 and 208.67.220.220 at System > General Setup > DNS Servers, and I try to log in via web browser with a domain user name, the web browser still hangs on "loading" and takes too long before the web page comes up.
The way I solved this problem is :
1. Use DNS Server from ISP : 67.xx.xxx.xx and 203.xx.xxx.xx or use DNS Server from Google : 8.8.8.8 and 8.8.4.4
2. At System > General Setup > DNS Servers, I take off the IP address of the internal DNS Server Windows 2008 because it will cause "DNS-rebind attack detected" if I still use the internal DNS IP address.
So, at System > General Setup > DNS Servers, I only use DNS Server from my ISP (67.xx.xxx.xx and 203.xx.xxx.xx) or use Google DNS Server 8.8.8.8 and 8.8.4.4. That's it.
Now I can use domain users to authenticate login via web browser and I don't get any DNS-rebind attack detected anymore. Every user from the domain that I tested succeeds.
In the SARG report at "View Report and Realtime tab", I have succeeded in using a real user name from domain users (Windows Server 2008).
See screenshot.
Thank u very much Marcelloc
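Added example, not part of any post in this thread: a small model of the check behind dnsmasq's "possible DNS-rebind attack detected" message. It shows why answers for an internal Active Directory zone trip the check and how exempting only that zone (the effect of dnsmasq's rebind-domain-ok option) keeps the protection for every other name. The zone corp.example, the sample answers and the list of private ranges are assumptions of this example, not dnsmasq's code.

```python
"""Model of a DNS-rebind filter: drop upstream answers that point into private space."""
import ipaddress

# Ranges this model treats as private (an assumption of the example).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_private(addr):
    """True if addr is an IP literal inside one of PRIVATE_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an address record (for example a CNAME target)
    return any(ip in net for net in PRIVATE_NETS)


def domain_matches(name, domain):
    """True if name is domain or a subdomain of it, respecting label boundaries."""
    name = name.rstrip(".").lower()
    domain = domain.strip(".").lower()
    return name == domain or name.endswith("." + domain)


def check_answer(name, addresses, exempt_domains=()):
    """Return ("forward", []) or ("rebind-blocked", [offending addresses])."""
    if any(domain_matches(name, d) for d in exempt_domains):
        return "forward", []          # internal zone is allowed to hold private IPs
    private = [a for a in addresses if is_private(a)]
    if private:
        return "rebind-blocked", private
    return "forward", []


# Constructed answers as an upstream resolver might return them.
SAMPLE_ANSWERS = [
    ("ForestDnsZones.corp.example", ["172.31.21.10"]),   # AD zone, internal server
    ("www.example.org", ["93.184.216.34"]),              # public name, public address
    ("notcorp.example", ["192.168.1.10"]),               # look-alike of the exempt zone
    ("rebind.example.net", ["203.0.113.5", "10.0.0.1"]), # mixed public and private
]


def demo(exempt_domains=()):
    """Run every sample answer through the filter and collect the verdicts."""
    return [(name, check_answer(name, addrs, exempt_domains)[0])
            for name, addrs in SAMPLE_ANSWERS]


if __name__ == "__main__":
    print("no exemption:")
    for name, verdict in demo():
        print(f"  {name:30s} {verdict}")
    print("corp.example exempt:")
    for name, verdict in demo(("corp.example",)):
        print(f"  {name:30s} {verdict}")
```

With the exemption in place only the internal zone is forwarded; the look-alike name and the mixed answer are still blocked, which disabling the rebinding check globally would not preserve.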
-
Hello Marcello,
When I reboot pfSense. At the console I saw some warning: Invalid argument supplied for foreach() in /usr/local/pkg/squid.inc on line 946.
This is the squid.inc code, and this is line 946:
foreach ($config['installedpackages']['squidremote']['config'] as $settings)
function squid_resync_upstream() {
    global $config;
    $conf = "\n#Remote proxies\n";
    foreach ($config['installedpackages']['squidremote']['config'] as $settings){
        if ($settings['enable'] == 'on') {
            $conf .= "cache_peer {$settings['proxyaddr']} {$settings['hierarchy']} {$settings['proxyport']} ";
            if ($settings['icpport'] == '7')
                $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} ";
            else
                $conf .= "{$settings['icpport']} ";
            #auth settings
            if (!empty($settings['username']) && !empty($settings['password'])){
                $conf .= " login={$settings['username']}:{$settings['password']}";
            }
            else{
                $conf .= "{$settings['authoption']} ";
            }
            #other options settings
            if (!empty($settings['weight']))
                $conf .= "weight={$settings['weight']} ";
            if (!empty($settings['basetime']))
                $conf .= "basetime={$settings['basetime']} ";
            if (!empty($settings['ttl']))
                $conf .= "ttl={$settings['ttl']} ";
            if (!empty($settings['nodelay']))
                $conf .= "no-delay";
        }
        $conf .= "\n";
    }
    return $conf;
}
-
Donny,
I've pushed a fix for this array right now, wait 15 minutes, reinstall the package, and check if it stops the bootup error.
-
Hello Marcelloc,
After reinstalling Squid3 and rebooting the system, the bootup error problem is solved.
Thank u
-
I am getting the following error after installing squid 3. I've looked at the folder and there is no mime.conf file.
I had squid 2 + squidguard. I installed squid 3, then uninstalled squid 2 and this started happening (had originally thought 3 would overwrite 2, but both were shown in the packages). I've even tried installing 3 again, but the same error happens. I would have stayed with 2, but I've always had trouble with ncix.com and some youtube videos (preview window plays video and then it runs another preview in the preview)
Apr 24 22:00:06 squid: MIME Config Table /usr/local/etc/squid/mime.conf: (2) No such file or directory
Apr 24 21:59:32 php: : SQUID is installed but not started. Not installing "filter" rules.
Apr 24 21:59:32 php: : SQUID is installed but not started. Not installing "pfearly" rules.
Apr 24 21:59:32 php: : SQUID is installed but not started. Not installing "nat" rules.
Apr 24 21:59:26 check_reload_status: Reloading filter
Apr 24 21:59:18 php: : SQUID is installed but not started. Not installing "filter" rules.
Apr 24 21:59:17 php: : SQUID is installed but not started. Not installing "pfearly" rules.
Apr 24 21:59:17 php: : SQUID is installed but not started. Not installing "nat" rules.
Apr 24 21:59:16 php: /pkg_edit.php: The command '/usr/local/sbin/squid' returned exit code '1', the output was '2012/04/24 21:59:16| ERROR: MIME Config Table /usr/local/etc/squid/mime.conf: (2) No such file or directory FATAL: MIME Config Table /usr/local/etc/squid/mime.conf: (2) No such file or directory Squid Cache (Version 3.1.19): Terminated abnormally. CPU Usage: 0.007 seconds = 0.007 user + 0.000 sys Maximum Resident Size: 5744 KB Page faults with physical i/o: 0'
Apr 24 21:59:16 squid: MIME Config Table /usr/local/etc/squid/mime.conf: (2) No such file or directory
So I manually created a blank mime.conf file. That error went away and then I in turn got a missing "icons" folder in the same location. I created that, and now squid works, but squidguard fails to work.
squid[58395]: Squid Parent: child process 58727 exited due to signal 6 with status 0
Closer, but not quite working at this stage for me…
hints anyone?
-
Update:
Saved all screens in squid and squidguard for luck, and now it's up. I was scared to reinstall squidguard as I had read that squidguard would reinstall squid 2 again.
So finally squid 3 + squidguard working good. ncix.com even works! Now to just watch some youtube videos and see if the problem comes up again.
installer still does need a fix for the missing file and missing folder.
Also getting error 22 invalid argument if I try to edit the message above this.
-
When you are able to make PBIs for installing Squid3 on 2.1-DEVELOPMENT I am happy to test it. No rush - I see that you already have plenty of work just now!
-
On 2.1, install package gui and then go to console to pkg_add -r binaries until I find time to build and test pbi
-
Hi,
I looked at throttle_exts.acl generated with "Throttle multimedia files" option checked. IMHO it lacks extensions: wma, wav, mka, mkv, ogg, oga, ogm, ogv, rmvb.
Best regards
IGIdeus
-
Hi,
At "Proxy server: Traffic management" we can manage a single delay pool with the options: Per-host throttling / Overall bandwidth throttling / Maximum upload size.
I need to manage many groups of delay pools and set them to different networks/IPs. This is very useful, are you going to implement this?
Thanks in advance.
-
No plans for this feature yet. But if you need it, you can post a bounty or make a donation for that ;)
Do you have any config sample for this?