Help - pfsense x86 v2.2 + squid3 + c-icap + https + squidguard-dev
-
hi,
search help for my setup. Before i run pfsense 2.1.5 with squid + c-icap + https + squidguard without problem. After upgrade to pfsense 2.2 i have problem configure squid3 to work with i-cap. all services is runing but when i want open some pages from client pc i get c-icap error (no communication). Without c-icap and squidguard all works (include HTTPS). here are my configs:
Squid3:
Integrations:url_rewrite_program /usr/pbi/squidguard-devel-i386/bin/squidGuard -c /usr/pbi/squidguard-devel-i386/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=Custom ACLS:
always_direct allow all ssl_bump server-first all icap_enable on icap_preview_enable on icap_preview_size 4096 icap_persistent_connections on icap_send_client_ip on icap_send_client_username on icap_client_username_header X-Client-Username icap_service service_req reqmod_precache routing=0 bypass=0 icap://127.0.0.1:1344/squidclamav icap_service service_resp respmod_precache routing=0 bypass=0 icap://127.0.0.1:1344/squidclamavSquid antivirus:
squidclamav.conf:#----------------------------------------------------------------------------- # SquidClamav default configuration file # # To know to customize your configuration file, see squidclamav manpage # or go to http://squidclamav.darold.net/ # #----------------------------------------------------------------------------- # # Global configuration # # Maximum size of a file that may be scanned. Any file bigger that this value # will not be scanned. maxsize 5000000 # When a virus is found then redirect the user to this URL redirect http://127.0.0.1/squid_clwarn.php # Path to the squiGuard binary if you want URL filtering, note that you'd better # use the squid configuration directive 'url_rewrite_program' instead. #squidguard /usr/local/squidGuard/bin/squidGuard # Path to the clamd socket, use clamd_local if you use Unix socket or if clamd # is listening on an Inet socket, comment clamd_local and set the clamd_ip and # clamd_port to the corresponding value. clamd_local /var/run/clamav/clamd.sock #clamd_ip 192.168.1.5,127.0.0.1 #clamd_port 3310 # Set the timeout for clamd connection. Default is 1 second, this is a good # value but if you have slow service you can increase up to 3. timeout 1 # Force SquidClamav to log all virus detection or squiguard block redirection # to the c-icap log file. logredir 0 # Enable / disable DNS lookup of client ip address. Default is enabled '1' to # preserve backward compatibility but you must desactivate this feature if you # don't use trustclient with hostname in the regexp or if you don't have a DNS # on your network. Disabling it will also speed up squidclamav. dnslookup 1 # Enable / Disable Clamav Safe Browsing feature. You mus have enabled the # corresponding behavior in clamd by enabling SafeBrowsing into freshclam.conf # Enabling it will first make a safe browsing request to clamd and then the # virus scan request. safebrowsing 0 # # Here is some defaut regex pattern to have a high speed proxy on system # with low resources. # # Do not scan images #abort ^.*\.(ico|gif|png|jpg)$ #abortcontent ^image\/.*$ # Do not scan text files #abort ^.*\.(css|xml|xsl|js|html|jsp)$ #abortcontent ^text\/.*$ #abortcontent ^application\/x-javascript$ # Do not scan streamed videos #abortcontent ^video\/x-flv$ #abortcontent ^video\/mp4$ # Do not scan flash files #abort ^.*\.swf$ #abortcontent ^application\/x-shockwave-flash$ # Do not scan sequence of framed Microsoft Media Server (MMS) data packets #abortcontent ^.*application\/x-mms-framed.*$ # White list some sites #whitelist .*\.clamav.net # See also 'trustuser' and 'trustclient' configuration directivesc-icap.conf:
