OPNsense 24.1.1-amd64
No updates available; squid has been migrated to a package.
# pkg info | grep squid
os-squid-1.0 Squid is a caching proxy for the web
squid-6.6 HTTP Caching Proxy
squid-langpack-7.0.0.20230225 Language-specific error documents for Squid web cache
machine up 6 days..
6 days 16:03:55
I tried to enable logging to work through a problem with someone.
Now squid won't restart.
Here's another machine with the same issue:
2024/02/07 13:12:46| Processing: error_directory /usr/local/etc/squid/errors/local
2024/02/07 13:12:46| Requiring client certificates.
Segmentation fault (core dumped)
root@OPNsense:~ # uptime
1:15PM up 6 days, 8:11, 1 user, load averages: 0.36, 0.54, 0.56
root@OPNsense:~ # ps auxwww | grep squid
squid 19995 1.9 11.9 2310112 1974192 - S Thu05 245:03.09 (squid-1) --kid squid-1 -f /usr/local/etc/squid/squid.conf (squid)
squid 18901 0.0 0.1 148980 18124 - Is Thu05 0:00.00 /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf
root 78055 0.0 0.0 12720 2388 0 S+ 13:15 0:00.00 grep squid
anyone else?
can you run a 'squid -k parse'?
Thanks in advance..
I pulled down gost from GitHub, since there is no rust-shadowsocks FreeBSD port:
./gost-freebsd-amd64-2.11.5 -L=10.20.245.10:3128
I changed squid to run on 3129 for the time being.
For anyone else interested:
netstat -an | grep 3128 | wc -l
12706
Things are at least moving again.
root@OPNsense:/var/log/squid # ps auxwww | grep squid
squid 56643 0.0 0.1 149112 19228 - Is 13:28 0:00.00 /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf
squid 57516 0.0 0.3 292964 52924 - S 13:28 0:00.17 (squid-1) --kid squid-1 -f /usr/local/etc/squid/squid.conf (squid)
root 69827 0.0 0.0 12720 2392 1 S+ 13:35 0:00.00 grep squid
root@OPNsense:/var/log/squid # grep pid /usr/local/etc/squid/squid.conf
root@OPNsense:/var/log/squid # grep pid /usr/local/etc/squid/squid.conf.
squid.conf.documented squid.conf.sample
root@OPNsense:/var/log/squid # grep pid /usr/local/etc/squid/squid.conf.documented
# <pid>'.
# TAG: pid_filename
# Note: If you change this setting, you need to set squid_pidfile
# pid_filename /var/run/squid/squid.pid
root@OPNsense:/var/log/squid # cat /var/run/squid/squid.pid
56643
root@OPNsense:/var/log/squid # kill -9 56643 57516
root@OPNsense:/var/log/squid # ps auxwww | grep squid
root 80421 0.0 0.0 12720 2388 1 S+ 13:36 0:00.00 grep squid
root@OPNsense:/var/log/squid # rm /var/run/squid/squid.pid
root@OPNsense:/var/log/squid # /usr/local/etc/rc.d/squid start
Segmentation fault
Starting squid.
Segmentation fault (core dumped)
/usr/local/etc/rc.d/squid: WARNING: failed to start squid
root@OPNsense:/var/log/squid # ps auxwww | grep squid
squid 67739 1.4 0.3 292964 52868 - S 13:36 0:00.14 (squid-1) --kid squid-1 -f /usr/local/etc/squid/squid.conf (squid)
squid 66736 0.6 0.1 149112 19228 - Ss 13:36 0:00.00 /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf
root 93375 0.0 0.0 12720 2384 1 S+ 13:36 0:00.00 grep squid
root@OPNsense:/var/log/squid # cat /var/run/squid/squid.pid
66736
root@OPNsense:/var/log/squid #
:o
I have the same problem with 24.1.1; on 23.7.10 everything works fine.
