Squid 3.3.4 package for pfsense with ssl filtering

packeteer

@marcelloc:

@packeteer:

It is closed.

Next step is to check why squid is not starting…

The service is running, just doesn't listen to the port.

marcelloc

@packeteer:

The service is running, just doesn't listen to the port.

Enable ipv6 on pfsense and then killall and start squid daemon.

It's something on squid 3.3 version, I have a squid 3.3 version on my repo without ipv6 that works fine.

If you do not want to enable ipv6 on your server, install squid 3.3.4 form my repo using pkg_delete and pkg_add from console/ssh

packeteer

@marcelloc:

@packeteer:

The service is running, just doesn't listen to the port.

Enable ipv6 on pfsense and then killall and start squid daemon.

It's something on squid 3.3 version, I have a squid 3.3 version on my repo without ipv6 that works fine.

If you do not want to enable ipv6 on your server, install squid 3.3.4 form my repo using pkg_delete and pkg_add from console/ssh

Thank you very much! Enabling ipv6 works.

;D

ataru75

MULTIWAN

Hello, you work the proxy-dev ver. 3.3.8 with the multi-WAN? Before working with version 2.7.9 using this guide http://forum.pfsense.org/index.php?topic=60977.0, now I installed version 3.3.8-dev and it does not work. With the release of squid that is found in this post (3.3.4) will it work?
thanks
greetings

marcelloc

Did you upgraded pfsense too?

What version are you using?

dld121

• If you are getting missing libs erros like Shared object "libgssapi.so.10" not found, required by "squid"',
  Copy it from my personal repo or from any freebsd with the same version.
  These are libs that are not included on pfsense base install bu required to sasl.
  save it to /usr/local/lib
  amd64
  http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

  i386
  http://e-sac.siteseguro.ws/pfsense/8/All/ldd/

• Shared object "libheimntlm.so.10" not found,

dld121

@marcelloc:

@stanthewizard:

sorry I don't understand

On console/ssh use  pkg_delete to remove squid-3.3.4 and pkg_add to get squid 3.3.5

i386 systems
pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbz

amd64 systems
pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.5.tbz

Can you provide a URL that is available from the USA?  This URL returns  "Unable to get the … and Operation timed out."

The URL when Pinged gives me an IP address, but I cannot replace the "e-sac.siteseguro.ws" with an IP address and have it work.

David

marcelloc

@dld121:

Can you provide a URL that is available from the USA?

Unfortunately No.  :(

Do you have pfblocker enabled with brazil on your block list?

To get squid working without changing package files, just enable ipv6 on your 2.0.x version and get missing files from any freebsd 8.1 server.

@dld121:

The URL when Pinged gives me an IP address, but I cannot replace the "e-sac.siteseguro.ws" with an IP address and have it work.

It's a hosting server, only dns http headers will reach my files.

mromero

Tested:

i386 systems
pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbz

amd64 systems
pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.5.tbz

and they are dead for us as well.

marcelloc

Check your firewall rules and blocked ips.

I've just tested and it's working.

Use default package binaries with ipv6 enabled.

fetch missing files from any freebsd 8.1 for pfsense 2.0.x

Legion

Interestingly it's timing out for me too Marcello. And it's worked for me before, many times. I'm at work, in Oz, corporate firewall but it's not blocking.

gemmiu

Sorry for my bad english.

Can someone explain, how to block https urls with squid3 + squidguard?

Http urls are blocked correctly, but https urls won't be blocked :(

Thank you so much.

marcelloc

• Create a Certificate authority on pfsense

• Export ca certificate on gui and import on each client you what to filter ssl without certificate error messages

• Enable ssl interception/transparent proxy on squid3-dev gui.

mromero

Marcelloc I am telling you it is DEAD. We have tried going outside pFsense, direct to our ISP, and also on our VPN.

It is unreachable.

The PBI manager within pFsense works fine.

Why not update the Squid 3.3.8.package so we can access it from within pFsense rather than from a third-party website?