# # This file contains the default settings for c-icap # # # TAG: PidFile # Format: PidFile pid_file # Description: # The file to store the pid of the main process of the c-icap server. # Default: # PidFile /var/run/c-icap/c-icap.pid PidFile /var/run/c-icap/c-icap.pid # TAG: CommandsSocket # Format: CommandsSocket socket_file # Description: # The path of file to use as control socket for c-icap # Default: # CommandsSocket /var/run/c-icap/c-icap.ctl CommandsSocket /var/run/c-icap/c-icap.ctl # TAG: Timeout # Format: Timeout seconds # Description: # The time in seconds after which a connection without activity # can be cancelled. # Default: # Timeout 300 Timeout 300 # TAG: MaxKeepAliveRequests # Format: MaxKeepAliveRequests number # Description: # The maximum number of requests can be served by one connection # Set it to -1 for no limit # Default: # MaxKeepAliveRequests 100 MaxKeepAliveRequests 100 # TAG: KeepAliveTimeout # Format: KeepAliveTimeout seconds # Description: # The maximum time in seconds waiting for a new requests before a # connection will be closed. # If the value is set to -1, there is no timeout. # Default: # KeepAliveTimeout 600 KeepAliveTimeout 600 # TAG: StartServers # Format: StartServers number # Description: # The initial number of server processes. Each server process # generates a number of threads, which serve the requests. # Default: # StartServers 3 StartServers 3 # TAG: MaxServers # Format: MaxServers number # Description: # The maximum allowed number of server processes. # Default: # MaxServers 10 MaxServers 10 # TAG: MinSpareThreads # Format: MinSpareThreads number # Description: # If the number of the available threads is less than number, # the c-icap server starts a new child. # Default: # MinSpareThreads 10 MinSpareThreads 10 # TAG: MaxSpareThreads # Format: MaxSpareThreads number # Description: # If the number of the available threads is more than number then # the c-icap server kills a child. # Default: # MaxSpareThreads 20 MaxSpareThreads 20 # TAG: ThreadsPerChild # Format: ThreadsPerChild number # Description: # The number of threads per child process. # Default: # ThreadsPerChild 10 ThreadsPerChild 10 # TAG: MaxRequestsPerChild # Format: MaxRequestsPerChild number # Description: # The maximum number of requests that a child process can serve. # After this number has been reached, process dies. The goal of this # parameter is to minimize the risk of memory leaks and increase the # stability of c-icap. It can be disabled by setting its value to 0. # Default: # MaxRequestsPerChild 0 MaxRequestsPerChild 0 # TAG: Port # Format: Port port # Description: # The port number that the c-icap server uses to listen to requests. # Default: # Port 1344 Port 1344 # TAG: User # Format: User username # Description: # The user owning c-icap's processes. By default, the owner is the # user who runs the program. # Default: # No value # Example: # User wwwrun # TAG: Group # Format: Group groupname # Description: # The group of users owning c-icap's processes, which, by default # is the group of the current user. # Default: # No value # Example: # Group nogroup # TAG: ServerAdmin # Format: ServerAdmin admin_mail # Description: # The Administrator of this server. Used when displaying information # about this server (logs, info service, etc) # Default: # No value ServerAdmin admin@aaa.ss # TAG: ServerName # Format: ServerName aServerName # Description: # A name for this server. Used when displaying information about this # server (logs, info service, etc) # Default: # No value ServerName brana2 # TAG: TmpDir # Format: TmpDir dir # Description: # dir is the location of temporary files. # Default: # TmpDir /var/tmp TmpDir /var/tmp # TAG: MaxMemObject # Format: MaxMemObject bytes # Description: # The maximum memory size in bytes taken by an object which # is processed by c-icap . If the size of an object's body is # larger than the maximum size a temporary file is used. # Default: # MaxMemObject 131072 MaxMemObject 131072 # TAG: DebugLevel # Format: DebugLevel level # Description: # The level of debugging information to be logged. # The acceptable range of levels is between 0 and 10. # Default: # DebugLevel 1 DebugLevel 1 # TAG: Pipelining # Format: Pipelining on|off # Description: # Enable or disable ICAP requests pipelining # Default: # Pipelining on Pipelining on # TAG: SupportBuggyClients # FORMAT: SupportBuggyClients on|off # Description: # Try to