Squid-dev 3.3.8 Setup HOW TO! [SOLVED]

  • EDIT: I JUST REBOOT THE MACHINE AFTER THE chown -R proxy:proxy /var/squid/lib/  and ssld_crtd en Just Work Smooth
    This Could be a HOW TO PROCEDURE :D xD

    Hello! i have an issue setting up squid-dev 3.3.8 on https filtering, here is my config,  got 26 vlans,

    xxx.xxx.xxx.xxx (ip show are not real ones, just to be graphical)

    my setup

    2.1-RELEASE (amd64) 
    built on Wed Sep 11 18:17:48 EDT 2013 
    FreeBSD 8.3-RELEASE-p11

    My Equipment:

    Intel(R) Xeon(R) CPU 5120 @ 1.86GHz
    2 CPUs: 1 package(s) x 2 core(s)

    ok now, i been trying to use https filtering with interception, for the moment the proxy works smooth with non transparent config, i cant intercept https: and filer and so on, when i check the mark of proxy transparent can make it work, first ask for the ssl-bump option and squid can run says that the options is missing,so  searching over internet made with a solution

    2013/10/01 16:21:06| FATAL: tproxy/intercept on https_port requires ssl-bump which is missing.                                                                                                        
    FATAL: Bungled /usr/pbi/squid-amd64/etc/squid/squid.conf line 24: https_port intercept abnormally.                                           
    Squid Cache (Version 3.3.8): Terminated abnormally.                                 
    CPU Usage: 0.019 seconds = 0.019 user + 0.000 sys                                                               
    Maximum Resident Size: 30576 KB                                                                                                                  
    Page faults with physical i/o: 0    

    that is

    https_port intercept ssl-bump key=/path/to/my/cerfile/serverkey.pem cert=/path/to/my/cerfile/serverkey.pem clientca=/path/to/my/cerfile/serverkey.pem cafile=/path/to/my/cerfile/serverkey.pem capath=/path/to/my/cerfile/

    after added that config not error shown about that, the next err that i have is

    FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

    dig over in google and i found that some guy on the main squid forum has a solution, checkit here  http://www.squid-cache.org/mail-archive/squid-users/201209/0086.html

    in the thread of this forum @hisoka01 has a similar issues so… i try...

    (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/lib/ssl_db. To initialize, r
    un "ssl_crtd -c -s /var/squid/lib/ssl_db".

    so i delete the

     /var/squid/lib/ssl_db folder

    did the command

     ssl_crtd -c -s /var/squid/lib/ssl_db". (the "ssl_crtd" was  in /usr/pbi/squid-amd64/libexec/squid)


     chown -R proxy:proxy /var/squid/lib/  

    NOTHING, i think that in the last thread @marcelloc says something about dns4v on or something like that so, i turned off, reboot the machine and nothing happend,
    (Btw if marcelloc wasnt sorry, i think that was u, i'll check later)

    i have the problem with the missing libraries libheimntlm.so.10 and so on
    i have fetch from  http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/ here….

