Squid Blocking Web Access

marcelloc · May 13, 2012, 2:19 PM

qwaven,

If you have a backup file before squid install, just restore it to remove squid conf.

If you do not have, you can try to backup the config, edit file to remove squid options and the restore.

Do this carefully so as not to spoil your pfsense.

qwaven · May 14, 2012, 3:45 PM

Hi Marcelloc,

Thanks for your help.

I've since reinstalled the firewall system. Unfortunately I appear to be having the exact same issue. I believe there is some issue with the Squid package or a setting I'm missing within Snort or Squid.

Steps I took:

-Install PF Sense and verify normal network activity works
-Install SNORT; setup; and tested loading websites works fine. Service is loaded without issue.
-Installed Squid3; setup; started. Turn on transparent mode and the error appears!
If I turn off transparent and direct my browser to the firewall ip port 3128 I can surf the internet through the proxy.

-I even tried keeping Squid transparent mode off, and manually adding a firewall rule to redirect port 80 to Squid (same as transparent mode) and I get the SAME error.


ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: /

The following error was encountered:

    Invalid URL 

Some aspect of the requested URL is incorrect. Possible problems:

    Missing or incorrect access protocol (should be `http://'' or similar)
    Missing hostname
    Illegal double-escape in the URL-Path
    Illegal character in hostname; underscores are not allowed 

Your cache administrator is admin@admin.com.

Any thoughts? No other setup has been done with PF Sense; fresh install.

Thanks!

marcelloc · May 15, 2012, 2:15 AM

check if first lines of squid.conf has the transparent set in front of listening ip address(es).

qwaven · May 15, 2012, 1:20 PM

Thanks. You will need to advise how to do that. I am very unfamiliar with how to do this on PF Sense. I take it this would be via command line?

Please let me know,

Cheers!

marcelloc · May 15, 2012, 3:35 PM

You can use at console/ssh/diagnostics-> command prompt : head -20 /usr/local/etc/squid/squid.conf

qwaven · May 15, 2012, 11:20 PM

Hi,

I see the following for my interfaces.


http_port 10.10.10.1:3128
http_port 127.0.0.1:3128
http_port 127.0.0.1:3128 intercept
icp_port 7

Does that look correct or should my LAN IP also have the intercept?

Thanks for your help!

marcelloc · May 16, 2012, 3:18 AM

change this line (using Diagnostics-> edit file) on /usr/local/etc/squid/squid.conf

from:
http_port 10.10.10.1:3128

to:
http_port 10.10.10.1:3128 transparent

and test transparent access after executing killall -HUP squid on console/ssh/diagnostics-> command prompt

qwaven · May 17, 2012, 12:57 AM

I was having trouble getting the command to work. Squid would not start at all with transparent keyword.

However if I use intercept


10.10.10.1:3128 intercept

Squid will start, but I still encounter the same error. :(

NOW, I did some experimenting and found that if I omit the IP Address and just use:


http_port 3128 intercept

This WORKS! at last. Verified on an http header site and I see that "it" sees my proxy details.

Is there any issue with me doing this? Security concerns primarily? All of my internal networks should pass through the proxy anyhow, I just have not configured them yet! :)

Thanks for your help!

Update: Turns out I have one more issue! If I reboot, my configuration reverts back to before I made any changes…. Is there like an "apply" I need to activate? I did the changes via SSH.

marcelloc · May 17, 2012, 3:09 AM

@qwaven:

Is there any issue with me doing this? Security concerns primarily? All of my internal networks should pass through the proxy anyhow, I just have not configured them yet! :)

You need firewall rules to prevent external access to you squid this way.
I'll check the intercept option on squid3 package

@qwaven:

]Update: Turns out I have one more issue! If I reboot, my configuration reverts back to before I made any changes…. Is there like an "apply" I need to activate? I did the changes via SSH.

Config file is built every time you boot or apply settings on squid gui.

qwaven · May 17, 2012, 1:56 PM

Thanks for your help.

If I cannot retain my settings after reboot I'm not sure this will work. :(

Please do let me know what you find via Squid 3 package. Although I had originally started with the default 2.x installed package.

Cheers.

qwaven · May 18, 2012, 6:54 PM

Any update?

I've tried using Dansguardian with a firewall rule redirecting port 80 instead of Squid/SquidGuard intercept mode. This seems to work so far. Wondering if I should just stick with D then?

Not really clear on the difference between the two softwares.

Thanks for your help.