handle requests from buggy clients, for example ICAP requests # missing "\r\n" sequences # Default: # SupportBuggyClients off SupportBuggyClients off # TAG: ModulesDir # Format: ModulesDir dir # Description: # The location of modules # Default: # ModulesDir /usr/local/lib/c_icap ModulesDir /usr/local/lib/c_icap # TAG: ServicesDir # Format: ServicesDir dir # Description: # The location of services # Default: # ServicesDir /usr/local/lib/c_icap ServicesDir /usr/local/lib/c_icap # TAG: TemplateDir # Format: TemplateDir dir # Description: # The location of the text templates used by c-icap and its services, # categorized by language and services/modules # Default: # No value # Example: TemplateDir /usr/local/share/c_icap/templates/ # TAG: TemplateDefaultLanguage # Format: TemplateDefaultLanguage lang # Description: # Sets the default language to use for text templates # Default: # TemplateDefaultLanguage en TemplateDefaultLanguage en #TemplateReloadTime 360 #TemplateCacheSize 20 #TemplateMemBufSize 8192 # TAG: LoadMagicFile # Format: LoadMagicFile path # Description: # Load a c-icap magic file. A magic file contains various # data type definitions. Look inside default c-icap.magic file # for more informations. # It can be used more than once to use multiple magic files. # Default: # LoadMagicFile /usr/local/etc/c-icap/c-icap.magic LoadMagicFile /usr/local/etc/c-icap/c-icap.magic # TAG: RemoteProxyUsers # Format: RemoteProxyUsers onoff # Description: # Set it to on if you want to use username provided by the proxy server. # This is the recomended way to use users in c-icap. # If the RemoteProxyUsers is off and c-icap configured to use users or # groups the internal authentication mechanism will be used. # Default: # RemoteProxyUsers off RemoteProxyUsers off # TAG: RemoteProxyUserHeader # Format: RemoteProxyUserHeader Header # Description: # Used to specify the icap header used by the proxy server to send # the authenticated client username to c-icap server # Default: # RemoteProxyUserHeader X-Authenticated-User RemoteProxyUserHeader X-Authenticated-User # TAG: RemoteProxyUserHeaderEncoded # Format: RemoteProxyUserHeaderEncoded onoff # Description: # Set it to off if the RemoteProxyUserHeader is not base64 encoded # Default: # RemoteProxyUserHeaderEncoded on RemoteProxyUserHeaderEncoded on # TAG: AuthMethod # Format: AuthMethod Method Authenticator # Description: # Used to define the internal authentication mechanism to use. This # feature is not well tested and may cause problems. It is better to use # RemoteProxyUser configuration. # Method is the authentication method to use (basic, digest, etc). # Currently only basic authentication method is implemented as build in # module # Authenticator currently can only be "basic_simple_db" # It can be considered as a user/password store and can be # implemented as external module. The basic_simple_db is implemented as # build it module # Default: # No set # Example: # AuthMethod basic basic_simple_db # TAG: basic.Realm # Format: basic.Realm ARealm # Description: # Specify the basic method realm # Default: # basic.Realm "Basic authentication" # Example: # basic.Realm "c-icap server authentication" # TAG: basic_simple_db.UsersDB # Format: basic_simple_db.UsersDB LookupTable # Description: # Specify the lookup table where the usernames/passwords pairs # are stored. The paswords must be unencrypted # For more information about c-icap lookup tables read c-icap server # manual page # Default: # No value # Example: # basic_simple_db.UsersDB hash:/usr/local/c-icap/etc/c-icap-users.txt # TAG: GroupSourceByGroup # Format: GroupSourceByGroup LookupTable # Description: # Defines a lookup table where the groups of users are stored indexed # by group. It can be used more than once. # For more information about c-icap lookup tables read c-icap server # manual page # Default: # No set # Example: # GroupSourceByGroup hash:/usr/local/c-icap/etc/c-icap-groups.txt # TAG: GroupSourceByUser # Format: GroupSourceByUser LookupTable # Description: # Defines a lookup table where the groups of users are