Squid3 can't find libmd5.so.0
-
I think I figured out the issue with squid.pid… Well at least a workaround for now. This is for the pbi install of 3.4.10_2 pkg 0.2.2 only
I installed a fresh copy of 2.2 amd64... And I noticed this in my log when I would save the squid config
Jan 10 20:52:24 check_reload_status: Reloading filter Jan 10 20:52:24 php-fpm[53753]: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf' returned exit code '1', the output was 'squid: ERROR: No running copy' Jan 10 20:52:24 php-fpm[53753]: /pkg_edit.php: Reloading Squid for configuration sync Jan 10 20:52:20 php-fpm[53753]: /pkg_edit.php: [Squid] - Squid_resync function call pr:1 bp: rpc:no Jan 10 20:52:20 check_reload_status: Reloading filter Jan 10 20:52:20 check_reload_status: Syncing firewall Jan 10 20:52:20 php-fpm[53753]: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf' returned exit code '1', the output was 'squid: ERROR: No running copy' Jan 10 20:52:20 php-fpm[53753]: /pkg_edit.php: Reloading Squid for configuration sync Jan 10 20:52:16 php-fpm[53753]: /pkg_edit.php: [Squid] - Squid_resync function call pr:1 bp: rpc:no Jan 10 20:51:33 squid[58129]: Squid Parent: (squid-1) process 58656 started Jan 10 20:51:33 squid[58129]: Squid Parent: will start 1 kids Jan 10 20:51:33 php-fpm[51398]: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was 'squid: No running copy' Jan 10 20:51:17 syslogd: kernel boot file is /boot/kernel/kernelI checked to see if its running and it is. Paths are a little off but its running
proxy 11491 24.0 1.3 112428 26212 - S 8:50PM 0:00.18 (squid-1) -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf (squid) root 10590 21.0 0.7 71468 13908 - Ss 8:50PM 0:00.00 /usr/local/sbin/squid -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf root 19788 0.0 0.1 18884 2384 0 S+ 8:50PM 0:00.00 grep squidI then did a search for squid.pid "find /-name squid.pid" It came up empty.. This is bad, because the reconfigure/rotate commands wont be able to hook into the process that is running.
I then ran squid -v and noticed its compiled with option '–with-pidfile=/var/run/squid/squid.pid' but the config file is using /var/run/squid.pid. Is this the reason?
Probably not, thinking it has to be a permission issue, where squid can't create its own pid since its run as user proxyHere is my workaround until it can be fix in the pbi/package itself
run the following from cmdline
mkdir /var/run/squid chown proxy:wheel /var/run/squid chmod 777 /var/run/squid #not ideal but it works for nowEdit file /usr/local/pkg/squid.inc
On line 943 you will find $pidfile = "{$g['varrun_path']}/squid.pid"; change it to:
$pidfile = "{$g['varrun_path']}/squid/squid.pid";Now killall squid or stop the squid service.. Click on Save within the Squid GUI and you should have a /var/run/squid/squid.pid
Click Save again and the timestamp should change for the pid file.
Hope this help!
edit:
bug report
https://redmine.pfsense.org/issues/4196 -
Here is my workaround until it can be fix in the pbi/package itself
run the following from cmdline
mkdir /var/run/squid chown proxy:wheel /var/run/squid chmod 777 /var/run/squid #not ideal but it works for nowEdit file /usr/local/pkg/squid.inc
On line 943 you will find $pidfile = "{$g['varrun_path']}/squid.pid"; change it to:
$pidfile = "{$g['varrun_path']}/squid/squid.pid";Now killall squid or stop the squid service.. Click on Save within the Squid GUI and you should have a /var/run/squid/squid.pid
Click Save again and the timestamp should change for the pid file.
Hope this help!
edit:
bug report
https://redmine.pfsense.org/issues/4196I followed this and it now works with the most recent 2.2RC. Thanks so much Cino - funny how the missing PID file would cause such strange behavior.
Additionally the sshd service now works with this mornings 2.2RC update. It is now echoing ssh debug messages to the console which it was not doing before:
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1I'll look around to see what that is.
Thanks again Cino
-
Nothing particular that could point me in the right direction so far.
