Netgate Discussion Forum

    Squid3 - New GUI with sync, normal and reverse proxy

    Category: Cache/Proxy | 428 Posts, 104 Posters, 473.8k Views
    • DonnyD
      Donny
      last edited by

      Hello all,

      I have tested Squid3 with LDAP (Windows Server 2008). I can use domain users to authenticate the login in a web browser, and it succeeds.

      pfSense configuration detail

      System > General setup > DNS Servers :
      172.31.21.10       (Internal DNS, DHCP, Windows Server 2008)
      208.67.222.222    (OpenDNS)
      208.67.220.220    (OpenDNS)

      Services > DNS forwarder: Enable DNS forwarder is checked.

      On Windows Server 2008

      At DNS forwarder tab I forward to
      172.31.21.1        pfSense
      208.67.222.222   OpenDNS
      208.67.220.220   OpenDNS
      Also I have made a pfsense record name on the DNS server.

      After domain users successfully log in with a web browser (Firefox, IE, Opera and Chrome), in the system log I get "DNS-rebind attack" warnings as detailed below.

      Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: ForestDnsZones.xxxx.dsns
      Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: ForestDnsZones.xxxx.dsns
      Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: DomainDnsZones.xxxx.dsns
      Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: DomainDnsZones.xxxx.dsns
      Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: xxxx.dsns
      Apr 22 13:13:31 	dnsmasq[30943]: possible DNS-rebind attack detected: xxxx.dsns
      

      I tried to find another solution by Google search and on some pfSense forum posts but could not solve this problem. I also tried "Disable DNS Rebinding Checks", "Alternate Hostnames" and
      "Browser HTTP_REFERER enforcement" at System > Advanced, and domain overrides, but when I do this I cannot log in with domain users in the web browser. Finally I rebooted pfSense, and it does not help.

      Any suggestions?

      • DonnyD
        Donny
        last edited by

        Hello Marcelloc,

        I just would like to inform you that Squid3 authentication with LDAP on Windows Server 2008 does not work very well with OpenDNS. When I only use OpenDNS 208.67.222.222 and 208.67.220.220 at System > General Setup > DNS Servers, and I try to log in via web browser with a domain user name, the web browser still hangs on "loading" and takes too long before the web page comes up.

        The way I solved this problem is:

        1. Use the DNS servers from the ISP (67.xx.xxx.xx and 203.xx.xxx.xx) or use the DNS servers from Google (8.8.8.8 and 8.8.4.4).
        2. At System > General Setup > DNS Servers, I remove the IP address of the internal Windows 2008 DNS server, because it causes "DNS-rebind attack detected" if I still use the internal DNS IP address.

        So, at System > General Setup > DNS Servers, I only use the DNS servers from my ISP (67.xx.xxx.xx and 203.xx.xxx.xx) or the Google DNS servers 8.8.8.8 and 8.8.4.4. That's it.
        Now I can use domain users to authenticate the login via web browser, and I don't get "DNS-rebind attack detected" anymore. Every user from the domain that I tested succeeds.

        In the SARG report ("View Report" and "Realtime" tabs), I have succeeded in using the real user names of the domain users (Windows Server 2008).

        See screenshot.

        Thank u very much Marcelloc


        • DonnyD
          Donny
          last edited by

          Hello Marcello,

          When I reboot pfSense, at the console I see a warning: Invalid argument supplied for foreach() in /usr/local/pkg/squid.inc on line 946.
          This is the squid.inc code; line 946 is: foreach ($config['installedpackages']['squidremote']['config'] as $settings)

          function squid_resync_upstream() {
              global $config;
              $conf = "\n#Remote proxies\n";
              # line 946: the warning is raised here when no remote proxy is configured
              foreach ($config['installedpackages']['squidremote']['config'] as $settings) {
                  if ($settings['enable'] == 'on') {
                      $conf .= "cache_peer {$settings['proxyaddr']} {$settings['hierarchy']} {$settings['proxyport']} ";
                      if ($settings['icpport'] == '7')
                          $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} ";
                      else
                          $conf .= "{$settings['icpport']} ";
                      #auth settings
                      if (!empty($settings['username']) && !empty($settings['password'])) {
                          $conf .= " login={$settings['username']}:{$settings['password']}";
                      } else {
                          $conf .= "{$settings['authoption']} ";
                      }
                      #other options settings
                      if (!empty($settings['weight']))
                          $conf .= "weight={$settings['weight']} ";
                      if (!empty($settings['basetime']))
                          $conf .= "basetime={$settings['basetime']} ";
                      if (!empty($settings['ttl']))
                          $conf .= "ttl={$settings['ttl']} ";
                      if (!empty($settings['nodelay']))
                          $conf .= "no-delay";
                  }
                  $conf .= "\n";
              }
              return $conf;
          }

          • marcellocM
            marcelloc
            last edited by

            Donny,

            I've pushed a fix for these arrays just now; wait 15 minutes, reinstall the package, and check whether it stops the bootup error.

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            • DonnyD
              Donny
              last edited by

              @marcelloc:

              Donny,

              I've pushed a fix for these arrays just now; wait 15 minutes, reinstall the package, and check whether it stops the bootup error.

              Hello Marcelloc,

              After reinstalling Squid3 and rebooting the system, the bootup error problem is solved.

              Thank u

              • T
                tester_02
                last edited by

                I am getting the following error after installing squid 3.  I've looked at the folder and there is no mime.conf file.

                I had squid 2 + squidguard.  I installed squid 3, then uninstalled squid 2 and this started happening (had originally thought 3 would overwrite 2, but both were shown in the packages).    I've even tried installing 3 again, but the same error happens.  I would have stayed with 2, but I've always had trouble with ncix.com and some youtube videos (preview window plays video and then it runs another preview in the preview)

                Apr 24 22:00:06 squid: MIME Config Table /usr/local/etc/squid/mime.conf: (2) No such file or directory
                Apr 24 21:59:32 php: : SQUID is installed but not started. Not installing "filter" rules.
                Apr 24 21:59:32 php: : SQUID is installed but not started. Not installing "pfearly" rules.
                Apr 24 21:59:32 php: : SQUID is installed but not started. Not installing "nat" rules.
                Apr 24 21:59:26 check_reload_status: Reloading filter
                Apr 24 21:59:18 php: : SQUID is installed but not started. Not installing "filter" rules.
                Apr 24 21:59:17 php: : SQUID is installed but not started. Not installing "pfearly" rules.
                Apr 24 21:59:17 php: : SQUID is installed but not started. Not installing "nat" rules.
                Apr 24 21:59:16 php: /pkg_edit.php: The command '/usr/local/sbin/squid' returned exit code '1', the output was '2012/04/24 21:59:16| ERROR: MIME Config Table /usr/local/etc/squid/mime.conf: (2) No such file or directory FATAL: MIME Config Table /usr/local/etc/squid/mime.conf: (2) No such file or directory Squid Cache (Version 3.1.19): Terminated abnormally. CPU Usage: 0.007 seconds = 0.007 user + 0.000 sys Maximum Resident Size: 5744 KB Page faults with physical i/o: 0'
                Apr 24 21:59:16 squid: MIME Config Table /usr/local/etc/squid/mime.conf: (2) No such file or directory

                So I manually created a blank mime.conf file. That error went away, and then in turn I got a missing "icons" folder in the same location. I created that, and now squid works, but squidguard fails to work.

                squid[58395]: Squid Parent: child process 58727 exited due to signal 6 with status 0

                Closer, but not quite working at this stage for me…
                hints anyone?

                • T
                  tester_02
                  last edited by

                  Update:
                  Saved all screens in squid and squidguard for luck, and now it's up.  I was scared to reinstall squidguard as I had read that squidguard would reinstall squid 2 again.

                  So finally squid 3 + squidguard are working well. ncix.com even works! Now to just watch some youtube videos and see if the problem comes up again.

                  The installer still needs a fix for the missing file and missing folder.

                  Also getting error 22 invalid argument if I try to edit the message above this.

                  • P
                    phil.davis
                    last edited by

                    When you are able to make PBIs for installing Squid3 on 2.1-DEVELOPMENT I am happy to test it. No rush - I see that you already have plenty of work just now!

                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                    • marcellocM
                      marcelloc
                      last edited by

                      @phil.davis:

                      When you are able to make PBIs for installing Squid3 on 2.1-DEVELOPMENT I am happy to test it. No rush - I see that you already have plenty of work just now!

                      On 2.1, install the package GUI and then go to the console to pkg_add -r the binaries, until I find time to build and test the PBI.

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      • I
                        IGIdeus
                        last edited by

                        Hi,

                        I looked at the throttle_exts.acl generated with the "Throttle multimedia files" option checked. IMHO it lacks these extensions: wma, wav, mka, mkv, ogg, oga, ogm, ogv, rmvb.

                        Best regards
                        IGIdeus

                        • P
                          pizetta
                          last edited by

                          Hi,
                          At "Proxy server: Traffic management" we can manage a single delay pool with the options: Per-host throttling / Overall bandwidth throttling / Maximum upload size.
                          I need to manage many groups of delay pools and set to different networks/Ips. This is very usefull, are you going to implement this?

                          Thanks in advance.

                          • marcellocM
                            marcelloc
                            last edited by

                            @pizetta:

                            I need to manage many groups of delay pools and assign them to different networks/IPs. This is very useful; are you going to implement this?

                            No plans for this feature yet. But if you need it, you can post a bounty or make a donation for that ;)

                            Do you have any config sample for this?

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            • P
                              pizetta
                              last edited by

                              Something like this…

                              delay_pools 3                                 ###### 3 delay pools
                              delay_class 1 2
                              delay_parameters 1 -1/-1 12800/12800
                              delay_access 1 allow client_100k              ###### limited clients 100kbps

                              delay_class 2 2
                              delay_parameters 2 -1/-1 25600/25600
                              delay_access 2 allow clientes_200k            ###### limited clients 200kbps

                              delay_class 3 2
                              delay_parameters 3 -1/-1 38400/38400
                              delay_access 3 allow clientes_300k            ###### limited clients 300kbps

                              I wish to manage as many pools as I can, grouping users to limit the use of internet. I'll take a look at bounties.
                              Best regards!

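Added example, not code from the pfSense squid3 package: a squid.inc-style resync function that emits one delay pool per configured group, the multi-pool layout sketched in the post above, and that guards the config array before foreach(), the cause of the line 946 warning reported earlier in the thread. The config key squiddelaypools and its fields (enable, name, networks, kbps) are hypothetical.

```php
<?php
// Added example (not from the pfSense squid3 package). Emits one squid delay pool
// per configured group; config key 'squiddelaypools' and its fields are hypothetical.
function squid_resync_delay_pools($config) {
    $section = isset($config['installedpackages']['squiddelaypools']['config'])
             ? $config['installedpackages']['squiddelaypools']['config'] : null;
    // Guard before foreach(): an unconfigured section is NULL in $config, which is
    // what raised "Invalid argument supplied for foreach()" at squid.inc line 946.
    if (!is_array($section)) {
        return "\n# No delay pools configured\n";
    }
    $pools = array();
    foreach ($section as $settings) {
        if (!isset($settings['enable']) || $settings['enable'] != 'on') {
            continue;
        }
        // Accept only a plain ACL name and valid IPv4/CIDR entries, so a stray
        // newline or keyword typed into a GUI field cannot become a squid.conf directive.
        if (!preg_match('/^[A-Za-z0-9_]+$/', $settings['name'])) {
            continue;
        }
        $nets = array();
        foreach (preg_split('/[\s,]+/', trim($settings['networks'])) as $net) {
            $parts = explode('/', $net);
            $ip_ok = filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
            $len_ok = count($parts) == 1 ||
                      (count($parts) == 2 && ctype_digit($parts[1]) && $parts[1] <= 32);
            if ($ip_ok && $len_ok) {
                $nets[] = $net;
            }
        }
        $kbps = intval($settings['kbps']);
        if (empty($nets) || $kbps <= 0) {
            continue;
        }
        $pools[] = array('name' => $settings['name'], 'nets' => $nets, 'kbps' => $kbps);
    }
    $conf = "\n# Delay pools\n";
    $conf .= "delay_pools " . count($pools) . "\n";   // must precede delay_class lines
    $i = 1;
    foreach ($pools as $p) {
        // delay_parameters are bytes/sec: 100 kbps -> 12800, as in the sample above
        $bytes = intval($p['kbps'] * 1024 / 8);
        $conf .= "acl {$p['name']} src " . implode(' ', $p['nets']) . "\n";
        $conf .= "delay_class {$i} 2\n";
        $conf .= "delay_parameters {$i} -1/-1 {$bytes}/{$bytes}\n";
        $conf .= "delay_access {$i} allow {$p['name']}\n";
        $conf .= "delay_access {$i} deny all\n";
        $i++;
    }
    return $conf;
}
// Constructed sample config mirroring the three groups from the post above.
$config = array('installedpackages' => array('squiddelaypools' => array('config' => array(
    array('enable' => 'on', 'name' => 'client_100k',   'networks' => '192.168.10.0/24',           'kbps' => '100'),
    array('enable' => 'on', 'name' => 'clientes_200k', 'networks' => '192.168.20.0/24, 10.0.0.5', 'kbps' => '200'),
    array('enable' => 'on', 'name' => 'clientes_300k', 'networks' => '192.168.30.0/24',           'kbps' => '300'),
))));
echo squid_resync_delay_pools($config);
```

Running it prints the delay_pools/delay_class/delay_parameters/delay_access block for the three groups, with the src ACLs that the sample config above left implicit.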
                              • Y
                                yosu
                                last edited by

                                Hi,

                                I am using package squid3 version 3.1.19 pkg 2.0.5_2.

                                In /usr/local/pkg/squid.inc I think this line:

                                http_access deny CONNECT !sslports

                                should be:

                                http_access deny connect !sslports

                                Also, in the reverse proxy web GUI I need to set port 443 in order for HTTPS to work. If I leave the reverse HTTPS port blank, it doesn't open port 443.

                                Also, the HTTPS reverse proxy always redirects to the reverse HTTPS default site, no matter what mappings you use.

                                HTTP reverse proxy works fine.

                                Best regards.

                                • N
                                  nutt318
                                  last edited by

                                  When using the Reverse Proxy, in theory will it redirect the traffic based upon the URL?

                                  I've got 2 internal webservers with one public IP; should I be able to route the traffic based upon server1.mydomain.com to 192.168.1.50 and, say, server2.mydomain.com to 192.168.1.51?

                                  It seems I've configured the reverse proxy properly and added a rule to allow http traffic to each private address, but I'm not having any luck.

                                  Anyone have any ideas or detailed instructions?

                                  • marcellocM
                                    marcelloc
                                    last edited by

                                    @nutt318:

                                    When using the Reverse Proxy, in theory will it redirect the traffic based upon the URL?

                                    I've got 2 internal webservers with one public IP; should I be able to route the traffic based upon server1.mydomain.com to 192.168.1.50 and, say, server2.mydomain.com to 192.168.1.51?

                                    yes,

                                    @nutt318:

                                    It seems I've configured the reverse proxy properly and added a rule to allow http traffic to each private address, but I'm not having any luck.

                                    What do you get in the squid access log?

                                    Treinamentos de Elite: http://sys-squad.com

                                    Help a community developer! ;D

                                    • N
                                      nutt318
                                      last edited by

                                      Here is what I see in the access.log file in /var/squid/logs - I only see internal traffic. Shouldn't I see attempts from public IPs that are trying to access the web servers?

                                      1338991913.168 179241 MY.DESKTOP.I.P TCP_MISS/504 1290 GET http://domain1.mydomain.com/ - DIRECT/MY.PUBLIC.I.P text/html

                                      I'll try and add some screenshots of my setup

                                      EDIT: added screenshots

                                      • marcellocM
                                        marcelloc
                                        last edited by

                                        The setup looks fine, I'll try to simulate it.

                                        Treinamentos de Elite: http://sys-squad.com

                                        Help a community developer! ;D

                                        • Y
                                          yosu
                                          last edited by

                                          @nutt318:

                                          Make the URI textbox blank in order to get:

                                          acl test1 url_regex -i http://test1.mydomain.com.*$

                                          Now you get:

                                          acl test1 url_regex -i test1.mydomain.com/http://test1.mydomain.com.*$

                                          You can look at /usr/local/etc/squid/squid.conf in an SSH shell.

                                          Best regards.

                                          • N
                                            nutt318
                                            last edited by

                                            That made it work from internal on the LAN, but I still can't get to it from the outside.

                                            Any other ideas?

                                            Thanks!