stored indexed # by user. It can be used more than once. # For more information about c-icap lookup tables read c-icap server # manual page # Default: # No set # Example: # GroupSourceByUser hash:/usr/local/c-icap/etc/c-icap-user-groups.txt # TAG: acl # Format: acl name type[{param}] value1 [value2] [...] # Description: # Supported acl types are: # acl aclname service service1 ... # The servicename # acl aclname type OPTIONS|RESPMOD|REQMOD ... # The icap method # acl aclname port port1 ... # The icap server port # acl aclname src ip1/netmask1 ... # The client ip address # acl aclname srvip ip1/netmask1 ... # The c-icap server ip address # acl aclname icap_header{HeaderName} value1 ... # Matches the icap header HeaderName with value1 ... # The values are in regex form: /avalue/ # acl aclname icap_resp_header{HeaderName} value1 ... # The icap response header # The values are in regex form: /avalue/ # acl aclname http_req_header{HeaderName} value1 ... # The http request header # The values are in regex form: /avalue/ # acl aclname http_resp_header{HeaderName} value1 ... # The http response header # The values are in regex form: /avalue/ # acl aclname data_type type1 ... # The data type as recognized by the internal data type # recognizer. The types are defined in c-icap.magic file # acl aclname auth username|* ... # The authenticated users. Using * instead of username means # all users. # acl aclname group group1 ... # if the user of request belongs to given groups # Default: # None set # Examples: # acl OPTIONS type OPTIONS # acl RESPMOD type RESPMOD # acl REQMOD type REQMOD # acl ALLREQUESTS type OPTIONS RESPMOD REQMOD # acl XHEAD icap_header{X-Test} /value/ # acl ECHO service echo # acl localnet src 192.168.1.0/255.255.255.0 # acl localhost src 127.0.0.1/255.255.255.255 # acl all src 0.0.0.0/0.0.0.0 # TAG: icap_access # Format: icap_access allow|deny [!]acl1 ... # Description: # Allowing or denying ICAP access based on defined access lists # Default: # None set # Example: # icap_access deny XHEAD # #Allow OPTIONS method for all: # icap_access allow localnet OPTIONS # #Require authentication for all users from local network: # icap_access allow AUTH localnet # icap_access deny all # TAG: client_access # Format: client_access allow|deny acl1 [acl2] [...] # Description: # Allowing or denying connections on c-icap based on # defined access lists. Only the acl types src, srvip and port # can be used. # Default: # None set # Example: # client_access allow all # TAG: LogFormat # Format: LogFormat Name Format # Description: # Name is a name for this log format. # Format is a string with embedded % format codes. % format codes # has the following form: # % [-] [width] [{argument}] formatcode # if - is specified then the output is left aligned # if width specified then the field is exactly width size # some formatcodes support arguments given as {argument} # # Format codes: # %a: Remote IP-Address # %la: Local IP Address # %lp: Local port # %>a: Http Client IP Address. Only supported if the proxy # client supports the "X-Client-IP" header # %<a: http="" server="" ip="" address.="" only="" supported="" if="" the="" proxy<br=""># client supports the "X-Server-IP" header # %ts: Seconds since epoch # %tl: Local time. Supports optional strftime format argument # %tg: GMT time. Supports optional strftime format argument # %>ho: Modified Http request header. Supports header name # as argument. If no argument given the first line returned # %huo: Modified Http request url # %<ho: modified="" http="" reply="" header.="" supports="" header="" name<br=""># as argument. If no argument given the first line returned # %iu: Icap request url # %im: Icap method # %is: Icap status code # %>ih: Icap request header. Supports header name # as argument. If no argument given the first line returned # %<ih: icap="" response="" header.