Squid Web Proxy

Started by iskono, March 11, 2024, 11:31:02 PM

Dear Team,
I am new here. I just installed OPNsense and want to enable c-icap, but whenever I try to enable the Squid Web Proxy service, I am getting the following error message:
proxy load error
template reload OPNsense/ProxySSO: OK
Starting squid.
CPU Usage: 0.025 seconds = 0.008 user + 0.017 sys
Maximum Resident Size: 56608 KB
Page faults with physical i/o: 0
2024/03/11 22:30:43| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2024/03/11 22:30:43| Processing Configuration File: /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf (depth 1)
2024/03/11 22:30:43| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2024/03/11 22:30:43| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2024/03/11 22:30:43| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2024/03/11 22:30:43| ERROR: ACL not found: Safe_ports
2024/03/11 22:30:43| Not currently OK to rewrite swap log.
2024/03/11 22:30:43| storeDirWriteCleanLogs: Operation aborted.
2024/03/11 22:30:43| FATAL: Bungled /usr/local/etc/squid/squid.conf line 83: http_access deny !Safe_ports
2024/03/11 22:30:43| Squid Cache (Version 6.7): Terminated abnormally.
/usr/local/etc/rc.d/squid: WARNING: failed to start squid
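As an added example (not code from this thread, OPNsense or Squid), here is a small linter that reproduces the check Squid applies while parsing the config above: every ACL name referenced by an access directive must have been declared by an earlier `acl` line, otherwise Squid aborts with "ACL not found". The directive list and the sample config are assumptions modelled on the log, so the tool can be run against a squid.conf before reloading the proxy.

```python
import re

# Constructed squid.conf fragment modelled on the failure in the log:
# the default "acl Safe_ports port ..." lines are absent, but the
# http_access rule still references Safe_ports.
SAMPLE_CONF = """\
acl SSL_ports port 443
acl CONNECT method CONNECT
acl localnet src 192.168.1.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

# Directives of the form "<directive> <allow|deny|action> <acl> [acl ...]".
# Assumed subset; each has exactly one non-ACL argument before the ACL list.
ACL_USING_DIRECTIVES = {
    "http_access", "http_reply_access", "icp_access", "cache",
    "always_direct", "never_direct", "ssl_bump",
}
BUILTIN_ACLS = {"all"}  # Squid predefines "all"; everything else must be declared


def lint_acl_references(conf_text):
    """Return [(line_no, directive, acl_name)] for every ACL name that is
    used by an access directive without an earlier 'acl <name> ...' line.
    Squid parses top to bottom, so a definition after the use also fails."""
    defined = set(BUILTIN_ACLS)
    problems = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        tokens = re.split(r"\s+", line)
        if tokens[0] == "acl" and len(tokens) >= 2:
            defined.add(tokens[1])  # a name may be declared over several lines
            continue
        if tokens[0] in ACL_USING_DIRECTIVES:
            for tok in tokens[2:]:  # tokens[1] is allow/deny/bump action
                name = tok.lstrip("!")  # '!' negates an ACL, not part of its name
                if name not in defined:
                    problems.append((line_no, tokens[0], name))
    return problems


if __name__ == "__main__":
    for line_no, directive, name in lint_acl_references(SAMPLE_CONF):
        print(f"line {line_no}: {directive} references undefined ACL {name}")
```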

And another one... sigh...

See https://forum.opnsense.org/index.php?topic=39116.0 with nearly the same error message.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Thanks, I looked and it's all there. I did apply again and now it's gone. ... But I have something else: I get an HSTS error on many websites now. I can't access them. Have I forgotten to configure something?

That depends on how you set up your transparent proxy and whether you did that correctly, like installing suitable certificates, making your clients accept that CA and many more.

HSTS is a hint sent by a website that it needs to be encrypted. If you set up an HTTP proxy only, your browser sees an unencrypted connection and that won't work. So, you need to have a proxy that is "transparent", i.e. the URL is unchanged (this is called "SSL bump"). To make that work, the traffic has to be diverted, and you have to present a certificate for the correct site that is created on-the-fly. Since your CA for doing that is usually not trusted by your browsers, you will have to install it there first.

Also, some sites (like banks) have "certificate pinning" via DNS, i.e. they must use certain CAs, so that your CA will not be trusted for these. You will have to have a whitelist in your transparent proxy for these to make them work, but you cannot inspect that traffic.

https://www.amazon.de
Ah, seems to be more extensive than I thought.
I don't have a whitelist.
I should create one, so to speak.
Are there any detailed instructions?
I've only found a few so far.  Thank you.

March 15, 2024, 06:29:04 PM #5 Last Edit: March 15, 2024, 06:35:27 PM by rabo
@meyergru
I have almost everything on default.
I have an internal ca certificate
and rolled this out to the clients and registered it.

This is the error message:

venomlinux.org usually protects your data through encryption.
This time, when Brave tried to connect to venomlinux.org, the site returned unusual and incorrect credentials.
Either an attacker is trying to impersonate venomlinux.org, or the connection was interrupted by a Wi-Fi login page.
Since Brave interrupted the connection before exchanging any data, your information is still safe.

You cannot currently access venomlinux.org because the website uses HSTS.
Network errors and attacks are usually temporary, so the site will likely be back up and running later.

venomlinux.org has no DNS CAA record, so I guess that whitelisting is not the problem with that website. I also doubt that they use certificate pinning (since they use short-lived certificates by Let's Encrypt).

The error message you get simply states that your browser tries to access the website without HTTPS, despite the website requesting only to be accessed via HTTPS. That must be because you either specified to use a non-encrypting HTTP proxy or you configured SSL bump incorrectly.

Thus, your proxy setup is wrong somehow. Just follow the instructions I linked in my first answer. Be sure that whatever you have set up incorrectly is removed first and does not interfere with the instructions.

Thank you, I will do that. Thanks.