OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: daudo on April 12, 2016, 04:23:17 pm

Title: [SOLVED] squid transparent proxy: 127.0.0.1 TCP_DENIED/403
Post by: daudo on April 12, 2016, 04:23:17 pm
Hi,

After an upgrade from 16.1.6 to the latest production 16.1.9 release (that is, from squid 3.5.15 to 3.5.16), our previously working transparent squid proxy refuses to work.

All transparent HTTP traffic is answered by an "Access denied" page from squid and the access.log shows this:
Code:
==> /var/log/squid/access.log <==
1460469079.970      0 127.0.0.1 TCP_DENIED/403 4946 GET http://www.example.com - HIER_NONE/- text/html
1460469079.971      2 172.25.1.1 TCP_MISS/403 5041 GET http://www.example.com - ORIGINAL_DST/127.0.0.1 text/html

When accessing squid explicitly by configuring a proxy, it works:
Code:
==> /var/log/squid/access.log <==
1460469599.113    126 172.25.1.1 TCP_MISS/304 249 GET http://www.example.com - HIER_DIRECT/93.184.216.34 -

If I try to access squid's intercept port directly from the firewall, the same is logged:
Code:
% telnet localhost 3128
root@theseus:/var/log # telnet localhost 3128
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET HTTP://www.example.com HTTP/1.0

HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Tue, 12 Apr 2016 14:02:38 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3411
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from localhost
X-Cache-Lookup: NONE from localhost:3128
Via: 1.1 localhost (squid)
[...]

Even if I manually add "http_access allow all" to squid.conf, localhost is still denied access ...

Nothing fancy about the setup, it has worked for some months now.

Squid says this about its configuration (I obfuscated the IP addresses a bit :) ):
Code:
% squid -k parse
2016/04/12 16:09:49| Startup: Initialized Authentication Scheme 'basic'
2016/04/12 16:09:49| Startup: Initialized Authentication Scheme 'digest'
2016/04/12 16:09:49| Startup: Initialized Authentication Scheme 'negotiate'
2016/04/12 16:09:49| Startup: Initialized Authentication Scheme 'ntlm'
2016/04/12 16:09:49| Startup: Initialized Authentication.
2016/04/12 16:09:49| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2016/04/12 16:09:49| Processing: http_port 127.0.0.1:3128 intercept
2016/04/12 16:09:49| Starting Authentication on port 127.0.0.1:3128
2016/04/12 16:09:49| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2016/04/12 16:09:49| Processing: http_port [::1]:3128 intercept
2016/04/12 16:09:49| Starting Authentication on port [::1]:3128
2016/04/12 16:09:49| Disabling Authentication on port [::1]:3128 (interception enabled)
2016/04/12 16:09:49| Processing: http_port 172.25.1.250:3128
2016/04/12 16:09:49| Processing: acl ftp proto FTP
2016/04/12 16:09:49| Processing: http_access allow ftp
2016/04/12 16:09:49| Processing: acl localnet src 172.25.1.0/24 # Possible internal network
2016/04/12 16:09:49| Processing: acl localnet src fc00::/7       # RFC 4193 local private network range
2016/04/12 16:09:49| Processing: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
2016/04/12 16:09:49| Processing: acl subnets src 172.25.1.0/24
2016/04/12 16:09:49| Processing: acl subnets src 127.0.0.0/24
2016/04/12 16:09:49| Processing: acl unrestricted src 172.25.1.0/24
2016/04/12 16:09:49| Processing: acl SSL_ports port 443 # https
2016/04/12 16:09:49| Processing: acl Safe_ports port 80 # http
2016/04/12 16:09:49| Processing: acl Safe_ports port 21 # ftp
2016/04/12 16:09:49| Processing: acl Safe_ports port 443 # https
2016/04/12 16:09:49| Processing: acl Safe_ports port 70 # gopher
2016/04/12 16:09:49| Processing: acl Safe_ports port 210 # wais
2016/04/12 16:09:49| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2016/04/12 16:09:49| Processing: acl Safe_ports port 280 # http-mgmt
2016/04/12 16:09:49| Processing: acl Safe_ports port 488 # gss-http
2016/04/12 16:09:49| Processing: acl Safe_ports port 591 # filemaker
2016/04/12 16:09:49| Processing: acl Safe_ports port 777 # multiling http
2016/04/12 16:09:49| Processing: acl CONNECT method CONNECT
2016/04/12 16:09:49| Processing: icap_enable off
2016/04/12 16:09:49| Processing: auth_param basic program /usr/local/etc/inc/squid.auth-user.php
2016/04/12 16:09:49| Processing: auth_param basic realm OPNsense proxy authentication
2016/04/12 16:09:49| Processing: auth_param basic credentialsttl 2 hours
2016/04/12 16:09:49| Processing: auth_param basic children 5
2016/04/12 16:09:49| Processing: acl local_auth proxy_auth REQUIRED
2016/04/12 16:09:49| Processing: http_access allow unrestricted
2016/04/12 16:09:49| Processing: http_access deny !Safe_ports !unrestricted
2016/04/12 16:09:49| Processing: http_access deny CONNECT !SSL_ports !unrestricted
2016/04/12 16:09:49| Processing: http_access allow localhost manager
2016/04/12 16:09:49| Processing: http_access deny manager
2016/04/12 16:09:49| Processing: http_access deny to_localhost
2016/04/12 16:09:49| Processing: http_access allow local_auth
2016/04/12 16:09:49| Processing: http_access allow localnet
2016/04/12 16:09:49| Processing: http_access allow localhost
2016/04/12 16:09:49| Processing: http_access allow subnets
2016/04/12 16:09:49| Processing: http_access deny all
2016/04/12 16:09:49| Processing: cache_mem 256 MB
2016/04/12 16:09:49| Processing: cache_dir ufs /var/squid/cache 1024 16 256
2016/04/12 16:09:49| Processing: coredump_dir /var/squid/cache
2016/04/12 16:09:49| Processing: refresh_pattern ^ftp: 1440 20% 10080
2016/04/12 16:09:49| Processing: refresh_pattern ^gopher: 1440 0% 1440
2016/04/12 16:09:49| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2016/04/12 16:09:49| Processing: refresh_pattern . 0 20% 4320
2016/04/12 16:09:49| Processing: cache_store_log /var/log/squid/store.log
2016/04/12 16:09:49| Processing: httpd_suppress_version_string on
2016/04/12 16:09:49| Processing: uri_whitespace strip
2016/04/12 16:09:49| Processing: forwarded_for transparent
2016/04/12 16:09:49| Processing: logfile_rotate 0
2016/04/12 16:09:49| Processing: visible_hostname localhost
2016/04/12 16:09:49| Processing: cache_mgr admin@localhost.local
2016/04/12 16:09:49| Initializing https proxy context

Not sure how to fix this now; the "best" I could find was this old thread about OpenBSD & squid, http://comments.gmane.org/gmane.os.openbsd.misc/205257, talking about using "divert-to" instead of "rdr-to", but that doesn't sound very probable ...
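The two access.log lines in the post are the whole symptom: the intercepted request shows up a second time with 127.0.0.1 as the client and is denied, while the real client's request is reported as forwarded to ORIGINAL_DST/127.0.0.1 instead of the origin server. The following is an added example (not code from the thread, from OPNsense or from the squid project) that parses Squid's native access.log format and flags exactly that pair of patterns, so the health of a transparent proxy can be checked from its log after an upgrade rather than by browsing through it. The function and field names are my own; the sample input is made up of the log lines quoted above, plus the `==>` header lines that `tail -f` prints, which the parser must skip.

```python
"""Detect the "intercepted request denied on loopback" pattern in Squid's access.log.

Added example; assumes the default native log format (squid.conf: logformat squid):
  time elapsed client result/status bytes method URL user hierarchy/peer content-type
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# One regex per native-format line; names are this example's own, not Squid's.
_FIELD_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    result: str      # e.g. TCP_DENIED, TCP_MISS
    status: int      # HTTP status squid returned to the client
    method: str
    url: str
    hierarchy: str   # e.g. HIER_DIRECT, HIER_NONE, ORIGINAL_DST
    peer: str        # where the request went next, "-" if nowhere


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry, or None for lines that are not native-format records
    (e.g. the '==> file <==' headers emitted by tail)."""
    m = _FIELD_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), int(m["elapsed"]), m["client"], m["result"],
                 int(m["status"]), m["method"], m["url"], m["hier"], m["peer"])


def parse_log(lines: Iterable[str]) -> List[Entry]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def is_loopback_denial(e: Entry) -> bool:
    """Symptom line 1: squid sees the intercepted request as coming from
    loopback (its own re-forwarded copy) and denies it."""
    return e.client in LOOPBACK and e.result == "TCP_DENIED" and e.status == 403


def is_reforwarded_to_loopback(e: Entry) -> bool:
    """Symptom line 2: the real client's request was sent to ORIGINAL_DST on
    loopback (i.e. back into the intercept port) instead of the origin server."""
    return e.hierarchy == "ORIGINAL_DST" and e.peer in LOOPBACK and e.status == 403


def check_transparent_proxy(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise the log: how many records show the broken-intercept pattern,
    which real clients were affected, and how many requests went out directly."""
    entries = parse_log(lines)
    denied = [e for e in entries if is_loopback_denial(e)]
    reforwarded = [e for e in entries if is_reforwarded_to_loopback(e)]
    direct_ok = [e for e in entries if e.hierarchy == "HIER_DIRECT" and e.status < 400]
    return {
        "parsed": len(entries),
        "loopback_denied": len(denied),
        "reforwarded_to_loopback": len(reforwarded),
        "direct_ok": len(direct_ok),
        "affected_clients": sorted({e.client for e in reforwarded}),
        # Both halves of the pattern present => intercept path is broken.
        "intercept_broken": bool(denied and reforwarded),
    }


# Sample input: the access.log excerpts quoted in the thread, including tail's headers.
SAMPLE_LOG = [
    "==> /var/log/squid/access.log <==",
    "1460469079.970      0 127.0.0.1 TCP_DENIED/403 4946 GET http://www.example.com - HIER_NONE/- text/html",
    "1460469079.971      2 172.25.1.1 TCP_MISS/403 5041 GET http://www.example.com - ORIGINAL_DST/127.0.0.1 text/html",
    "==> /var/log/squid/access.log <==",
    "1460469599.113    126 172.25.1.1 TCP_MISS/304 249 GET http://www.example.com - HIER_DIRECT/93.184.216.34 -",
]

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in check_transparent_proxy(source).items():
        print(f"{key}: {value}")
```

Run it with no argument to see the thread's own lines classified; with a path (e.g. `/var/log/squid/access.log`) it reads the real log. The `direct_ok` count is the healthy case from the explicit-proxy test in the post (`HIER_DIRECT` to the origin's address), so a log with only `direct_ok` hits and no loopback denials is what the fixed proxy should produce.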
Title: Re: squid transparent proxy: 127.0.0.1 TCP_DENIED/403
Post by: franco on April 12, 2016, 05:28:34 pm
Hi daudo,

There has been a problem with the upstream package we're hoping to address for tomorrow's 16.1.10.

Workarounds include the installation of the 16.1.8 squid package. I can provide a link if you let me know which architecture/crypto combination you're using (e.g. amd64/OpenSSL).


Cheers,
Franco
Title: Re: squid transparent proxy: 127.0.0.1 TCP_DENIED/403
Post by: daudo on April 12, 2016, 06:18:07 pm
OK, thanks, an updated package sounds good. My architecture is amd64/OpenSSL.

Title: Re: squid transparent proxy: 127.0.0.1 TCP_DENIED/403
Post by: franco on April 12, 2016, 06:46:15 pm
Running this command should bring it back after a full service reload cycle (stop+start to be sure):

# pkg add -f https://pkg.opnsense.org/snapshots/squid-3.5.16.txz

ATTENTION: amd64/OpenSSL only

Confirmation would be helpful. :)
Title: Re: squid transparent proxy: 127.0.0.1 TCP_DENIED/403
Post by: flashoftheblades on April 13, 2016, 01:40:12 am
I was beating my head over this one. The fix seems to have resolved my issue.
Title: Re: [SOLVED] squid transparent proxy: 127.0.0.1 TCP_DENIED/403
Post by: franco on April 13, 2016, 08:40:54 am
Ok thanks, back to normal with 16.1.10 then. Coming out later today.
Title: Re: [SOLVED] squid transparent proxy: 127.0.0.1 TCP_DENIED/403
Post by: daudo on April 13, 2016, 11:09:54 am
Confirming as well: the downgraded package solves the issue for us, too.