To be fairly honest, I didn't test it like it should be so can't say much so far.From what I've seen it will always try to forward pfsense webgui on the external FQDN, regardless of what you've set on the backend servers/redirets/mappings etc.
Again, I doubt it's a matter of settings since the same net, same webservers and so on are working right now on 2.1.5.
Will try to provide you some more informations as soon as I can.
Cheers ;)Quoting myself, anyone tried Squid's reverse proxy within the new 0.2.2 package yet?
-
Have you tried the squid.pid workaround yet? Could be related since squid can't reconfigure itself. Don't have time right now but I'll try a simple redirect setup and see if it works.
-
Installed from GUI today and can confirm it works for me as well (transparent proxy included). No need for the 'ln-fix' for the libs and etc dirs, the pid-file issue is however a there but it can be solved with the workaround from Cino (though I didn´t do the chmod:ing since it didn´t seemed to be needed).
-
Installed from GUI today and can confirm it works for me as well (transparent proxy included). No need for the 'ln-fix' for the libs and etc dirs, the pid-file issue is however a there but it can be solved with the workaround from Cino (though I didn´t do the chmod:ing since it didn´t seemed to be needed).
it wouldn't create the pid for me… i'll knock it down to 755 and try it again
-
Nothing particular that could point me in the right direction so far.
To be fairly honest, I didn't test it like it should be so can't say much so far.From what I've seen it will always try to forward pfsense webgui on the external FQDN, regardless of what you've set on the backend servers/redirets/mappings etc.
Again, I doubt it's a matter of settings since the same net, same webservers and so on are working right now on 2.1.5.
Will try to provide you some more informations as soon as I can.
Cheers ;)Quoting myself, anyone tried Squid's reverse proxy within the new 0.2.2 package yet?
I did a basic setup and I'm able to get 'Unable to forward this request at this time.' error… The way I have my test VM setup, it wont be able to send to any external servers... What I did notice is that it couldn't bind to port 80. I was able to change the port to 9080 and it was able to bind with it. So I think its working but something is preventing it from binding with port 80. My normal practice for reverse proxy is setup a WAN NAT Port 80 redirect it to loopback:9080. Have a reverse proxy listen to loopback:9080... Maybe something like that will work for you?
Noticed this in the squid.log
2015/01/11 18:51:15 kid1| commBind: Cannot bind socket FD 35 to 192.168.0.70:80: (13) Permission denied
2015/01/11 18:51:15 kid1| commBind: Cannot bind socket FD 36 to 192.168.120.128:80: (13) Permission denied -
Fiddled around with Squid again, and it seemed the PID issue Cino described also affected my configuration; the pid was not present.
It was necessary to drop permissions to 755 to make Cino's fix work.Now the pid file is being created, but it's only a step further because another issue popped up:
2015/01/12 01:09:47 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.0... 2015/01/12 01:09:48| pinger: Initialising ICMP pinger ... 2015/01/12 01:09:48| icmp_sock: (1) Operation not permitted 2015/01/12 01:09:48| pinger: Unable to start ICMP pinger. 2015/01/12 01:09:48| icmp_sock: (1) Operation not permitted 2015/01/12 01:09:48| pinger: Unable to start ICMPv6 pinger. 2015/01/12 01:09:48| FATAL: pinger: Unable to open any ICMP sockets.Did the chmod 755 on the pinger, but it yielded no positive result.
Squid appears to be running, but still not transparent.
I must admit that the multiple issues with this package really got me going in circles.Cheers.
-
Nothing particular that could point me in the right direction so far.
To be fairly honest, I didn't test it like it should be so can't say much so far.From what I've seen it will always try to forward pfsense webgui on the external FQDN, regardless of what you've set on the backend servers/redirets/mappings etc.
Again, I doubt it's a matter of settings since the same net, same webservers and so on are working right now on 2.1.5.
Will try to provide you some more informations as soon as I can.
Cheers ;)Quoting myself, anyone tried Squid's reverse proxy within the new 0.2.2 package yet?
I did a basic setup and I'm able to get 'Unable to forward this request at this time.' error… The way I have my test VM setup, it wont be able to send to any external servers... What I did notice is that it couldn't bind to port 80. I was able to change the port to 9080 and it was able to bind with it. So I think its working but something is preventing it from binding with port 80. My normal practice for reverse proxy is setup a WAN NAT Port 80 redirect it to loopback:9080. Have a reverse proxy listen to loopback:9080... Maybe something like that will work for you?
