Squid Web Proxy services error - 25.4.1 Business Edition - chaos for our company

[Wuensch-AG-Adm]

Dear Community and OPNsense Team,

we have bought a Deciso / OPNsense Appliance the Business Edition to receive every time a stable version of the system and the plugins too (normally they're tested on the community version).
Today during the maintenance, we have upgraded our appliance to the version 25.4.1 and after the reboot the squid plugin doesn't work anymore
Version: os-squid 1.2
A segmentation fault warning, and it's not the first time we've seen something like this, and each time we've solved the problems by making a few changes to the parameters.
This time it simply doesn't work and our company have no Internet without chaotic passthrough that I need the set up in urgence.

The first question: Shouldn't the Business Edition be tested better with plugin integration? (the minimum requirements for the business functions)
If no for the Business customer we need the list of the Business plugin that we can use (when we are buying the appliance for example)

here the infos on the warning message:

template reload Deciso/Proxy: OK
template reload OPNsense/ProxySSO: OK
Segmentation fault
Performing sanity check on squid configuration.
2025/06/05 08:30:13| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3128
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3128
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3129
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3129
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3129 (interception enabled)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2025/06/05 08:30:19| WARNING: HTTP requires the use of Via
2025/06/05 08:30:19| Set Current Directory to /var/squid/cache
Segmentation fault

segmentation fault is quite general. Where can we see the detailed error message?
We have a backup of the configuration. Is there a link to the procedure for an emergency plan? If we need to quickly restore.
I've found this website: https://www.thomas-krenn.com/de/wiki/OPNsense_Konfiguration_wiederherstellen

We have tried to disable the squid proxy but the problem is still the same because of the NAT that squid proxy is creating when there's a transparent proxy.
We are currently being blocked by our OPNsense.

Thank you ahead for you help.

Regards,

Joel.

[Patrick M. Hausen]

Best contact Deciso directly. This is the community forum, not the support channel.

[Wuensch-AG-Adm]

Thank you for your reply, Patrick.
I will continue to try to use all communication channels. I don't consider this forum to be a support platform. Perhaps someone else has already had this problem.
We purchase business appliances in order to have stable versions and fewer or no problems with troubleshooting. The support channel would be intended for us if we needed to set something up and it wasn't working, but that wasn't the case this time.
Regards.

[elenagilbert]

Dear Community and OPNsense Team,

we have bought a Deciso / OPNsense Appliance the Business Edition to receive every time a stable version of the system and the plugins too (normally they're tested on the community version).
Today during the maintenance, we have upgraded our appliance to the version 25.4.1 and after the reboot the squid plugin doesn't work anymore
Version: os-squid 1.2
A segmentation fault warning, and it's not the first time we've seen something like this, and each time we've solved the problems by making a few changes to the parameters.
This time it simply doesn't work and our company have no Internet without chaotic passthrough that I need the set up in urgence.

The first question: Shouldn't the Business Edition be tested better with plugin integration? (the minimum requirements for the business functions)
If no for the Business customer we need the list of the Business plugin that we can use (when we are buying the appliance for example)

here the infos on the warning message:

template reload Deciso/Proxy: OK
template reload OPNsense/ProxySSO: OK
Segmentation fault
Performing sanity check on squid configuration.
2025/06/05 08:30:13| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3128
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3128
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3129
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3129
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3129 (interception enabled)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2025/06/05 08:30:19| WARNING: HTTP requires the use of Via
2025/06/05 08:30:19| Set Current Directory to /var/squid/cache
Segmentation fault

segmentation fault is quite general. Where can we see the detailed error message?
We have a backup of the configuration. Is there a link to the procedure for an emergency plan? If we need to quickly restore.
I've found this website: https://www.thomas-krenn.com/de/wiki/OPNsense_Konfiguration_wiederherstellen Retro Bowl College

We have tried to disable the squid proxy but the problem is still the same because of the NAT that squid proxy is creating when there's a transparent proxy.
We are currently being blocked by our OPNsense.

Thank you ahead for you help.

Regards,

Joel.

Hi Joel, did you happen to check whether there's a core dump or crash log generated from the Squid process after the segmentation fault?

[TomS2]

Hi,

I just wanted to confirm the problem.

Today I installed the os-squid Plugin (1.2) on our OPNsense 25.4.1-amd64 and I get the same segmentation fault as Joel.

I had the plugin installed and configured a long time ago, but didn't use it for some time so I suspected problems with a old squid config. Sadly resetting the cache and plugin-config and removing and re-installing the plugin didn't resolve the problem.

