Squid 3.4.9 no traffic in transparent mode.
-
Today's update did not resolve the issues with transparent proxy.
Manually redirecting traffic to port 3128 still doesn't work, the above-described issue persists.
Cheers.
-
Today's update did not resolve the issues with transparent proxy.
Manually redirecting traffic to port 3128 still doesn't work, the above-described issue persists.
Cheers.
squid3 beta 3.4.10_2 pkg 0.2.1 has the --enable-pf-transparent compilation flag…
but now there is another problem: no libecap.so.2 in the path variable
This helped me:
```
ln -s /lib/libmd.so.6 /usr/lib/libmd5.so.0
ln -s /usr/pbi/squid-amd64/local/lib/libecap.so.2 /usr/lib/libecap.so.2
ln -s /usr/pbi/squid-amd64/local/etc/squid /usr/local/etc/squid
ln -s /usr/pbi/squid-amd64/local/libexec/squid /usr/local/libexec/squid
```
With transparent mode, requests in access.log look like this:
```
1420270719.456 0 127.0.0.1 TCP_DENIED/403 4169 GET http://google.com/ - HIER_NONE/- text/html
1420270719.456 1 192.168.56.9 TCP_MISS/403 4271 GET http://google.com/ - ORIGINAL_DST/127.0.0.1 text/html
```
I have no idea why squid blocks localhost and why there are two requests.
Other sources suggest redirecting through ipfw… but pfSense is not working with ipfw.
P.S. Sorry for my English :)
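The two access.log entries above are consistent with Squid forwarding the intercepted request to its own loopback address: the client's request goes to ORIGINAL_DST/127.0.0.1, and a request arriving from 127.0.0.1 is denied at the same timestamp. An added example, not part of the original post, that flags this pairing in a native-format log; the function names and the one-second matching window are assumptions.

```python
from collections import defaultdict
import ipaddress

# Constructed input: the two access.log entries quoted in the post above.
SAMPLE_LOG = """\
1420270719.456 0 127.0.0.1 TCP_DENIED/403 4169 GET http://google.com/ - HIER_NONE/- text/html
1420270719.456 1 192.168.56.9 TCP_MISS/403 4271 GET http://google.com/ - ORIGINAL_DST/127.0.0.1 text/html
"""

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:          # "-" or a hostname in the field
        return False

def parse_line(line):
    """Split one native-format access.log line into named fields, or None."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    return {"ts": float(f[0]), "client": f[2], "result": result,
            "status": status, "method": f[5], "url": f[6],
            "hier": hier, "peer": peer}

def find_self_loops(log_text, window=1.0):
    """Pair a client request sent to a loopback ORIGINAL_DST with the denied
    request that arrives from loopback for the same method and URL."""
    by_request = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_request[(rec["method"], rec["url"])].append(rec)
    loops = []
    for recs in by_request.values():
        inner = [r for r in recs
                 if is_loopback(r["client"]) and r["result"] == "TCP_DENIED"]
        for r in recs:
            if (r["hier"] == "ORIGINAL_DST" and is_loopback(r["peer"])
                    and not is_loopback(r["client"])
                    and any(abs(r["ts"] - i["ts"]) <= window for i in inner)):
                loops.append((r["client"], r["url"], r["status"]))
    return loops

if __name__ == "__main__":
    for client, url, status in find_self_loops(SAMPLE_LOG):
        print(f"{client}: {url} was forwarded to Squid itself (HTTP {status})")
```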
-
The squid 3 package is currently only a disaster with 2.2 :/
- Transparent Mode does not work
- Required lib-paths are not available
- .pbirun hangs after installed squid3 package and causes high cpu load
- the tcp port 3128 is set to closed, instead of listening (tested with netstat)
-
Thanks both for sharing your findings.
Port 3128 is not closed I believe.
I found that adding this directive in squid.conf:
```
http_port 3128 accel vhost allow-direct
```
and restarting squid from the console (not GUI)
makes the proxy work in "transparent" mode.
I put it in quotes because normally the directive "intercept" should work for Squid 3.
So for me it's unclear if "accel vhost allow-direct" does something else.
Cheers.
-
squid3 3.4.10_2 pkg 0.2.2 looks like it is working in transparent mode and does not require patches like libmd5.so.0
-
squid3 3.4.10_2 pkg 0.2.2 looks like it is working in transparent mode and does not require patches like libmd5.so.0
Yes, it should be. Please everyone try the latest and report back. 2 of the 5 remaining open 2.2 bugs are for Squid.
https://redmine.pfsense.org/issues/4114
https://redmine.pfsense.org/issues/4059
-
seems to be working fine
-
Feedback is in the bugreport, seems transparent proxy is still not working for some.
Perhaps it's because of the pfSense RC build, I'm still on a December build.
Cheers.
-
~~Also in the newest package, the tcp port will be closed :/~~
~~Squid 2.7 works fine~~
~~What did I do wrong?~~
```
/usr/local/libexec/squid: netstat -a | grep 3128
tcp4 0 0 172.21.0.1.3128 *.* CLOSED
tcp4 0 0 fw1.3128 *.* CLOSED
```
Edit: Problem solved! I have enabled IPv6 in the Firewall Settings, that solved the problem.
-
@cmb:
squid3 3.4.10_2 pkg 0.2.2 looks like it is working in transparent mode and does not require patches like libmd5.so.0
Yes, it should be. Please everyone try the latest and report back. 2 of the 5 remaining open 2.2 bugs are for Squid.
https://redmine.pfsense.org/issues/4114
https://redmine.pfsense.org/issues/4059
I've added a couple more =D
https://redmine.pfsense.org/issues/4196 squid.pid issue
https://redmine.pfsense.org/issues/4197 not related to transparent mode but the anti-virus feature
-
The issue as described by rubinho does not apply to my configuration, tested for closed ports and this is the output:
```
/usr/local/libexec/squid: netstat -a | grep 3128
tcp4 0 0 localhost.3128 *.* LISTEN
tcp4 0 0 192.168.50.1.3128 *.* LISTEN
tcp4 0 0 192.168.40.1.3128 *.* LISTEN
tcp4 0 0 192.168.20.1.3128 *.* LISTEN
tcp4 0 0 192.168.10.2.3128 *.* LISTEN
tcp4 0 0 192.168.33.1.3128 *.* LISTEN
tcp4 0 0 192.168.31.1.3128 *.* LISTEN
tcp4 0 0 192.168.60.1.3128 *.* LISTEN
tcp4 0 0 192.168.168.4.3128 *.* LISTEN
tcp4 0 0 server.3128 *.* LISTEN
```
As said before, setting the browser manually to use port 3128 does work fine.
Transparent proxy however still does not work.
Cheers.
-
@Escorpiom
Transparent proxy does not work for me either. (Invalid URL)
The problem with closed ports was already in general Proxy operating.
But the problem is now solved (Closed Ports)
Excuse the Mess
-
It's 4 a.m. and this finally works OK with the latest 0.2.4 package.
There is something strange with the redirect rules, will expand later on that.
Cheers.
-
The transparent mode is fixed since 0.2.2 but the /var/run/squid check (that was preventing squid reload on config changes) was fixed only in 0.2.3
-
pfSense 2.2-RC (amd64) built on Thu Jan 15 08:01:35 CST 2015
squid3 3.4.10_2 pkg 0.2.4
When I apply limiters in Firewall rules the traffic is blocked (see attachment)
config imported from a working pfSense install 2.1.3
I tried resetting settings and reinstalling pfSense and squid3 but no changes, traffic is blocked when limiters are set in firewall rules
-
Chris said:
"Disable transparent proxy in Squid and add your own port forward to do it, then edit the associated rule and apply the limiter."
Cheers.
Edit: Sorry about that, the port forward rule is actually TWO rules. This is what I found out in the ruleset:
```
no rdr on igb1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
rdr on igb1 proto tcp from any to !(igb1) port 80 -> 127.0.0.1 port 3128
```
That's the idea, I've got a couple of vlans and the principle is the same.
I don't understand why we need the first rule, but it only works like this, a single rule does not work.
-
@Escorpiom
Transparent proxy does not work for me either. (Invalid URL)
The problem with closed ports was already in general Proxy operating.
But the problem is now solved (Closed Ports)
Excuse the Mess
Same for me RC 64 bit pfSense and squid 3.4.10
I will say that I can go to some sites though.. like www.yahoo.com and not sure how many others but most do not work.
Ahh not thought of this.. maybe the sites that work are https: sites secure ones ::: Confirmed HTTPS are able to be browsed with Transparent on but http is not.
Also note: CPU usage on my Intel is 100% cause of squid..
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: /2015/01/15/byron-scott-divorce-wife-demands-baller-lifestyle-i-cant-live-without-my-gucci/
Invalid URL
Some aspect of the requested URL is incorrect.
Some possible problems are:
Missing or incorrect access protocol (should be http:// or similar)
Missing hostname
Illegal double-escape in the URL-Path
Illegal character in hostname; underscores are not allowed.
Your cache administrator is webmaster.
Generated Fri, 16 Jan 2015 04:27:47 GMT by pfSense.localdomain (squid/3.4.10)
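The error page above reports only a path as the requested URL, which is the form a browser sends when it believes it is talking to the origin server rather than to a proxy. An added sketch, not part of the original post and not Squid's own code, of how a forward-proxy listener and an intercepting listener treat the two request forms; `effective_url`, `port_mode` and the sample requests are hypothetical.

```python
# Constructed samples: the same page requested through interception
# (origin-form request line) and through a configured proxy (absolute-form).
INTERCEPTED = (b"GET /2015/01/15/example-article/ HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n")
PROXIED = (b"GET http://www.example.com/2015/01/15/example-article/ HTTP/1.1\r\n"
           b"Host: www.example.com\r\n\r\n")

class InvalidURL(Exception):
    """Raised where the proxy would answer with the 'Invalid URL' page."""

def effective_url(raw, port_mode):
    """Return the URL a listener would fetch; port_mode is 'forward' or 'intercept'."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.lower().startswith(("http://", "https://")):
        return target                      # absolute-form works on either listener
    if not target.startswith("/"):
        raise InvalidURL(target)
    if port_mode == "forward":
        # The request line has no scheme or host and this listener does not
        # rebuild them, so the error page shows only the path.
        raise InvalidURL(target)
    host = headers.get("host")
    if not host:
        raise InvalidURL(target)           # nothing to rebuild the URL from
    # Simplification: a real intercepting proxy can also compare Host with the
    # original destination address before trusting it; not modelled here.
    return "http://" + host + target

if __name__ == "__main__":
    print(effective_url(INTERCEPTED, "intercept"))
    try:
        effective_url(INTERCEPTED, "forward")
    except InvalidURL as exc:
        print("Invalid URL:", exc)
```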
-
Could it be that the syntax changed from Squid2 to Squid3++?
Instead of the tickbox option to disable "Disable X-Forward", I use "forwarded_for transparent" in the "Custom ACLS (Before_Auth)" box.
Can't test on 2.2, maybe the forward_for options should become a pull-down list in place of a tickbox.
http://www.squid-cache.org/Versions/v3/3.4/cfgman/forwarded_for.html
X-Forwarded-For: unknown
If set to "transparent", Squid will not alter the X-Forwarded-For header in any way.
If set to "delete", Squid will delete the entire X-Forwarded-For header.
If set to "truncate", Squid will remove all existing X-Forwarded-For entries, and place the client IP as the sole entry.
-
Check squid config gui options on all tabs and/or run squid -k parse on console
-
What I meant was with forward_for you used to have "on" or "off".
Now with 3.3 and 3.4 you have multiple settings. (since 3.1)
```
forward_for "on" # (default, send client IP info in forward for header)
forward_for "off" # (tickbox, Disable X-forward option, always respond with "unknown", some forum sites don't like this option!)
forward_for "transparent" # (do not touch anything, more private?)
forward_for "delete" # (remove the header info entirely)
forward_for "truncate" # (single, last, client IP info in the forward for header)
```