Closed marvinwankersteen closed 6 months ago
Additional context
- `/usr/local/etc/squid/squid.conf`

```
# Setup regular listeners configuration
http_port 192.168.0.1:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 4MB
sslcrtd_children 5
tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump
sslproxy_cert_error deny all
acl ftp proto FTP
http_access allow ftp
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443 # https
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
icap_enable off
include /usr/local/etc/squid/pre-auth/*.conf
auth_param basic program /usr/local/libexec/squid/basic_pam_auth -o
auth_param basic realm proxy authentication
auth_param basic credentialsttl 1 hours
auth_param basic children 50
acl local_auth proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
include /usr/local/etc/squid/auth/*.conf
#
#
http_access allow local_auth
#
http_access allow localnet
http_access allow localhost
http_access deny all
include /usr/local/etc/squid/post-auth/*.conf
cache_mem 256 MB
coredump_dir /var/squid/cache
#
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
pinger_enable off
logformat opnsense %>a %[ui %>eui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log stdio:/var/log/squid/access.log opnsense
cache_store_log stdio:/var/log/squid/store.log
via off
httpd_suppress_version_string on
uri_whitespace strip
forwarded_for delete
logfile_rotate 0
cache_mgr info@domain.local
error_directory /usr/local/etc/squid/errors/local
```
- `/usr/local/etc/squid/proxy_policies.conf`
```ini
[policy_1f6355a8-58ff-4aa2-af37-e7d49c30c1d6]
policy_type=custom
description=Allow .heise.de
content=.heise.de
applies_on=u:root,u:activedirectoryuser
source_net=192.168.0.0/24
action=allow

[policy_8d1b92d9-7222-4ad3-b1e3-2c2a18176d93]
policy_type=custom
description=Deny .com
content=*
applies_on=g:all_ad_users,u:root
source_net=0.0.0.0/0
action=deny

[source]
blacklist=/usr/local/opnsense/data/proxy/blacklists.tar.gz
blacklist_download_uri=https://opnsense-update.deciso.com/
```
- `/usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf`
```
external_acl_type ext_opnproxy_helper_net ttl=30 negative_ttl=5 %ACL %IDENT %SRC %METHOD %URI /usr/local/opnsense/scripts/OPNProxy/squid_acl_helper.py --sslurlonly
acl opnproxy_ext_acl_net external ext_opnproxy_helper_net
http_access allow opnproxy_ext_acl_net
external_acl_type ext_opnproxy_helper_usr ttl=30 negative_ttl=5 %ACL %LOGIN %SRC %METHOD %URI /usr/local/opnsense/scripts/OPNProxy/squid_acl_helper.py --sslurlonly
acl opnproxy_ext_acl_usr external ext_opnproxy_helper_usr
http_access allow opnproxy_ext_acl_usr
http_access deny local_auth all
```
**Environment**
- OPNsense 23.10.2-amd64
- Intel(R) Xeon(R) Gold 6444Y (4 cores, 4 threads)
- FreeBSD 13.2-RELEASE-p7
- OpenSSL 1.1.1w
- Licensed until 2025-01-20
- VMware Virtual Platform
- os-OPNProxy 1.0.3
- os-squid 1.0.d
- os-redis 1.1_2
- squid 6.6
- redis-server 7.2.3
**Conclusion**
The problem seems to be squid and/or the `%IDENT` variable.
I don't quite understand the meaning behind this variable, because according to the documentation you need an IDENT server for this, but as far as I know this is not available on the OPNsense and we don't have such a server running either.
I hope that someone can help us here, as we only bought the Business Edition for this plugin.
We have also tested all possible variants of the configuration, but none of this changes anything.
Does anyone else have the problem or does anyone have an idea what the problem could be? We need the plugin we bought and it does not work.
Maybe @AdSchellevis?
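The `external_acl_type` lines in the `10-opnproxy-ext.auth.conf` listing above hand every request to a helper process on stdin, one line per request in the configured field order (`%ACL %IDENT %SRC %METHOD %URI`), with `-` standing in for a value Squid does not have (such as a missing IDENT answer), and read an `OK`/`ERR` verdict per line back. The following is an added example, not the OPNProxy plugin's `squid_acl_helper.py` or any other OPNsense code: a minimal helper of that shape that evaluates a policy table modelled on the `proxy_policies.conf` entries shown above, treats `-` as "user unknown", and answers `BH` (the external ACL protocol's "helper problem" code) for a line it cannot parse instead of crashing. The policy table, the rule semantics (an empty user set means any user) and the host-matching rules are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Toy Squid external ACL helper (added example, not the OPNProxy plugin's code).

Reads one request per line in the field order used by the thread's configuration:
    %ACL %IDENT|%LOGIN %SRC %METHOD %URI
(no concurrency= option is set, so there is no leading channel id), evaluates a
small policy table, and answers OK / ERR.  A line that cannot be parsed answers
BH rather than raising, so a missing or '-' identity field never takes the
helper process down.
"""
import ipaddress
import sys
from urllib.parse import urlsplit

# Constructed policy table in the spirit of proxy_policies.conf above (assumption).
# users: empty set = any user (including the unknown '-'); content '*' = any host.
POLICIES = [
    {"content": ".heise.de", "users": {"root", "activedirectoryuser"},
     "source_net": "192.168.0.0/24", "action": "allow"},
    {"content": "*", "users": {"root"},
     "source_net": "0.0.0.0/0", "action": "deny"},
]


def host_of(method, uri):
    """Destination host: CONNECT carries host:port, other methods carry a URL."""
    if method.upper() == "CONNECT":
        return uri.rsplit(":", 1)[0].lower()
    return (urlsplit(uri).hostname or "").lower()


def content_matches(pattern, host):
    """'*' matches everything; a leading-dot pattern matches the domain and its subdomains."""
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def parse_request(line):
    """Split a helper request line; raises ValueError on any malformed input."""
    fields = line.strip().split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields, got %d" % len(fields))
    acl, ident, src, method, uri = fields
    user = None if ident == "-" else ident   # '-' is Squid's marker for "not available"
    return acl, user, ipaddress.ip_address(src), method, uri


def decide(line):
    """Return the helper verdict for one request line: OK, ERR or BH."""
    try:
        _acl, user, src, method, uri = parse_request(line)
    except ValueError:
        return "BH"   # broken request: report it to Squid instead of dying
    host = host_of(method, uri)
    for rule in POLICIES:
        if rule["users"] and user not in rule["users"]:
            continue
        if src not in ipaddress.ip_network(rule["source_net"]):
            continue
        if not content_matches(rule["content"], host):
            continue
        return "OK" if rule["action"] == "allow" else "ERR"
    return "ERR"   # default: deny


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()   # Squid waits for each answer; never buffer them


if __name__ == "__main__":
    main()
```

Run it by hand with `printf 'opnproxy_ext_acl_usr root 192.168.0.10 CONNECT www.heise.de:443\n' | python3 helper.py` to see `OK`; the same request from the `_net` helper arrives with `-` in the identity field, matches no user-scoped rule and is denied, and a line with a missing field yields `BH`, which Squid logs rather than treating as a crashed helper.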
@marvinwankersteen IDENT is supported in combination with stunnel (https://docs.opnsense.org/manual/how-tos/stunnel.html#enable-identd). When there is no ident server, squid shouldn't mind (never did in the past), but the overall stability of squid seemed to have declined over the years unfortunately.

Can you try to replace the `%IDENT` phrase with `-` and test again? Maybe we can think of a work-around and ship an updated plugin.
@AdSchellevis: Thanks for your reply!

Yes, if we replace `%IDENT` with `-` it works. But as soon as we make changes in the GUI, the file `/usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf` is overwritten again.

To get the plugin to work, however, it would be sufficient to comment out lines 2, 3 and 4 in `/usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf`.
@marvinwankersteen we will first try to build the latest squid version to see if that fixes any issues; in the meantime you can disable the ident/network match in `/usr/local/opnsense/service/templates/Deciso/Proxy/10-opnproxy-ext.auth.conf`, which should be persistent.
We tested it again today. The replacement of `%IDENT` with `-` did not work after all. In `/var/log/squid/cache.log` the following lines appear again and again:

```
..
..
2024/03/04 12:04:09 kid1| Too few external_acl_type processes are running (need 1/5)
current master transaction: master56
2024/03/04 12:04:09 kid1| Starting new helpers
current master transaction: master56
2024/03/04 12:04:09 kid1| helperOpenServers: Starting 1/5 '-' processes
current master transaction: master56
2024/03/04 12:04:09 kid1| ipcCreate: -: (2) No such file or directory
current master transaction: master56
2024/03/04 12:04:09 kid1| WARNING: external_acl_type #Hlpr28293 exited
current master transaction: master56
2024/03/04 12:04:09 kid1| Too few external_acl_type processes are running (need 1/5)
current master transaction: master56
2024/03/04 12:04:09 kid1| Starting new helpers
current master transaction: master56
2024/03/04 12:04:09 kid1| helperOpenServers: Starting 1/5 '-' processes
current master transaction: master56
2024/03/04 12:04:09 kid1| ipcCreate: -: (2) No such file or directory
current master transaction: master56
2024/03/04 12:04:09 kid1| WARNING: external_acl_type #Hlpr28294 exited
current master transaction: master56
2024/03/04 12:04:09 kid1| Too few external_acl_type processes are running (need 1/5)
current master transaction: master56
2024/03/04 12:04:09 kid1| Starting new helpers
current master transaction: master56
2024/03/04 12:04:09 kid1| helperOpenServers: Starting 1/5 '-' processes
current master transaction: master56
2024/03/04 12:04:09 kid1| ipcCreate: -: (2) No such file or directory
current master transaction: master56
2024/03/04 12:04:09 kid1| WARNING: external_acl_type #Hlpr28295 exited
current master transaction: master56
2024/03/04 12:04:09 kid1| Too few external_acl_type processes are running (need 1/5)
current master transaction: master56
2024/03/04 12:04:09 kid1| Starting new helpers
current master transaction: master56
2024/03/04 12:04:09 kid1| helperOpenServers: Starting 1/5 '-' processes
current master transaction: master56
..
..
```

We then commented out lines 2, 3 and 4 in `/usr/local/opnsense/service/templates/Deciso/Proxy/10-opnproxy-ext.auth.conf`, as you suggested, and that made it work.
Thank you.
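The `cache.log` excerpt above shows Squid trying to start a helper literally named `-` (`helperOpenServers: Starting 1/5 '-' processes`, then `ipcCreate: -: (2) No such file or directory`). That follows from how Squid reads an `external_acl_type` directive: after the name it consumes options, then format tokens beginning with `%`, and takes the first remaining token as the helper command, so a `-` written where `%IDENT` stood becomes the command and the real script path becomes an argument. As an added illustration, not Squid's or the OPNProxy plugin's code, here is a simplified re-implementation of that tokenization plus a small lint that flags the result; it assumes a partial option list and `shlex`-style quoting, which is enough for the directives in this thread.

```python
#!/usr/bin/env python3
"""Added illustration (not Squid's or the plugin's code): how Squid finds the
helper command in an external_acl_type directive, and a lint that catches a
command which is not an absolute path.  Assumption: the option list is partial
and quoting is reduced to shlex rules."""
import shlex

# Squid external_acl_type options recognised by this simplified parser (partial list).
OPTION_PREFIXES = ("ttl=", "negative_ttl=", "children-max=", "children-startup=",
                   "children-idle=", "concurrency=", "queue-size=", "cache=",
                   "grace=", "protocol=")
FLAG_OPTIONS = {"ipv4", "ipv6"}


def parse_external_acl_type(directive):
    """Split one directive into name, options, format tokens, command and args."""
    tokens = shlex.split(directive)
    if len(tokens) < 2 or tokens[0] != "external_acl_type":
        raise ValueError("not an external_acl_type directive")
    name, i = tokens[1], 2
    options = []
    while i < len(tokens) and (tokens[i].startswith(OPTION_PREFIXES)
                               or tokens[i] in FLAG_OPTIONS):
        options.append(tokens[i])
        i += 1
    fmt = []
    while i < len(tokens) and tokens[i].startswith("%"):
        fmt.append(tokens[i])
        i += 1
    if not fmt:
        raise ValueError("external_acl_type %s has no format tokens" % name)
    if i >= len(tokens):
        raise ValueError("external_acl_type %s has no helper command" % name)
    # The first token that is neither an option nor a %format is the command.
    return {"name": name, "options": options, "format": fmt,
            "command": tokens[i], "args": tokens[i + 1:]}


def lint_directive(directive):
    """Return human-readable findings; an empty list means the line looks sane."""
    try:
        parsed = parse_external_acl_type(directive)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    cmd = parsed["command"]
    if not cmd.startswith("/"):
        findings.append("helper command %r is not an absolute path; "
                        "Squid would try to execute it literally" % cmd)
    stray = [a for a in parsed["args"] if a.startswith("%")]
    if stray:
        findings.append("format-looking tokens %s ended up as helper arguments" % stray)
    return findings


# Constructed samples: the directive from the thread, and the '-' edit that was tried.
ORIGINAL = ("external_acl_type ext_opnproxy_helper_net ttl=30 negative_ttl=5 "
            "%ACL %IDENT %SRC %METHOD %URI "
            "/usr/local/opnsense/scripts/OPNProxy/squid_acl_helper.py --sslurlonly")
EDITED = ORIGINAL.replace("%IDENT", "-")

if __name__ == "__main__":
    for line in (ORIGINAL, EDITED):
        parsed = parse_external_acl_type(line)
        print("command:", parsed["command"], "args:", parsed["args"])
        for finding in lint_directive(line):
            print("  !", finding)
```

Running the script prints the original directive resolving to the `squid_acl_helper.py` path with `--sslurlonly` as its only argument, while the edited line resolves to the command `-` with `%SRC %METHOD %URI` and the script path demoted to arguments, which is exactly the helper Squid keeps failing to spawn in the log. Dropping the `%IDENT` token entirely (rather than substituting a placeholder) keeps the command in place, which is what the later fix of removing ident support amounts to.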
A fix is stashed on our end which removes ident support. I expect this to be released in 24.4
I am currently migrating a legacy project from squid 3.5 to 6. May I ask which version of squid you are running?
That's easy, you can check the versions of all ports in their makefiles. Here: https://github.com/opnsense/ports/blob/master/www/squid/Makefile
**Describe the bug**

Hello, we have purchased a subscription for the Business Edition so that we can use the `os-OPNProxy` plugin to give Active Directory users/groups access to certain pages. Unfortunately, there are major difficulties with Squid when setting it up. After much debugging, here is a bug report in the hope that the problem can be solved.

**To Reproduce**

Steps to reproduce the behavior:
- `os-OPNProxy`, `os-squid` and `os-redis`
- Authentication method to the previously added AD server
- Enable SSL inspection
- Log SNI information only
- http://192.168.0.1:3128
**Expected behavior**

Browser should ask for the (basic) authentication. After successful authentication, the website should be allowed or denied.
**Relevant log files**

Stop squid/proxy in the GUI. Then start squid in debug mode on the CLI and try with `curl` to open some websites. I will add some line breaks in this code block after which `curl` is executed.

```
curl -vI --proxy-header "Proxy-Authorization: Basic <BASE64>" --proxy "http://192.168.0.1:3128" https://www.heise.de
Trying 192.168.0.1:3128...
Connected to 192.168.0.1 (192.168.0.1) port 3128
CONNECT tunnel: HTTP/1.1 negotiated
allocate connect buffer
Establish HTTP proxy tunnel to www.heise.de:443
Proxy CONNECT aborted
Closing connection
curl: (56) Proxy CONNECT aborted
```
`/var/log/system/latest.log`
If we comment out lines 2, 3 and 4 in `/usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf`, the connection is possible and no errors are logged. It also works if we replace `%IDENT` in line 2 with `%LOGIN`.

`curl` again:

In the `/var/log/system/latest.log` you can see that squid starts (two) subprocesses with the Python script `/usr/local/opnsense/scripts/OPNProxy/squid_acl_helper.py`. The first apparently with the first `external_acl_type` to the `%IDENT` variable, which is probably set with `-`. The second call calls the second `external_acl_type`, which probably has no content (NULL byte) in `$IDENT`, and the child process of squid dies. The relevant code in Squid (`src/acl/FilledChecklist.cc`) is:

See `stderr` from squid: