    [SOLVED] Squid3-dev [does not block in transparent mode]

    • V
      victorfmaraujo last edited by

      Dear all, good afternoon.

      I have a small problem.

      Pfsense 2.1.3 i386
      squid3-dev 3.3.10 pkg 2.2.8

      I will only use it for a few very basic blocks, including file extension and file size (I will not use SSL interception).

      What happens is the following. When I enable the transparent proxy on the LAN, browsing stops working. On the workstation I set up Firefox with Firebug, and the firewall's IP with port 3128 does not show up.

      The site's resolved IP shows up on port 80, but it does not browse.

      I looked at the firewall logs and it returns this message at the moment I enable Transparent HTTP proxy.

      php: /pkg_edit.php: The command '/usr/pbi/squid-i386/sbin/squid -k reconfigure -f /usr/pbi/squid-i386/etc/squid/squid.conf' returned exit code '1', the output was 'squid: ERROR: No running copy' 
      

      An important piece of information. This firewall had squid2 installed and I decided to put 3 on it. I even manually modified the config.xml file, deleting everything related to squid2 after uninstalling.

      • marcelloc
        marcelloc last edited by

        Run squid -k parse at the console.

        Elite Trainings: http://sys-squad.com

        Help a community developer! ;D

        • V
          victorfmaraujo last edited by

          @marcelloc:

          Run squid -k parse at the console.

          
          [2.1.3-RELEASE][admin@pfsense.mu.local]/root(2): squid -k parse
          2015/01/27 21:07:42| Startup: Initializing Authentication Schemes ...
          2015/01/27 21:07:42| Startup: Initialized Authentication Scheme 'basic'
          2015/01/27 21:07:42| Startup: Initialized Authentication Scheme 'digest'
          2015/01/27 21:07:42| Startup: Initialized Authentication Scheme 'negotiate'
          2015/01/27 21:07:42| Startup: Initialized Authentication Scheme 'ntlm'
          2015/01/27 21:07:42| Startup: Initialized Authentication.
          2015/01/27 21:07:42| Processing Configuration File: /usr/pbi/squid-i386/etc/squid/squid.conf (depth 0)
          2015/01/27 21:07:42| Processing: http_port 192.168.254.1:3128
          2015/01/27 21:07:42| Processing: icp_port 0
          2015/01/27 21:07:42| Processing: dns_v4_first on
          2015/01/27 21:07:42| Processing: pid_filename /var/run/squid.pid
          2015/01/27 21:07:42| Processing: cache_effective_user proxy
          2015/01/27 21:07:42| Processing: cache_effective_group proxy
          2015/01/27 21:07:42| Processing: error_default_language pt-br
          2015/01/27 21:07:42| Processing: icon_directory /usr/pbi/squid-i386/etc/squid/icons
          2015/01/27 21:07:42| Processing: visible_hostname localhost
          2015/01/27 21:07:42| Processing: cache_mgr email@email
          2015/01/27 21:07:42| Processing: access_log /var/squid/logs/access.log
          2015/01/27 21:07:42| Processing: cache_log /var/squid/logs/cache.log
          2015/01/27 21:07:42| Processing: cache_store_log none
          2015/01/27 21:07:42| Processing: netdb_filename /var/squid/logs/netdb.state
          2015/01/27 21:07:42| Processing: pinger_enable on
          2015/01/27 21:07:42| Processing: pinger_program /usr/pbi/squid-i386/libexec/squid/pinger
          2015/01/27 21:07:42| Processing: logfile_rotate 30
          2015/01/27 21:07:42| Processing: debug_options rotate=30
          2015/01/27 21:07:42| Processing: shutdown_lifetime 3 seconds
          2015/01/27 21:07:42| Processing: httpd_suppress_version_string on
          2015/01/27 21:07:42| Processing: uri_whitespace strip
          2015/01/27 21:07:42| Processing: acl dynamic urlpath_regex cgi-bin \?
          2015/01/27 21:07:42| Processing: cache deny dynamic
          2015/01/27 21:07:42| Processing: cache_mem 512 MB
          2015/01/27 21:07:42| Processing: maximum_object_size_in_memory 32 KB
          2015/01/27 21:07:42| Processing: memory_replacement_policy heap GDSF
          2015/01/27 21:07:42| Processing: cache_replacement_policy heap LFUDA
          2015/01/27 21:07:42| Processing: cache_dir ufs /var/squid/cache 100 16 256
          2015/01/27 21:07:42| Processing: minimum_object_size 0 KB
          2015/01/27 21:07:42| Processing: maximum_object_size 1024 KB
          2015/01/27 21:07:42| Processing: offline_mode off
          2015/01/27 21:07:42| Processing: cache_swap_low 80
          2015/01/27 21:07:42| Processing: cache_swap_high 85
          2015/01/27 21:07:42| Processing: acl donotcache dstdomain "/var/squid/acl/donotcache.acl"
          2015/01/27 21:07:42| Processing: cache deny donotcache
          2015/01/27 21:07:42| Processing: cache allow all
          2015/01/27 21:07:42| Processing: acl allsrc src all
          2015/01/27 21:07:42| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535
          2015/01/27 21:07:42| Processing: acl sslports port 443 563
          2015/01/27 21:07:42| Processing: acl purge method PURGE
          2015/01/27 21:07:42| Processing: acl connect method CONNECT
          2015/01/27 21:07:42| Processing: acl HTTP proto HTTP
          2015/01/27 21:07:42| Processing: acl HTTPS proto HTTPS
          2015/01/27 21:07:42| Processing: acl allowed_subnets src 192.168.254.0/24
          2015/01/27 21:07:42| Processing: http_access allow manager localhost
          2015/01/27 21:07:42| Processing: http_access deny manager
          2015/01/27 21:07:42| Processing: http_access allow purge localhost
          2015/01/27 21:07:42| Processing: http_access deny purge
          2015/01/27 21:07:42| Processing: http_access deny !safeports
          2015/01/27 21:07:42| Processing: http_access deny CONNECT !sslports
          2015/01/27 21:07:42| Processing: quick_abort_min 0 KB
          2015/01/27 21:07:42| Processing: quick_abort_max 0 KB
          2015/01/27 21:07:42| Processing: request_body_max_size 0 KB
          2015/01/27 21:07:42| Processing: reply_body_max_size 1000000 KB allsrc
          2015/01/27 21:07:42| Processing: delay_pools 1
          2015/01/27 21:07:42| Processing: delay_class 1 2
          2015/01/27 21:07:42| Processing: delay_parameters 1 393216/393216 131072/131072
          2015/01/27 21:07:42| Processing: delay_initial_bucket_level 100
          2015/01/27 21:07:42| Processing: acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
          2015/01/27 21:07:42| Processing: delay_access 1 allow throttle_exts
          2015/01/27 21:07:42| Processing: delay_access 1 deny allsrc
          2015/01/27 21:07:42| Processing: http_access allow allowed_subnets
          2015/01/27 21:07:42| Processing: http_access deny allsrc
          2015/01/27 21:07:42| Initializing https proxy context
          [2.1.3-RELEASE][admin@pfsense.mu.local]/root(3):
          
          
          • tiagopesantos
            tiagopesantos last edited by

            I am having the same problem too, but on pfsense 2.2 with squid 3.4.10_2 pkg 0.2.6: with transparent proxy checked it does not browse, unless I configure the proxy in the browser.

            • marcelloc
              marcelloc last edited by

              Apparently you did not select the LAN in the transparent proxy settings.

              Only the proxy call without interception is there.

              Elite Trainings: http://sys-squad.com

              Help a community developer! ;D

              • V
                victorfmaraujo last edited by

                @marcelloc:

                Apparently you did not select the LAN in the transparent proxy settings.
                Only the proxy call without interception is there.

                That is easily fixed, haha. I forgot to enable it before running the command. I could not leave the client without browsing.

                
                [2.1.3-RELEASE][admin@pfsense.mu.local]/root(1): squid -k parse
                2015/01/27 22:37:35| Startup: Initializing Authentication Schemes ...
                2015/01/27 22:37:35| Startup: Initialized Authentication Scheme 'basic'
                2015/01/27 22:37:35| Startup: Initialized Authentication Scheme 'digest'
                2015/01/27 22:37:35| Startup: Initialized Authentication Scheme 'negotiate'
                2015/01/27 22:37:35| Startup: Initialized Authentication Scheme 'ntlm'
                2015/01/27 22:37:35| Startup: Initialized Authentication.
                2015/01/27 22:37:35| Processing Configuration File: /usr/pbi/squid-i386/etc/squid/squid.conf (depth 0)
                2015/01/27 22:37:35| Processing: http_port 192.168.254.1:3128
                2015/01/27 22:37:35| Processing: http_port 127.0.0.1:3128 intercept
                2015/01/27 22:37:35| Starting Authentication on port 127.0.0.1:3128
                2015/01/27 22:37:35| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
                2015/01/27 22:37:35| Disabling IPv6 on port 127.0.0.1:3128 (interception enabled)
                2015/01/27 22:37:35| Processing: icp_port 0
                2015/01/27 22:37:35| Processing: dns_v4_first on
                2015/01/27 22:37:35| Processing: pid_filename /var/run/squid.pid
                2015/01/27 22:37:35| Processing: cache_effective_user proxy
                2015/01/27 22:37:35| Processing: cache_effective_group proxy
                2015/01/27 22:37:35| Processing: error_default_language pt-br
                2015/01/27 22:37:35| Processing: icon_directory /usr/pbi/squid-i386/etc/squid/icons
                2015/01/27 22:37:35| Processing: visible_hostname localhost
                2015/01/27 22:37:35| Processing: cache_mgr email@email.com
                2015/01/27 22:37:35| Processing: access_log /var/squid/logs/access.log
                2015/01/27 22:37:35| Processing: cache_log /var/squid/logs/cache.log
                2015/01/27 22:37:35| Processing: cache_store_log none
                2015/01/27 22:37:35| Processing: netdb_filename /var/squid/logs/netdb.state
                2015/01/27 22:37:35| Processing: pinger_enable on
                2015/01/27 22:37:35| Processing: pinger_program /usr/pbi/squid-i386/libexec/squid/pinger
                2015/01/27 22:37:35| Processing: logfile_rotate 30
                2015/01/27 22:37:35| Processing: debug_options rotate=30
                2015/01/27 22:37:35| Processing: shutdown_lifetime 3 seconds
                2015/01/27 22:37:35| Processing: acl localnet src  192.168.254.0/24
                2015/01/27 22:37:35| Processing: httpd_suppress_version_string on
                2015/01/27 22:37:35| Processing: uri_whitespace strip
                2015/01/27 22:37:35| Processing: acl dynamic urlpath_regex cgi-bin \?
                2015/01/27 22:37:35| Processing: cache deny dynamic
                2015/01/27 22:37:35| Processing: cache_mem 512 MB
                2015/01/27 22:37:35| Processing: maximum_object_size_in_memory 32 KB
                2015/01/27 22:37:35| Processing: memory_replacement_policy heap GDSF
                2015/01/27 22:37:35| Processing: cache_replacement_policy heap LFUDA
                2015/01/27 22:37:35| Processing: cache_dir ufs /var/squid/cache 100 16 256
                2015/01/27 22:37:35| Processing: minimum_object_size 0 KB
                2015/01/27 22:37:35| Processing: maximum_object_size 1024 KB
                2015/01/27 22:37:35| Processing: offline_mode off
                2015/01/27 22:37:35| Processing: cache_swap_low 80
                2015/01/27 22:37:35| Processing: cache_swap_high 85
                2015/01/27 22:37:35| Processing: acl donotcache dstdomain "/var/squid/acl/donotcache.acl"
                2015/01/27 22:37:35| Processing: cache deny donotcache
                2015/01/27 22:37:35| Processing: cache allow all
                2015/01/27 22:37:35| Processing: acl allsrc src all
                2015/01/27 22:37:35| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535
                2015/01/27 22:37:35| Processing: acl sslports port 443 563
                2015/01/27 22:37:35| Processing: acl purge method PURGE
                2015/01/27 22:37:35| Processing: acl connect method CONNECT
                2015/01/27 22:37:35| Processing: acl HTTP proto HTTP
                2015/01/27 22:37:35| Processing: acl HTTPS proto HTTPS
                2015/01/27 22:37:35| Processing: acl allowed_subnets src 192.168.254.0/24
                2015/01/27 22:37:35| Processing: http_access allow manager localhost
                2015/01/27 22:37:35| Processing: http_access deny manager
                2015/01/27 22:37:35| Processing: http_access allow purge localhost
                2015/01/27 22:37:35| Processing: http_access deny purge
                2015/01/27 22:37:35| Processing: http_access deny !safeports
                2015/01/27 22:37:35| Processing: http_access deny CONNECT !sslports
                2015/01/27 22:37:35| Processing: quick_abort_min 0 KB
                2015/01/27 22:37:35| Processing: quick_abort_max 0 KB
                2015/01/27 22:37:35| Processing: request_body_max_size 0 KB
                2015/01/27 22:37:35| Processing: reply_body_max_size 1000000 KB allsrc
                2015/01/27 22:37:35| Processing: delay_pools 1
                2015/01/27 22:37:35| Processing: delay_class 1 2
                2015/01/27 22:37:35| Processing: delay_parameters 1 393216/393216 131072/131072
                2015/01/27 22:37:35| Processing: delay_initial_bucket_level 100
                2015/01/27 22:37:35| Processing: acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
                2015/01/27 22:37:35| Processing: delay_access 1 allow throttle_exts
                2015/01/27 22:37:35| Processing: delay_access 1 deny allsrc
                2015/01/27 22:37:35| Processing: http_access allow allowed_subnets
                2015/01/27 22:37:35| Processing: http_access allow localnet
                2015/01/27 22:37:35| Processing: http_access deny allsrc
                2015/01/27 22:37:35| Initializing https proxy context
                
                

                [2.1.3-RELEASE][admin@pfsense.mu.local]/root(2):

                Other information:

                Running the command sockstat | grep 3128

                [2.1.3-RELEASE][admin@pfsense.mu.local]/root(82): sockstat | grep 3128
                proxy    squid      21837 27 tcp4   192.168.254.1:3128    *:*
                proxy    squid      21837 28 tcp4   127.0.0.1:3128        *:*
                [2.1.3-RELEASE][admin@pfsense.mu.local]/root(83):
                

                Command ps aux | grep squid

                [2.1.3-RELEASE][admin@pfsense.mu.local]/root(88): ps aux | grep squid
                root   21463  0.0  0.5 13756  9572  ??  INs  10:19PM   0:00.00 /usr/pbi/squid-i386/sbin/squid -f /usr/pbi/squid-i386/etc/squid/squid.conf
                proxy  21837  0.0  0.7 24008 14636  ??  IN   10:19PM   0:00.05 (squid-1) -f /usr/pbi/squid-i386/etc/squid/squid.conf (squid)
                root   19080  0.0  0.0  1816   692   0  R+   10:40PM   0:00.00 grep squid
                [2.1.3-RELEASE][admin@pfsense.mu.local]/root(89):
                
                

                but running ps aux | grep 3128

                and the workstation ¬¬
                https://www.dropbox.com/s/yjtrc6sqj3fkxyg/micro.JPG?dl=0

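Added example, not part of the original thread and not pfSense or Squid package code: the check marcelloc made by eye on the `squid -k parse` output (is any `http_port` declared with interception?), combined with a cross-check against `sockstat`. The sample lines are copied from the outputs posted above; the function names and finding texts are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed samples: lines copied from the two `squid -k parse` runs and
# the `sockstat | grep 3128` output posted in this thread.
PARSE_BEFORE = """\
2015/01/27 21:07:42| Processing: http_port 192.168.254.1:3128
2015/01/27 21:07:42| Processing: icp_port 0
"""
PARSE_AFTER = """\
2015/01/27 22:37:35| Processing: http_port 192.168.254.1:3128
2015/01/27 22:37:35| Processing: http_port 127.0.0.1:3128 intercept
2015/01/27 22:37:35| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2015/01/27 22:37:35| Processing: icp_port 0
"""
SOCKSTAT = """\
proxy    squid      21837 27 tcp4   192.168.254.1:3128    *:*
proxy    squid      21837 28 tcp4   127.0.0.1:3128        *:*
"""

# Matches the "Processing: http_port <addr> [options...]" lines of the parse run.
PORT_RE = re.compile(r"\|\s*Processing:\s+http_port\s+(\S+)(.*)$")
# http_port options that make a listener accept redirected (non-proxy) traffic.
# "transparent" is the older spelling of "intercept".
INTERCEPT_OPTIONS = {"intercept", "transparent", "tproxy"}


@dataclass(frozen=True)
class Listener:
    address: str  # address exactly as written after http_port
    mode: str     # "intercept" or "forward"


def parse_listeners(parse_output):
    """Extract every http_port directive from `squid -k parse` output."""
    listeners = []
    for line in parse_output.splitlines():
        match = PORT_RE.search(line)
        if not match:
            continue
        options = set(match.group(2).split())
        mode = "intercept" if options & INTERCEPT_OPTIONS else "forward"
        listeners.append(Listener(match.group(1), mode))
    return listeners


def bound_sockets(sockstat_output, process="squid"):
    """Return the local TCP addresses that `process` holds open."""
    bound = set()
    for line in sockstat_output.splitlines():
        fields = line.split()
        # sockstat columns: USER COMMAND PID FD PROTO LOCAL FOREIGN
        if len(fields) >= 7 and fields[1] == process and fields[4].startswith("tcp"):
            bound.add(fields[5])
    return bound


def _socket_name(address):
    # A bare port in squid.conf shows up in sockstat as "*:port".
    return address if ":" in address else f"*:{address}"


def diagnose(parse_output, sockstat_output):
    """Return a list of findings; an empty list means config and sockets agree."""
    findings = []
    listeners = parse_listeners(parse_output)
    if not listeners:
        findings.append("no http_port directive parsed")
    elif not any(l.mode == "intercept" for l in listeners):
        findings.append("no intercepting http_port: redirected port-80 "
                        "traffic has no listener")
    bound = bound_sockets(sockstat_output)
    for listener in listeners:
        if _socket_name(listener.address) not in bound:
            findings.append(f"{listener.address} configured but not bound by squid")
    return findings


if __name__ == "__main__":
    for label, text in (("first run", PARSE_BEFORE), ("second run", PARSE_AFTER)):
        print(label, parse_listeners(text), diagnose(text, SOCKSTAT))
```

An empty result only shows that the configuration and the open sockets agree; as the rest of the thread shows, browsing can still fail for other reasons.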
                • marcelloc
                  marcelloc last edited by

                  Any information in cache.log?

                  PS: use the code option to post logs and command output. It is easier to read.

                  Attaching images through the attachments and other options option also makes it easier.

                  Just to be sure there is no other interception getting in the way, did you uncheck the HTTP to HTTPS redirect in system advanced?

                  Elite Trainings: http://sys-squad.com

                  Help a community developer! ;D

                  • V
                    victorfmaraujo last edited by

                    @marcelloc:

                    Any information in cache.log?

                    PS: use the code option to post logs and command output. It is easier to read.

                    Attaching images through the attachments and other options option also makes it easier.

                    Just to be sure there is no other interception getting in the way, did you uncheck the HTTP to HTTPS redirect in system advanced?

                    OK, I had forgotten to include it in the first output, but I quickly added it, hehehe.

                    Yes, the option was unchecked. I checked it, waited 20 seconds and tested again (without success).

                    Here is the data from access.log

                    2015/01/27 22:05:57 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
                    2015/01/27 22:05:58 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/pt-br/error-details.txt
                    2015/01/27 22:05:58 kid1| Unable to load default error language files. Reset to backups.
                    2015/01/27 22:05:58 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
                    2015/01/27 22:05:58 kid1| WARNING: failed to find or read error text file error-details.txt
                    2015/01/27 22:05:58 kid1| sendto FD 25: (1) Operation not permitted
                    2015/01/27 22:05:58 kid1| ipcCreate: CHILD: hello write test failed
                    2015/01/27 22:06:57 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
                    2015/01/27 22:06:57 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/pt-br/error-details.txt
                    2015/01/27 22:06:57 kid1| Unable to load default error language files. Reset to backups.
                    2015/01/27 22:06:57 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
                    2015/01/27 22:06:57 kid1| WARNING: failed to find or read error text file error-details.txt
                    2015/01/27 22:06:58 kid1| sendto FD 28: (1) Operation not permitted
                    2015/01/27 22:06:58 kid1| ipcCreate: CHILD: hello write test failed
                    2015/01/27 22:18:21 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
                    2015/01/27 22:18:21 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/pt-br/error-details.txt
                    2015/01/27 22:18:21 kid1| Unable to load default error language files. Reset to backups.
                    2015/01/27 22:18:21 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
                    2015/01/27 22:18:21 kid1| WARNING: failed to find or read error text file error-details.txt
                    2015/01/27 22:18:21 kid1| sendto FD 26: (1) Operation not permitted
                    2015/01/27 22:18:21 kid1| ipcCreate: CHILD: hello write test failed
                    2015/01/27 22:18:28 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
                    2015/01/27 22:18:28 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/pt-br/error-details.txt
                    2015/01/27 22:18:28 kid1| Unable to load default error language files. Reset to backups.
                    2015/01/27 22:18:28 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
                    2015/01/27 22:18:28 kid1| WARNING: failed to find or read error text file error-details.txt
                    2015/01/27 22:18:28 kid1| sendto FD 26: (1) Operation not permitted
                    2015/01/27 22:18:28 kid1| ipcCreate: CHILD: hello write test failed
                    2015/01/27 22:19:35 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
                    2015/01/27 22:19:35 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/pt-br/error-details.txt
                    2015/01/27 22:19:35 kid1| Unable to load default error language files. Reset to backups.
                    2015/01/27 22:19:35 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
                    2015/01/27 22:19:35 kid1| WARNING: failed to find or read error text file error-details.txt
                    2015/01/27 22:19:35 kid1| sendto FD 29: (1) Operation not permitted
                    2015/01/27 22:19:35 kid1| ipcCreate: CHILD: hello write test failed
                    [2.1.3-RELEASE][admin@pfsense.mu.local]/var/squid/logs(104): PuTTYPuTTYPuTTY
                    
                    

                    I think there is some leftover from squid2.

                    Looking at this file inside /usr/pbi/squid-i386/etc/squid/errors//pt-br/templates/error-details.txt

                    [2.1.3-RELEASE][admin@pfsense.mu.local]/usr/pbi/squid-i386/etc/squid/errors/pt-br(151): cat error-details.txt
                    name: SQUID_ERR_SSL_HANDSHAKE
                    detail: "%ssl_error_descr: %ssl_lib_error"
                    descr: "Handshake with SSL server failed"
                    
                    name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Certificate does not match domainname"
                    
                    name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
                    detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
                    descr: "Unable to get issuer certificate"
                    
                    name: X509_V_ERR_UNABLE_TO_GET_CRL
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Unable to get certificate CRL"
                    
                    name: X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Unable to decrypt certificate's signature"
                    
                    name: X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Unable to decrypt CRL's signature"
                    
                    name: X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
                    detail: "Unable to decode issuer (CA) public key: %ssl_ca_name"
                    descr: "Unable to decode issuer public key"
                    
                    name: X509_V_ERR_CERT_SIGNATURE_FAILURE
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Certificate signature failure"
                    
                    name: X509_V_ERR_CRL_SIGNATURE_FAILURE
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "CRL signature failure"
                    
                    name: X509_V_ERR_CERT_NOT_YET_VALID
                    detail: "SSL Certficate is not valid before: %ssl_notbefore"
                    descr: "Certificate is not yet valid"
                    
                    name: X509_V_ERR_CERT_HAS_EXPIRED
                    detail: "SSL Certificate expired on: %ssl_notafter"
                    descr: "Certificate has expired"
                    
                    name: X509_V_ERR_CRL_NOT_YET_VALID
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "CRL is not yet valid"
                    
                    name: X509_V_ERR_CRL_HAS_EXPIRED
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "CRL has expired"
                    
                    name: X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
                    detail: "SSL Certificate has invalid start date (the 'not before' field): %ssl_subject"
                    descr: "Format error in certificate's notBefore field"
                    
                    name: X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
                    detail: "SSL Certificate has invalid expiration date (the 'not after' field): %ssl_subject"
                    descr: "Format error in certificate's notAfter field"
                    
                    name: X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Format error in CRL's lastUpdate field"
                    
                    name: X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Format error in CRL's nextUpdate field"
                    
                    name: X509_V_ERR_OUT_OF_MEM
                    detail: "%ssl_error_descr"
                    descr: "Out of memory"
                    
                    name: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
                    detail: "Self-signed SSL Certificate: %ssl_subject"
                    descr: "Self signed certificate"
                    
                    name: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
                    detail: "Self-signed SSL Certificate in chain: %ssl_subject"
                    descr: "Self signed certificate in certificate chain"
                    
                    name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
                    detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
                    descr: "Unable to get local issuer certificate"
                    
                    name: X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Unable to verify the first certificate"
                    
                    name: X509_V_ERR_CERT_CHAIN_TOO_LONG
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Certificate chain too long"
                    
                    name: X509_V_ERR_CERT_REVOKED
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Certificate revoked"
                    
                    name: X509_V_ERR_INVALID_CA
                    detail: "%ssl_error_descr: %ssl_ca_name"
                    descr: "Invalid CA certificate"
                    
                    name: X509_V_ERR_PATH_LENGTH_EXCEEDED
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Path length constraint exceeded"
                    
                    name: X509_V_ERR_INVALID_PURPOSE
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Unsupported certificate purpose"
                    
                    name: X509_V_ERR_CERT_UNTRUSTED
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Certificate not trusted"
                    
                    name: X509_V_ERR_CERT_REJECTED
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Certificate rejected"
                    
                    name: X509_V_ERR_SUBJECT_ISSUER_MISMATCH
                    detail: "%ssl_error_descr: %ssl_ca_name"
                    descr: "Subject issuer mismatch"
                    
                    name: X509_V_ERR_AKID_SKID_MISMATCH
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Authority and subject key identifier mismatch"
                    
                    name: X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
                    detail: "%ssl_error_descr: %ssl_ca_name"
                    descr: "Authority and issuer serial number mismatch"
                    
                    name: X509_V_ERR_KEYUSAGE_NO_CERTSIGN
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Key usage does not include certificate signing"
                    
                    name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "unable to get CRL issuer certificate"
                    
                    name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "unhandled critical extension"
                    
                    name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "key usage does not include CRL signing"
                    
                    name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "unhandled critical CRL extension"
                    
                    name: X509_V_ERR_INVALID_NON_CA
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "invalid non-CA certificate (has CA markings)"
                    
                    name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "proxy path length constraint exceeded"
                    
                    name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "key usage does not include digital signature"
                    
                    name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "proxy certificates not allowed, please set the appropriate flag"
                    
                    name: X509_V_ERR_INVALID_EXTENSION
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "invalid or inconsistent certificate extension"
                    
                    name: X509_V_ERR_INVALID_POLICY_EXTENSION
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "invalid or inconsistent certificate policy extension"
                    
                    name: X509_V_ERR_NO_EXPLICIT_POLICY
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "no explicit policy"
                    
                    name: X509_V_ERR_DIFFERENT_CRL_SCOPE
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Different CRL scope"
                    
                    name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Unsupported extension feature"
                    
                    name: X509_V_ERR_UNNESTED_RESOURCE
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "RFC 3779 resource not subset of parent's resources"
                    
                    name: X509_V_ERR_PERMITTED_VIOLATION
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "permitted subtree violation"
                    
                    name: X509_V_ERR_EXCLUDED_VIOLATION
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "excluded subtree violation"
                    
                    name: X509_V_ERR_SUBTREE_MINMAX
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "name constraints minimum and maximum not supported"
                    
                    name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "unsupported name constraint type"
                    
                    name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "unsupported or invalid name constraint syntax"
                    
                    name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "unsupported or invalid name syntax"
                    
                    name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "CRL path validation error"
                    
                    name: X509_V_ERR_APPLICATION_VERIFICATION
                    detail: "%ssl_error_descr: %ssl_subject"
                    descr: "Application verification failure"
                    [2.1.3-RELEASE][admin@pfsense.mu.local]/usr/pbi/squid-i386/etc/squid/errors/pt-br(152):
                    
                    
                    • marcelloc
                      marcelloc last edited by

                      This bug is from one of the squid versions, nothing related to the package. If I'm not mistaken, you just need to remove the entries it doesn't recognize.

                      • V
                        victorfmaraujo last edited by

                        @marcelloc:

                        This bug is from one of the squid versions, nothing related to the package. If I'm not mistaken, you just need to remove the entries it doesn't recognize.

                        Hmm, which entries would those be? In the web GUI?

                        • marcelloc
                          marcelloc last edited by

                          @victorfmaraujo:

                          Hmm, which entries would those be? In the web GUI?

                          In squid's own error files. Follow the errors pointed out by the log.

                          • V
                            victorfmaraujo last edited by

                            @marcelloc:

                            @victorfmaraujo:

                            Hmm, which entries would those be? In the web GUI?

                            In squid's own error files. Follow the errors pointed out by the log.

                            Maaan. Not wanting to be a pain, but already being one, haha.

                            I really didn't understand these errors exactly.

                            This error-details.txt file only describes SSL errors (I'm not using an HTTPS proxy).

                            Could you point me north, or if possible to the X on the treasure map?

                            Just so you know: I cleared the squid cache, created a directory to save those files in case I need them, and rebooted pfSense so it would create a new cache.log.

                            It didn't fix it :(

                            Regards

                            • marcelloc
                              marcelloc last edited by

                              Remove from the error file the entries that are preventing the service from starting.

                              See whether cache.log gives a hint.

                              • tiagopesantos
                                tiagopesantos last edited by

                                Dear Victor, I'd also like to report that I installed pfSense 2.2 with the latest version of squid 3, and the same problem happens when browsing with the transparent proxy checked. I did the installation from scratch to rule out leftovers from the previous squid, but that's not it!!  :-\

                                • marcelloc
                                  marcelloc last edited by

                                  The only difference I see from my installation is the architecture. I use the 64-bit version.

                                  • V
                                    victorfmaraujo last edited by

                                    @marcelloc:

                                    The only difference I see from my installation is the architecture. I use the 64-bit version.

                                    OK marcelloc, I'll research it and see if I can manage.

                                    I don't believe the architecture could interfere with this.

                                    Another interesting thing: even with these problems, I configured the pfSense load balancer to listen on the two loopbacks, and in the load balancer status both showed as Off. (Detail: running sockstat | grep 3128, both loopbacks showed up there listening on port 3128. Very strange.)

                                    I personally think it's a NAT problem, where squid isn't capturing the traffic coming from LAN net to any destination on port 80.

                                    I found this topic of yours on the international forum
                                    https://forum.pfsense.org/index.php?topic=62256.msg341632#msg341632

                                    Do you think it's worth removing the squid3 3.3.10 pkg 2.2.8 that I'm using and installing the 3.3.5 you mention in that same topic?
                                    Do I need to download any lib if I do that?

                                    On console/ssh use  pkg_delete to remove squid-3.3.4 and pkg_add to get squid 3.3.5

                                    i386 systems
                                    pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/squid-3.3.5.tbz

                                    amd64 systems
                                    pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/squid-3.3.5.tbz

                                    • V
                                      victorfmaraujo last edited by

                                      I think I found the problem

                                      [2.1.3-RELEASE][admin@pfsense.mu.local]/var/squid/logs(41): cat cache.log
                                      2015/01/28 10:23:49 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
                                      2015/01/28 10:23:50 kid1| commBind: Cannot bind socket FD 24 to 127.0.0.1:3128: (48) Address already in use
                                      2015/01/28 10:23:50 kid1| sendto FD 25: (1) Operation not permitted
                                      2015/01/28 10:23:50 kid1| ipcCreate: CHILD: hello write test failed
                                      

                                      Does anyone have any idea what this is?

                                      Another thing: I read somewhere that on some Linux servers there's a parameter where you define the squid PID. Could that be it? I'm guessing.

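As an added example (not part of the original posts, and not pfSense or Squid project code), this shell function triages cache.log lines like the ones quoted in the post above, separating the listening-port conflict from the failed local IPC send. The function names and the output format are assumptions made for this illustration; the sample input is the four log lines from the post.

```shell
#!/bin/sh
# Constructed sample: the four cache.log lines quoted in the post above.
sample_cache_log() {
cat <<'EOF'
2015/01/28 10:23:49 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
2015/01/28 10:23:50 kid1| commBind: Cannot bind socket FD 24 to 127.0.0.1:3128: (48) Address already in use
2015/01/28 10:23:50 kid1| sendto FD 25: (1) Operation not permitted
2015/01/28 10:23:50 kid1| ipcCreate: CHILD: hello write test failed
EOF
}

# triage_cache_log (hypothetical helper): reads cache.log on stdin and prints
# one finding per line as CLASS|timestamp|detail, then a STARTS|<count> line.
triage_cache_log() {
    awk '
    {
        ts = $1 " " $2
        msg = $0
        sub(/^[^|]*\| /, "", msg)          # drop "date time kidN| "
    }
    msg ~ /^Starting Squid Cache/ { starts++; next }
    msg ~ /^commBind: Cannot bind socket/ {
        # Another socket already owns this address:port. On FreeBSD,
        # "sockstat -l -p 3128" shows which process is listening.
        ep = msg;  sub(/^.* to /, "", ep);  sub(/: \(.*$/, "", ep)
        err = msg; sub(/^.*\) /, "", err)
        print "BIND_FAIL|" ts "|" ep " (" err ")"
        next
    }
    msg ~ /^sendto FD [0-9]+: \(1\) Operation not permitted/ {
        # EPERM on a local send: on FreeBSD this is commonly produced by a
        # packet-filter rule blocking the packet (a hint to check, not a diagnosis).
        print "SEND_EPERM|" ts "|kernel refused a local send"
        next
    }
    msg ~ /^ipcCreate: .*hello write test failed/ {
        print "IPC_FAIL|" ts "|helper IPC handshake failed"
        next
    }
    END { print "STARTS|" starts + 0 }
    '
}

# Stand-alone run on the sample; on the firewall itself:
#   triage_cache_log < /var/squid/logs/cache.log
sample_cache_log | triage_cache_log
```

A SEND_EPERM immediately followed by IPC_FAIL points at traffic between Squid and its own child processes being refused locally, which is a separate condition from the BIND_FAIL port conflict.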
                                      • marcelloc
                                        marcelloc last edited by

                                        @victorfmaraujo:

                                        I don't believe the architecture could interfere with this.

                                        In 2.1 the antivirus doesn't work with amd64, and in 2.2 the transparent proxy is apparently broken, perhaps because of compilation.

                                        @victorfmaraujo:

                                        Do you think it's worth removing the squid3 3.3.10 pkg 2.2.8 that I'm using and installing the 3.3.5 you mention in that same topic?

                                        No. This binary is for version 2.0.

                                        • V
                                          victorfmaraujo last edited by

                                          @marcelloc:

                                          @victorfmaraujo:

                                          I don't believe the architecture could interfere with this.

                                          In 2.1 the antivirus doesn't work with amd64, and in 2.2 the transparent proxy is apparently broken, perhaps because of compilation.

                                          @victorfmaraujo:

                                          Do you think it's worth removing the squid3 3.3.10 pkg 2.2.8 that I'm using and installing the 3.3.5 you mention in that same topic?

                                          No. This binary is for version 2.0.

                                          I found the problem.

                                          In some posts on the international forum they were talking about enabling IPv6 in pfSense. I did that and it worked.

                                          Thank you marcelloc for the attention you gave this post even at such a late hour.

                                          • marcelloc
                                            marcelloc last edited by

                                            @victorfmaraujo:

                                            In some posts on the international forum they were talking about enabling IPv6 in pfSense. I did that and it worked.

                                            Why was that disabled on your pfSense 2.1? ???

                                            • V
                                              victorfmaraujo last edited by

                                              @marcelloc:

                                              @victorfmaraujo:

                                              In some posts on the international forum they were talking about enabling IPv6 in pfSense. I did that and it worked.

                                              Why was that disabled on your pfSense 2.1? ???

                                              hahahaha

                                              Man, I have no idea. We've had this client for about 6 months and the pfSense wasn't installed by us.
