Squid - 3.3.5 not working?



  • Hey all,

    Cannot get a transparent proxy working with Squid 3.3.5.

    I have it set up all right as far as I can tell but none of the client traffic is going through the proxy server…

    What am I doing wrong?

    screen shot of my settings:



  • Ahh, just seen this in the logs:
    No idea what it means though!?

    Jun 20 13:13:59 php: : SQUID is installed but not started. Not installing "filter" rules.
    Jun 20 13:13:59 php: : SQUID is installed but not started. Not installing "pfearly" rules.
    Jun 20 13:13:59 php: : SQUID is installed but not started. Not installing "nat" rules.
    Jun 20 13:13:56 check_reload_status: Reloading filter
    Jun 20 13:13:46 php: /pkg_edit.php: The command '/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was '/libexec/ld-elf.so.1: Shared object "libgssapi.so.10" not found, required by "squid"'
    Jun 20 13:13:46 php: /pkg_edit.php: Starting Squid
    Jun 20 13:13:46 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/clamav-clamd start' returned exit code '127', the output was '/usr/local/etc/rc.d/clamav-clamd: not found'
    Jun 20 13:13:46 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/c-icap start' returned exit code '1', the output was 'Starting c_icap. su: unknown login: clamav /usr/local/etc/rc.d/c-icap: WARNING: failed to start c_icap'
    Jun 20 13:13:46 root: /usr/local/etc/rc.d/c-icap: WARNING: failed to start c_icap
    Jun 20 13:13:46 php: /pkg_edit.php: [Squid] - Squid_resync function call pr: bp: rpc:no
    Jun 20 13:13:46 check_reload_status: Syncing firewall
    Jun 20 13:12:48 php: : SQUID is installed but not started. Not installing "filter" rules.
    Jun 20 13:12:48 php: : SQUID is installed but not started. Not installing "pfearly" rules.
    Jun 20 13:12:48 php: : SQUID is installed but not started. Not installing "nat" rules.
    Jun 20 13:12:45 check_reload_status: Reloading filter
    Jun 20 13:12:37 php: : SQUID is installed but not started. Not installing "filter" rules.
    Jun 20 13:12:37 php: : SQUID is installed but not started. Not installing "pfearly" rules.
    Jun 20 13:12:37 php: : SQUID is installed but not started. Not installing "nat" rules.
    Jun 20 13:12:35 php: /pkg_edit.php: The command '/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was '/libexec/ld-elf.so.1: Shared object "libgssapi.so.10" not found, required by "squid"'
    Jun 20 13:12:35 php: /pkg_edit.php: Starting Squid
    Jun 20 13:12:35 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/clamav-clamd start' returned exit code '127', the output was '/usr/local/etc/rc.d/clamav-clamd: not found'
    Jun 20 13:12:35 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/c-icap start' returned exit code '1', the output was 'Starting c_icap. su: unknown login: clamav /usr/local/etc/rc.d/c-icap: WARNING: failed to start c_icap'
    Jun 20 13:12:35 root: /usr/local/etc/rc.d/c-icap: WARNING: failed to start c_icap
    Jun 20 13:12:35 php: /pkg_edit.php: [Squid] - Squid_resync function call pr: bp: rpc:no
    Jun 20 13:12:35 check_reload_status: Syncing firewall
    Jun 20 13:12:35 check_reload_status: Reloading filter
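
Added example (not part of the original thread, and not pfSense or Squid code): a small triage script run over an excerpt of the system log posted above, collapsing the repeated entries into one likely root cause per failed command. The function names and cause labels are assumptions made for illustration.

```python
import re

# Excerpt of the system log posted above (five lines, copied verbatim).
SAMPLE_LOG = """\
Jun 20 13:13:59 php: : SQUID is installed but not started. Not installing "nat" rules.
Jun 20 13:13:46 php: /pkg_edit.php: The command '/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was '/libexec/ld-elf.so.1: Shared object "libgssapi.so.10" not found, required by "squid"'
Jun 20 13:13:46 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/clamav-clamd start' returned exit code '127', the output was '/usr/local/etc/rc.d/clamav-clamd: not found'
Jun 20 13:13:46 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/c-icap start' returned exit code '1', the output was 'Starting c_icap. su: unknown login: clamav /usr/local/etc/rc.d/c-icap: WARNING: failed to start c_icap'
Jun 20 13:12:35 php: /pkg_edit.php: The command '/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was '/libexec/ld-elf.so.1: Shared object "libgssapi.so.10" not found, required by "squid"'
"""

FAILED_CMD = re.compile(
    r"The command '(?P<cmd>[^']+)' returned exit code '(?P<code>\d+)', "
    r"the output was '(?P<out>.*)'$")
MISSING_LIB = re.compile(
    r'Shared object "(?P<lib>[^"]+)" not found, required by "(?P<bin>[^"]+)"')
UNKNOWN_USER = re.compile(r"su: unknown login: (?P<user>\S+)")


def classify(code, out):
    """Map a failed command's exit code and output to a likely root cause."""
    m = MISSING_LIB.search(out)
    if m:  # runtime linker (ld-elf.so.1) could not resolve a dependency
        return f"missing shared library {m['lib']} (needed by {m['bin']})"
    m = UNKNOWN_USER.search(out)
    if m:  # rc script tried to su to an account that was never created
        return f"service account '{m['user']}' does not exist"
    if code == 127:  # shell convention: command not found
        return "command or rc script not found"
    return "unclassified failure"


def triage(log_text):
    """Return {command: {exit_code, cause, count}}, one entry per failed command."""
    findings = {}
    for line in log_text.splitlines():
        m = FAILED_CMD.search(line)
        if not m:
            continue  # informational lines such as "Not installing ... rules"
        code = int(m["code"])
        entry = findings.setdefault(
            m["cmd"], {"exit_code": code, "cause": classify(code, m["out"]), "count": 0})
        entry["count"] += 1
    return findings


if __name__ == "__main__":
    for cmd, f in triage(SAMPLE_LOG).items():
        print(f"{f['count']}x exit {f['exit_code']}: {cmd}\n    -> {f['cause']}")
```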



  • Right I have got it working now by downloading those missing files.

    HOWEVER.

    I cannot pass any traffic over the proxy!

    Using transparent proxy just doesn't work  :(

    settings are the same as above.

    Any ideas?



  • Read the first post in this thread:
    http://forum.pfsense.org/index.php/topic,62256.0.html

    You need the libs offered by marcelloc. Download the appropriate version (386 / AMD64) and install them by hand (winSCP + chmod 755).



  • Thanks I have the LIBs installed but now I just can't pass any traffic over the proxy.

    I can see that the proxy service has started, but whether I use transparent proxy or point my PC to the proxy server/port it just doesn't work.



  • Do you mean : You can't browse with the client PC? or Do you think the proxy doesn't do anything?

    After installing the LIBs, did you use the dashboard to restart squid? or use the save button in the proxy server page?

    p.s. Clamav is NOT working!! (disable for now)



  • @Tikimotel:

    Do you mean : You can't browse with the client PC? or Do you think the proxy doesn't do anything?

    After installing the LIBs, did you use the dashboard to restart squid? or use the save button in the proxy server page?

    I can't browse any page on my Client PC and I cannot see any of the squid logs indicating that traffic is being passed.
    Also I restarted the service, pressed save, and rebooted the FW to see if that helped - none of them did.



  • Clamav is NOT working, please disable and only use squid options for now.

    After squid has started does "/var/squid/logs/cache.log" contain new data?



  • @Tikimotel:

    Clamav is NOT working, please disable and only use squid options for now.

    After squid has started does "/var/squid/logs/cache.log" contain new data?

    Right thanks done that - the new data below... seems it can't write to some directory or something?

    2013/06/20 18:32:44 kid1| helperOpenServers: Starting 5/8 'ssl_crtd' processes
    2013/06/20 18:32:44 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2013/06/20 18:32:44 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2013/06/20 18:32:44 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2013/06/20 18:32:44 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2013/06/20 18:32:44 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2013/06/20 18:32:44 kid1| Logfile: opening log /var/squid/logs/access.log
    2013/06/20 18:32:44 kid1| WARNING: log parameters now start with a module name. Use 'stdio:/var/squid/logs/access.log'
    2013/06/20 18:32:44 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2013/06/20 18:32:44 kid1| Unlinkd pipe opened on FD 31
    2013/06/20 18:32:44 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
    2013/06/20 18:32:44 kid1| Store logging disabled
    2013/06/20 18:32:44 kid1| Swap maxSize 7680000 + 524288 KB, estimated 631099 objects
    2013/06/20 18:32:44 kid1| Target number of buckets: 31554
    2013/06/20 18:32:44 kid1| Using 32768 Store buckets
    2013/06/20 18:32:44 kid1| Max Mem  size: 524288 KB
    2013/06/20 18:32:44 kid1| Max Swap size: 7680000 KB
    2013/06/20 18:32:44 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2013/06/20 18:32:44 kid1| Rejecting swap file v1 to avoid cache index corruption. Forcing a full cache index rebuild. See Squid bug #3441.
    2013/06/20 18:32:44 kid1| Rebuilding storage in /var/squid/cache (no log)
    2013/06/20 18:32:44 kid1| Using Least Load store dir selection
    2013/06/20 18:32:44 kid1| Current Directory is /usr/local/www
    2013/06/20 18:32:44 kid1| Loaded Icons.
    2013/06/20 18:32:44 kid1| HTCP Disabled.
    2013/06/20 18:32:44 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2013/06/20 18:32:44 kid1| sendto FD 39: (1) Operation not permitted
    2013/06/20 18:32:44 kid1| ipcCreate: CHILD: hello write test failed



  • my settings:  nothing wrong with them?



  • What version of pfsense do you have?



  • 2.0.3-RELEASE (amd64)
    built on Fri Apr 12 10:27:15 EDT 2013
    FreeBSD 8.1-RELEASE-p13

    You are on the latest version.

    :)



  • Enable ipv6 and see if it works.



  • okay that looks to be working….

    Just one weird thing...

    So I have a few servers here, desktop PC and my laptop.

    Seems my laptop is the only one which is still getting the web pages but not going through the proxy?!

    All the others I can see the traffic going through the proxy... just not the laptop!?



  • Ignore that last one!

    All working :)

    Just one thing - now I'm getting

    The site's security certificate is not trusted!

    when visiting https sites - are my settings wrong on this?
    Thanks for your help!



  • hmm just seen this:

    "Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection."

    Not really worth it for me - Can I disable ssl man in the middle filtering or did I read somewhere that transparent proxy doesn't work without SSL interception also?



  • Ha not working again!

    Not having much luck with this squid…

    Error messages in log:

    Jun 20 23:38:33 squid[45037]: Squid Parent: (squid-1) process 46711 exited with status 1
    Jun 20 23:38:33 (squid-1): msgget failed
    Jun 20 23:38:32 squid[45037]: Squid Parent: (squid-1) process 46711 started
    Jun 20 23:38:29 squid[45037]: Squid Parent: (squid-1) process 45612 exited with status 1
    Jun 20 23:38:29 (squid-1): msgget failed
    Jun 20 23:38:29 squid[45037]: Squid Parent: (squid-1) process 45612 started
    Jun 20 23:38:29 squid[45037]: Squid Parent: will start 1 kids
    Jun 20 23:38:27 php: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was 'squid: ERROR: Could not send signal 15 to process 3384: (3) No such process'
    Jun 20 23:38:26 squid[46131]: Squid Parent: (squid-1) process 21999 exited with status 1
    Jun 20 23:38:26 (squid-1): msgget failed
    Jun 20 23:38:25 squid[46131]: Squid Parent: (squid-1) process 21999 started
    Jun 20 23:38:22 squid[46131]: Squid Parent: (squid-1) process 53784 exited with status 1
    Jun 20 23:38:22 (squid-1): msgget failed



  • @Deadringers:

    hmm just seen this:

    "Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection."

    Not really worth it for me - Can I disable ssl man in the middle filtering or did I read somewhere that transparent proxy doesn't work without SSL interception also?

    Check what part of certificate ssl is not working. Ca or common name?



  • Right well a reboot of the firewall sorted out the problem.

    Have to say I didn't get along with squid.
    I found the performance tweaks here on the forum and through google.  Still not good IMO.

    Pages were taking too long to load, youtube (and other sites) videos were also affected slightly even though I hadn't turned on dynamic caching.

    So I have un-installed squid for now.  I might create a stand alone squid server at some point but who knows.

    Thanks for your time mate :)

