Squid 3.4.9 no traffic in transparent mode.



  • This has me going all night.

    Just updated from Squid dev 3.3 to Squid 3.4.9, update went smooth, no errors.
    Squid starts ok, but only works when leaving it as "non-transparent" and pointing the browser to port 3128 on the server.
    I can see the access logs getting populated, and there are no errors in Squid's cache log.

    But as soon as I check the "transparent proxy" check box, browsing stops and I get errors like "Empty reply" or "No socket".
    It seems that there is a problem with the automatically created rules in the firewall part, better said I suspect they are not being created.
    The firewall doesn't log anything strange, blocked or otherwise.

    Are there any steps I can take to troubleshoot this issue?     
    PfSense is at the latest RC.

    Cheers.



  • Is there something that I can do to troubleshoot this?
    Can the hidden firewall rules be viewed in any form?

    Cheers.



  • SSH in and run:

    pfctl -sr



  • Thank you for your help KOM, I ran the command before enabling transparent proxy and after.
    After enabling the transparent proxy, rules are being created:

    pass in quick on igb0_vlan32 proto tcp from any to ! (igb0_vlan32) port = http flags S/SA keep state
    pass in quick on igb1 proto tcp from any to ! (igb1) port = http flags S/SA keep state
    pass in quick on igb0_vlan60 proto tcp from any to ! (igb0_vlan60) port = http flags S/SA keep state
    pass in quick on igb0_vlan31 proto tcp from any to ! (igb0_vlan31) port = http flags S/SA keep state
    pass in quick on igb0_vlan33 proto tcp from any to ! (igb0_vlan33) port = http flags S/SA keep state
    pass in quick on igb0_vlan10 proto tcp from any to ! (igb0_vlan10) port = http flags S/SA keep state
    pass in quick on igb0_vlan20 proto tcp from any to ! (igb0_vlan20) port = http flags S/SA keep state
    pass in quick on igb0_vlan40 proto tcp from any to ! (igb0_vlan40) port = http flags S/SA keep state
    pass in quick on igb0_vlan50 proto tcp from any to ! (igb0_vlan50) port = http flags S/SA keep state
    pass in quick on igb0_vlan32 proto tcp from any to ! (igb0_vlan32) port = 3128 flags S/SA keep state
    pass in quick on igb1 proto tcp from any to ! (igb1) port = 3128 flags S/SA keep state
    pass in quick on igb0_vlan60 proto tcp from any to ! (igb0_vlan60) port = 3128 flags S/SA keep state
    pass in quick on igb0_vlan31 proto tcp from any to ! (igb0_vlan31) port = 3128 flags S/SA keep state
    pass in quick on igb0_vlan33 proto tcp from any to ! (igb0_vlan33) port = 3128 flags S/SA keep state
    pass in quick on igb0_vlan10 proto tcp from any to ! (igb0_vlan10) port = 3128 flags S/SA keep state
    pass in quick on igb0_vlan20 proto tcp from any to ! (igb0_vlan20) port = 3128 flags S/SA keep state
    pass in quick on igb0_vlan40 proto tcp from any to ! (igb0_vlan40) port = 3128 flags S/SA keep state
    pass in quick on igb0_vlan50 proto tcp from any to ! (igb0_vlan50) port = 3128 flags S/SA keep state
    

    But, browsing is still not possible when transparent proxy enabled. Only https loads fine, because it doesn't go through the proxy.
    HTTP traffic shows "empty reply" or "no socket" so it seems to be a Squid issue after all.
    Could I have overlooked something?
    I have Squid binding to all vlan interfaces. Not to localhost (didn't work).

    Edit:
    This is what Squid's realtime monitor shows on the GUI:

    12.12.2014 16:00:01	192.168.10.4	TAG_NONE/400	/squid_monitor_data.php	-	-
    12.12.2014 16:00:01	192.168.10.4	TAG_NONE/400	/squid_monitor_data.php	-	-
    12.12.2014 16:00:00	192.168.10.4	TAG_NONE/400	/squid_monitor_data.php	-	-
    12.12.2014 16:00:00	192.168.10.4	TAG_NONE/400	/squid_monitor_data.php	-	-
    12.12.2014 15:59:59	192.168.10.4	TAG_NONE/400	/squid_monitor_data.php	-	-
    12.12.2014 15:59:59	192.168.10.4	TAG_NONE/400	/squid_monitor_data.php	-	-
    12.12.2014 15:59:59	192.168.10.5	TAG_NONE/400	/pulse?authon&user=F127E5691F260DA87C2C31E30EE741ED&url_heartbeat=1,0,9,9,0&db_conn=1,0,0,0,0	-	-
    12.12.2014 15:59:57	192.168.10.4	TAG_NONE/400	/squid_monitor_data.php	-	-
    12.12.2014 15:59:57	192.168.10.4	TAG_NONE/400	/squid_monitor_data.php	-	-
    

    Cheers.



  • Maybe you should post your Services - Proxy server - General screenshot.  You have validated all your settings to make sure the upgrade didn't reset them?



  • The only two events that could have caused the issue are:

    • Squid 3.3-dev was installed and when upgrading to 3.4.9 I didn't uninstall the old package. My impression was it would just replace 3.3 dev, but
      it turned out that they got installed BOTH.
      I since uninstalled both versions and installed only 3.4.9, but the issue remains.

    • I had previously applied a workaround to get Squid 3.3 dev working, copying some files. There may be some leftovers, but I could not find them.
      This was the previous fix:

    cd /usr/pbi/squid-amd64/
    cp -r ./local/* /usr/local/
    rm -rf ./local
    ln -s /usr/local ./local
    sync
    squid
    

    Here are the settings on Squid General, note that transparent proxy is disabled at the moment, ssl filtering is disabled also.

    Cheers.



  • Settings look good.  I've seen cases where after uninstalling squid, you had to shell in and manually rm -r /var/squid, but I don't remember exactly and I can't check at the moment.



  • I've just totally cleared out all Squid traces, installed Squid 3.4.9.
    Created one symlink to get rid of mime.cfg error, and Squid started.

    Still no browsing in transparent mode, browser returned: ERR_SOCKET_NOT_CONNECTED.
    Perhaps there is an old redirect to Squidguard and that's why it won't load pages.
    Just guessing, I'm out of options.

    Cheers.



  • I have the same problem.
    "squid -v" gives the configure options. Among them are:
    '--disable-ipf-transparent' '--disable-ipfw-transparent' '--disable-pf-transparent'
    Can this explain the problem?



  • @firstzerg:

    I have the same problem.
    "squid -v" gives the configure options. Among them are:
    '--disable-ipf-transparent' '--disable-ipfw-transparent' '--disable-pf-transparent'
    Can this explain the problem?

    If these options are set, surely it will affect transparent proxy. Going to read up on those options, if this proves to be true the only thing we can do is roll back to a
    previous version, or the devs may need to update the Squid package.

    Cheers.



  • Definitely a problem with the package. Read here for intercept not working on 3.4.x:

    https://forums.freebsd.org/threads/transparent-proxy-with-squid33-and-pf.48038/
    

    As this affects transparent proxy on PfSense, the next thing to do is submitting a bug report.
    If the above is not correct, please feel free to comment, else I'm off to fill in the bug report.

    Cheers.



  • @Escorpiom:

    Definitely a problem with the package. Read here for intercept not working on 3.4.x:

    https://forums.freebsd.org/threads/transparent-proxy-with-squid33-and-pf.48038/
    

    As this affects transparent proxy on PfSense, the next thing to do is submitting a bug report.
    If the above is not correct, please feel free to comment, else I'm off to fill in the bug report.

    Cheers.

    I am experiencing the same problem with transparent squid3 on the latest 2.2-RC.  I ran the squid -v and saw the same compile flags mentioning disabling transparent proxy.  I have just finished a re-install with the latest RC to see if my efforts to troubleshoot screwed up squid3, but no luck.

    Escorpiom, if you are filing a bug for this, can you also add the changes necessary to get squid3 to run in non-transparency mode?  The user HMH had posted the necessary symlinks to resolve some missing libraries:

    ln -s /lib/libmd.so.6 /usr/lib/libmd5.so.0
    ln -s /usr/pbi/squid-amd64/local/etc/squid /usr/local/etc/squid
    ln -s /usr/pbi/squid-amd64/local/libexec/squid /usr/local/libexec/squid
    

    adjusting amd64 for i386 as necessary.  I had to set these links in versions prior to the RC and also with the latest RC this afternoon.



  • Just got to the bottom of this.
    This Squid package for 2.2RC is not built correctly and actually it's quite sloppy.

    Three errors:

    • Package needs to be compiled with "--enable-pf-transparent" as pointed out by firstzerg
    • Use the "tproxy" directive to be a completely transparent proxy
    • Instead of port 3128, use port 3129 for intercepted traffic.

    Details can be found here:

    http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
    

    If Squid 3.4.9 is a beta package you may as well remove it from the list, because it definitely doesn't work.

    Cheers.



  • @Escorpiom:

    Just got to the bottom of this.
    This Squid package for 2.2RC is not built correctly and actually it's quite sloppy.

    Three errors:

    • Package needs to be compiled with "--enable-pf-transparent" as pointed out by firstzerg
    • Use the "tproxy" directive to be a completely transparent proxy
    • Instead of port 3128, use port 3129 for intercepted traffic.

    Details can be found here:

    http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
    

    If Squid 3.4.9 is a beta package you may as well remove it from the list, because it definitely doesn't work.

    Cheers.

    The nov 25th build seemed to work fine, if you figure out how to get it installed let me know
    https://files.pfsense.org/packages/10/All/

    squid-3.4.9 works
    squid-3.3.11_1 works

    squid-3.4.9_1 broken
    squid-3.3.13_2 broken



  • Sorry but so far I did the troubleshooting and it's a confirmed problem with the package.
    I'm fairly new here and maybe I misunderstand the priorities of the devs, or maybe Squid is not an essential PFSense component.

    Anyway I do not feel we have to fiddle around with packages that are broken or have install issues, simple request: If it isn't finished just don't release it.
    Don't let people sort things out on their own without even commenting on issues.

    Bug report created:

    https://redmine.pfsense.org/issues/4114
    

    Cheers.



  • squid3-dev 3.3.13_2 is now working in transparent mode.

    I installed 12/20 RC build and then performed a clean install of squid3-dev.  When I first enabled transparent mode, it failed.  I left it configured for transparent mode and simply rebooted the firewall.  When it came up, it all works (verified by real time tab).

    I will see if the simple reboot works for the squid3 3.4.9_1 package later when I can reboot router without impacting users.



  • Yes, 3.3.13 works.
    Sadly I'm in the same boat, it's not possible to experiment without causing trouble for my users.
    I'll test stuff after midnight.

    A few days ago there was a second package released for Squid 3.4.9, but that one still won't work for transparent proxy.
    Also tried creating a rule to intercept port 80 traffic and redirect to port 3128 or port 3129, but Squid didn't pick it up.
    This makes me believe that there may be other issues besides transparent proxy not working.

    Cheers.



  • I have found that every time I do a firmware update on the 2.2 RC builds, I have to re-install the squid 2.7.9 pkg v.4.3.6 package, and then all is well. Settings are still the same; just refresh the package install. Otherwise I am unable to surf the web! I have no special settings, pretty much basic and in transparent mode!



  • I've just made some more tests with Squid 3.4.9.
    As transparent proxy doesn't work, it would be possible to create NAT rules to redirect traffic to Squid.
    Setting the browser config to use the proxy on port 3128 works, so redirect port 80 to port 3128 should work just fine…

    Not so. I found that Squid somehow strips the "http" part, resulting in an "invalid url".
    This is the output from the access log:

    192.168.31.27 TAG_NONE/400 3555 GET /?host=m.telegraaf.nl&hdn=%2FhmMlNFJ%2FfNLigi3ZtUwuQ%3D%3D - HIER_NONE/- text/html
    1419307530.384      0 192.168.31.27 TAG_NONE/400 3551 GET /article/23484473/skiester-14-zwaargewond-door-botsing-tirol - HIER_NONE/- text/html
    

    The NAT redirect rule however works fine. It's Squid that somehow doesn't know how to process redirected traffic.
    So in short, I still haven't got a clue.

    Cheers.



  • Today the Squid package was updated to 3.4.10.
    Issues still remain, it is not possible to redirect traffic by means of a NAT rule, the error persists:

    "invalid URL".

    Cheers.

    Edit:
    Activating the transparent proxy option now yields a different error instead of "no traffic received", observe the pic:



  • Today's update did not resolve the issues with transparent proxy.
    Manually redirecting traffic to port 3128 still doesn't work, the above described issue persists.

    Cheers.



  • @Escorpiom:

    Today's update did not resolve the issues with transparent proxy.
    Manually redirecting traffic to port 3128 still doesn't work, the above described issue persists.

    Cheers.

    squid3 beta 3.4.10_2 pkg 0.2.1 has the --enable-pf-transparent compilation flag…
    but now there are other problems:

    no libecap.so.2 in the path variable
    this helped me:

    ln -s /lib/libmd.so.6 /usr/lib/libmd5.so.0
    ln -s /usr/pbi/squid-amd64/local/lib/libecap.so.2 /usr/lib/libecap.so.2
    ln -s /usr/pbi/squid-amd64/local/etc/squid /usr/local/etc/squid
    ln -s /usr/pbi/squid-amd64/local/libexec/squid /usr/local/libexec/squid
    

    with transparent requests in access.log looks like this:

    1420270719.456      0 127.0.0.1 TCP_DENIED/403 4169 GET http://google.com/ - HIER_NONE/- text/html
    1420270719.456      1 192.168.56.9 TCP_MISS/403 4271 GET http://google.com/ - ORIGINAL_DST/127.0.0.1 text/html
    

    I have no idea why squid blocks localhost and why there are two requests.
    Other sources suggest to redirect through ipfw… but pfSense is not working with ipfw.

    P.S. Sorry for my english  :)
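As an added example (not code from this thread, from pfSense or from Squid), here is a small Python checker for the two access.log symptoms posted above: the origin-form GET lines that log TAG_NONE/400 "Invalid URL" when intercepted traffic reaches a plain http_port, and the ORIGINAL_DST/127.0.0.1 pair where the redirected request is handed straight back to Squid and denied. The sample log lines are constructed from the entries in this thread; the proxy address 127.0.0.1 and the HIER_DIRECT peer 192.0.2.10 are assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Field layout of Squid's native access.log ("squid" logformat):
# time elapsed client result/status bytes method url ident hier/peer type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one native-format line into named fields; None if it does not
    match (realtime-monitor rows, blank lines, other logformats)."""
    m = NATIVE_RE.match(line.strip())
    return m.groupdict() if m else None


def url_lacks_origin(url: str) -> bool:
    """True when the logged request target has no scheme/host: Squid got an
    origin-form path ('/article/...') on a port expecting forward-proxy
    absolute URLs, which is the 'Invalid URL' / TAG_NONE/400 symptom."""
    if url.startswith("/"):
        return True
    parts = urlsplit(url)
    return not (parts.scheme and parts.netloc)


def diagnose(lines: List[str], proxy_addrs=("127.0.0.1",)) -> dict:
    """Flag the two misconfiguration patterns seen in this thread."""
    report = {"parsed": 0, "path_only": [], "self_bounce": []}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        report["parsed"] += 1
        if e["status"] == "400" and url_lacks_origin(e["url"]):
            report["path_only"].append((e["client"], e["url"]))
        # ORIGINAL_DST equal to the proxy's own address means the redirect
        # handed the request straight back to Squid (the 127.0.0.1 pair above)
        if e["hier"] == "ORIGINAL_DST" and e["peer"] in proxy_addrs:
            report["self_bounce"].append((e["client"], e["url"]))
    return report


# Constructed sample lines modelled on the entries posted in this thread
# (timestamps and the HIER_DIRECT peer 192.0.2.10 are made up).
SAMPLE_LOG = [
    "1419307530.384      0 192.168.31.27 TAG_NONE/400 3551 GET /article/23484473/skiester-14-zwaargewond-door-botsing-tirol - HIER_NONE/- text/html",
    "1419307531.002      0 192.168.31.27 TAG_NONE/400 3555 GET /?host=m.telegraaf.nl - HIER_NONE/- text/html",
    "1420270719.456      0 127.0.0.1 TCP_DENIED/403 4169 GET http://google.com/ - HIER_NONE/- text/html",
    "1420270719.456      1 192.168.56.9 TCP_MISS/403 4271 GET http://google.com/ - ORIGINAL_DST/127.0.0.1 text/html",
    "1420270800.120     35 192.168.56.9 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html",
]

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a real /var/squid/logs/access.log (one line per list element) to see which of the two patterns a given setup is producing.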



  • The squid 3 package is currently only a disaster with 2.2 :/

    • Transparent Mode does not work
    • Required lib-paths are not available
    • .pbirun hangs after installing the squid3 package and causes high cpu load
    • the tcp port 3128 is set to closed instead of listening (tested with netstat)


  • Thanks both for sharing your findings.
    Port 3128 is not closed I believe.
    I found that adding this directive in squid.conf:

    http_port 3128 accel vhost allow-direct
    

    and restarting squid from the console (not GUI)
    makes the proxy work in "transparent" mode.
    I put it in quotes because normally the directive "intercept" should work for Squid 3.
    So for me it's unclear if "accel vhost allow-direct" does something else.

    Cheers.



  • squid3 3.4.10_2 pkg 0.2.2 looks like it is working in transparent mode and does not require patches like libmd5.so.0



  • @firstzerg:

    squid3 3.4.10_2 pkg 0.2.2 looks like it is working in transparent mode and does not require patches like libmd5.so.0

    Yes, it should be. Please everyone try the latest and report back. 2 of the 5 remaining open 2.2 bugs are for Squid.

    https://redmine.pfsense.org/issues/4114
    https://redmine.pfsense.org/issues/4059



  • seems to be working fine



  • Feedback is in the bugreport, seems transparent proxy is still not working for some.
    Perhaps it's because of PfSense RC build, I'm still on a December build.

    Cheers.



  • ~~Also in the newest package, the tcp port will be closed :/~~

    ~~Squid 2.7 works fine~~

    ~~What did I do wrong?~~

    /usr/local/libexec/squid: netstat -a | grep 3128
    tcp4       0      0 172.21.0.1.3128        *.*                    CLOSED
    tcp4       0      0 fw1.3128               *.*                    CLOSED

    Edit:

    Problem solved!

    I have enabled IPv6 in the Firewall Settings, which solved the problem.


  • @cmb:

    @firstzerg:

    squid3 3.4.10_2 pkg 0.2.2 looks like it is working in transparent mode and does not require patches like libmd5.so.0

    Yes, it should be. Please everyone try the latest and report back. 2 of the 5 remaining open 2.2 bugs are for Squid.

    https://redmine.pfsense.org/issues/4114
    https://redmine.pfsense.org/issues/4059

    I've added a couple more =D

    https://redmine.pfsense.org/issues/4196  squid.pid issue
    https://redmine.pfsense.org/issues/4197  not related to transparent mode but the anti-virus feature



  • The issue as described by rubinho does not apply to my configuration, tested for closed ports and this is the output:

    /usr/local/libexec/squid: netstat -a | grep 3128
    tcp4       0      0 localhost.3128         *.*                    LISTEN
    tcp4       0      0 192.168.50.1.3128      *.*                    LISTEN
    tcp4       0      0 192.168.40.1.3128      *.*                    LISTEN
    tcp4       0      0 192.168.20.1.3128      *.*                    LISTEN
    tcp4       0      0 192.168.10.2.3128      *.*                    LISTEN
    tcp4       0      0 192.168.33.1.3128      *.*                    LISTEN
    tcp4       0      0 192.168.31.1.3128      *.*                    LISTEN
    tcp4       0      0 192.168.60.1.3128      *.*                    LISTEN
    tcp4       0      0 192.168.168.4.3128     *.*                    LISTEN
    tcp4       0      0 server.3128            *.*                    LISTEN
    

    As said before, setting the browser manually to use port 3128 does work fine.
    Transparent proxy however still does not work.

    Cheers.



  • @Escorpiom
    Transparent proxy does not work for me either. (Invalid URL)

    The problem with closed ports was already present in general proxy operation.
    But that problem (closed ports) is now solved.

    Excuse the Mess



  • It's 4 a.m. and this finally works OK with the latest 0.2.4 package.
    There is something strange with the redirect rules, will expand later on that.

    Cheers.



  • The transparent mode is fixed since 0.2.2, but the /var/run/squid check (that was preventing squid reload on config changes) was fixed only in 0.2.3



  • pfSense 2.2-RC (amd64) built on Thu Jan 15 08:01:35 CST 2015
    squid3 3.4.10_2 pkg 0.2.4
    When I apply limiters in firewall rules, the traffic is blocked (see attachment).
    Config imported from a working pfSense 2.1.3 install.
    I tried resetting settings and reinstalling pfSense and squid3, but no change: traffic is blocked when limiters are set in firewall rules.

    ![Screen Shot 2015-01-15 at 10.40.59 PM copy.jpg](/public/imported_attachments/1/Screen Shot 2015-01-15 at 10.40.59 PM copy.jpg)



  • Chris said:

    "Disable transparent proxy in Squid and add your own port forward to do it, then edit the associated rule and apply the limiter."

    Cheers.

    Edit: Sorry about that, the port forward rule is actually TWO rules. This is what I found out in the ruleset:

    no rdr on igb1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
    rdr on igb1 proto tcp from any to !(igb1) port 80 -> 127.0.0.1 port 3128
    

    That's the idea, I've got a couple of vlans and the principle is the same.
    I don't understand why we need the first rule, but it only works like this, a single rule does not work.



  • @rubinho:

    @Escorpiom
    Transparent proxy does not work for me either. (Invalid URL)

    The problem with closed ports was already present in general proxy operation.
    But that problem (closed ports) is now solved.

    Excuse the Mess

    Same for me, RC 64-bit pfSense and squid 3.4.10.

    I will say that I can go to some sites though.. like www.yahoo.com and not sure how many others but most do not work.
    Ahh not thought of this.. maybe the sites that work are https: sites  secure ones ::: Confirmed HTTPS are able to be browsed with Transparent on but http is not.

    Also note: CPU usage on my Intel is 100% cause of squid..

    ERROR

    The requested URL could not be retrieved

    The following error was encountered while trying to retrieve the URL: /2015/01/15/byron-scott-divorce-wife-demands-baller-lifestyle-i-cant-live-without-my-gucci/

    Invalid URL

    Some aspect of the requested URL is incorrect.

    Some possible problems are:

    Missing or incorrect access protocol (should be http:// or similar)

    Missing hostname

    Illegal double-escape in the URL-Path

    Illegal character in hostname; underscores are not allowed.

    Your cache administrator is webmaster.

    Generated Fri, 16 Jan 2015 04:27:47 GMT by pfSense.localdomain (squid/3.4.10)



  • Could it be that the syntax changed from Squid2 to Squid3++?
    Instead of the tickbox option to disable "Disable X-Forward", I use "forwarded_for transparent" in the "Custom ACLS (Before_Auth)" box.

    Can't test on 2.2, maybe the forward_for options should become a pull-down list in place of a tickbox.

    http://www.squid-cache.org/Versions/v3/3.4/cfgman/forwarded_for.html

    X-Forwarded-For: unknown

    If set to "transparent", Squid will not alter the
    X-Forwarded-For header in any way.

    If set to "delete", Squid will delete the entire
    X-Forwarded-For header.

    If set to "truncate", Squid will remove all existing
    X-Forwarded-For entries, and place the client IP as the sole entry.



  • Check squid config gui options on all tabs and/or run squid -k parse on console



  • What I meant was with forwarded_for you used to have "on" or "off".
    Now with 3.3 and 3.4 you have multiple settings. (since 3.1)

    forwarded_for "on" # (default, send client IP info in forward for header)
    forwarded_for "off" # (tickbox, Disable X-forward option, always respond with "unknown", some forum sites don't like this option!)
    forwarded_for "transparent" # (do not touch anything, more private?)
    forwarded_for "delete" # (remove the header info entirely)
    forwarded_for "truncate" # (single, last, client IP info in the forward for header)