@Legion:

Interestingly it's timing out for me too Marcello. And it's worked for me before, many times. I'm at work, in Oz, corporate firewall but it's not blocking.

marcelloc

@mromero:

Why not update the Squid 3.3.8.package so we can access it from within pFsense rather than from a third-party website?

As I told you on other post.

• Install squid3-dev

• Enable ipv6 on system advanced

• fetch missing libs from any freebsd 8.3

I've asked core team to include these libs on official repo, this way, postfix, freeradius2, squid3 and other package I do not remember now can be installed automatically via gui. But I had no success on it.

The libs are there to help people not  to mess things up.

Last point. It's a dev package, not a release or stable one. So people who tries it must know how to workaround things.

Nachtfalke

Hi,

I am planning tu use squid3 for transparent proxy for http and ssl intercepting proxy (443) on a Multi-WAN environment.
So my question ist not directly related to the package but how do you use loadbalancing for ports 80/443 if these connections alsways have the same source like 127.0.0.1 ?

To make it a little bit clearer
I am not asking how to configure a pfsense with Multi-WAN and squid to use all WAN connections and not only one.
I am interested in how to make it work that port 80 and port 443 can be loadbalanced even if the source is always squid/pfsense itself (127.0.0.1) and so I can not balance based on the source-IP. Policy based routing for these two ports will not make sense and sticky connections - I think they will always use one WAN for these two ports.

I explained a little bit more here:
http://forum.pfsense.org/index.php/topic,68120.0.html

I would really appreciate any help so that I can configure my test machine and do some tests ;-)

marcelloc

Maybe with a lot of acls based on source ip acls to define tcp_outgoing address.

I'm seeing some posts related to problems with 127.0.0.1 load balance on 2.1

Nachtfalke

@marcelloc:

Maybe with a lot of acls based on source ip acls to define tcp_outgoing address.

I'm seeing some posts related to problems with 127.0.0.1 load balance on 2.1

Interesting point. tcp_outgoing_address and ACL with source IP and source port 443 could do the trick. 3 tcp_outgoing each for every of the 3 WAN connection. Port 80 can be probably done with the gateway groups of pfsense in Manual Outbound NAT. Will give that a try.

ipis

Hi marcelloc. Does this version capable of blocking https sites in transparent mode?

Nachtfalke

@ipis:

Hi marcelloc. Does this version capable of blocking https sites in transparent mode?

Yes.

ipis

Thanks natchflake. I'm trying to download squid-3.3.5 from the above address given by marcelloc using also the procedure as instructed, but i'wasn't able to download it. It says Unable to fetch the file. Can I download it manually and save it in any pfsense folder using file manager packages? IF yes how can i install it once i've save it? for example i saved it to /usr/local..

Thanks

Nachtfalke

@ipis:

Thanks natchflake. I'm trying to download squid-3.3.5 from the above address given by marcelloc using also the procedure as instructed, but i'wasn't able to download it. It says Unable to fetch the file. Can I download it manually and save it in any pfsense folder using file manager packages? IF yes how can i install it once i've save it? for example i saved it to /usr/local..

Thanks

Hi,

please try to install squid3-dev form pfsense package manager. This will give you all you need. After that you have to fetch some single files from command shell. This should be enough.

This post should explain it:
http://forum.pfsense.org/index.php/topic,62256.msg371582.html#msg371582

At the moment I do not find the post where marcelloc posted all the missing libs/files you need to fetch manually.

marcelloc

for amd64

fetch -o /usr/local/lib/libasn1.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10
fetch -o /usr/local/lib/libgssapi.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10
fetch -o /usr/local/lib/libheimntlm.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10
fetch -o /usr/local/lib/libhx509.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10
fetch -o /usr/local/lib/libkrb5.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10
fetch -o /usr/local/lib/libroken.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10

for i386

fetch -o /usr/local/lib/libasn1.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10
fetch -o /usr/local/lib/libgssapi.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10
fetch -o /usr/local/lib/libheimntlm.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10
fetch -o /usr/local/lib/libhx509.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10
fetch -o /usr/local/lib/libkrb5.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10
fetch -o /usr/local/lib/libroken.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10

