OPNsense Forum

English Forums => General Discussion => Topic started by: Trurl on October 24, 2020, 08:27:13 pm

Title: I seem to have broken squid
Post by: Trurl on October 24, 2020, 08:27:13 pm
I have been setting up an opnsense firewall for the last couple of days, and it's generally gone well. Maybe too well, I got overconfident and tried a couple of experiments that seem to have b0rked squid and my attempts to recover have failed. I had squid working fine with the Toulouse blacklist, but I'm not sure which changes b0rked it because I wasn't re-testing every single thing all the time (probably stupid). Also, I had squid disabled a lot while I tested other things. It doesn't help that I've never run a BSD so my Linux-based assumptions inevitably lead me astray fairly often.

This will probably end up too long, but I'll try to be complete about the story so far....

Perhaps most likely is trying the WIP squidguard plugin here: https://forum.opnsense.org/index.php?topic=19084.0. It was very foolish to try something that early in development, but I will need some specialized filtering (e.g. setting up time-based rules so that there is a very small list of opt-in websites for certain users during school hours, with nothing else available) so I need a lot more than just blacklisting and squidguard seems to offer the right kind of capability for that. It looked promising, but I never got it actually working. I'd probably be better off installing squidguard from ports and writing the rules by hand at least for now, as I suspect the plugin won't expose enough knobs and buttons anyway. If that can be done in a way that co-exists with the GUI squid interface....

Maybe next most likely is related to trying the Sensei plugin. It was buggy for me (after the first time or two going to the Sensei dashboard would lock up the GUI completely), but the main issue was an error of mine. We were streaming a movie and at the very end Roku started having connection problems, and when I looked at the FW dashboard I was up to 50% memory usage (elastic search, I think) and I blamed Sensei for getting itself b0rked. I eventually determined that it was not on my end at all, Roku was simply b0rked (and as proof, this morning it is fixed without me doing anything).

The other thing I did was create a non-root user because I was going to disable root login over ssh. That shouldn't cause issues, but as opnsense wants some certs created I suppose it's possible that I created auth problems somehow (though I don't see anything that points that way AFAIK).

Anyway, not knowing what had borked squid when I re-enabled it I decided to try going back to a known-working configuration. I removed the no-root user and the various squidguard and sensei plugins and rebooted just to be sure, but squid still wasn't filtering anything. I figured that removing GUI plugins doesn't remove the OS packages they installed, so I learned enough about pkg and ports to remove elasticsearch and squidguard (I decided not to do autoremove afterwards until I verify that's safe). That seems to leave config files lying around and that could be a problem, but I don't know enough about what should be there to want to fiddle with them blindly. Still no go, so I re-installed squid hoping that would get me back to a pristine install. Still no go. pgrep says squid is running, so that isn't it. I finally got smart and created the simplest test case: I bypassed the blacklists and blacklisted one particular site by hand on the Services->Web Proxy->Administration->Forward Proxy->Access Control List screen, and verified that the corresponding rule gets put into /usr/local/etc/squid/squid.conf but doesn't get blocked (yes, I've rebooted to guarantee that the server picks up the config change if it's ever going to).

So I've tried about everything I can think of and I'm clearly beyond my knowledge at this point, especially of anything BSD-specific. Suggestions for fixing squid? Pointers? Bread crumbs? And while we're at it, is there any reason I should not do a pkg autoremove and clean up the rest of the leftovers from this little adventure?

Dustin
Title: Re: I seem to have broken squid
Post by: Trurl on October 24, 2020, 11:05:08 pm
I managed to get squid working again, though I'm not sure what it was that did it. Great that it works, but it makes me worry I don't know enough about what is going on.

I did find one other piece of breakage: it's no longer listing the firewall in DNS, so I have to go there by IP. Not sure what would change.