Interesting squid Chrome/Edge firewall differences



  • I decided to put this question in General because it might not be squid specific.

    My environment is:

    pfSense 2.6
    Windows 10 box
    Chrome_something_recent
    Edge
    squid in http transparent mode on port 3128

    I'm teaching myself node.js. I have a server running on port 3000. I can access http://localhost:3000 on Edge, no problem. When I do, nothing appears in the Squid realtime logs. However on Chrome http://localhost:3000 is intercepted by Squid and the destination it tries is ::1 and it misses with a 503 or a 000. If I try http://127.0.0.1:3000 it also fails (with a 302), but that might be due to a Squid/squidguard setup thing.

    Both Edge and Chrome are directed to the same Squid proxy:port in their network settings.

    It's probably a super noob question but can someone point out what I'm doing wrong?



  • This isn't your issue but you're mixing transparent and explicit mode.  Pick one, preferably explicit mode with WPAD.  Second, going to http://127.0.0.1:3000 isn't going to show on the proxy logs because 127.0.0.1 is localhost, your Win10 PC, so you're trying to access a page on your local box which doesn't require the proxy.  I don't know what Chrome is doing (DNS?), but ::1 is localhost for IPv6.  If you aren't running IPv6, you might want to disable it in pfSense, and set Squid to Resolve DNS IPv4 First.

    It's probably a super noob question but can someone point out what I'm doing wrong?

    You're expecting the proxy to come into play when you're only fetching resources from the local client.  Squid caches content from WAN, typically.



  • OK thanks, that gives me enough to get started.

    I do have wpad but a while ago I found it was performing slowly with whatever config I had at the time and transparent mode was easier.

    No IPv6, but I also found that interesting.



  • I do have wpad but a while ago I found it was performing slowly with whatever config I had at the time

    WPAD only helps your clients find the proxy automatically.  It has no bearing on the speed of the proxy or anything like that.

    and transparent mode was easier.

    … until you get to anything that uses HTTPS, which is a LOT of the web these days.  Then Transparent mode is a tremendous hassle because you have to install a pfSense certificate on every client that will use the proxy.



  • (Some of) my clients are/were slow to find wpad, or so it seemed.

    I just use direct https still, no proxy. I never bothered to try to set that up when squid/https became available.

    You led me to a solution. I left transparent mode on, but instead of pointing the W10 machine to the proxy I pointed it to wpad and in wpad I added the previously missing option for localhost to pass DIRECT instead of through squid.
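The fix described above, as an added example of a WPAD/PAC file (this is not the poster's wpad.dat): loopback addresses and plain single-label hostnames return DIRECT so they never reach Squid, everything else goes to the proxy. The proxy address 192.0.2.1:3128 is a placeholder; no PAC built-in helpers (isPlainHostName, isInNet) are used, so the same function runs unchanged in a browser and under Node.

```javascript
// Example WPAD/PAC file (constructed for illustration, not the forum poster's
// actual wpad.dat). Browsers call FindProxyForURL(url, host) for every request;
// "host" is the hostname only, without scheme, port or path.
// Assumption: Squid is reachable at 192.0.2.1:3128 (placeholder address).
var SQUID = "PROXY 192.0.2.1:3128";

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();

  // Some browsers pass IPv6 literals with brackets, e.g. "[::1]" for
  // http://[::1]:3000/ ; strip them so the loopback check below matches.
  if (h.charAt(0) === "[" && h.charAt(h.length - 1) === "]") {
    h = h.substring(1, h.length - 1);
  }

  // Loopback in all its spellings: localhost, *.localhost, ::1, 127.x.x.x.
  // The request targets the client itself, so the proxy must not see it
  // (sending it to Squid makes Squid try ::1 on the firewall and fail).
  if (h === "localhost" || h === "localhost.localdomain" ||
      /\.localhost$/.test(h) || h === "::1" || h.indexOf("127.") === 0) {
    return "DIRECT";
  }

  // Plain hostnames (no dots) are LAN names resolved by the client itself.
  if (h.indexOf(".") === -1) {
    return "DIRECT";
  }

  // Everything else goes through Squid. Deliberately no "; DIRECT" fallback:
  // failing open would let clients bypass Squid/squidGuard filtering whenever
  // the proxy is unreachable.
  return SQUID;
}
```

Serve this as wpad.dat with MIME type application/x-ns-proxy-autoconfig; the host:port in SQUID is the only value to adapt.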



  • IIRC, when you have a proxy configured, the behavior of browsers can change and they may not try to resolve resources for themselves.  IOW, the host may be sending the request for "localhost:3000" over to the proxy, which is then trying to hit port 3000 on the pfSense box and failing (because you presumably don't have it open / have a service on it).

    I know that IE up through 11 has an option under the Proxy settings to not use the proxy for "LAN traffic."  I can't remember if it's smart enough to realize that localhost is LAN (actually, on the local machine), but I suspect it is… and I think that option is enabled by default.

    My hunch is that Edge is behaving the same way - sees the request for your own machine and just sends it there.  Chrome is trying to send everything to the proxy, which it probably shouldn't.
