pfSense Gold Subscription

Author Topic: squid 3.3.4 package for pfsense with ssl filtering  (Read 143090 times)

0 Members and 1 Guest are viewing this topic.

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 13319
  • Karma: +572/-6
    • View Profile
squid 3.3.4 package for pfsense with ssl filtering
« on: May 13, 2013, 12:55:39 pm »
Hi all,

first devel version of squid 3.3 for pfsense is out.

Main changes
  • Update squid to latest stable version 3.3.4
  • Per interface proxy mode
  • Per interface transparent proxy mode
  • Per interface ssl proxy mode
  • Antivirus integration via i-cap
  • Option to include squidguard denied logs on squid log too (requires this option and a small update on sgerror.php)

know bugs
  • Clamav integration via i-cap is not working(loops until crash)

att,
Marcello Coutinho


moderator edit:  removed links no longer necessary triggering malware alerts for some users.[/list]
« Last Edit: August 13, 2014, 08:03:35 pm by cmb »

Offline wheelz

  • Full Member
  • ***
  • Posts: 130
  • Karma: +4/-0
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #1 on: May 13, 2013, 01:26:59 pm »
Awesome! I know many are looking forward to this.  I have a few questions:

Does the ssl proxy mode work in transparent, normal, or both?
Is this package something we can use with DG to try out the ssl filtering or is there more work needed on DG before that should work?
How are the certificates set up?  I know the pfsense box should act as a certificate authority and all the clients must trust it.  So is the CA cert automatically generated and how do you get it to the clients?  Or can you use an existing PKI to generate one for it?

Offline Cino

  • Hero Member
  • *****
  • Posts: 1515
  • Karma: +60/-2
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #2 on: May 13, 2013, 01:36:52 pm »
just tried to install it and it failed :-(
2.1-BETA1 (i386) built on Fri May 10 16:28:23 EDT 2013

Code: [Select]
Beginning package installation for squid3-dev .
Downloading package configuration file... done.
Saving updated package information... done.
Downloading squid3-dev and its dependencies...
Checking for package installation...
 Downloading http://files.pfsense.org/packages/8/All/squid-3.3.4-i386.pbi ...  (extracting)
Loading package configuration... done.
Configuring package components...
Additional files... sqpmon.sh failed.
Backing up libraries...
Removing package...
Starting package deletion for squid-3.3.4-i386...

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 13319
  • Karma: +572/-6
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #3 on: May 13, 2013, 01:40:10 pm »
Does the ssl proxy mode work in transparent, normal, or both?
both.

Is this package something we can use with DG to try out the ssl filtering or is there more work needed on DG before that should work?
with ssl, mybe not as squid need always direct directive.
if dansguardian pass it to squid and then ssl is filtered, then it works.

How are the certificates set up?  I know the pfsense box should act as a certificate authority and all the clients must trust it.  So is the CA cert automatically generated and how do
Default web configurator certificate can be used.

you get it to the clients?  Or can you use an existing PKI to generate one for it?
you may need to export crt to clients to avoid most of ssl client check erros

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 13319
  • Karma: +572/-6
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #4 on: May 13, 2013, 01:45:50 pm »
Additional files... sqpmon.sh failed.

Fixed. retry in 15 minutes  :)

Offline wheelz

  • Full Member
  • ***
  • Posts: 130
  • Karma: +4/-0
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #5 on: May 13, 2013, 01:57:07 pm »
with ssl, mybe not as squid need always direct directive.
if dansguardian pass it to squid and then ssl is filtered, then it works.

I'm not sure I understand what you mean.  Should I take that to mean, try it and see?  :)

Offline Nachtfalke

  • Hero Member
  • *****
  • Posts: 2888
  • Karma: +29/-1
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #6 on: May 13, 2013, 02:16:25 pm »
Hi Marcello,

this are really amazing features. Transparent SSL filtering and an up to date anti-virus feature ist great!

