[squid-users] Squid versions and FreeBSD-10.1 headache

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 23 13:53:13 UTC 2015


On 24/01/2015 2:47 a.m., Odhiambo Washington wrote:
> On 23 January 2015 at 16:40, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
> 
>> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
>>> On 23 January 2015 at 16:07, Amos Jeffries
>>> <squid3 at treenet.co.nz> wrote:
>>> 
>>>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
>>>>> 
>>>>> Once more. You CANNOT have either a web server or any other
>>>>> service listening on port 80 on the same host as a
>>>>> transparent Squid proxy. This is the one and only reason you
>>>>> have looping.
>>>>> 
>>>> 
>>>> That is not correct. It can be done, but depends on how the 
>>>> firewall operates and what ruleset is used.
>>>> 
>>>> One has to intercept traffic transiting the machine, but
>>>> ignore traffic destined *to* or *from* the local machines
>>>> running processes.
>>>> 
>>>>> Look. On my transparent 3.4.11 (which was early 2.7),
>>>>> IPFilter redirects port 80 to the proxy. My web server on the
>>>>> same host listens only on ports 8080, 8088 and 8888. No
>>>>> service except NAT is using port 80.
>>>>> 
>>>>> And finally, I have had no looping for 4 years.
>>>>> 
>>>>> Obvious, isn't it?
>>>>> 
>>>> 
>>>> Maybe there was, maybe there wasn't.
>>>> 
>>>> Squid-2.7 ignored a lot of NAT-related errors and even
>>>> silently did some Very Bad Things(tm), none of which
>>>> Squid-3.2+ will allow to happen anymore.
>>>> 
>>>> 
>>>> Odhiambo: I suspect it might be related to your use of "rdr"
>>>> firewall rules. In OpenBSD PF at least, rdr rules do not work
>>>> properly and divert-to rules need to be used instead
>>>> (divert-to can be used for either TPROXY or NAT Squid
>>>> listening ports on BSD).
>>>> 
>>> 
>>> 
>>> I am thinking Squid-3.2+ is evil :-)
>>> 
>>> Anyway, my PF rules are here: http://pastebin.com/pKv1jN2v and
>>> my IPFilter rules are here: http://pastebin.com/JQ77X01H
>>> 
>>> I need to figure out why squid is DENYing all access ..
>>> 
>> 
>> Can you update me on what the squid -v output is from the Squid
>> build you are having issues with, please?
>> 
>> Amos
>> 
> 
> root at mail:/usr/src # /opt/squid35/sbin/squid -v
> Squid Cache: Version 3.5.1-20150120-r13736
> Service Name: squid
> configure options:  '--prefix=/opt/squid35' '--enable-removal-policies=lru heap' '--disable-epoll' '--enable-auth' '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI' '--enable-external-acl-helpers=session unix_group file_userip' '--enable-auth-negotiate=kerberos' '--with-pthreads' '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools' '--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db' '--enable-cache-digests' '--enable-wccpv2' '--enable-follow-x-forwarded-for' '--with-large-files' '--enable-large-cache-files' '--enable-esi' '--enable-kqueue' '--enable-icap-client' '--enable-kill-parent-hack' '--enable-ssl' '--enable-leakfinder' '--enable-ssl-crtd' '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics' '--enable-stacktraces' '--enable-zph-qos' '--enable-eui' '--enable-pf-transparent' 'CC=clang' 'CXX=clang++' --enable-ltdl-convenience
> 

Okay. Can you explicitly add --disable-ipf-transparent
--disable-ipfw-transparent and see if that helps.

Also, adding debug_options ALL,1 89,9 in squid.conf will show just
the NAT lookup results, where things are going wrong.

Amos
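The rule of thumb Amos gives above (intercept transit traffic only, leave traffic addressed to or from the proxy host alone) written out as a pf.conf fragment for the pre-4.7 PF syntax that FreeBSD 10.1 uses. This is an added illustration, not the poster's ruleset from the pastebin links; the interface name em1, the LAN subnet and Squid's intercept port 3129 are assumptions.

```conf
# /etc/pf.conf fragment (added example; names below are assumed, not from
# the thread). em1 faces the LAN clients, Squid runs on this same host with
# "http_port 3129 intercept" in squid.conf, and a local web server also
# listens on port 80 here.
int_if     = "em1"
lan_net    = "192.168.1.0/24"
squid_port = "3129"

# 1. Traffic addressed to this host itself is NOT redirected. The local
#    port-80 web server (or any other local listener) stays reachable
#    directly; if it were redirected, Squid would be handed connections whose
#    real destination is the proxy host, which is exactly what produces the
#    forwarding loop Squid-3.2+ refuses to follow.
no rdr on $int_if inet proto tcp from $lan_net to ($int_if) port 80

# 2. Only transit traffic (LAN clients talking to the outside world) goes to
#    Squid. rdr matches packets arriving inbound on $int_if, so connections
#    Squid itself opens towards origin servers are never caught by this rule.
#    "rdr pass" also creates the matching pass rule, so no separate filter
#    rule is needed for the redirected flows.
rdr pass on $int_if inet proto tcp from $lan_net to any port 80 \
    -> 127.0.0.1 port $squid_port

# 3. Because rdr rewrites the destination address, Squid has to recover the
#    original destination through /dev/pf: the squid user needs read access
#    to /dev/pf, and the build must include that lookup (the --with-nat-devpf
#    configure option alongside --enable-pf-transparent). The debug line
#    Amos suggests, "debug_options ALL,1 89,9" in squid.conf, logs the result
#    of exactly that lookup while you are diagnosing.
```

Reload with `pfctl -f /etc/pf.conf` and confirm the rdr rule is hit with `pfctl -s nat -v` while a LAN client fetches an external URL.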
