
Author Topic: Squid not listening on port 80  (Read 19781 times)


Offline stanthewizard

Squid not listening on port 80
« on: January 24, 2015, 02:42:55 am »
I got this message   

 The field 'reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.first sysctl value(1024).
    To listen on low ports, change portrange.first sysctl value to 0 on system tunable options and restart squid daemon.
    The field 'reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.first sysctl value(1024).
    To listen on low ports, change portrange.first sysctl value to 0 on system tunable options and restart squid daemon.

Tried to change the sysctl.conf with
net.inet.ip.portrange.first=0

no effect

Tried to change the tunable in advanced options

no effect

Any idea?
« Last Edit: January 24, 2015, 02:58:19 am by stanthewizard »

Offline olivierfaber

Re: Squid not listening on port 80
« Reply #1 on: January 24, 2015, 04:19:13 am »
I'm getting the same error after the upgrade to 2.2-RELEASE (amd64)

Offline marcelloc

Re: Squid not listening on port 80
« Reply #2 on: January 24, 2015, 06:15:14 am »
Try to set it via console too and/or reboot to get it working.

Offline stanthewizard

Re: Squid not listening on port 80
« Reply #3 on: January 24, 2015, 09:20:35 am »
Reboot doesn't change anything

How to set it via console?

Thank you for your commitment  :D

Offline marcelloc

Re: Squid not listening on port 80
« Reply #4 on: January 24, 2015, 09:38:06 am »
first check what you get applied

Code:
sysctl net.inet.ip.portrange

then change if not applied during boot

Code:
sysctl net.inet.ip.portrange.first=0

EDIT
You can try this too

Code:
sysctl net.inet.ip.portrange.reservedhigh=79

Reference: http://segfault.in/2010/10/freebsd-net-inet-ip-sysctls-explained/

net.inet.ip.portrange.reservedlow, net.inet.ip.portrange.reservedhigh

The range of privileged ports which only may be opened by root-owned processes may be modified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl settings. The values default to the traditional range, 0 through IPPORT_RESERVED – 1 (0 through 1023), respectively. Note that these settings do not affect and are not accounted for in the use or calculation of the other net.inet.ip.portrange values above. Changing these values departs from UNIX tradition and has security consequences that the administrator should carefully evaluate before modifying these settings.
« Last Edit: January 24, 2015, 09:46:44 am by marcelloc »

Offline stanthewizard

Re: Squid not listening on port 80
« Reply #5 on: January 24, 2015, 10:17:18 am »
Either way doesn't work
$ sysctl net.inet.ip.portrange.first=0
net.inet.ip.portrange.first: 1024 -> 1024

$ sysctl net.inet.ip.portrange.reservedhigh=79
net.inet.ip.portrange.reservedhigh: 1023 -> 79

net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.reservedhigh: 79
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomtime: 45



Then I restart Squid and same issue
If I restart pfSense the setting reverts to 1024 ..

 ???
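Added example (not part of the thread, and not pfSense or Squid package code): a small Python check that parses `sysctl net.inet.ip.portrange` output like that pasted above and evaluates a listen port against two separate rules, the kernel's root-only range (reservedlow through reservedhigh) and the comparison against portrange.first that the quoted error message describes. The function names are hypothetical, and treating the form check as simply `port > first` is an assumption taken from the wording of that message.

```python
import re

# Constructed sample: the values from the post above, including one line in the
# "old -> new" form that sysctl prints when a value is set.
SAMPLE = """\
net.inet.ip.portrange.first: 1024 -> 1024
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.reservedhigh: 79
net.inet.ip.portrange.reservedlow: 0
"""

LINE = re.compile(
    r"\s*net\.inet\.ip\.portrange\.(\w+)\s*[:=]\s*(\d+)(?:\s*->\s*(\d+))?\s*$")


def parse_portrange(text):
    """Return {short_name: int}; for 'old -> new' lines keep the new value."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(3) or m.group(2))
    return values


def check_port(port, values):
    """Evaluate a listen port against the two independent checks."""
    if not 1 <= port <= 65535:
        raise ValueError(f"not a TCP port: {port}")
    if "first" not in values:
        raise KeyError("portrange.first missing from input")
    # Kernel rule: ports in reservedlow..reservedhigh need a root-owned process.
    # Defaults are the traditional 0..1023 range quoted in the thread.
    low = values.get("reservedlow", 0)
    high = values.get("reservedhigh", 1023)
    return {
        "root_only": low <= port <= high,
        # Assumption from the error text: the form wants port > portrange.first.
        "form_accepts": port > values["first"],
    }


if __name__ == "__main__":
    vals = parse_portrange(SAMPLE)
    for p in (80, 443, 9080):
        print(p, check_port(p, vals))
```

With the pasted values, port 80 is no longer root-only once reservedhigh is 79, yet it still fails the portrange.first comparison, so the two settings have to be read separately. The same output also shows the cost of that change: every port from 80 through 1023 becomes bindable by any local user.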

Offline stanthewizard

Re: Squid not listening on port 80
« Reply #6 on: January 24, 2015, 10:47:15 am »
I installed a new pfsense in a VM directly from CD

Impossible to change
net.inet.ip.portrange.first=0

Out of the box ...

The previous version 2.1 is impossible to change too BUT the old squid package doesn't care for it.

Offline marcelloc

Re: Squid not listening on port 80
« Reply #7 on: January 24, 2015, 10:57:37 am »
Quote: "The previous version 2.1 is impossible to change too BUT the old squid package doesn't care for it."

pfsense, not squid...

Offline marcelloc

Re: Squid not listening on port 80
« Reply #8 on: January 24, 2015, 10:59:00 am »
While fixing the package to 2.2, it was working.

Use old workaround instead until we find a way to fix it again.

Have squid listen on a high port and NAT it from 80/443 to the configured port.

If you prefer, you can (re)open a redmine ticket for it.

Offline stanthewizard

Re: Squid not listening on port 80
« Reply #9 on: January 24, 2015, 11:12:21 am »
That's the workaround I had in mind  ;D

Many thanks for your help

Offline Cino

Re: Squid not listening on port 80
« Reply #10 on: January 24, 2015, 07:03:15 pm »
I've officially upgraded my box to 2.2 today and if you use a higher port with a NAT redirect, it works with no issues from what I can tell.

Offline rody

Re: Squid not listening on port 80
« Reply #11 on: February 02, 2015, 10:47:08 pm »
Cino,

Can you elaborate on how to configure the NAT redirect as a workaround?

I am configuring a reverse proxy to use with Lync and need to use port 443.

Thanks,

Rody.

Offline Cino

Re: Squid not listening on port 80
« Reply #12 on: February 03, 2015, 03:39:38 am »
Have squid reverse proxy listen to let's say port 8443, using loopback for its interface. Then create a WAN NAT to redirect all incoming traffic from port 443 to 8443.

e.g. here is my NAT for port 80

WAN    TCP    *    *    WAN address    80 (HTTP)    127.0.0.1    9080    HTTP squid-reverse redirect

squid is setup for loopback listen on port 9080

Offline marcelloc

Re: Squid not listening on port 80
« Reply #13 on: February 03, 2015, 04:48:34 am »
Quote: "Have squid reverse proxy listen to let's say port 8443, using loopback for its interface."

Until we find another way to work around the non-root users listening on low ports security rule.

Offline rody

Re: Squid not listening on port 80
« Reply #14 on: February 05, 2015, 08:42:26 pm »
Thanks Cino,

I created the WAN NAT to redirect incoming traffic from port 443 to the port 1443:

WAN     TCP    *    *    WAN address    443 (HTTPS)    127.0.0.1    1443

Then have Squid Reverse Proxy listen on 1443 on "reverse HTTPS port" under "Squid Reverse HTTPS Settings" but that does not work.

I don't get the part where you said "squid is setup for loopback listen on port 9080". Is this port 9080 something that I have to configure some place else for the loopback address? Then change 1443 for 9080?

I don't think this is a default port, so where in Squid Reverse Proxy is this loopback port configured?

Thanks,

Rody.