Squid Web Proxy

iskono:
Dear Team,
I am new here. I just installed OPNsense and want to enable c-icap, but whenever I try to enable the Squid Web Proxy service, I get the following error message:
proxy load error
template reload OPNsense/ProxySSO: OK
Starting squid.
CPU Usage: 0.025 seconds = 0.008 user + 0.017 sys
Maximum Resident Size: 56608 KB
Page faults with physical i/o: 0
2024/03/11 22:30:43| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2024/03/11 22:30:43| Processing Configuration File: /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf (depth 1)
2024/03/11 22:30:43| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2024/03/11 22:30:43| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2024/03/11 22:30:43| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2024/03/11 22:30:43| ERROR: ACL not found: Safe_ports
2024/03/11 22:30:43| Not currently OK to rewrite swap log.
2024/03/11 22:30:43| storeDirWriteCleanLogs: Operation aborted.
2024/03/11 22:30:43| FATAL: Bungled /usr/local/etc/squid/squid.conf line 83: http_access deny !Safe_ports
2024/03/11 22:30:43| Squid Cache (Version 6.7): Terminated abnormally.
/usr/local/etc/rc.d/squid: WARNING: failed to start squid

meyergru:
And another one... sigh...

See https://forum.opnsense.org/index.php?topic=39116.0 with nearly the same error message.

rabo:
Thanks, I looked and it's all there. I did apply again and now it's gone. ... But I have something else: I get an HSTS error on many websites now. I can't access them. Have I forgotten to configure something?

meyergru:
That depends on how you set up your transparent proxy and whether you did that correctly, like installing suitable certificates, making your clients accept that CA and many more.

HSTS is a hint sent by a website that it needs to be encrypted. If you set up an HTTP proxy only, your browser sees an unencrypted connection and that won't work. So, you need to have a proxy that is "transparent", i.e. the URL is unchanged (this is called "SSL bump"). To make that work, the traffic has to be diverted, and you have to present a certificate for the correct site that is created on the fly. Since your CA for doing that is usually not trusted by your browsers, you will have to install it there first.

Also, some sites (like banks) have "certificate pinning" via DNS, i.e. they must use certain CAs, so your CA will not be trusted for these. You will have to have a whitelist in your transparent proxy for these to make them work, but you cannot inspect that traffic.

rabo:
https://www.amazon.de
Ah, seems to be more extensive than I thought.
I don't have a whitelist.
I should create one, so to speak.
Are there any detailed instructions?
I've only found a few so far. Thank you.
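As an added illustration of the whitelist meyergru describes (constructed for this page, not taken from the thread or from the configuration OPNsense generates), a plain squid.conf fragment that defines the Safe_ports ACL the original error complained about, peeks at the TLS server name, splices a list of pinned sites and bumps everything else; the file paths, the CA file name and the domain names are assumptions:

```conf
# Illustrative squid.conf fragment (constructed example, not OPNsense's
# generated config). Paths and the CA file name are assumptions.

# The ACL the original error complained about must be defined before use.
acl Safe_ports port 80 443 21 1025-65535
http_access deny !Safe_ports

# Intercepted HTTPS listener. The CA in ca.pem signs per-site certificates
# generated on the fly; clients must trust this CA or HSTS sites hard-fail.
https_port 3129 intercept ssl-bump tls-cert=/usr/local/etc/squid/ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M 4MB

# Step 1: peek at the ClientHello to learn the requested server name (SNI)
# without terminating the TLS session yet.
acl step1 at_step SslBump1
ssl_bump peek step1

# Whitelist of sites that must not be bumped (e.g. banks with pinned CAs).
# Spliced connections are passed through unchanged and cannot be inspected.
acl nobump ssl::server_name .example-bank.invalid
acl nobump ssl::server_name .another-pinned-site.invalid
ssl_bump splice nobump

# Everything else is bumped: Squid terminates TLS and re-encrypts with a
# certificate from its own CA, so only clients trusting that CA will work.
ssl_bump bump all
```

Because HSTS tells the browser to refuse any untrusted certificate for that host with no click-through, a site that lands in the bump branch while the CA is missing from the client's trust store fails exactly as rabo describes; check that the CA is installed on the client before extending the splice list.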