root@firewall:/usr/local/etc/squid # squid -k parse
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2024/02/08 10:36:31| Processing: http_port 10.10.2.1:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: http_port 10.30.2.254:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: http_port 10.10.50.1:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: http_port 10.10.51.1:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 4MB
2024/02/08 10:36:31| Processing: sslcrtd_children 5
2024/02/08 10:36:31| Processing: tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
2024/02/08 10:36:31| Processing: acl bump_step1 at_step SslBump1
2024/02/08 10:36:31| Processing: acl bump_step2 at_step SslBump2
2024/02/08 10:36:31| Processing: acl bump_step3 at_step SslBump3
2024/02/08 10:36:31| Processing: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
2024/02/08 10:36:31| WARNING: empty ACL: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
2024/02/08 10:36:31| Processing: ssl_bump peek bump_step1 all
2024/02/08 10:36:31| Processing: ssl_bump splice all
2024/02/08 10:36:31| Processing: ssl_bump peek bump_step2 all
2024/02/08 10:36:31| Processing: ssl_bump splice bump_step3 all
2024/02/08 10:36:31| Processing: ssl_bump bump
2024/02/08 10:36:31| Processing: sslproxy_cert_error deny all
2024/02/08 10:36:31| Processing: acl ftp proto FTP
2024/02/08 10:36:31| Processing: http_access allow ftp
2024/02/08 10:36:31| Processing: acl localnet src 10.10.2.0/24 # Possible internal network (interfaces v4)
2024/02/08 10:36:31| Processing: acl localnet src 10.30.2.254/32 # Possible internal network (aliases)
2024/02/08 10:36:31| Processing: acl localnet src 10.10.50.0/24 # Possible internal network (interfaces v4)
2024/02/08 10:36:31| Processing: acl localnet src 10.10.51.0/24 # Possible internal network (interfaces v4)
2024/02/08 10:36:31| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2024/02/08 10:36:31| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2024/02/08 10:36:31| Processing: acl whiteList url_regex windowsupdate\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex \.windowsupdate\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex mp\.microsoft\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex \.mp\.microsoft\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex metaservices\.microsoft\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex \.metaservices\.microsoft\.com
2024/02/08 10:36:31| Processing: acl remoteblacklist_UT1 dstdomain "/usr/local/etc/squid/acl/UT1"
2024/02/08 10:36:31| Processing: acl SSL_ports port 443 # https
2024/02/08 10:36:31| Processing: acl Safe_ports port 80 # http
2024/02/08 10:36:31| Processing: acl Safe_ports port 21 # ftp
2024/02/08 10:36:31| Processing: acl Safe_ports port 443 # https
2024/02/08 10:36:31| Processing: acl Safe_ports port 70 # gopher
2024/02/08 10:36:31| Processing: acl Safe_ports port 210 # wais
2024/02/08 10:36:31| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2024/02/08 10:36:31| Processing: acl Safe_ports port 280 # http-mgmt
2024/02/08 10:36:31| Processing: acl Safe_ports port 488 # gss-http
2024/02/08 10:36:31| Processing: acl Safe_ports port 591 # filemaker
2024/02/08 10:36:31| Processing: acl Safe_ports port 777 # multiling http
2024/02/08 10:36:31| Processing: acl CONNECT method CONNECT
2024/02/08 10:36:31| Processing: icap_enable off
2024/02/08 10:36:31| Processing: include /usr/local/etc/squid/pre-auth/*.conf
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2024/02/08 10:36:31| Processing: cache_peer 10.10.253.10 parent 3128 0 no-query default
2024/02/08 10:36:31| Processing: acl ExcludePPDomains dstdomain .lan .wlan .purner.eu
2024/02/08 10:36:31| Processing: acl ExcludePPIPs dst 10.10.2.0/24 10.10.10.0/24 10.10.20.0/24 10.10.30.0/24 10.10.31.0/24 10.10.40.0/24 10.10.50.0/24 10.10.51.0/24 10.10.60.0/24 10.10.61.0/24 10.10.70.0/24 10.10.71.0/24 10.10.200.0/24 10.10.201.0/24 10.10.254.0/24 172.30.30.0/24 10.2.0.1 10.96.0.1 10.98.0.1 172.30.100.0/24 10.10.253.0/24
2024/02/08 10:36:31| Processing: cache_peer_access 10.10.253.10 deny ExcludePPDomains
2024/02/08 10:36:31| Processing: cache_peer_access 10.10.253.10 deny ExcludePPIPs
2024/02/08 10:36:31| Processing: cache_peer_access 10.10.253.10 allow all
2024/02/08 10:36:31| Processing: never_direct deny ExcludePPDomains
2024/02/08 10:36:31| Processing: never_direct deny ExcludePPIPs
2024/02/08 10:36:31| Processing: never_direct allow all
2024/02/08 10:36:31| Processing: http_access allow whiteList
2024/02/08 10:36:31| Processing: http_access deny remoteblacklist_UT1
2024/02/08 10:36:31| Processing: http_access deny !Safe_ports
2024/02/08 10:36:31| Processing: http_access deny CONNECT !SSL_ports
2024/02/08 10:36:31| Processing: http_access allow localhost manager
2024/02/08 10:36:31| Processing: http_access deny manager
2024/02/08 10:36:31| Processing: http_access deny to_localhost
2024/02/08 10:36:31| Processing: include /usr/local/etc/squid/auth/*.conf
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2024/02/08 10:36:31| Processing: http_access allow localnet
2024/02/08 10:36:31| Processing: http_access allow localhost
2024/02/08 10:36:31| Processing: http_access deny all
2024/02/08 10:36:31| Processing: include /usr/local/etc/squid/post-auth/*.conf
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2024/02/08 10:36:31| Processing: cache_mem 256 MB
2024/02/08 10:36:31| Processing: coredump_dir /var/squid/cache
2024/02/08 10:36:31| Processing: refresh_pattern ^ftp: 1440 20% 10080
2024/02/08 10:36:31| Processing: refresh_pattern ^gopher: 1440 0% 1440
2024/02/08 10:36:31| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2024/02/08 10:36:31| Processing: refresh_pattern . 0 20% 4320
2024/02/08 10:36:31| Processing: access_log stdio:/var/log/squid/access.log squid
2024/02/08 10:36:31| Processing: cache_store_log none
2024/02/08 10:36:31| Processing: httpd_suppress_version_string on
2024/02/08 10:36:31| Processing: uri_whitespace strip
2024/02/08 10:36:31| Processing: forwarded_for on
2024/02/08 10:36:31| Processing: logfile_rotate 0
2024/02/08 10:36:31| Processing: cache_mgr proxy@purner.eu
2024/02/08 10:36:31| Processing: error_directory /usr/local/etc/squid/errors/local
2024/02/08 10:36:31| Requiring client certificates.
