Bug #4114
closed
Squid 3.4.9 transparent proxy broken.
Added by Arthur Undisclosed almost 10 years ago.
Updated almost 10 years ago.
Affected Architecture:
amd64
Description
The latest Squid packages all had issues, but none of them as serious as transparent proxy not working.
Squid has to be compiled with options (--enable-pf-transparent) to allow transparent proxy to work (tproxy), besides that the port for intercepted traffic has to change from 3128 to 3129.
I wouldn't report this issue if Squid was still alpha, apparently it is beta so it should be feature-complete.
Squid is for many pfsense users an essential tool for filtering and monitoring web traffic, please fix this.
- Assignee set to Renato Botelho
Package build options are updated and PBI rebuilt.
- Status changed from New to Feedback
Please try pkg version 0.2.2
Just tested the new package, still transparent proxy does not work. In the logs I get "TAG_NONE/400" and the client gets "invalid URL".
Tested with both transparent checked on the web interface and with a manual redirect rule in the NAT section.
May have something to do with PfSense build, I'm on Fri Dec 12 12:10:38 CST 2014 build.
Cheers.
Pfsense: 2.2-RC (amd64) built on Sat Jan 10 03:54:06 CST 2015
Squid: 3.4.10_2 pkg 0.2.2
Issue with transparent proxy still persists for me too, client gets invalid url.
(cpu load of .pbirun process is also really high even after disabling transparent proxy)
If I can provide any additional logging information that may help, please just contact me.
- % Done changed from 0 to 100
I'm sorry, it seems there are still numerous issues with this package:
- Transparent proxy still doesn't work. "TAG_NONE/400" and "invalid URL".
- FATAL: pinger: Unable to open any ICMP sockets.
- kid1| commBind: Cannot bind socket FD 29 to 127.0.0.1:3128: (48) Address already in use
Sadly it has gone from bad to worse, we're nearly three months without Squid now.
Any pointers on how to troubleshoot this will be appreciated.
Cheers.
Arthur Undisclosed wrote:
I'm sorry, it seems there are still numerous issues with this package:
- Transparent proxy still doesn't work. "TAG_NONE/400" and "invalid URL".
- FATAL: pinger: Unable to open any ICMP sockets.
- kid1| commBind: Cannot bind socket FD 29 to 127.0.0.1:3128: (48) Address already in use
Sadly it has gone from bad to worse, we're nearly three months without Squid now.
Any pointers on how to troubleshoot this will be appreciated.
Cheers.
This problem can be caused by a wrong Squid setting.
If you selected the loopback interface in Proxy interface(s), this problem may appear.
Confirmed working now. (phew!)
Latest package 0.2.4 transparent proxy is OK.
ICMP pinger disabled in GUI to avoid errors.
I've removed Squid from the loopback interface.
As for manual redirect rules:
I couldn't find any information on why we actually need TWO NAT rules?
The first one states "NO RDR to localnets" and the second rule does the actual redirect to port 3128.
I found it by accident in the rules.debug when I locked myself out of the GUI...
Let's close this one, a huge thank you for all your work.
Cheers.
Please do not close.
I know the original bug was opened on amd64 but I have been following this avidly as it also affects i386.
Coming from a working config on 2.1.5 and upgrading the Squid package when upgrading to 2.2 does not work. There have been improvements: it now lets you access websites when the Transparent Proxy is enabled (and the Service does appear to run without error), but it is not caching anything nor is Squid logging any attempts.
Process:
working config from 2.1.5 > Upgrade to 2.2 latest.
Update to latest Squid Package.
Resave all configs (even though previous working setup is shown in GUI, inc no loopback interface selected)
restart Router (and therefore service also).
File downloads continue to come from WAN interface where previously would show as coming from SSD Cache (proven via interface status graph as squid log not showing any activity)
PfSense: 2.2-RC (amd64) built on Thu Jan 15 12:12:32 CST 2015
Squid: 3.4.10_2 pkg 0.2.4
Confirmed, Package is working now for me too, but interestingly only after a reboot of the router after the package installation. (invalid url error appeared again directly after package installation.)
Loopback interface was never selected on my side.
- Status changed from Feedback to Resolved
issue covered here is fixed
Issue definitely not "fixed" if you are upgrading from a working config - maybe if you install fresh or use some workarounds(?)
No point opening a bug for i386 as obviously closed so they can rush 2.2RELEASE
The issue covered by this ticket is fixed; there might be other issues, but those are separate and have no relation to 2.2. Please post info on whatever issue you have to the forum.