Solved

PfSense Box - Squid3 Proxy ... will not work.

Posted on 2014-09-19
Last Modified: 2014-10-03
Hi Guys,

I'm hoping someone has come across this problem.

Got a pfSense box which is happily handling OpenVPN with SSL.  However, got a problem while trying to configure a BASIC proxy on it ... yes it won't work.  I have built a replica on a VM platform which works well, and have examined the conf, to see if there is anything different (which there isn't), so still no joy.  I am not getting any Squid errors when trying to connect through the proxy by browser, it is indicating "Internet explorer cannot display the web page".

Here is my conf.

$ tail -300 /usr/pbi/squid-i386/etc/squid/squid.conf
# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.1.28:3128
http_port 127.0.0.1:3128 intercept
icp_port 0
dns_v4_first off
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-i386/etc/squid/icons
visible_hostname localhost
cache_mgr groupit@XXXXXXX.co.uk
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-i386/libexec/squid/pinger

logfile_rotate 0
debug_options rotate=0
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.1.0/24
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all

Here is my cache log

2014/09/19 09:25:49 kid1| WARNING: failed to find or read error text file error-details.txt
2014/09/19 09:25:49 kid1| sendto FD 32: (1) Operation not permitted
2014/09/19 09:25:49 kid1| ipcCreate: CHILD: hello write test failed
2014/09/19 10:35:14 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
2014/09/19 10:35:14 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
2014/09/19 10:35:14 kid1| Unable to load default error language files. Reset to backups.
2014/09/19 10:35:14 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
2014/09/19 10:35:14 kid1| WARNING: failed to find or read error text file error-details.txt
2014/09/19 10:35:14 kid1| sendto FD 19: (1) Operation not permitted
2014/09/19 10:35:14 kid1| ipcCreate: CHILD: hello write test failed
2014/09/19 10:43:42 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
2014/09/19 10:43:43 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
2014/09/19 10:43:43 kid1| Unable to load default error language files. Reset to backups.
2014/09/19 10:43:43 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
2014/09/19 10:43:43 kid1| WARNING: failed to find or read error text file error-details.txt
2014/09/19 10:43:43 kid1| sendto FD 22: (1) Operation not permitted
2014/09/19 10:43:43 kid1| ipcCreate: CHILD: hello write test failed

and here are the two TXT files mentioned in this log.

In Templates folder:

$ tail -3000 /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"

name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate does not match domainname"

name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
descr: "Unable to get issuer certificate"

name: X509_V_ERR_UNABLE_TO_GET_CRL
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to get certificate CRL"

name: X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to decrypt certificate's signature"

name: X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to decrypt CRL's signature"

name: X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
detail: "Unable to decode issuer (CA) public key: %ssl_ca_name"
descr: "Unable to decode issuer public key"

name: X509_V_ERR_CERT_SIGNATURE_FAILURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate signature failure"

name: X509_V_ERR_CRL_SIGNATURE_FAILURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL signature failure"

name: X509_V_ERR_CERT_NOT_YET_VALID
detail: "SSL Certficate is not valid before: %ssl_notbefore"
descr: "Certificate is not yet valid"

name: X509_V_ERR_CERT_HAS_EXPIRED
detail: "SSL Certificate expired on: %ssl_notafter"
descr: "Certificate has expired"

name: X509_V_ERR_CRL_NOT_YET_VALID
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL is not yet valid"

name: X509_V_ERR_CRL_HAS_EXPIRED
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL has expired"

name: X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
detail: "SSL Certificate has invalid start date (the 'not before' field): %ssl_subject"
descr: "Format error in certificate's notBefore field"

name: X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
detail: "SSL Certificate has invalid expiration date (the 'not after' field): %ssl_subject"
descr: "Format error in certificate's notAfter field"

name: X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
detail: "%ssl_error_descr: %ssl_subject"
descr: "Format error in CRL's lastUpdate field"

name: X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
detail: "%ssl_error_descr: %ssl_subject"
descr: "Format error in CRL's nextUpdate field"

name: X509_V_ERR_OUT_OF_MEM
detail: "%ssl_error_descr"
descr: "Out of memory"

name: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
detail: "Self-signed SSL Certificate: %ssl_subject"
descr: "Self signed certificate"

name: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
detail: "Self-signed SSL Certificate in chain: %ssl_subject"
descr: "Self signed certificate in certificate chain"

name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
descr: "Unable to get local issuer certificate"

name: X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to verify the first certificate"

name: X509_V_ERR_CERT_CHAIN_TOO_LONG
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate chain too long"

name: X509_V_ERR_CERT_REVOKED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate revoked"

name: X509_V_ERR_INVALID_CA
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Invalid CA certificate"

name: X509_V_ERR_PATH_LENGTH_EXCEEDED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Path length constraint exceeded"

name: X509_V_ERR_INVALID_PURPOSE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unsupported certificate purpose"

name: X509_V_ERR_CERT_UNTRUSTED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate not trusted"

name: X509_V_ERR_CERT_REJECTED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate rejected"

name: X509_V_ERR_SUBJECT_ISSUER_MISMATCH
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Subject issuer mismatch"

name: X509_V_ERR_AKID_SKID_MISMATCH
detail: "%ssl_error_descr: %ssl_subject"
descr: "Authority and subject key identifier mismatch"

name: X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Authority and issuer serial number mismatch"

name: X509_V_ERR_KEYUSAGE_NO_CERTSIGN
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"

name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
detail: "%ssl_error_descr: %ssl_subject"
descr: "unable to get CRL issuer certificate"

name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "unhandled critical extension"

name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
detail: "%ssl_error_descr: %ssl_subject"
descr: "key usage does not include CRL signing"

name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "unhandled critical CRL extension"

name: X509_V_ERR_INVALID_NON_CA
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid non-CA certificate (has CA markings)"

name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
detail: "%ssl_error_descr: %ssl_subject"
descr: "proxy path length constraint exceeded"

name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "key usage does not include digital signature"

name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
detail: "%ssl_error_descr: %ssl_subject"
descr: "proxy certificates not allowed, please set the appropriate flag"

name: X509_V_ERR_INVALID_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid or inconsistent certificate extension"

name: X509_V_ERR_INVALID_POLICY_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid or inconsistent certificate policy extension"

name: X509_V_ERR_NO_EXPLICIT_POLICY
detail: "%ssl_error_descr: %ssl_subject"
descr: "no explicit policy"

name: X509_V_ERR_DIFFERENT_CRL_SCOPE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Different CRL scope"

name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unsupported extension feature"

name: X509_V_ERR_UNNESTED_RESOURCE
detail: "%ssl_error_descr: %ssl_subject"
descr: "RFC 3779 resource not subset of parent's resources"

name: X509_V_ERR_PERMITTED_VIOLATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "permitted subtree violation"

name: X509_V_ERR_EXCLUDED_VIOLATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "excluded subtree violation"

name: X509_V_ERR_SUBTREE_MINMAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "name constraints minimum and maximum not supported"

name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported name constraint type"

name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported or invalid name constraint syntax"

name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported or invalid name syntax"

name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL path validation error"

name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"

In EN folder:

$ tail -3000 /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"

name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate does not match domainname"

name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
descr: "Unable to get issuer certificate"

name: X509_V_ERR_UNABLE_TO_GET_CRL
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to get certificate CRL"

name: X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to decrypt certificate's signature"

name: X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to decrypt CRL's signature"

name: X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
detail: "Unable to decode issuer (CA) public key: %ssl_ca_name"
descr: "Unable to decode issuer public key"

name: X509_V_ERR_CERT_SIGNATURE_FAILURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate signature failure"

name: X509_V_ERR_CRL_SIGNATURE_FAILURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL signature failure"

name: X509_V_ERR_CERT_NOT_YET_VALID
detail: "SSL Certficate is not valid before: %ssl_notbefore"
descr: "Certificate is not yet valid"

name: X509_V_ERR_CERT_HAS_EXPIRED
detail: "SSL Certificate expired on: %ssl_notafter"
descr: "Certificate has expired"

name: X509_V_ERR_CRL_NOT_YET_VALID
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL is not yet valid"

name: X509_V_ERR_CRL_HAS_EXPIRED
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL has expired"

name: X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
detail: "SSL Certificate has invalid start date (the 'not before' field): %ssl_subject"
descr: "Format error in certificate's notBefore field"

name: X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
detail: "SSL Certificate has invalid expiration date (the 'not after' field): %ssl_subject"
descr: "Format error in certificate's notAfter field"

name: X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
detail: "%ssl_error_descr: %ssl_subject"
descr: "Format error in CRL's lastUpdate field"

name: X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
detail: "%ssl_error_descr: %ssl_subject"
descr: "Format error in CRL's nextUpdate field"

name: X509_V_ERR_OUT_OF_MEM
detail: "%ssl_error_descr"
descr: "Out of memory"

name: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
detail: "Self-signed SSL Certificate: %ssl_subject"
descr: "Self signed certificate"

name: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
detail: "Self-signed SSL Certificate in chain: %ssl_subject"
descr: "Self signed certificate in certificate chain"

name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
descr: "Unable to get local issuer certificate"

name: X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to verify the first certificate"

name: X509_V_ERR_CERT_CHAIN_TOO_LONG
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate chain too long"

name: X509_V_ERR_CERT_REVOKED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate revoked"

name: X509_V_ERR_INVALID_CA
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Invalid CA certificate"

name: X509_V_ERR_PATH_LENGTH_EXCEEDED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Path length constraint exceeded"

name: X509_V_ERR_INVALID_PURPOSE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unsupported certificate purpose"

name: X509_V_ERR_CERT_UNTRUSTED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate not trusted"

name: X509_V_ERR_CERT_REJECTED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate rejected"

name: X509_V_ERR_SUBJECT_ISSUER_MISMATCH
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Subject issuer mismatch"

name: X509_V_ERR_AKID_SKID_MISMATCH
detail: "%ssl_error_descr: %ssl_subject"
descr: "Authority and subject key identifier mismatch"

name: X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Authority and issuer serial number mismatch"

name: X509_V_ERR_KEYUSAGE_NO_CERTSIGN
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"

name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
detail: "%ssl_error_descr: %ssl_subject"
descr: "unable to get CRL issuer certificate"

name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "unhandled critical extension"

name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
detail: "%ssl_error_descr: %ssl_subject"
descr: "key usage does not include CRL signing"

name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "unhandled critical CRL extension"

name: X509_V_ERR_INVALID_NON_CA
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid non-CA certificate (has CA markings)"

name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
detail: "%ssl_error_descr: %ssl_subject"
descr: "proxy path length constraint exceeded"

name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "key usage does not include digital signature"

name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
detail: "%ssl_error_descr: %ssl_subject"
descr: "proxy certificates not allowed, please set the appropriate flag"

name: X509_V_ERR_INVALID_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid or inconsistent certificate extension"

name: X509_V_ERR_INVALID_POLICY_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid or inconsistent certificate policy extension"

name: X509_V_ERR_NO_EXPLICIT_POLICY
detail: "%ssl_error_descr: %ssl_subject"
descr: "no explicit policy"

name: X509_V_ERR_DIFFERENT_CRL_SCOPE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Different CRL scope"

name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unsupported extension feature"

name: X509_V_ERR_UNNESTED_RESOURCE
detail: "%ssl_error_descr: %ssl_subject"
descr: "RFC 3779 resource not subset of parent's resources"

name: X509_V_ERR_PERMITTED_VIOLATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "permitted subtree violation"

name: X509_V_ERR_EXCLUDED_VIOLATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "excluded subtree violation"

name: X509_V_ERR_SUBTREE_MINMAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "name constraints minimum and maximum not supported"

name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported name constraint type"

name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported or invalid name constraint syntax"

name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported or invalid name syntax"

name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL path validation error"

name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"

Any suggestions as to what the problem might be?

Any help appreciated.

IM
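The cache log above reports "parse error while reading template file" for both copies of error-details.txt, and the two listings differ in one visible way: the templates copy ends with an X509_V_ERR_APPLICATION_VERIFICATION entry that has no descr line, while the en copy has one. The following is an added example written for this page, not code from the poster, pfSense or the Squid project, and it does not reproduce Squid's own template parser (whose exact rules are not on this page). It checks the record shape that is visible in the listings (blank-line separated records of name:, detail: and descr: lines, with the latter two as one closed double-quoted string) and reports any record that breaks it, so the file can be checked before Squid is restarted. The sample input is constructed for the test; comment handling with "#" is an assumption.

```python
"""Structural check for Squid's error-details.txt (added example, not Squid's parser)."""
import re
from typing import Dict, List, Tuple

Record = Dict[str, str]

KEY_LINE = re.compile(r"^(name|detail|descr):\s*(.*)$")
QUOTED = re.compile(r'^"[^"]*"$')        # exactly one closed double-quoted string
NAME_OK = re.compile(r"^[A-Z0-9_]+$")     # shape of the names in the listings above
REQUIRED = ("name", "detail", "descr")

# Constructed sample: two clean records, one without descr, one with an
# unterminated detail string that also duplicates an earlier name.
SAMPLE = """\
# constructed sample, not a copy of the real file
name: X509_V_ERR_CERT_HAS_EXPIRED
detail: "SSL Certificate expired on: %ssl_notafter"
descr: "Certificate has expired"

name: X509_V_ERR_CERT_REVOKED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate revoked"

name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"

name: X509_V_ERR_CERT_REVOKED
detail: "%ssl_error_descr: %ssl_subject
descr: "Certificate revoked"
"""


def split_records(text: str) -> List[Tuple[int, Record, List[int]]]:
    """Split the file into blank-line separated records.

    Each result is (first line number, key->value map, line numbers of lines
    that are not a name:/detail:/descr: line). Lines starting with '#' are
    assumed to be comments and skipped.
    """
    records: List[Tuple[int, Record, List[int]]] = []
    current: Record = {}
    junk: List[int] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            if current or junk:
                records.append((start, current, junk))
                current, junk = {}, []
            continue
        if line.startswith("#"):
            continue
        if not current and not junk:
            start = lineno
        m = KEY_LINE.match(line)
        if m is None:
            junk.append(lineno)
        else:
            current[m.group(1)] = m.group(2).strip()
    if current or junk:
        records.append((start, current, junk))
    return records


def check_error_details(text: str) -> List[str]:
    """Return one message per structural problem; an empty list means the file is clean."""
    problems: List[str] = []
    first_seen: Dict[str, int] = {}
    for start, rec, junk in split_records(text):
        label = rec.get("name", "<unnamed>")
        for key in REQUIRED:
            if key not in rec:
                problems.append(f"line {start}: record {label} has no '{key}:' line")
        for key in ("detail", "descr"):
            if key in rec and not QUOTED.match(rec[key]):
                problems.append(f"line {start}: {label} {key} is not one closed double-quoted string")
        if "name" in rec:
            if not NAME_OK.match(rec["name"]):
                problems.append(f"line {start}: name {rec['name']!r} is not an upper-case identifier")
            elif rec["name"] in first_seen:
                problems.append(f"line {start}: duplicate name {label} (first at line {first_seen[rec['name']]})")
            else:
                first_seen[rec["name"]] = start
        for ln in junk:
            problems.append(f"line {ln}: not a 'name:', 'detail:' or 'descr:' line")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python check_error_details.py /path/to/errors/templates/error-details.txt
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for problem in check_error_details(text):
        print(problem)
```

Run it against both error-details.txt files from the listings; a clean file prints nothing. The check is deliberately stricter than Squid needs to be (a quoted value containing an inner double quote is reported), so treat each message as something to look at rather than as proof of the cause of the logged parse error.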
Question by: ianmclachlan

Accepted Solution by: ianmclachlan
I have fixed this by dropping squid 3 - Dev and going with Squid 3.

IM