Squid3 can't find libmd5.so.0

marcelloc

@mhab12:

Will the same procedure work on 2.1.5?

On 2.1.5, install squid3-dev package. I uses squid 3.3.10

marcelloc

@mrancier:

Transparent proxy still does not work :(

Maybe related to some 2.2 RC issues, not squid itself.

Check if you don't have this error on your system logs

php: rc.filter_configure: PHP ERROR: Type: 2, File: /etc/inc/util.inc, Line: 184, Message: fsockopen(): unable to connect to unix:///var/run/check_reload_status:-1 (No such file or directory)

tracking this issue I've found this:

ldd /usr/local/sbin/check_reload_status
/usr/local/sbin/check_reload_status:
        libsbuf.so.6 => /lib/libsbuf.so.6 (0x80084c000)
        libevent-2.0.so.5 => not found (0)
        libc.so.7 => /lib/libc.so.7 (0x800a4f000)

trying a manual fix:

ln -s /usr/local/lib/libevent-2.0.so.5 /lib/libevent-2.0.so.5

and check_reload_status seems to be ok again

ldd /usr/local/sbin/check_reload_status
/usr/local/sbin/check_reload_status:
        libsbuf.so.6 => /lib/libsbuf.so.6 (0x80084c000)
        libevent-2.0.so.5 => /lib/libevent-2.0.so.5 (0x800a4f000)
        libc.so.7 => /lib/libc.so.7 (0x800c91000)
        libthr.so.3 => /lib/libthr.so.3 (0x801023000)

and also transparent proxy

grep 3128 /tmp/rules.debug
rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
pass in quick on em1 proto tcp from any to !(em1) port {80,443,3128,3127} flags S/SA keep state

I've opened a redmine for it, so core team can check this issue

mrancier

I can confirm that error.  It was also accompanied by sshd being unable to start.  Reverting changes didn't help, but reinstalling the snapshot fixed sshd.  I will try the fix you described sometime tomorrow.  Thank you!

@marcelloc:

@mrancier:

Transparent proxy still does not work :(

Maybe related to some 2.2 RC issues, not squid itself.

Check if you don't have this error on your system logs

php: rc.filter_configure: PHP ERROR: Type: 2, File: /etc/inc/util.inc, Line: 184, Message: fsockopen(): unable to connect to unix:///var/run/check_reload_status:-1 (No such file or directory)

tracking this issue I've found this:

ldd /usr/local/sbin/check_reload_status
/usr/local/sbin/check_reload_status:
        libsbuf.so.6 => /lib/libsbuf.so.6 (0x80084c000)
        libevent-2.0.so.5 => not found (0)
        libc.so.7 => /lib/libc.so.7 (0x800a4f000)

trying a manual fix:

ln -s /usr/local/lib/libevent-2.0.so.5 /lib/libevent-2.0.so.5

and check_reload_status seems to be ok again

ldd /usr/local/sbin/check_reload_status
/usr/local/sbin/check_reload_status:
        libsbuf.so.6 => /lib/libsbuf.so.6 (0x80084c000)
        libevent-2.0.so.5 => /lib/libevent-2.0.so.5 (0x800a4f000)
        libc.so.7 => /lib/libc.so.7 (0x800c91000)
        libthr.so.3 => /lib/libthr.so.3 (0x801023000)

and also transparent proxy

grep 3128 /tmp/rules.debug
rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
pass in quick on em1 proto tcp from any to !(em1) port {80,443,3128,3127} flags S/SA keep state