You can also fetch from any frebsd 8.3

ipis

Hi nachtfalke

Sorry I'm mean this url http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbz

I wasn't able to get the missing libs.  to make squid working and squidguard too

Nachtfalke

@ipis:

Hi nachtfalke

Sorry I'm mean this url http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbz

I wasn't able to get the missing libs.  to make squid working and squidguard too

Did you see the post marcelloc posted on top of your post?

ipis

Hi, while i continue reading

I'v found this instructed by marcelloc to other member.

. cd /usr/local/lib
. fetch url_for_libs

Download all libs from my ldd folder.

What doe's he mean by the  "fetch url_for_libs" ?

Because what I tried is this on console "fetch //http://e-sac.siteseguro.ws/pfsense/8/All/ldd/"

and it says not found. Did I do it correctly?

ipis

Sorry I didn't see it earlier.

Thanks Nachtfalke and marcelloc :)

marcelloc

@ipis:

Sorry I'm mean this url http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbz

No need to fetch 3.3.5. Use default 3.3.8 from oficial repository.

ipis

Guys what i did was this to be exact

• (8) shell
• cd /usr/local/lib
• fetch -o /usr/local/lib/libasn1.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10

But it says not found.

I feel ashamed cause i wasn't able to install them while others can  :(

ipis

Is there a way to copy the missing libs directly to the pfsense without fetching?

marcelloc

@ipis:

Is there a way to copy the missing libs directly to the pfsense without fetching?

Unfortunately no. I've asked core team to copy these libs to official repo but I had no luck with that.

These are missing so libs for gssapi. Other packages(freeradius2, postfix) need this libs too.

ipis

I hope all missing libs are included soon. I really wan't to block certain secured sites on my work. And I think this version is amazing.

Does anyone has a workaround in fetching libs?

Nachtfalke

@ipis:

I hope all missing libs are included soon. I really wan't to block certain secured sites on my work. And I think this version is amazing.

Does anyone has a workaround in fetching libs?

Just try with this command:

cd /usr/local/lib

and in this folder:

fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10

Perhaps you have to check the file permissions after you copied the files.

Or download the libs via your webbrowser and copy these files to pfsense using the GUI:
DIAGNOSTICS –> Command Prompt

ipis

Thanks  Nachtfalke

How stupid i'am. I a'm using the word "ALL" instead of "All" plus. I erase all my config to squid, I uncheked everything before re-fetching. Thanks again :)

ipis

Hi. Its already working fine but I've noticed that the other browser like google chrome. I've noticed that it wont trust the certificate when entering into secured sites. It says the Certificate is not trusted and theres no option for the user to continue and accept it. Unlike to other browser theres an optio to get the certificate and continue to the website. Or to trust the cerficate.. Is this normal, or theres a way to overcome this? Thanks

marcelloc

@ipis:

Is this normal, or theres a way to overcome this? Thanks

Yes, to avoid these erros, play with squid cert options and include pfsense CA as a trusted CA on each browsers. This way you will not get any ssl error for https sites.

Services that use same ssl port(tor, ultrasurf) will always fail.

ipis

Thanks marcelloc. I've fixed the certificated error. also I re-enabled the transparent ssl and it helps  :)

ipis

Hi, I have a question. I just visited a government agency website, its an organization that handles employers contribution. or employees contribution. Ive noticed that after accepting the certificate and continuing to website. The website did not respond and it says webpage not avalable. According to other forums ubuntu to be exact, theres a site that sometimes block this kind of interception, i mean we will not be availbe to continue that's why they added some code.

Can we adopt their  code to our pfsense? I think their added it in squid.conf

marcelloc

@ipis:

Can we adopt their  code to our pfsense? I think their added it in squid.conf

If you find what code is it, I can add to squid.conf.

ipis

Hi marcerlloc, check this pic that ive uploaded