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
Segmentation fault (core dumped)
root@firewall:/usr/local/etc/squid # netstat -an | grep 3128 | wc -l
4
root@firewall:/usr/local/etc/squid # pkg info | grep squid
os-squid-1.0 Squid is a caching proxy for the web
squid-6.6 HTTP Caching Proxy
squid-langpack-7.0.0.20230225 Language-specific error documents for Squid web cache
Thank you — I greatly appreciate the acknowledgement.
FWIW, I'm not doing ssl-bump.
Configs follow, in the spirit of https://meta.wikimedia.org/wiki/Cunningham%27s_Law (https://meta.wikimedia.org/wiki/Cunningham%27s_Law):
root@OPNsense:/usr/local/etc/squid # cat squid.conf
#
# Automatic generated configuration for Squid.
# Do not edit this file manually.
#
# NOTE(review): pasted by the poster, who states this instance does not use
# ssl-bump; the listener below is a plain http_port, moved to 3129 while a
# temporary forwarder was put on 3128.
# Setup regular listeners configuration
http_port 10.20.245.10:3129
acl ftp proto FTP
# NOTE(review): squid evaluates http_access rules first-match, and this allow
# sits above every source (localnet/subnets) and port (Safe_ports) restriction
# further down, so FTP-scheme requests would be accepted from any client
# source that can reach the listener — confirm this is intended.
http_access allow ftp
# Setup ftp proxy
# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
# Default allow for local-link and private networks
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# ACL - Allow localhost for PURGE cache if enabled
