squid question (jail)

I was going to set up squid as a transparent proxy. When I was checking the config I noticed the option
Code:
[ ] SQUID_PF             Enable transparent proxying with PF


Now my question is: do I have to set this for it to work? I thought I could just use redirect rules.

Also, I planned on running squid in its own jail on lo1 with 10.0.0.1 as the IP. Doing it like this wouldn't require me setting SQUID_PF, would it?
 
I think you still need it, because Squid needs to query /dev/pf to find where the original (now redirected) http request was going (< HTTP/1.1, I believe). The squid_pf option instructs Squid to query /dev/pf (not ipf or ipfw devices). I don't know how this plays out in a jail. All of this is hackish and rfc-violating enough as it is ;) You will probably need to remount /dev/pf in the jail too.
 
Hrm... I've never had to mess with jail devices before...

Does this line have something to do with it?
Code:
export jail_squidjail_devfs_ruleset="devfsrules_jail"
 
OK, I figured out the devfs part
Code:
cp /etc/defaults/devfs.rules /etc/

Then either edit the entry for jails or make a new one. I made a new one and added this:
Code:
[devfsrules_squidjail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'pf' unhide

Now I just gotta see if redirect is going to work
 
This worked beautifully

Like I said in the previous post, you have to add /dev/pf; also, you have to change its group to squid
Code:
chgrp squid /dev/pf
chmod g+rw /dev/pf

Set up squid like you normally would, except add "transparent" after the http port like so
Code:
http_port 3128 transparent

I couldn't get it to work with a diskd cache type but the ufs cache type works fine.
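The redirect rules this thread relies on but never shows, as an added example (not code from the thread): a pf.conf fragment for the layout described above, with squid in a jail at 10.0.0.1 on lo1 listening on port 3128 with "http_port 3128 transparent". The interface names and the LAN prefix are assumptions.

```pf
# Added example; assumed interface names and LAN prefix, jail address from the thread.
ext_if     = "em0"
int_if     = "em1"
lan        = "192.168.1.0/24"
squid_ip   = "10.0.0.1"
squid_port = "3128"

# Loopback traffic (including the jail's lo1) is left alone.
set skip on lo0
set skip on lo1

# The jail fetches pages from its private address; masquerade it and the LAN on the way out.
nat on $ext_if inet from { $lan, $squid_ip } to any -> ($ext_if)

# Transparent proxying: LAN clients' plain-HTTP connections arriving on the internal
# interface are redirected into the jail. Only port 80 is caught; HTTPS is not
# redirected, since squid cannot transparently proxy TLS this way.
rdr on $int_if inet proto tcp from $lan to any port 80 -> $squid_ip port $squid_port

# Filtering runs after translation, so the pass rule matches the redirected destination.
pass in on $int_if inet proto tcp from $lan to $squid_ip port $squid_port keep state
pass in on $int_if inet from $lan to any keep state
pass out on $ext_if inet keep state
```

Squid only needs /dev/pf for clients that send no Host: header (pre-HTTP/1.1); for those it looks up the original destination in the same pf instance these rules are loaded into, which is why the jail's devfs ruleset has to unhide pf.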
 
For diskd you need several additions to the kernel to set the proper level of SHMMAX, MSGMNB, and others. Not worth it unless you do dozens of URLs every second, really; ufs and aufs are fine. BTW, squid only needs read access to /dev/pf, so take off the write bit. If you want it to be permanent, add it to /etc/devfs.conf.
 
Thanks man, you're a huge help.

I'm just glad it worked. I like using jails to try things.

If I mess up a config in a jail, it's much easier to fix than if I do it on the base system.

Thanks again for the help.

So I put something like
Code:
own    pf root:100
perm    pf   0640
 
DutchDaemon said:
And

Code:
perm    pf      0640

(the default is 0600 for pf)

And I put this in the jail, right? Because when I check the permissions outside the jail they are still 0600 and owned by root:wheel
 
I have to assume that's where you put it, yes. Don't know enough about the jail - /dev/pf combination.
 
Well, that's weird.

It didn't work, as far as setting it in the jail /etc/devfs.conf.

But... squid is still working.

Logs are showing hits to the cache and what not; the last thing in the log is youtube and fedex, and those are the 2 sites I just hit up

weird
 
I think /dev/pf doesn't need to be consulted for each and every URL. It depends on the protocol (I believe HTTP 1.1 has the Host: header for Squid to use, so it doesn't need /dev/pf, or something to that effect). You can check /usr/local/squid/logs/cache.log. I think it prints a warning about /dev/pf not being available (permission denied), but it's usually not a problem in any way.

Edit: found a better-worded explanation ;)

http://www.benzedrine.cx/transquid.html

Since the destination address is translated for such connections, the squid proxy needs some way to find the originally intended destination address of the web server to fetch the document from. If the client sends a HTTP 1.1 compliant Host: header in its HTTP request, squid uses the specified host. Older clients don't provide a Host: header, in which case squid can query the packet filter about the original destination address of the redirected connection. The latter approach requires the proxy to run on the firewall itself, otherwise the proxy can run on a separate host.

So I guess running a modern client (a recent browser, or recent implementations of fetch/wget/curl/p5-libwww, etc.) is enough not to be worried about /dev/pf being accessible.

BTW, that last line in the quote seems to suggest that Squid needs direct access to 'the original' /dev/pf (in the host, not the jail), but that's a mere guess. Anyway, almost everything is HTTP/1.1 nowadays (except Squid itself ;)), so I think you need not worry.
 
DutchDaemon said:
I think /dev/pf doesn't need to be consulted for each and every URL. It depends on the protocol (I believe HTTP 1.1 has the Host: header for Squid to use, so it doesn't need /dev/pf, or something to that effect). You can check /usr/local/squid/logs/cache.log. I think it prints a warning about /dev/pf not being available (permission denied), but it's usually not a problem in any way.

OK, well, since this didn't work, what about setting a simple script to do it via crontab @reboot?

Also, I remember reading a while back that squid should have
Code:
kern.ipc.nmbclusters="32768"
kern.maxfiles="65536"
kern.maxfilesperproc="32768"
in /boot/loader.conf

Thoughts?

edit:
Hrm, the script didn't work in /etc/crontab but it works if I run it manually as root.
Weird.
Going to try root's crontab -e

edit2:
OK, that worked
Code:
#!/bin/sh
# Group read is all squid needs on /dev/pf; && runs chmod only if chgrp succeeded
chgrp squid /dev/pf && chmod 640 /dev/pf

Saved as /root/squid-perms
and
Code:
@reboot                         /root/squid-perms       >/dev/null 2>&1
in root's crontab works
Code:
crw-r-----  1 root  squid    0,  96 Nov 18 21:14 pf
 
A script to do what exactly?

And no, you don't need those values. Maybe in FreeBSD 5/6 and with a lot of simultaneous users, but FreeBSD can scale to its own needs very well nowadays.

BTW, added quite a lot to the post you responded to, so read that as well. I think you don't need to alter anything once it works.
 
I guess because devices in a jail are clones/mounts of the host's devices that devfs doesn't work inside a jail, or doesn't touch the jail's devices. Not too familiar with that subject, I'm afraid ;)
 
Well, who knows... so far no errors. I've tried about 100 sites using both Safari and Firefox on my hackintosh.

It seems to work. Not sure if /dev/pf makes a difference or not, but oh well, I'm just glad I got it working.

I will say this: when I FIRST set up the proxy it wouldn't work. I had to change
Code:
http_port 3128
to
Code:
http_port 3128 transparent

Perhaps THAT is enough. Anyways, I'm sure I'm not the first person to do this and I'm sure others will want to know how. I've been wondering if I could do it for a while, but it took me a while to get up the courage to try and replace pfSense with plain pf.

So back to the /boot/loader.conf commands:

You're saying FreeBSD alters these settings on its own now?


Oh, and the script I was talking about was simply the 2 commands to change /dev/pf's group and permissions.

When I tried to set it in /etc/crontab, it didn't work.

I never should have bothered with /etc/crontab anyways, as I think it's not for the likes of me to mess with.

Setting the same commands in root's personal crontab worked fine.


Next thing I think I'll try to tackle is understanding ALTQ
 
FreeBSD sets values for a lot of internal settings based on hardware, RAM, CPU, etc. You will hardly ever need to change them, unless you're running a major service for thousands of users. You can override most of them in sysctl.conf and/or loader.conf, but you're very unlikely to hit any system limits unless you're serving up a lot of stuff to a lot of people. I haven't even needed to touch these settings on a proxy with close to 1,000 concurrent users.
 