Project

General

Profile

Actions

Bug #4114

closed

Squid 3.4.9 transparent proxy broken.

Added by Arthur Undisclosed about 10 years ago. Updated almost 10 years ago.

Status:
Resolved
Priority:
Normal
Category:
Squid
Target version:
Start date:
12/14/2014
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
2.2
Affected Plus Version:
Affected Architecture:
amd64

Description

The latest Squid packages all had issues, but none of them as serious as transparent proxy not working.
Squid has to be compiled with options (--enable-pf-transparent) to allow transparent proxy to work (tproxy), besides that the port for intercepted traffic has to change from
3128 to 3129.
I wouldn't report this issue if Squid was still alpha, apparently it is beta so it should be feature-complete.
Squid is for many pfsense users an essential tool for filtering and monitoring web traffic, please fix this.

Actions #1

Updated by Chris Buechler almost 10 years ago

  • Assignee set to Renato Botelho
Actions #2

Updated by Marcello Silva Coutinho almost 10 years ago

package build options are updated and pbi rebuild.

Actions #3

Updated by Renato Botelho almost 10 years ago

  • Status changed from New to Feedback

Please try pkg version 0.2.2

Actions #4

Updated by Arthur Undisclosed almost 10 years ago

Just tested the new package, still transparent proxy does not work. In the logs I get "TAG_NONE/400" and the client gets "invalid URL".
Tested with both transparent checked on the web interface and with a manual redirect rule in the NAT section.
May have something to do with PfSense build, I'm on Fri Dec 12 12:10:38 CST 2014 build.

Cheers.

Actions #5

Updated by Gerald Drausinger almost 10 years ago

Pfsense: 2.2-RC (amd64) built on Sat Jan 10 03:54:06 CST 2015
Squid: 3.4.10_2 pkg 0.2.2

Issue with transparent proxy still persist for me too, client gets invalid url.

(cpu load of .pbirun process is also really high even after disabling transparent proxy)

If I can provide any additional logging information that may help, please just contact me.

Actions #6

Updated by Renato Botelho almost 10 years ago

  • % Done changed from 0 to 100

Should be fine on 0.2.4

Actions #7

Updated by Arthur Undisclosed almost 10 years ago

I'm sorry, it seems there are still numerous issues with this package:

- Transparent proxy still doesn't work. "TAG_NONE/400" and "invalid URL".
- FATAL: pinger: Unable to open any ICMP sockets.
- kid1| commBind: Cannot bind socket FD 29 to 127.0.0.1:3128: (48) Address already in use

Sadly it has gone from bad to worse, we're nearly three months without Squid now.
Any pointers on how to troubleshoot this will be appreciated.

Cheers.

Actions #8

Updated by Albert H almost 10 years ago

Arthur Undisclosed wrote:

I'm sorry, it seems there are still numerous issues with this package:

- Transparent proxy still doesn't work. "TAG_NONE/400" and "invalid URL".
- FATAL: pinger: Unable to open any ICMP sockets.
- kid1| commBind: Cannot bind socket FD 29 to 127.0.0.1:3128: (48) Address already in use

Sadly it has gone from bad to worse, we're nearly three months without Squid now.
Any pointers on how to troubleshoot this will be appreciated.

Cheers.

This problem can be present at the wrong setting squid
If you in Proxy interface(s) selected loopback interface this problem may appears

Actions #9

Updated by Arthur Undisclosed almost 10 years ago

Confirmed working now. (phew!)
Latest package 0.2.4 transparent proxy is OK.
ICMP pinger disabled in GUI to avoid errors.
I've removed Squid from the loopback interface.

As for manual redirect rules:
I couldn't find any information why we need actually TWO nat rules?
The first one states "NO RDR to localnets" and the second rule does the actual redirect to port 3128.
I found it by accident in the rules.debug when I locked myself out of the GUI...

Let's close this one, a huge thankyou for all your work.
Cheers.

Actions #10

Updated by Luke Stracey almost 10 years ago

Please do not close.
I know the original bug was opened on amd64 but I have been following this avidly as it also effects i386.
Coming from a working config on 2.1.5 and upgrading the Squid package when upgrading to 2.2 does not work. There has been improvements: it now lets you access websites when the Transparent Proxy is enabled (and the Service does appear to run without error), but it is not caching anything nor is Squid logging any attempts.

Process:
working config from 2.1.5 > Upgrade to 2.2 latest.
Update to latest Squid Package.
Resave all configs (even though previous working setup is shown in GUI, inc no loopback interface selected)
restart Router (and therefore service also).
File downloads continue to come from WAN interface where previously would show as coming from SSD Cache (proven via interface status graph as squid log not showing any activity)

Actions #11

Updated by Gerald Drausinger almost 10 years ago

PfSense: 2.2-RC (amd64) built on Thu Jan 15 12:12:32 CST 2015
Squid: 3.4.10_2 pkg 0.2.4

Confirmed, Package is working now for me too, but interestingly only after a reboot of the router after the package installation. (invalid url error appeared again directly after package installation.)

Loopback interface was never selected on my side.

Actions #12

Updated by Chris Buechler almost 10 years ago

  • Status changed from Feedback to Resolved

issue covered here is fixed

Actions #13

Updated by Luke Stracey almost 10 years ago

Issue definitely not "fixed" if you are upgrading from a working config - maybe if you install fresh or use some workarounds(?)

No point opening a bug for i386 as obviously closed so they can a rush 2.2RELEASE

Actions #14

Updated by Chris Buechler almost 10 years ago

the issue covered by this ticket is fixed, there might be other issues but those are separate and have no relation to 2.2. Please post info on whatever issue you have to the forum.

Actions

Also available in: Atom PDF