    here is my config file

    # This file is automatically generated by pfSense
    # Do not edit manually !
    http_port xxx.xxx.10.1:3128 
    http_port xxx.xxx.19.1:3128 
    http_port xxx.xxx.20.1:3128 
    http_port xxx.xxx.21.1:3128 
    http_port xxx.xxx.22.1:3128 
    http_port xxx.xxx.23.1:3128 
    http_port xxx.xxx.30.1:3128 
    http_port xxx.xxx.31.1:3128 
    http_port xxx.xxx.33.1:3128 
    http_port xxx.xxx.40.1:3128 
    http_port xxx.xxx.41.1:3128 
    http_port xxx.xxx.11.1:3128 
    http_port xxx.xxx.12.1:3128 
    http_port xxx.xxx.13.1:3128 
    http_port xxx.xxx.14.1:3128 
    http_port xxx.xxx.15.1:3128 
    http_port xxx.xxx.16.1:3128 
    http_port xxx.xxx.17.1:3128 
    http_port xxx.xxx.18.1:3128 
    http_port intercept 
    https_port intercept ssl-bump key=/path/to/certfile/serverkey.pem cert=/path/to/certfile/serverkey.pem clientca=/path/to/certfile/serverkey.pem cafile=/path/to/certfile/serverkey.pem capath=/path/to/certfile/
    icp_port 7
    dns_v4_first off
    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_default_language es
    icon_directory /usr/pbi/squid-amd64/etc/squid/icons
    visible_hostname proxyserver
    cache_mgr mail@domain.org
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    sslcrtd_children 50
    logfile_rotate 15
    shutdown_lifetime 3 seconds
    # Allow local network(s) on interface(s)
    acl localnet src  xxx.xxx.10.0/24 xxx.xxx.19.0/24 xxx.xxx.20.0/24 xxx.xxx.21.0/24 xxx.xxx.22.0/24 xxx.xxx.23.0/24 xxx.xxx.30.0/24 xxx.xxx.31.0/24 xxx.xxx.33.0/24 xxx.xxx.40.0/24 xxx.xxx.41.0/24 xxx.xxx.11.0/24 xxx.xxx.12.0/24 xxx.xxx.13.0/24 xxx.xxx.14.0/24 xxx.xxx.15.0/24 xxx.xxx.16.0/24 xxx.xxx.17.0/24 xxx.xxx.18.0/24
    httpd_suppress_version_string on
    uri_whitespace strip
    acl dynamic urlpath_regex cgi-bin \?
    cache deny dynamic
    cache_mem 8 MB
    maximum_object_size_in_memory 32 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir ufs /var/squid/cache 10000 16 256
    minimum_object_size 0 KB
    maximum_object_size 4 KB
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    cache allow all
    # No redirector configured
    #Remote proxies
    # Setup some default acls
    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    # acl localhost src
    acl allsrc src all
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535 
    acl sslports port 443 563
    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    #acl manager proto cache_object
    acl purge method PURGE
    acl connect method CONNECT
    # Define protocols used for redirects
    acl HTTP proto HTTP
    acl HTTPS proto HTTPS
    acl allowed_subnets src xxx.xxx.0.0/24 xxx.xxx.11.0/24 xxx.xxx.12.0/24
    acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
    acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports
    # Always allow localhost connections
    # From 3.2 further configuration cleanups have been done to make things easier and safer. 
    # The manager, localhost, and to_localhost ACL definitions are now built-in.
    # http_access allow localhost
    request_body_max_size 0 KB
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow allsrc
    # Reverse Proxy settings
    always_direct allow whitelist
    ssl_bump none whitelist
    # Custom options
    # Always allow access to whitelist domains
    http_access allow whitelist
    # Block access to blacklist domains
    http_access deny blacklist
    always_direct allow all
    ssl_bump server-first all
    # Setup allowed acls
    # Allow local network(s) on interface(s)
    http_access allow allowed_subnets
    http_access allow localnet
    # Default block all to be sure
    http_access deny allsrc

  • How to fech the libraries!

    fetch -o /usr/local/lib/libasn1.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10
    fetch -o /usr/local/lib/libgssapi.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10
    fetch -o /usr/local/lib/libheimntlm.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10
    fetch -o /usr/local/lib/libhx509.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10
    fetch -o /usr/local/lib/libkrb5.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10
    fetch -o /usr/local/lib/libroken.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10

  • I think that in the dozens of posts scattered about here on how to get Squid 3.3.8 Dev working Marcelloc has added that you need to enable IPV6 on Squid 2.1.

    Someone should consider putting together a coherent How To on Squid 3.3.8 Dev on a Wiki or somewhere until this package is properly configured for install on the PFSENSE Package Installer.

  • pfsense 2.1 has enabled by default ipv6, so that is why i dont mention that!, let put this things clear and make a "decent how to"

  • The point is if you do not enable this options, squid3.3.x does not listen configured port. This is not related to package gui I'm doing but on ipv6=yes squid compile option.

Log in to reply