Bug #10749

squid + captive portal authentication not working

Added by Viktor Gurov 4 months ago. Updated 2 days ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected Version:
Affected Architecture:

Since the last update (2.4.5-RELEASE-p1), i can't get to work my squid with Captive Portal authentication. If i enable it, all request on internet show "Access denied", HTTP or HTTPS. When i disable authentication on squid conf, Internet browsing is OK. Someone have the same problem?

After enabling Captive Portal authentication, I can helper error on each connection attempt:

2020/07/10 14:29:11 kid1| Starting Squid Cache version 4.10 for amd64-portbld-freebsd12.1...
2020/07/10 14:29:11 kid1| Service Name: squid
2020/07/10 14:29:14 kid1| WARNING: check_cp #Hlpr1 exited
2020/07/10 14:29:14 kid1| ERROR: The check_cp helpers are crashing too rapidly, need help!
2020/07/10 14:29:15 kid1| WARNING: check_cp #Hlpr2 exited
2020/07/10 14:29:15 kid1| ERROR: The check_cp helpers are crashing too rapidly, need help!

Seems Squid 4 issue,
but changing external_acl_type to the correct format (%>a instead of %SRC, see, doesn't help

'echo "" | /usr/local/bin/check_ip.php' works fine


#1 Updated by Christophe PLUMEL 4 months ago

I have same problem (WPAD + explicit Squid with Captive Portal authentication) since I update pfSense to 2.4.5 and squid package to 0.4.44_28
Everything works perfectly before update
Symptom : no user authentication in Squid and access denied (TCP_DENIED/403).

I've tried a lot of things but nothing work, it's not a network setting problem.

I hope someone will find a solution! :)

#2 Updated by Bruno Le Fellic 6 days ago

I have the same problem on a fresh new installation with versions :
- pfSense 2.4.4-RELEASE-p1
- Squid 0.4.44_32
The authenticated user is seen as Logged in page "Status > Capture Portal". It get always 403 error except for domains in ACLs whitelist of squid config.

#3 Updated by Brendan Gallagher 3 days ago

It appears that squid is passing an extra "-" after the ip address to check_ip.php
e.g. -
I am not proficient in modifying the squid config file so my workaround was to modify check_ip.php
$check_ip = trim(fgets(STDIN));
$check_ip = preg_replace('/[^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}]/', '', fgets(STDIN));
Not sure if it will work in all cases but it seams to work for me.

#4 Updated by Viktor Gurov 3 days ago

Fixes/improvements in this PR:
- Regexp for STDIN
- Checks all enabled CP DBs
- Checks if client's IP is in 'Allowed IP Addresses' list

#5 Updated by Jim Pingle 3 days ago

  • Status changed from New to Pull Request Review

#6 Updated by Renato Botelho 2 days ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR merged. Thanks!

#8 Updated by Viktor Gurov 2 days ago

  • Status changed from Resolved to New

small improvement - Use IP as username for allowedip hosts:

Also available in: Atom PDF