# ACL lists
# ACL - Allow Subnets - User defined (subnets)
acl subnets src 10.120.56.0/22
acl subnets src 10.120.60.0/22
acl subnets src 10.20.48.0/20
acl subnets src 10.120.49.0/24
acl subnets src 10.120.50.0/24
acl subnets src 10.120.51.0/24
acl subnets src 10.120.52.0/24
acl subnets src 10.121.48.0/22
acl subnets src 10.20.245.8/29
acl subnets src 10.20.112.200/32
acl subnets src 10.120.48.0/24
# ACL - Remote fetched Blacklist (remoteblacklist)
# ACL - Block browser/user-agent - User defined (browser)
# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
acl SSL_ports port 82 # unknown
acl SSL_ports port 8080 # unknown
acl SSL_ports port 443 # https
acl SSL_ports port 5228-5230 # unknown
# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
# ACL - Safe_ports
acl Safe_ports port 82 # unknown
acl Safe_ports port 8080 # unknown
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 5228-5230 # unknown
acl CONNECT method CONNECT
# ICAP SETTINGS
# disable icap
icap_enable off
# Pre-auth plugins
# NOTE(review): anything in pre-auth/*.conf is evaluated before the port and
# CONNECT denies below.
include /usr/local/etc/squid/pre-auth/*.conf
# Authentication Settings
# Google Suite Filter
# YouTube Filter
request_header_add YouTube-Restrict moderate
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost
# Auth plugins
# NOTE(review): the auth/local.conf shown later in the thread is pulled in at
# this point, i.e. after the to_localhost deny and before the localnet/subnets
# allows.
include /usr/local/etc/squid/auth/*.conf
#
# Access Permission configuration:
#
# Deny request from unauthorized clients
#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
http_access allow localnet
# ACL - localhost
http_access allow localhost
# ACL list (Allow) subnets
http_access allow subnets
# Deny all other access to this proxy
http_access deny all
# Post-auth plugins
include /usr/local/etc/squid/post-auth/*.conf
# Caching settings
cache_mem 4096 MB
maximum_object_size 32 MB
cache_replacement_policy heap LFUDA
maximum_object_size_in_memory 2048 KB
# Leave coredumps in the first cache dir
# NOTE(review): the find output later in the thread lists a ~640 MB squid.core
# here (plus smaller ones under /var/squid and /usr/local/etc/squid); a proxy
# core file can contain in-flight client traffic, so treat these like logs —
# TODO confirm retention/cleanup of old core files.
coredump_dir /var/squid/cache
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Squid Options
pinger_enable off
access_log stdio:/var/log/squid/access.log squid
# Disable cache store log
cache_store_log none
dns_nameservers 172.16.48.247
# Suppress http version string (default=off)
httpd_suppress_version_string on
# URI handling with Whitespaces (default=strip)
uri_whitespace strip
# X-Forwarded header handling (default=on)
forwarded_for on
# Disable squid logfile rotate to use system defaults
logfile_rotate 0
# Define visible hostname
visible_hostname proxy.at.bldg.name
# Set error directory language
error_directory /usr/local/etc/squid/errors/local
# cat auth/local.conf
# NOTE(review): contents of auth/local.conf, pulled into the generated
# squid.conf by its `include /usr/local/etc/squid/auth/*.conf` line; the two
# http_access denies below therefore land after the generated
# `deny to_localhost` and before the localnet/subnets allows.
shutdown_lifetime 0 seconds
acl to_ipv6 dst ipv6
acl from_ipv6 src ipv6
http_access deny to_ipv6
http_access deny from_ipv6
positive_dns_ttl 5 minutes
client_db off
memory_pools off
# NOTE(review): pinger_enable off is already set in the generated squid.conf;
# this repeat appears redundant.
pinger_enable off
read_timeout 5 minute # default 15
write_timeout 5 minutes # default 15
# NOTE(review): only effective if the OS per-process descriptor limit for the
# squid user allows it — confirm against the system limits.
max_filedescriptors 204800
digest_generation off
ipcache_size 4096
workers 1
# NOTE(review): both accept filters are loaded per the kldstat output and
# loader.conf.local shown later in the thread (accf_http.ko, accf_data.ko).
accept_filter httpready
accept_filter dataready
collapsed_forwarding on
half_closed_clients off
pipeline_prefetch 6 # default 0
## timeouts
forward_timeout 1 minute # default 4
connect_timeout 1 minute # default 1
request_timeout 1 minute # default 5
client_lifetime 2 hours # default 24
# quick_abort_min 0 KB
# quick_abort_max 0 KB
# we recommend first tuning the read_timeout,
# request_timeout, persistent_request_timeout and quick_abort values.
happy_eyeballs_connect_timeout 30 # default 250
pconn_lifetime 60 seconds # default 0
# kldstat | grep 'http\|data'
4 1 0xffffffff823ea000 2828 accf_data.ko
6 1 0xffffffff823f2000 2e38 accf_http.ko
cat /boot/loader.conf.local
cc_htcp_load="YES"
accf_http_load="YES"
accf_data_load="YES"
accf_dns_load="YES"
machdep.hyperthreading_intr_allowed=1
# net.inet.tcp.tso=0
kern.ipc.nmbclusters=2048000
kern.ipc.nmbjumbop=524288
It seems to say it dumped core, but then something does start:
find / -name \*.core | xargs ls -al
-rw------- 1 root squid 16470016 Feb 7 13:26 /usr/local/etc/squid/squid.core
-rw------- 1 root wheel 704512 Nov 9 23:04 /usr/local/opnsense/service/php.core
-rw------- 1 root wheel 176029696 Nov 29 09:01 /usr/local/opnsense/service/python3.9.core
-rw------- 1 root wheel 11051008 Oct 25 23:12 /usr/local/www/pfctl.core
-rw------- 1 root wheel 33144832 Jul 31 2023 /var/db/syslog-ng.core
-rwxr-x--- 1 squid squid 639852544 Feb 7 13:25 /var/squid/cache/squid.core
-rwxr-x--- 1 squid squid 16470016 Feb 7 13:36 /var/squid/squid.core
I also get segmentation fault error messages with squid after upgrading to 24.1.
When I restart, or stop and start, squid, I get "Segmentation fault (core dumped)" messages similar to @DOM_EUWest's errors, without any change from 23.7.
I have opened an issue on GitHub:
https://github.com/opnsense/plugins/issues/3827#top