I've opened a redmine for it, so core team can check this issue

jeepster

marcelloc

I ran into a small problem after following your steps
"(squid-1): Cannot open '/var/squid/logs/access.log' for writing. The parent directory must be writeable by the user 'proxy', which is the cache_effective_user set in squid.conf." 
I was able to 'monkey' around with winscp to change permissions, not sure what I did but got past that. What would be the correct way of 'doing it right'

transparent proxy still not working, under the real time tab this is what I see

09.01.2015 09:27:24	192.168.1.2	TCP_MISS/403	http://yahoo.com/favicon.ico	-	127.0.0.1
09.01.2015 09:27:24	127.0.0.1	TCP_DENIED/403	http://yahoo.com/favicon.ico	-	-
09.01.2015 09:27:24	192.168.1.2	TCP_MISS/403	http://www.squid-cache.org/Artwork/SN.png	-	127.0.0.1
09.01.2015 09:27:24	127.0.0.1	TCP_DENIED/403	http://www.squid-cache.org/Artwork/SN.png	-	-

grep 3128 /tmp/rules.debug
rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
pass in quick on em1 proto tcp from any to !(em1) port {80,3128} flags S/SA keep state

This seems to be fixed with the latest build 2.2-RC (amd64) built on Fri Jan 09 01:08:06 CST 2015

ldd /usr/local/sbin/check_reload_status
/usr/local/sbin/check_reload_status:
        libsbuf.so.6 => /lib/libsbuf.so.6 (0x80084c000)
        libevent-2.0.so.5 => /usr/local/lib/libevent-2.0.so.5 (0x800a4f000)
        libc.so.7 => /lib/libc.so.7 (0x800c91000)
        libthr.so.3 => /lib/libthr.so.3 (0x801023000)

thanks for the steps, I'm learning a lot

marcelloc

@jeepster:

transparent proxy still not working, under the real time tab this is what I see

09.01.2015 09:27:24	192.168.1.2	TCP_MISS/403	http://yahoo.com/favicon.ico	-	127.0.0.1
09.01.2015 09:27:24	127.0.0.1	TCP_DENIED/403	http://yahoo.com/favicon.ico	-	-
09.01.2015 09:27:24	192.168.1.2	TCP_MISS/403	http://www.squid-cache.org/Artwork/SN.png	-	127.0.0.1
09.01.2015 09:27:24	127.0.0.1	TCP_DENIED/403	http://www.squid-cache.org/Artwork/SN.png	-	-

fetch squid34_pfsense22.tar again. I've changed a compile option to include only pf transparent proxy.

remove squid package and reinstall it

pkg delete squid-3.4.10_2

pkg add squid-3.4.10_2.txz

jeepster

marcelloc, it appears to be working now, websites are loading and the log looks back to normal - thanks!!

Pakken

Talking about transparent proxy, latest 0.2.2 package works on Pfsense 2.2RC.

I still can't get squid 3 reverse to work, which is basically the main reason why I'm using squid3.
Same settings on 2.1.5 work like a charm.

Thank you for all the efforts you are putting in fixing this.

/chapeau!

Cino

I haven't tried reverse proxy yet which is another feature I use from squid but I start-up another instance of squid using a conf i've created. For me, it keeps the logs separate since I use proxy for logging with lightsquid.

Anything in your system or squid logs that could pin point the issue?

Pakken

Nothing particular that could point me in the right direction so far.
To be fairly honest, I didn't test it like it should be so can't say much so far.

From what I've seen it will always try to forward pfsense webgui on the external FQDN, regardless of what you've set on the backend servers/redirets/mappings etc.

Again, I doubt it's a matter of settings since the same net, same webservers and so on are working right now on 2.1.5.
Will try to provide you some more informations as soon as I can.
Cheers ;)

Cino

just a wild guess, compare your advanced settings under system. I think you have to disable the web GUI redirect

trouserless

@jeepster:

marcelloc, it appears to be working now, websites are loading and the log looks back to normal - thanks!!

I'm not having as much luck unfortunately.  I've updated to the latest pfsense 2.2 release, removed squid3 package, recursively deleted /var/squid and re-installed squid3 and it is not working properly.  With transparent proxy enabled it is passing http traffic (vs. error pages before) but the access.log is empty (not created actually) and the cache.log has a single entry in it from the installation:

2015/01/10 12:24:58 kid1| Creating missing swap directories

am I missing something here?  I'm not running squidGuard or havp in conjunction with this, just attempting squid3 in transparent mode.

