Squid Web Proxy Error (1)

Started by lf.fsilva, December 01, 2025, 02:42:21 AM

OPNsense updated as of 30/11/2025. When a rule is created in Squid in Access control, it returns "Error configuring policies - Error (1)".
Does anyone have a suggestion?

I've got the same issue. The ACLs did work for about three days and then quit working without any notice.
But the clients could access every page.
Increasing the RAM worked for about two days.

The Error 1 you see while applying policies in OPNsense with os-opnproxy is not caused by Redis or your policy logic. The issue happens because the os-opnproxy package triggers a Squid reload at the wrong time.

Here's what happens: policy entries are first written into the Redis database, and immediately after that the service script runs squid reload. When this happens together with OPNsense GUI activity, Squid can panic. At some point, the Squid binary cannot handle Redis writes, GUI operations, and a reload all at the same time, resulting in Error 1.

The fix I use is to modify the service script. Edit this file:

/usr/local/opnsense/service/conf/actions.d/actions_opnproxy.conf

Inside you'll see a line like:

/usr/local/opnsense/scripts/OPNProxy/policies_to_redis_proto.py | redis-cli --pipe && squid reload

Delete the "&& squid reload" part, save the file, then apply the policies again. If Error 1 still persists, restart OPNsense once.

If you use network-based user authentication only, the default Squid helper can only block non-SSL traffic. HTTPS traffic will still pass unless you use SSL inspection, which we typically don't want. The helper script is here:

/usr/local/opnsense/scripts/OPNProxy/squid_acl_helper.py

I have a modified version that can block SSL traffic when no allow policy exists. It's available here: 
https://pastebin.com/cnecSZ7y

I am also working on a PySide6 GUI that connects to Redis and lets you manipulate policies and rules. It is still a prototype, works for small datasets, and entries may disappear after an OPNsense reboot. The GUI script is here: 
https://pastebin.com/Nwr8A8Uq

If you plan to use the GUI, you must uncheck Redis protected mode in OPNsense. I tested this from Windows 11 connecting to Redis on OPNsense. You can use WinSCP to edit or replace files easily.

One experimental solution: you can remove os-opnproxy, keep Squid, place the modified helper manually, and create Redis entries using the correct JSON structure and order. In theory, Redis may not reset after reboot without os-opnproxy, but this is not fully tested.

Please note again that the GUI is still in prototype stage and cannot handle very large Redis datasets.
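
The file edit described in the reply above, as an added example that is not part of the original post or of os-opnproxy: a POSIX sh function that backs up the action file and removes only the trailing "&& squid reload" from the policy-import line. The function name and the sample file contents are assumptions; on a firewall it would be called with /usr/local/opnsense/service/conf/actions.d/actions_opnproxy.conf.

```shell
#!/bin/sh
# Added example, not os-opnproxy code. Strips the trailing "&& squid reload"
# from the policy-import command line quoted in the post.
# Returns 0 = changed (backup kept), 1 = nothing to change, 2 = I/O error.
strip_squid_reload() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Act only on the line that pipes policies_to_redis_proto.py into redis-cli.
    if ! grep -q 'policies_to_redis_proto\.py.*&&[[:space:]]*squid reload' "$conf"; then
        echo "no '&& squid reload' suffix in $conf, nothing to do" >&2
        return 1
    fi
    backup="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$backup" || return 2
    tmp=$(mktemp "${TMPDIR:-/tmp}/opnproxy.XXXXXX") || return 2
    # Write through the original inode so owner and mode stay unchanged.
    if sed '/policies_to_redis_proto\.py/ s/[[:space:]]*&&[[:space:]]*squid reload[[:space:]]*$//' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"; then
        rm -f "$tmp"
        echo "patched $conf (backup: $backup)"
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Demo on a constructed sample; the section name and the type/message keys are
# assumptions, only the command text is taken from the post.
demo_dir=$(mktemp -d)
demo="$demo_dir/actions_opnproxy.conf"
cat > "$demo" <<'EOF'
[sample_apply]
command:/usr/local/opnsense/scripts/OPNProxy/policies_to_redis_proto.py | redis-cli --pipe && squid reload
type:script
message:apply proxy policies
EOF
strip_squid_reload "$demo"
grep '^command:' "$demo"
rm -rf "$demo_dir"
```

The file belongs to the package, so an os-opnproxy update may restore the original line; the function is safe to rerun because it returns 1 and changes nothing when the suffix is already gone.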