Thank you very much for the very very hard work on that! I hope I will find some time to test all the festures in the near future  ;D

Offline quetzalcoatl

  • Jr. Member
  • **
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #7 on: May 13, 2013, 03:12:55 pm »
On pfsense2.1 snapshot from first week of may 2013 I uninstalled squid 3.1 and installed squid 3.3.4

I noticed that the squid service was not starting anymore and there were 2 new services not starting as well.

the other 2 services are:
Icap inteface for squid and clamav integration
Clamav Antivirus

Also i noticed that after installing squid 3.3.4 my old config was still there......handy but not sure if was a very clean installation.

so i installed in a new machine the latest 2.1 snapshot from today may 13th and installed the latest squid 3.3.4
and the very same issue is still there, squid service is still not starting even in an absolutely clean install.

what should i do to make it work?
« Last Edit: May 13, 2013, 03:26:19 pm by quetzalcoatl »

Offline wheelz

  • Full Member
  • ***
  • Posts: 130
  • Karma: +4/-0
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #8 on: May 13, 2013, 03:17:04 pm »
quetzalcoatl,

know bugs
  • Clamav integration via i-cap is not working(loops until crash)

It is a known bug that I'm sure he is working on.

Offline quetzalcoatl

  • Jr. Member
  • **
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #9 on: May 13, 2013, 03:25:03 pm »
thanks, and i supposed that those new 2 services still need to be fixed.
I don't even need the antivirus and stuff anyways.
I just need the squid3.3 service to start but it does not.

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 13319
  • Karma: +572/-6
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #10 on: May 13, 2013, 03:28:11 pm »
I just need the squid3.3 service to start but it does not.

What you get on squid logs? I've did a clean install and service is up with antivirus disabled.

squid -NsXY is a good way to find what is not working.

Did you saved config after package installing 3.3?

Offline Cino

  • Hero Member
  • *****
  • Posts: 1515
  • Karma: +60/-2
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #11 on: May 13, 2013, 03:42:24 pm »
it installs now but its missing a shared object.. I haven't had a chance to to see if its on the box and just needs to be linked.


Code: [Select]
php: : The command '/usr/pbi/squid-i386/sbin/squid -f /usr/pbi/squid-i386/etc/squid/squid.conf' returned exit code '1', the output was '/libexec/ld-elf.so.1: Shared object "libgssapi.so.10" not found, required by "squid"'

Offline quetzalcoatl

  • Jr. Member
  • **
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #12 on: May 13, 2013, 03:48:40 pm »
I just need the squid3.3 service to start but it does not.

What you get on squid logs? I've did a clean install and service is up with antivirus disabled.

squid -NsXY is a good way to find what is not working.

Did you saved config after package installing 3.3?

i don't even know where to look for squid logs.
also as soon as i install squid 3.3 the icap and clamd services get installed by themselves and i don't know how to remove them (if i have to).

if i go to the pfsense console and hit 8 to get into the shell, then i write "squid -NsXY"
it says "/libexec/lds-elf.so.1: Shared object "libgssapi.so.10" not found, required by "squid".

I did not save my squid config before installing 3.3 but the old config was still there.

Right now i have 2 virtual machines, 1 with pfsense 2.1 with reinstalled squid 3.3 from 3.1, and another one with the today's pfsense snapshot and clean install of squid 3.3.

I see "/libexec/lds-elf.so.1: Shared object "libgssapi.so.10" not found, required by "squid" in both virtual machines.
« Last Edit: May 13, 2013, 03:55:15 pm by quetzalcoatl »

Offline quetzalcoatl

  • Jr. Member
  • **
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #13 on: May 13, 2013, 05:45:55 pm »
I hope the file libgssapi.so.10 will be added to the next pfsense snapshots or within the next release of squid3.3

I have been trying all evening to get this file into that /usr/local/lib folder
but i did not succeed.

How do i copy or move a file from the internet to a certain folder inside pfsense?
Using the GUI i can upload a file but i don't know how to place it in /usr/local/lib
« Last Edit: May 14, 2013, 07:15:29 am by quetzalcoatl »

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 13319
  • Karma: +572/-6
    • View Profile
Re: squid 3.3.4 package for pfsense with ssl filtering
« Reply #14 on: May 13, 2013, 06:36:57 pm »
How do i copy or move a file from the internet to a certain folder?

using console/ssh

  • cd /usr/local/lib
  • fetch url_for_libs

Download all libs from my ldd folder.