Cino

Check the folder permissions for /var/squid/logs. Make sure it's set to proxy:proxy. I ran into this earlier on my test box. After correcting the permissions, the access.log was created and started to log entries. I don't use transparent mode, but I don't think its related.

jeepster

trouserless, install squid package from pfsense gui - 3.4.10_2 pkg 0.2.2 its been updated tp working. Once I configured the settings I had to stop and restart the service to get it going

Pakken

@Cino:

just a wild guess, compare your advanced settings under system. I think you have to disable the web GUI redirect

That's the first thing I've checked.
The reverse proxy part seems to be broken, at least for me, at the moment.

trouserless

@Cino:

Check the folder permissions for /var/squid/logs. Make sure it's set to proxy:proxy. I ran into this earlier on my test box. After correcting the permissions, the access.log was created and started to log entries. I don't use transparent mode, but I don't think its related.

tried that and it is proxy:proxy

$ ls -la /var/squid/logs
total 24
drwxr-xr-x  2 proxy  proxy  512 Jan 10 12:43 .
drwxr-xr-x  6 root   wheel  512 Jan 10 12:24 ..
-rw-r-----  1 proxy  proxy    0 Jan 10 12:43 access.log
-rw-r-----  1 proxy  proxy  518 Jan 10 13:34 cache.log

I checked the cache.log because it had grown and found:

$ cat /var/squid/logs/cache.log
2015/01/10 12:24:58 kid1| Creating missing swap directories
2015/01/10 12:43:37 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.0...
2015/01/10 12:43:38 kid1| /var/run/squid.pid: (1) Operation not permitted
2015/01/10 12:43:38 kid1| WARNING: Could not write pid file
2015/01/10 13:33:55 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.0...
2015/01/10 13:33:56 kid1| /var/run/squid.pid: (1) Operation not permitted
2015/01/10 13:33:56 kid1| WARNING: Could not write pid file

I checked the /var/run directory is owned by root:wheel which looks proper.

One other bit of strangeness is that I no longer have access via ssh (I'm using the command prompt feature for the above troubleshooting).  I goto the services page and sshd is showed as stopped.  I try and start it and it does not.  It worked before and it is enabled via the GUI toggle.  I checked system logs and nothing about sshd.  Is anyone else seeing this issue with sshd?  Thanks for the help/ideas Cino (and others)

akvadrat

Are you using the official pbi from http://files.pfsense.org/packages/10/All/ now (i.e via pfsense GUI) or are you still using the manual method?
I noticed that there just have been an update to the pbi and curious to see if works the "official way" now.
squid-3.4.10_2-amd64.pbi, 09-Jan-2015 20:25
Would try it myself but I not at home this weekend…

Cino

I think I figured out the issue with squid.pid… Well at least a workaround for now. This is for the pbi install of 3.4.10_2 pkg 0.2.2 only

I installed a fresh copy of 2.2 amd64...  And I noticed this in my log when I would save the squid config

Jan 10 20:52:24 	check_reload_status: Reloading filter
Jan 10 20:52:24 	php-fpm[53753]: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf' returned exit code '1', the output was 'squid: ERROR: No running copy'
Jan 10 20:52:24 	php-fpm[53753]: /pkg_edit.php: Reloading Squid for configuration sync
Jan 10 20:52:20 	php-fpm[53753]: /pkg_edit.php: [Squid] - Squid_resync function call pr:1 bp: rpc:no
Jan 10 20:52:20 	check_reload_status: Reloading filter
Jan 10 20:52:20 	check_reload_status: Syncing firewall
Jan 10 20:52:20 	php-fpm[53753]: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf' returned exit code '1', the output was 'squid: ERROR: No running copy'
Jan 10 20:52:20 	php-fpm[53753]: /pkg_edit.php: Reloading Squid for configuration sync
Jan 10 20:52:16 	php-fpm[53753]: /pkg_edit.php: [Squid] - Squid_resync function call pr:1 bp: rpc:no
Jan 10 20:51:33 	squid[58129]: Squid Parent: (squid-1) process 58656 started
Jan 10 20:51:33 	squid[58129]: Squid Parent: will start 1 kids
Jan 10 20:51:33 	php-fpm[51398]: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was 'squid: No running copy'
Jan 10 20:51:17 	syslogd: kernel boot file is /boot/kernel/kernel

