Bug #5869
closedSquid non-functional in transparent mode in 2.3
100%
Description
Squid in transparent mode in 2.3 is non-functional. Squid config seems sane, the rdr to 127.0.0.1:3128 is correct and works. Squid answers enough that the GET request is passed, but no reply is ever received. Squid doesn't log anything. Client browser ends up with "connection was reset" in Firefox or ERR_EMPTY_RESPONSE in Chrome.
Discussed in multiple threads.
https://forum.pfsense.org/index.php?topic=106402.0
https://forum.pfsense.org/index.php?topic=105606.0
https://forum.pfsense.org/index.php?topic=105399.0
Updated by Chris Buechler over 8 years ago
- Project changed from pfSense to pfSense Packages
- Category set to Squid
- Status changed from New to Not a Bug
- Priority changed from Very High to Normal
no idea what this is referencing
Updated by Brian Caouette over 8 years ago
How can you say this isn't a bug if you don't know what it's referencing? There is most definitely a problem with this package. Many have reported it on the forums, myself included.
Updated by Chris Buechler over 8 years ago
- Subject changed from Squid transparent mode no internet access to Squid non-functional in transparent mode in 2.3
- Description updated (diff)
- Status changed from Not a Bug to Confirmed
- Target version set to 2.3
- Affected Version set to 2.3
If this was in reference to squid on 2.3 having issues with transparent mode (who could have a clue from the original description), then yes that is an issue and seems to be easily replicable. If it wasn't in reference to that, well, I'm making it into that anyway.
Updated by Jim Pingle over 8 years ago
Finally was able to replicate it here. Found the cause, best solution is yet to be determined.
truss shows it trying to open /dev/pf and failing (permission denied), squid runs as "squid" now, /dev/pf is root:proxy
"chgrp squid /dev/pf" and it works but that's not a good fix.
At some point on 2.3 squid was changed to use the squid user, which seems more appropriate, but won't work as-is there. Looks like either the squid package needs to go back to using the proxy group at least, or add the squid user to the proxy group so we don't have to alter the permissions or ownership of /dev/pf
Updated by Jim Pingle over 8 years ago
- Status changed from Confirmed to Feedback
- Assignee set to Jim Pingle
- % Done changed from 0 to 100
A bit of a tangled web of permissions here. I pushed a fix that worked here locally but it will definitely need more widespread feedback. Anyone that made the temporary workaround suggested above will need to reboot or fix the permissions (chgrp proxy /dev/pf) before updating the squid package.
Adding the squid user to the proxy group did not work, however changing the squid user's group to 'proxy' and then adding the squid user to the squid group seems to make it happy. That might also help smooth the transition with upgraded users anyhow, since the old cache would be owned by proxy:proxy.
Updated by Jim Pingle over 8 years ago
- Status changed from Feedback to Resolved
Looks good now, others on the forum and here have also confirmed it is working now. Closing.
Updated by Amin Z over 8 years ago
I installed new pfsense 2.3 and installed squid.
I did this command: chgrp squid /dev/pf
problem is same exist: Squid non-functional in transparent mode in 2.3
Updated by Amin Z over 8 years ago
Jim Pingle wrote:
Looks good now, others on the forum and here have also confirmed it is working now. Closing.
I installed new pfsense 2.3 and installed squid.
I did this command: chgrp squid /dev/pf
problem is same exist: Squid non-functional in transparent mode in 2.3
Updated by Jim Pingle over 8 years ago
If that didn't work, this is not your issue. Please start a forum thread to discuss and troubleshoot.
Updated by Amin Z over 8 years ago
Please come to https://forum.pfsense.org/index.php?topic=110731.0
Updated by john Smith almost 8 years ago
Here’s the mail I got recently for my problem
I was not able to get to these sites at the time of my first post but now for the last day I have been able to access them. Also, there were times during the prior 2-3 weeks that I was able to get to "problem" sites but it definitely was infrequently.
The error message, in addition to the ERROR 324 said the "server did not send any data." I'm sorry I didn't "snip" the exact error message. I will when I see it again.
I will now proceed until the "problem" resurfaces. Then I will go through Methods 1-3 and see what I find. I have my fingers crossed but since I was only able to go back to a restore point from one week ago, it was still in the middle of the "problem" time period, so I believe there still is potential for the issue to resurface.
Or otherwise try this: http://www.deskdecode.com/err_empty_response/