Noticed this in the squid.log
2015/01/11 18:51:15 kid1| commBind: Cannot bind socket FD 35 to 192.168.0.70:80: (13) Permission denied
2015/01/11 18:51:15 kid1| commBind: Cannot bind socket FD 36 to 192.168.120.128:80: (13) Permission deniedThank you for those infos. :)
I've usually never set up a NAT rule to make reverse proxy work properly.
All I had to do was pulling out a wan rule with destination wan address on port 80/443, and everything was ready to go.
That's pretty strange. Will see what I can get out of it.
Cheers! -
it wouldn't create the pid for me… i'll knock it down to 755 and try it again
It was necessary to drop permissions to 755 to make Cino's fix work.
Hm.. do we have different umask? Strange that you would have to change the permissions otherwise..
Mine is 0022 anyway. -
Hi guys.
The /var/run/squid issue pointed by cino will be fixed on next package update
The Cannot bind socket FD 30 to 192.168.1.1:443: (13) Permission denied on reverse proxy maybe related to this
https://www.freebsd.org/doc/handbook/mac-policies.htmlFor now, listen squid on high ports and nat it too 80,443 until I find a way to workaround it.To fix it without mac-policies, edit net.inet.ip.portrange.first system tunable(system advanced menu) option from 1024 to 0.
After config option change, stop and start squid.
-
Thanks Marcelloc!!!
Do you think the below error could also be related to the permissions of the user?
2015/01/12 01:09:47 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.0... 2015/01/12 01:09:48| pinger: Initialising ICMP pinger ... 2015/01/12 01:09:48| icmp_sock: (1) Operation not permitted 2015/01/12 01:09:48| pinger: Unable to start ICMP pinger. 2015/01/12 01:09:48| icmp_sock: (1) Operation not permitted 2015/01/12 01:09:48| pinger: Unable to start ICMPv6 pinger. 2015/01/12 01:09:48| FATAL: pinger: Unable to open any ICMP sockets. -
Do you think the below error could also be related to the permissions of the user?
I'll try to test it too.
BTW, you can disable icmp pinger on squid config options.
-
Marcelloc, do you have any tips how we can troubleshoot the transparent proxy issue?
Cheers.
-
Marcelloc, do you have any tips how we can troubleshoot the transparent proxy issue?
Transparent proxy is working on my tests…
-
Marcelloc, do you have any tips how we can troubleshoot the transparent proxy issue?
Transparent proxy is working on my tests…
This is strange - I've updated to the latest 2.2RC as of 1/13/15 and I still have to create the /var/run/squid directory, change perms and chmod it in order to get squid3 to work. I've also noticed that once this starts running for a little while my load average climbs very high. I have an 8-core atom (c2758) and it scales to over 13x load average. When running top it shows either the squid or proxy user running 12 instances of .pbirun with WCPU evenly divided between the process (~8-9% each totally just shy of 100%). The proxy is working - the only other CPU intensive process is snort (and that is barley using any CPU according to top).
Anyone else see this?
-
This is strange - I've updated to the latest 2.2RC as of 1/13/15 and I still have to create the /var/run/squid directory, change perms and chmod it in order to get squid3 to work.
The new PBIs for squid haven't been build yet.
from https://files.pfsense.org/packages/10/All/
squid-3.4.10_2-amd64.pbi 09-Jan-2015 20:25 19231214 squid-3.4.10_2-amd64.pbi.sha256 09-Jan-2015 20:25 65 squid-3.4.10_2-i386.pbi 09-Jan-2015 20:45 18317590 squid-3.4.10_2-i386.pbi.sha256 09-Jan-2015 20:45 65 -
wait pkg version bump (maybe 0.2.3)…
-
0.2.3 package version is out! :)
https://github.com/pfsense/pfsense-packages/pull/786
-
0.2.3 package version is out! :)
https://github.com/pfsense/pfsense-packages/pull/786
Awesome!! You da the man!
I'm installing on a fresh amd64 install and will let you know if I run into any problems.