="" supports="" header="" name<br=""># as argument. If no argument given the first line returned # %Ih: Http bytes received # %Oh: Http bytes sent # %Ib: Http body bytes received # %Ob: Http body bytes sent # %I: Bytes received # %O: Bytes sent # %bph: The first 5 bytes of the body preview data. Non # printable characters printed in hex form. # Supports the number of bytes to output as argument. # %un: Username # %Sl: Service log string # %Sa: Attribute value set by service. The attribute name must # given as argument. # Default: # None set # Example: # LogFormat myFormat "%tl, %a %im %iu %is %I %O %Ib %Ob %{10}bph" # TAG: ServerLog # Format: ServerLog LogFile # Description: # the file used by the build-in logger file_logger to # store debugging information, errors and other # information about the c-icap server. # Default: # ServerLog /var/log/c-icap/server.log ServerLog /var/log/c-icap/server.log # TAG: AccessLog # Format: AccessLog LogFile [LogFormat] [[!]acl1] [[!]acl2] [...] # Description: # LogFile is a file where to log access information. # LogFormat is the log format to use. If ommited c-icap uses: # "%tl, %la %a %im %iu %is" # Also acls can be used to select certain requests to be logged. # This directive can be used more than once to specify more than # one access log files # Default: # AccessLog /var/log/c-icap/access.log # Example: # AccessLog /var/log/c-icap/access.log MyFormat all AccessLog /var/log/c-icap/access.log # TAG: Logger # Format: Logger LoggerName # Description: # Specify wich logger to use. By default uses the build in "file_logger" which # uses files for access and server logging. # Default: # Logger file_logger # Example: # Logger sys_logger # TAG: Module # Format: Module Type ModuleFile # Description: # Load an external module/plugin to c-icap. # ModuleFile is the filename of the module. If no full path given then c-icap # searche in path defined by the ModulesDir configuration parameter. # Type is the type of the external module and can be one of the following: # - "logger" for modules implement a logger # - "common" for general purpose modules # Default: # # Example: # Module logger sys_logger.so # TAG: Service # Format: Service aName ServiceFile # Description: # It loads the service ServiceFile. The argument aName used # as alias name for the service # Default: # # Example: # Service echo_service srv_echo.so # TAG: ServiceAlias # Format: ServiceAlias AliasName ServiceName[?param1=value1¶m2=value2...] # Description: # Used to define an alias name for a service. # Default: # # Example: # ServiceAlias avscan srv_clamav?allow204=on&sizelimit=off&mode=simple # # TAG: General configuration parameters for all services # Description: # PreviewSize: The preview data size to advertise to the icap client # MaxConnections: The client should not use more than MaxConnections # for this service. # TransferPreview: The list of file extensions, seperated by commas, # for which the client should send preview data. # TransferIgnore: The list of file extensions that should not be sent # to the icap server # TransferComplete: The list of file extensions that should be sent # in their entirety, without preview, to the icap server # OptionsTTL: The options ttl for the service. The "sec[s]", "min" or # "hour[s]" can be used to secify that the time is in seconds # minutes or hours respectively. If no time-units given # seconds are assumed. # Allow206 on|off: Enable/disable advertise of 206 responses. # # Example: # echo.PreviewSize 512 # echo.TransferIgnore gif, jpeg # echo.OptionsTTL 3 min ###################################################### # External modules comming with core c-icap server # # Module: echo # Description: # Simple test service # Example: # Service echo srv_echo.so Service echo srv_echo.so # Module: sys_logger # Description: # Add support for logging access and server events to syslog server # Use "Module" configuration parameter to load this module and "Logger" # to make it default logger for the c-icap. # Example: # Module logger sys_logger.so # Logger sys_logger # TAG: sys_logger.Prefix # Format: sys_logger.Prefix string # Description: # string is be presented in every syslog message. # Default: # sys_logger.Prefix "C-ICAP:" # TAG: sys_logger.Facility # Format: sys_logger.Facility