The proxy service is still usable for http-requests and
service squid status shows:
squid is running as pid  xxxxx

But every squid-command results in a segmentation fault.
HTTPS-Requests don't seem work (maybe related to the segmentation faults)

Code Select Expand

root@OPNsense:~ # squid -k parse
2025/06/11 08:16:30| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2025/06/11 08:16:30| Processing: http_port 10.1.1.254:3128
2025/06/11 08:16:30| Processing: acl ftp proto FTP
2025/06/11 08:16:30| Processing: http_access allow ftp
2025/06/11 08:16:30| Processing: acl localnet src 10.1.1.0/24 # Possible internal network (interfaces v4)
2025/06/11 08:16:30| Processing: acl localnet src fc00::/7       # RFC 4193 local private network range
2025/06/11 08:16:30| Processing: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
2025/06/11 08:16:30| Processing: acl SSL_ports port 443 # https
2025/06/11 08:16:30| Processing: acl Safe_ports port 80 # http
2025/06/11 08:16:30| Processing: acl Safe_ports port 21 # ftp
2025/06/11 08:16:30| Processing: acl Safe_ports port 443 # https
2025/06/11 08:16:30| Processing: acl Safe_ports port 70 # gopher
2025/06/11 08:16:30| Processing: acl Safe_ports port 210 # wais
2025/06/11 08:16:30| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2025/06/11 08:16:30| Processing: acl Safe_ports port 280 # http-mgmt
2025/06/11 08:16:30| Processing: acl Safe_ports port 488 # gss-http
2025/06/11 08:16:30| Processing: acl Safe_ports port 591 # filemaker
2025/06/11 08:16:30| Processing: acl Safe_ports port 777 # multiling http
2025/06/11 08:16:30| Processing: acl CONNECT method CONNECT
2025/06/11 08:16:30| Processing: icap_enable off
2025/06/11 08:16:30| Processing: include /usr/local/etc/squid/pre-auth/*.conf
2025/06/11 08:16:30| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2025/06/11 08:16:30| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2025/06/11 08:16:30| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2025/06/11 08:16:30| Processing: http_access deny !Safe_ports
2025/06/11 08:16:30| Processing: http_access deny CONNECT !SSL_ports
2025/06/11 08:16:30| Processing: http_access allow localhost manager
2025/06/11 08:16:30| Processing: http_access deny manager
2025/06/11 08:16:30| Processing: http_access deny to_localhost
2025/06/11 08:16:30| Processing: include /usr/local/etc/squid/auth/*.conf
2025/06/11 08:16:30| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2025/06/11 08:16:30| Processing: http_access allow localnet
2025/06/11 08:16:30| Processing: http_access allow localhost
2025/06/11 08:16:30| Processing: http_access deny all
2025/06/11 08:16:30| Processing: include /usr/local/etc/squid/post-auth/*.conf
2025/06/11 08:16:30| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2025/06/11 08:16:30| Processing: cache_mem 256 MB
2025/06/11 08:16:30| Processing: coredump_dir /var/squid/cache
2025/06/11 08:16:30| Processing: refresh_pattern ^ftp:          1440    20%     10080
2025/06/11 08:16:30| Processing: refresh_pattern ^gopher:       1440    0%      1440
2025/06/11 08:16:30| Processing: refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
2025/06/11 08:16:30| Processing: refresh_pattern .              0       20%     4320
2025/06/11 08:16:30| Processing: access_log stdio:/var/log/squid/access.log squid
2025/06/11 08:16:30| Processing: cache_store_log stdio:/var/log/squid/store.log
2025/06/11 08:16:30| Processing: via off
2025/06/11 08:16:30| Processing: logfile_rotate 0
2025/06/11 08:16:30| Processing: error_directory /usr/local/share/squid-langpack/en
2025/06/11 08:16:30| WARNING: HTTP requires the use of Via
2025/06/11 08:16:30| Requiring client certificates.
Segmentation fault
root@OPNsense:~ # service squid status
squid is running as pid 52104.

This forum has a lot of postings about this squid segmentation fault problem, but no solution other than resetting the config.
This seems not to work.

Any help is much appreciated.

Best regards,
Tom

[pheriko]

For me, since I start using squid on opnsense, I always get segment fault, but doesn't mean squid won't work, is working.

Even if I just run on shell squid -k parse, I always get that error at the end.

Them, I start living with this.

On pfsense for example, is very strange to get that message with squid.

But you can go and disable the NAT and fw rules if you need to.

Currently, what is your status?

Regards.

[TomS2]

Thanks for sharing your experience with squid and seg faults Pheriko.

I just tried squid on a third opnsense (Firmware 25.1.8_1-amd64) hand I get the same segmentation faults from squid when restarting squid from the webgui or using the squid command from shell like "squid -k parse".

So it is normal for opnsense (community and business) to have crashing processes with segmentation fault with squid.

On my systems the squid process still replies to http requests despite of the segmentation fault messages.

Maybe not a security problem, but feels strange to just ignore it.

Thanks,
Tom