Netgate Discussion Forum

[SOLVED] Squid blocking all sites except Google and a few others

General pfSense Questions
7 Posts 3 Posters 7.7k Views
    alltime, Aug 22, 2014, 10:07 PM (last edited Aug 25, 2014, 11:21 PM)

    Hi,

    I have the strangest thing going on here. For some reason, SQUID is blocking every website except for Google when transparent mode is set. There is no real specification showing that this should occur.

    • My network is on the same subnet as pfsense which is 192.168.1.0/24 so there shouldn't be any blocking whatsoever (ACLs).

    • We are using Google DNS in addition to our own.

    • There are no specified firewall rules that should block users.

    • Below is the Squid configuration from the pfSense XML. Please let me know if this is not what is needed.

    What gives?

    <squid>
      <config>
        <active_interface>opt2</active_interface>
        <proxy_port>3128</proxy_port>
        <icp_port></icp_port>
        <allow_interface>on</allow_interface>
        <patch_cp></patch_cp>
        <dns_v4_first>on</dns_v4_first>
        <disable_pinger></disable_pinger>
        <dns_nameservers></dns_nameservers>
        <transparent_proxy></transparent_proxy>
        <transparent_active_interface>opt2</transparent_active_interface>
        <private_subnet_proxy_off></private_subnet_proxy_off>
        <defined_ip_proxy_off></defined_ip_proxy_off>
        <defined_ip_proxy_off_dest></defined_ip_proxy_off_dest>
        <ssl_proxy>on</ssl_proxy>
        <ssl_active_interface>opt2</ssl_active_interface>
        <ssl_proxy_port></ssl_proxy_port>
        <dca>53dac4f051ce5</dca>
        <sslcrtd_children></sslcrtd_children>
        <interception_checks></interception_checks>
        <interception_adapt></interception_adapt>
        <log_enabled></log_enabled>
        <log_dir>/var/squid/logs</log_dir>
        <log_rotate></log_rotate>
        <visible_hostname>localhost</visible_hostname>
        <admin_email>admin@localhost</admin_email>
        <error_language>en</error_language>
        <disable_xforward></disable_xforward>
        <disable_via></disable_via>
        <log_sqd></log_sqd>
        <uri_whitespace>strip</uri_whitespace>
        <disable_squidversion></disable_squidversion>
      </config>
    </squid>

      tanniit, last edited Aug 23, 2014, 7:42 AM

      Disable Squid and give it a try. Usually, by default, Squid will not block any website.
      Posting some of the pfSense config screenshots and logs from the firewall and Squid will be helpful.

        alltime, last edited Aug 23, 2014, 11:10 PM

        Without Squid, pfSense works flawlessly and has been for several years. Now I'm seeing that forum.pfsense.org also works, and a few other SSL-enabled sites. Not all.

        WAN Firewall Rules

        Wireless (LAN) Firewall Rules

        Squid Configuration

        Squid Log:

        All that I see within /var/squid/logs is cache.log:

        
        2014/08/22 17:58:30 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
        2014/08/22 17:58:30 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
        2014/08/22 17:58:30 kid1| Unable to load default error language files. Reset to backups.
        2014/08/22 17:58:30 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
        2014/08/22 17:58:30 kid1| WARNING: failed to find or read error text file error-details.txt
        2014/08/22 17:58:30 kid1| sendto FD 22: (1) Operation not permitted
        2014/08/22 17:58:30 kid1| ipcCreate: CHILD: hello write test failed
        2014/08/23 16:08:47 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
        2014/08/23 16:08:47 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
        2014/08/23 16:08:47 kid1| Unable to load default error language files. Reset to backups.
        2014/08/23 16:08:47 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
        2014/08/23 16:08:47 kid1| WARNING: failed to find or read error text file error-details.txt
        2014/08/23 16:08:47 kid1| sendto FD 33: (1) Operation not permitted
        2014/08/23 16:08:47 kid1| ipcCreate: CHILD: hello write test failed
        2014/08/23 18:09:20 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
        2014/08/23 18:09:20 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
        2014/08/23 18:09:20 kid1| Unable to load default error language files. Reset to backups.
        2014/08/23 18:09:20 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
        2014/08/23 18:09:20 kid1| WARNING: failed to find or read error text file error-details.txt
        2014/08/23 18:09:20 kid1| sendto FD 33: (1) Operation not permitted
        2014/08/23 18:09:20 kid1| ipcCreate: CHILD: hello write test failed
        
        

        Firewall log:

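As an added example (not from this thread, and not pfSense or Squid code), here is a small Python triage script run over the cache.log lines quoted above. It groups lines by Squid start-up and reports the problems that repeat on every start, which separates persistent configuration or installation faults from one-off events. The keyword list used to classify a line as a problem, and the normalisation of file-descriptor numbers, are choices made for this example.

```python
"""Triage Squid cache.log start-up errors (added example; not from the thread or pfSense)."""
from __future__ import annotations

import re
from collections import Counter

# Sample copied from the cache.log excerpt posted in this thread (three start-ups)
SAMPLE_CACHE_LOG = """\
2014/08/22 17:58:30 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
2014/08/22 17:58:30 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
2014/08/22 17:58:30 kid1| Unable to load default error language files. Reset to backups.
2014/08/22 17:58:30 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
2014/08/22 17:58:30 kid1| WARNING: failed to find or read error text file error-details.txt
2014/08/22 17:58:30 kid1| sendto FD 22: (1) Operation not permitted
2014/08/22 17:58:30 kid1| ipcCreate: CHILD: hello write test failed
2014/08/23 16:08:47 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
2014/08/23 16:08:47 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
2014/08/23 16:08:47 kid1| Unable to load default error language files. Reset to backups.
2014/08/23 16:08:47 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
2014/08/23 16:08:47 kid1| WARNING: failed to find or read error text file error-details.txt
2014/08/23 16:08:47 kid1| sendto FD 33: (1) Operation not permitted
2014/08/23 16:08:47 kid1| ipcCreate: CHILD: hello write test failed
2014/08/23 18:09:20 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
2014/08/23 18:09:20 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
2014/08/23 18:09:20 kid1| Unable to load default error language files. Reset to backups.
2014/08/23 18:09:20 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
2014/08/23 18:09:20 kid1| WARNING: failed to find or read error text file error-details.txt
2014/08/23 18:09:20 kid1| sendto FD 33: (1) Operation not permitted
2014/08/23 18:09:20 kid1| ipcCreate: CHILD: hello write test failed
"""

# cache.log line layout: "YYYY/MM/DD HH:MM:SS kidN| message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\|\s*(?P<msg>.*\S)\s*$"
)
START_RE = re.compile(r"^Starting Squid Cache version (?P<version>\S+)")
# Keywords that mark a line as a problem (chosen for this example)
PROBLEM_HINTS = ("error", "warning", "failed", "unable", "not permitted")


def parse_cache_log(text: str) -> list[dict]:
    """Parse well-formed cache.log lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_problem(msg: str) -> bool:
    low = msg.lower()
    return any(h in low for h in PROBLEM_HINTS)


def normalise(msg: str) -> str:
    """Mask volatile details (descriptor numbers) so equivalent failures compare equal."""
    return re.sub(r"\bFD \d+\b", "FD <n>", msg)


def group_startups(entries: list[dict]) -> list[dict]:
    """Split the log at each 'Starting Squid Cache' line and collect problems per start-up."""
    startups: list[dict] = []
    for e in entries:
        m = START_RE.match(e["msg"])
        if m:
            startups.append({"started": e["ts"], "version": m["version"], "problems": []})
        elif startups and is_problem(e["msg"]):
            startups[-1]["problems"].append(normalise(e["msg"]))
    return startups


def recurring_problems(startups: list[dict]) -> list[str]:
    """Problem messages present in every start-up, in first-seen order."""
    counts: Counter[str] = Counter()
    order: list[str] = []
    for s in startups:
        for msg in dict.fromkeys(s["problems"]):  # unique per start-up
            if msg not in counts:
                order.append(msg)
            counts[msg] += 1
    return [m for m in order if counts[m] == len(startups)]


if __name__ == "__main__":
    starts = group_startups(parse_cache_log(SAMPLE_CACHE_LOG))
    print(f"{len(starts)} start-ups of Squid {starts[0]['version']}")
    for msg in recurring_problems(starts):
        print("recurring on every start:", msg)
```

Run it against a real /var/squid/logs/cache.log by reading the file instead of SAMPLE_CACHE_LOG; a problem that recurs on every start-up is worth fixing before looking at per-request access.log entries.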
          tanniit, last edited Aug 24, 2014, 1:40 PM

          Try:
          1.  Check the "transparent http proxy".
          2.  In your firewall log, click the "x" to see which firewall rule is blocking your traffic.

            alltime, last edited Aug 24, 2014, 6:51 PM

            The issue mentioned in the first post only occurs when "transparent http proxy" is checked. My apologies for not being clear.

            Within our firewall log, the only real errors that I see are below after clicking each X. However, according to https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F this seems to be normal.

            @5 block drop in log inet all label "Default deny rule IPv4"

              AIMS-Informatique, last edited Aug 25, 2014, 3:20 PM

              Don't know why, but to get the transparent proxy to work, we had to add these lines in the "Custom Option" field:

              redirect_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf;redirector_bypass off;url_rewrite_children 5
              

              I don't have a clue what it does exactly, but it did work…

                alltime, last edited Aug 25, 2014, 11:20 PM

                Figured it out! So apparently within the Squid Allowed ports, despite the Squid configuration page stating:

                This is a space-separated list of "safe ports" in addition to the already defined list: 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535

                I had to make the following modifications:

                
                acl safeports: 21-65535
                acl sslports: 443 563 995
                
                

                All good :o

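The fix in the last post is about Squid's port ACLs. As an added example (not pfSense or Squid code, and not from the thread), the Python below parses space-separated port lists like the ones quoted above and applies the two default squid.conf rules, `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports` (pfSense generates them under the names safeports and sslports). It shows why a CONNECT to a port that is in neither list is refused, and it quantifies how much the `21-65535` setting widens the allowed list relative to the default list quoted on the configuration page. The narrow SSL list `443` used for comparison is constructed for the example, not a pfSense default.

```python
"""Evaluate Squid Safe_ports / SSL_ports ACLs (added example; not pfSense or Squid code)."""
from __future__ import annotations

# Default list quoted on the pfSense Squid configuration page (from the thread)
PFSENSE_DEFAULT_SAFE_PORTS = "21 70 80 210 280 443 488 563 591 631 777 901 1025-65535"
# Values the poster ended up using (from the thread)
POSTER_SAFE_PORTS = "21-65535"
POSTER_SSL_PORTS = "443 563 995"
# Constructed narrow SSL list for comparison (assumption, not a pfSense default)
NARROW_SSL_PORTS = "443"

Ranges = list[tuple[int, int]]


def parse_ports(spec: str) -> Ranges:
    """Turn a space-separated list such as "80 443 1025-65535" into (lo, hi) ranges."""
    ranges: Ranges = []
    for token in spec.split():
        lo_s, _, hi_s = token.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port token: {token!r}")
        ranges.append((lo, hi))
    return ranges


def port_allowed(port: int, ranges: Ranges) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def http_access(method: str, port: int, safe_ports: str, ssl_ports: str) -> tuple[bool, str]:
    """Return (allowed, rule that decided) for a request with `method` to `port`.

    Mirrors the order of the default squid.conf rules: the Safe_ports check runs
    for every method, the SSL_ports check only for CONNECT tunnels.
    """
    if not port_allowed(port, parse_ports(safe_ports)):
        return False, "http_access deny !Safe_ports"
    if method.upper() == "CONNECT" and not port_allowed(port, parse_ports(ssl_ports)):
        return False, "http_access deny CONNECT !SSL_ports"
    return True, "allow"


def newly_allowed(old_spec: str, new_spec: str) -> list[int]:
    """Ports admitted by new_spec that old_spec rejected, i.e. what a change widens."""
    old, new = parse_ports(old_spec), parse_ports(new_spec)
    return [p for p in range(1, 65536) if port_allowed(p, new) and not port_allowed(p, old)]


if __name__ == "__main__":
    for method, port in [("GET", 80), ("CONNECT", 443), ("CONNECT", 995), ("CONNECT", 8443)]:
        before = http_access(method, port, PFSENSE_DEFAULT_SAFE_PORTS, NARROW_SSL_PORTS)
        after = http_access(method, port, POSTER_SAFE_PORTS, POSTER_SSL_PORTS)
        print(f"{method} :{port}  default/narrow -> {before}   poster -> {after}")
    widened = newly_allowed(PFSENSE_DEFAULT_SAFE_PORTS, POSTER_SAFE_PORTS)
    print(f"{len(widened)} ports newly reachable through the proxy, e.g. {widened[:5]}")
```

Note what the comparison shows: port 995 is absent from the default Safe_ports list altogether, so a tunnel to it is refused by the Safe_ports rule before the SSL_ports rule is even consulted, and replacing the list with `21-65535` admits every port from 21 up, including the low ports the default list leaves out. Listing only the extra ports actually needed keeps the proxy's reach narrower than a blanket range.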
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.