daemon|user|local1|local2|local3|local4|local5|local6|local7 # Description: # specifies the facility type of syslog. # Default: # sys_logger.Facility daemon # TAG: sys_logger.access_priority # Format: sys_logger.access_priority alert|crit|debug|emerg|err|info|notice|warning # Description: # determines the importance of the access log message # Default: # sys_logger.access_priority info # TAG: sys_logger.server_priority # Format: sys_logger.server_priority alert|crit|debug|emerg|err|info|notice|warning # Description: # determines the importance of the server log message # Default: # sys_logger.server_priority crit # TAG: sys_logger.LogFormat # Format: sys_logger.LogFormat LOGFORMAT # Description: # The log format to use. If no log format defined then # the following will be used: # "%la %a %im %iu %is" # Default: # None set # Example: # Logformat BasicFormat "%la %a %im %iu %is" # sys_logger.LogFormat BasicFormat # TAG: sys_logger.access # Format: sys_logger.access [!]acl1 ... # Description: # Allow selecting ICAP requests to be logged using acls. # By default all requests will be logged. # Default: # None set # Example: # sys_logger.access all # End module: sys_logger # Module: bdb_tables # Description: # Add support for Berkeley DB based lookup tables. The format for # bdb path of the lookup table is: # bdb:/path/to/bdb # Use the c-icap-mkbdb utility to build Berkeley DB c-icap lookup tables # Example: # Module common bdb_tables.so # End module: bdb_tables # Module: dnsbl_tables # Description: # Add support for dns lookup tables. Can be used to access # dns block lists. The dnsbl lookup table path definition is: # dnsbl:domainname # For example the lookup table for accessing the black.uribl.com # dns black list is: # dnsbl:black.uribl.com # Example: # Module common dnsbl_tables.so # End module: dnsbl_tables Service squid_clamav squidclamav.so    [/s][/s]</ih:></ho:></a:>
-
Try these steps…
https://forum.pfsense.org/index.php?topic=87424.msg480232#msg480232
-
dear sir, thanks for your time.
i already try that and now i can start all services but i cant use c-icap. i thing, that is something wrong with my configuration i posted.
myybe this is problem:
ps ax | grep -i fresclam or tail -f /var/log/clamav/freshclam.logoutput:
$ ps ax | grep -i fresclam or tail -f /var/log/clamav/freshclam.log grep: fresclam: No such file or directory grep: or: No such file or directory grep: tail: No such file or directoryedit: run from ssh "service clamav-freshclam onestart", wait for update, check log in "/var/log/clamav/freshclam.log". Seva all setting on all tabs, restart clamd, c-icap, squid. still nothing.
-
If you updated you system from 2.1, I suggest you cleaning all config files on antivirus tab ro load default config again.
Check if it loaded correcwand save again to check config warnings.
-
i reinstalled plugins squid3 and squidguard-devel. Cleaned antivirus settings. Disable antiviru, enable antivirus, click save. Some errors about wrong config, correct configs (in c-icap). Save. Restart pfsense. Nothing work…. :'(
when i disable c-icap all work (transparent proxy with filter). But when i enable, broke all. :'( :'( :'( :'(
-
Not sure what happens with your install. I've tested my setup many times but no tests with nanobsd or cfcards.
Can you try amd64 pfsense version?
-
yes, but must completly reinstall. I thing, that pfsense backuped configuration i cant use (if i want to know, if it all work on fresh install x64). Hm, maybe tommorow if i will have time to play and test in work. ")))
-
ok, i totaly reinstall pfsense box with x64 bit version pfsense v2.2. All working well (sqid3 - transparent mode with antivirus + squidguard + suricata + pfblockerng). big thank to all that spen time on pfsense. 8)
-
This has inspired me to do a fresh install.
-
I have similar problems, this time with fresh install. Strange this is that c-icap binds only to IPv6 socket:
netstat -na | grep 1344
tcp6 0 0 *.1344 . LISTENIs it the same on every installation? Can I enforce to bind it to ipv4? Same problem here - squid is unable to communicate with icap.