I checked to see if its running and it is. Paths are a little off but its running

proxy   11491  24.0  1.3 112428 26212  -  S     8:50PM   0:00.18 (squid-1) -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf (squid)
root    10590  21.0  0.7  71468 13908  -  Ss    8:50PM   0:00.00 /usr/local/sbin/squid -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf
root    19788   0.0  0.1  18884  2384  0  S+    8:50PM   0:00.00 grep squid

I then did a search for squid.pid "find /-name squid.pid" It came up empty.. This is bad, because the reconfigure/rotate commands wont be able to hook into the process that is running.

I then ran squid -v and noticed its compiled with option '–with-pidfile=/var/run/squid/squid.pid' but the config file is using /var/run/squid.pid. Is this the reason?
Probably not, thinking it has to be a permission issue, where squid can't create its own pid since its run as user proxy

Here is my workaround until it can be fix in the pbi/package itself

run the following from cmdline

mkdir /var/run/squid
chown proxy:wheel /var/run/squid
chmod 777 /var/run/squid  #not ideal but it works for now

Edit file /usr/local/pkg/squid.inc

On line 943 you will find $pidfile = "{$g['varrun_path']}/squid.pid";  change it to:

	$pidfile = "{$g['varrun_path']}/squid/squid.pid";

Now killall squid or stop the squid service.. Click on Save within the Squid GUI and you should have a /var/run/squid/squid.pid

Click Save again and the timestamp should change for the pid file.

Hope this help!

edit:
bug report
https://redmine.pfsense.org/issues/4196

trouserless

@Cino:

Here is my workaround until it can be fix in the pbi/package itself

run the following from cmdline

mkdir /var/run/squid
chown proxy:wheel /var/run/squid
chmod 777 /var/run/squid  #not ideal but it works for now

Edit file /usr/local/pkg/squid.inc

On line 943 you will find $pidfile = "{$g['varrun_path']}/squid.pid";  change it to:

	$pidfile = "{$g['varrun_path']}/squid/squid.pid";

Now killall squid or stop the squid service.. Click on Save within the Squid GUI and you should have a /var/run/squid/squid.pid

Click Save again and the timestamp should change for the pid file.

Hope this help!

edit:
bug report
https://redmine.pfsense.org/issues/4196

I followed this and it now works with the most recent 2.2RC.  Thanks so much Cino - funny how the missing PID file would cause such strange behavior.

Additionally the sshd service now works with this mornings 2.2RC update.  It is now echoing ssh debug messages to the console which it was not doing before:

debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1

I'll look around to see what that is.

Thanks again Cino

Pakken

@Pakken:

Nothing particular that could point me in the right direction so far.
To be fairly honest, I didn't test it like it should be so can't say much so far.

From what I've seen it will always try to forward pfsense webgui on the external FQDN, regardless of what you've set on the backend servers/redirets/mappings etc.

Again, I doubt it's a matter of settings since the same net, same webservers and so on are working right now on 2.1.5.
Will try to provide you some more informations as soon as I can.
Cheers ;)

Quoting myself, anyone tried Squid's reverse proxy within the new 0.2.2 package yet?

Cino

Have you tried the squid.pid workaround yet? Could be related since squid can't reconfigure itself. Don't have time right now but I'll try a simple redirect setup and see if it works.