Install Squid and config squid

Dear All,

I just installed FreeBSD 12.2 and Squid on it. But when I configure Squid on FreeBSD, I have a problem with it, as described below.
I configured all computers in the local network to access the website translate.google.com.vn with the code below:

acl google dstdomain translate.google.com.vn
http_access allow google

It works but cannot translate everything; when I access the website, the error is as in the attached file.

Could anyone help to fix this problem?
 
it's possible the page uses multiple domains like gstatic.com play.google.com etc
look in the browser developer menu or squid logs for blocked url/queries
 
pkg update
pkg install squid
You can find the configuration files for this package in the
directory /usr/local/etc/squid
o The default configuration will deny everyone but the local host and local networks as defined in RFC 1918 for IPv4 and RFCs 4193 and 4291 for IPv6 access to the proxy service. Edit the "http_access allow/deny" directives in /usr/local/etc/squid/squid.conf to suit your needs.
o If AUTH_SQL option is set, please, don't forget to install one of following perl modules depending on database you like:
databases/p5-DBD-mysql
databases/p5-DBD-Pg
databases/p5-DBD-SQLite
To enable Squid, set squid_enable=yes in either /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/squid. Please see /usr/local/etc/rc.d/squid for further details.
Note: If you just updated your Squid installation from an earlier version, make sure to check your Squid configuration against the 3.4 default configuration file /usr/local/etc/squid/squid.conf.sample.
/usr/local/etc/squid/squid.conf.documented is a fully annotated configuration file you can consult for further reference.
Additionally, you should check your configuration by calling 'squid -f /path/to/squid.conf -k parse' before starting Squid.
 
If I want to allow URLs/queries, what should I do? Could you please advise?
 
I wrote a tutorial about how to set up a transparent proxy for HTTP(S) connections with Squid on FreeBSD:

This is running here and it fully works with https://translate.google.com.vn/ -- what is .vn for, though?
Thank you, I will follow your manual and let you know. Thanks for your advice.
I also want to ask you: if I want everyone to access translate.google.com.vn only and everything else to be denied, can your config do it?
 
obsigna, I followed your advice but an error happened in:
/usr/local/libexec/squid/security_file_certgen -c -M 4MB \
-s /usr/local/etc/squid/dyn-certs
Error -M option requires an -s parameter be set first.
Could you please advise?
 
Thank you for reporting the issue. I corrected the respective BLog post already. Please do the following:

1. # rm -r /usr/local/etc/squid/dyn-certs
2. # /usr/local/libexec/squid/security_file_certgen -c -s /usr/local/etc/squid/dyn-certs -M 4MB
 
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

#http_access deny to_localhost

http_access allow localnet
http_access allow localhost

http_access deny all
http_port 8080

#cache_dir ufs /var/squid/cache 100 16 256
coredump_dir /var/squid/cache

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Above is the Squid config file, and with it clients can access translate.google.com.vn OK.
But when I remark my LAN and add acl google dstdomain translate.google.com.vn, then users cannot use translate.

# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl google dstdomain translate.google.com.vn
http_access allow google


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

#http_access deny to_localhost

http_access allow localnet
http_access allow localhost

http_access deny all
http_port 8080

#cache_dir ufs /var/squid/cache 100 16 256
coredump_dir /var/squid/cache

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
 
Thanks for your reply. I configured it the same as you showed, but the result is the same problem. I don't know what is wrong here.
 
Me neither. My running instance conforms exactly to what is written in the BLog post. diff(1) shows zero differences between the squid.conf of my running instance and that one in the BLog post.
  1. Do you use squid.conf from my BLog post?
    In case not, please inform the output of # diff obsigna-squid.conf /usr/local/etc/squid/squid.conf?

  2. Did you set up ipfw for port redirection?
    Otherwise, the transparent proxy won’t work.

  3. Did you configure the clients to trust your self-signed proxy.local CA?

  4. On systems running in Brazil and Germany, # host translate.google.com.vn resolves to:
    Code:
    translate.google.com.vn has address 142.250.78.195
    translate.google.com.vn has IPv6 address 2800:3f0:4004:802::2003

    Is this the same on a system in Vietnam, or does this resolve to something hosted in China? Of course not, but what I wanted to say is, that perhaps Google’s server in Vietnam does something which it doesn’t in Brazil and Germany.
 
Thanks for the reply.
Items 1 to 3 are the same as your config, with only the IP address changed.
I think your config is correct, but it is not what I mean.

In my case I don't know what the problem is. But if I allow all networks to access the internet, there is no problem with Google Translate.
The problem only occurs when I block all networks and only allow network clients to access translate.google.com or translate.google.com.vn.
If anyone has any idea, please help me.
 
if i access translate.google.com.vn there are requests to ^(www|ssl|fonts)$.gstatic.com and play.google.com
the play.google.com does not seem to matter but I think you should permit *.gstatic.com too
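
The log check suggested in this thread, as an added example that is not part of any post: a small sh function that counts the destination hosts Squid answered with TCP_DENIED in a native-format access.log. The sample log lines are constructed, and `denied_hosts` and `sample_log` are names chosen here.

```shell
#!/bin/sh
# Added example: count the destination hosts Squid refused (TCP_DENIED).
# Native access.log fields: time elapsed client code/status bytes method URL ...

denied_hosts() {
    # $1: path to an access.log; standard input is read when it is omitted
    awk '
        $4 ~ /^TCP_DENIED\// {
            host = $7
            sub(/^[A-Za-z][A-Za-z0-9+.-]*:\/\//, "", host)  # drop the scheme
            sub(/\/.*$/, "", host)                          # drop path and query
            sub(/:[0-9]+$/, "", host)                       # drop the port
            count[tolower(host)]++
        }
        END { for (h in count) printf "%d %s\n", count[h], h }
    ' "${1:--}" | sort -k1,1nr -k2,2
}

# Constructed sample log lines (not taken from the thread).
sample_log() {
    cat <<'EOF'
1609459200.123     45 192.168.1.20 TCP_DENIED/403 3921 CONNECT www.gstatic.com:443 - HIER_NONE/- text/html
1609459200.456    210 192.168.1.20 TCP_TUNNEL/200 5120 CONNECT translate.google.com.vn:443 - HIER_DIRECT/142.250.78.195 -
1609459201.001     12 192.168.1.20 TCP_DENIED/403 3890 GET http://fonts.gstatic.com/s/font.woff2 - HIER_NONE/- text/html
1609459201.350      9 192.168.1.21 TCP_DENIED/403 3921 CONNECT www.gstatic.com:443 - HIER_NONE/- text/html
1609459202.100      8 192.168.1.21 TCP_DENIED/403 3925 CONNECT play.google.com:443 - HIER_NONE/- text/html
EOF
}

# Demo on the constructed sample; for a real log call: denied_hosts /path/to/access.log
sample_log | denied_hosts
```

Each host in the output is a candidate to review for the `dstdomain` ACL; in Squid a leading dot, as in `.gstatic.com`, matches the domain and all of its subdomains.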
 
Thank you so much for your help. Now it is OK already. Once again, thank you so much.
 