Re: [squid-users] Struggling with 3.5.16 on FreeBSD-9.3

2016-04-19 Thread Odhiambo Washington
On 18 April 2016 at 20:14, Nick Rogers  wrote:

>
>
> On Fri, Apr 15, 2016 at 8:45 AM, Odhiambo Washington 
> wrote:
>
>> Hello Amos,
>>
>> All noted.
>>
>> Lemme consult with some FreeBSD guys on these .
>>
>
> As a FreeBSD user, here's my two cents.
>
> You should be using the www/squid port.
>
> If the port doesn't compile with the options you wish, open a problem
> report with FreeBSD and/or ask on the FreeBSD ports mailing list. The
> maintainer of the www/squid port is pretty responsive and helpful.
>
> I don't have any issues with www/squid on FreeBSD 10.1-RELEASE.
>
>
That much I know, and love, but this box was running squid-2.7.9 for years
and was in production servicing about 100 users. I wasn't going to do 'make
install' from the port and cause disruption. Plus I came to realize only
later that 3.2.16 was the www/squid.
For the record, I like playing with new software manually, compiling by
hand and testing before deploying. That's why I was struggling with this
'by hand'. Also note that my FreeBSD version was 8.4 (EoL).
-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Struggling with 3.5.16 on FreeBSD-9.3

2016-04-18 Thread Nick Rogers
On Fri, Apr 15, 2016 at 8:45 AM, Odhiambo Washington 
wrote:

> Hello Amos,
>
> All noted.
>
> Lemme consult with some FreeBSD guys on these .
>

As a FreeBSD user, here's my two cents.

You should be using the www/squid port.

If the port doesn't compile with the options you wish, open a problem
report with FreeBSD and/or ask on the FreeBSD ports mailing list. The
maintainer of the www/squid port is pretty responsive and helpful.

I don't have any issues with www/squid on FreeBSD 10.1-RELEASE.


>
> On 15 April 2016 at 18:13, Amos Jeffries  wrote:
>
>> On 16/04/2016 1:29 a.m., Odhiambo Washington wrote:
>> >
>> > With luck, I have managed to get squid to compile successfully (after
>> > upgrading a few components here and there). I used:
>>
>> Yay!
>>
>> >
>> > I have it running now (redirecting using IPFilter/IPNAT), but once in a
>> > while I see this error about NAT:
>> >
>> 
>> > 2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original
>> IPs
>> > on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
>>
>> These are the kernel NAT system telling Squid the connection being
>> looked up has no record there.
>>
>> It could be TCP connections being made straight to the intercept port.
>> If so you need to update the firewall config to prevent them, even from
>> localhost.
>> In Linux we use a mangle table rule, since that is the filter pre-NAT
>> that can do it. I'm not sure how FreeBSD would do that. It has to be
>> done on packets' first arrival pre-NAT. Any filter that is applied after
>> the NAT action will get it wrong due to the NAT changes.
>>
>>
>> It could be the NAT system's table of connections filling up and
>> overflowing. If so there should be a kernel sysctl somewhere to increase
>> that table size.
>>
>> >
>> > In any case, I am planning to rewrite the IPNAT rules into PF and use
>> PF.
>> > It's the inception stage so I haven't delved deep into ssl-bump
>> > configurations...
>> >
>>
>> HTH
>> Amos
>>
>>
>


Re: [squid-users] Struggling with 3.5.16 on FreeBSD-9.3

2016-04-18 Thread Marko Cupać
On Wed, 13 Apr 2016 21:02:32 +0300
Odhiambo Washington  wrote:

> Hi Amos,
> 
> I bit the bullet and upgraded my FreeBSD-8.4 -> 9.3.
> 
> I am struggling to compile squid-3.5.16. I just have to find a way to
> make it compile and run, by all means.

Why don't you compile it from ports?
https://www.freshports.org/www/squid/
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/


Re: [squid-users] Struggling with 3.5.16 on FreeBSD-9.3

2016-04-15 Thread Odhiambo Washington
Hello Amos,

All noted.

Lemme consult with some FreeBSD guys on these .

On 15 April 2016 at 18:13, Amos Jeffries  wrote:

> On 16/04/2016 1:29 a.m., Odhiambo Washington wrote:
> >
> > With luck, I have managed to get squid to compile successfully (after
> > upgrading a few components here and there). I used:
>
> Yay!
>
> >
> > I have it running now (redirecting using IPFilter/IPNAT), but once in a
> > while I see this error about NAT:
> >
> 
> > 2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original
> IPs
> > on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
>
> These are the kernel NAT system telling Squid the connection being
> looked up has no record there.
>
> It could be TCP connections being made straight to the intercept port.
> If so you need to update the firewall config to prevent them, even from
> localhost.
> In Linux we use a mangle table rule, since that is the filter pre-NAT
> that can do it. I'm not sure how FreeBSD would do that. It has to be
> done on packets' first arrival pre-NAT. Any filter that is applied after
> the NAT action will get it wrong due to the NAT changes.
>
>
> It could be the NAT system's table of connections filling up and
> overflowing. If so there should be a kernel sysctl somewhere to increase
> that table size.
>
> >
> > In any case, I am planning to rewrite the IPNAT rules into PF and use PF.
> > It's the inception stage so I haven't delved deep into ssl-bump
> > configurations...
> >
>
> HTH
> Amos
>
>


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [squid-users] Struggling with 3.5.16 on FreeBSD-9.3

2016-04-15 Thread Amos Jeffries
On 16/04/2016 1:29 a.m., Odhiambo Washington wrote:
>
> With luck, I have managed to get squid to compile successfully (after
> upgrading a few components here and there). I used:

Yay!

> 
> I have it running now (redirecting using IPFilter/IPNAT), but once in a
> while I see this error about NAT:
> 

> 2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs
> on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33

These are the kernel NAT system telling Squid the connection being
looked up has no record there.

It could be TCP connections being made straight to the intercept port.
If so you need to update the firewall config to prevent them, even from
localhost.
In Linux we use a mangle table rule, since that is the filter pre-NAT
that can do it. I'm not sure how FreeBSD would do that. It has to be
done on packets' first arrival pre-NAT. Any filter that is applied after
the NAT action will get it wrong due to the NAT changes.


It could be the NAT system's table of connections filling up and
overflowing. If so there should be a kernel sysctl somewhere to increase
that table size.

> 
> In any case, I am planning to rewrite the IPNAT rules into PF and use PF.
> It's the inception stage so I haven't delved deep into ssl-bump
> configurations...
> 

HTH
Amos

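A small cache.log triage script, added here as an example (it is not part of the thread and not Squid's own tooling), that tallies where the "NAT/TPROXY lookup failed" errors come from, which helps separate the two causes Amos lists: connections made straight to the intercept port (including from the proxy host itself) versus the NAT state table overflowing across many clients. The log lines and the proxy address 192.168.55.254 are constructed for the example, modelled on the addresses quoted above.

```shell
#!/bin/sh
# Added example: summarise the sources of Squid's "NAT/TPROXY lookup
# failed" errors. Many hits from 127.0.0.1 or the proxy's own address point
# at clients (or local software) connecting directly to the intercept port;
# a broad spread across LAN clients fits a NAT table that is overflowing.
# Usage on a real box:  nat_fail_sources < /path/to/cache.log

PROXY_IP="192.168.55.254"   # assumption: the proxy's own LAN address

# Constructed sample of cache.log lines (not a real capture).
sample_log() {
cat <<'EOF'
2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
2016/04/15 16:17:40| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=127.0.0.1:41022 FD 31 flags=33
2016/04/15 16:18:02| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.254:50001 FD 33 flags=33
2016/04/15 16:18:05| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57801 FD 35 flags=33
2016/04/15 16:18:09| Accepting ICP messages on [::]:3130
EOF
}

# Print "count ip" per remote address, most frequent first (reads stdin).
nat_fail_sources() {
    grep 'NAT/TPROXY lookup failed' |
        sed -n 's/.*remote=\([0-9.]*\):[0-9]*.*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Count failed lookups whose remote side is the proxy host itself
# (loopback or its own LAN address), i.e. direct hits on the intercept port.
nat_fail_local() {
    grep 'NAT/TPROXY lookup failed' |
        grep -c -e 'remote=127\.' -e "remote=$PROXY_IP:"
}

# Total number of failed lookups in the log (reads stdin).
nat_fail_total() {
    grep -c 'NAT/TPROXY lookup failed'
}
```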


Re: [squid-users] Struggling with 3.5.16 on FreeBSD-9.3

2016-04-15 Thread Odhiambo Washington
On 14 April 2016 at 03:56, Amos Jeffries  wrote:

> On 14/04/2016 6:02 a.m., Odhiambo Washington wrote:
> > Hi Amos,
> >
> > I bit the bullet and upgraded my FreeBSD-8.4 -> 9.3.
> >
> > I am struggling to compile squid-3.5.16. I just have to find a way to
> make
> > it compile and run, by all means.
> >
> > So now here is what happens:
> >
> >
> > #!/bin/sh
> > ./configure --prefix=/opt/squid-3.5 \
> > --enable-removal-policies="lru heap" \
> > --disable-epoll \
> > --with-pthreads \
> > --enable-storeio="ufs diskd rock aufs" \
> > --enable-delay-pools \
> > --enable-snmp  \
> > --with-openssl=/usr \
> > --enable-forw-via-db \
> > --enable-cache-digests \
> > --enable-wccpv2 \
> > --enable-follow-x-forwarded-for \
> > --with-large-files \
> > --enable-esi \
> > --enable-kqueue \
> > --enable-icap-client \
> > --enable-kill-parent-hack \
> > --enable-ssl \
> > --enable-ssl-crtd \
> > --enable-url-rewrite-helpers \
> > --enable-xmalloc-statistics \
> > --enable-stacktraces \
> > --enable-zph-qos \
> > --enable-eui \
> > --with-nat-devpf \
> > --enable-pf-transparent \
> > --enable-ipf-transparent \
> > --enable-auth \
> >
> > My config.log output is here: http://goo.gl/LcV1yN
> >
> > And this is how the compile fails:
> > Making all in negotiate_auth
> > Making all in kerberos
> > depbase=`echo negotiate_kerberos_auth.o | sed
> > 's|[^/]*$|.deps/&|;s|\.o$||'`; g++ -DHAVE_CONFIG_H-I../../..
> > -I../../../include  -I../../../lib -I../../../src  -I../../../include
> >  -I/usr/include  -I/usr/include  -I../../../libltdl -I. -I/usr/include
> > -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Wall
> > -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual
> > -Werror -pipe -D_REENTRANT -I/usr/local/include  -g -O2 -march=native
> > -I/usr/local/include -MT negotiate_kerberos_auth.o -MD -MP -MF
> $depbase.Tpo
> > -c -o negotiate_kerberos_auth.o negotiate_kerberos_auth.cc && mv -f
> > $depbase.Tpo $depbase.Po
> > negotiate_kerberos_auth.cc: In function 'int main(int, char* const*)':
> > negotiate_kerberos_auth.cc:754: error:
> > 'gsskrb5_extract_authz_data_from_sec_context' was not declared in this
> scope
> > *** [negotiate_kerberos_auth.o] Error code 1
> >
>
> Strange. Check the Kerberos / krb5 libraries available are up to date.
> Or for now you may need to use one or more of these:
>  --without-mit-kerberos \
>  --without-heimdal-kerbers \
>  --without-gssapi-kerberos
>
>
With luck, I have managed to get squid to compile successfully (after
upgrading a few components here and there). I used:

#!/bin/sh
env LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include CC=clang \
CXX=clang++ CPP=clang-cpp ./configure --prefix=/opt/squid-3.5 \
--enable-removal-policies="lru heap" \
--disable-epoll \
--with-pthreads \
--enable-storeio="ufs diskd rock aufs" \
--enable-delay-pools \
--enable-snmp  \
--with-openssl=/usr \
--enable-forw-via-db \
--enable-cache-digests \
--enable-wccpv2 \
--enable-follow-x-forwarded-for \
--with-large-files \
--enable-esi \
--enable-kqueue \
--enable-icap-client \
--enable-kill-parent-hack \
--enable-ssl \
--enable-ssl-crtd \
--enable-url-rewrite-helpers \
--enable-xmalloc-statistics \
--enable-stacktraces \
--enable-zph-qos \
--enable-eui \
--with-nat-devpf \
--enable-pf-transparent \
--enable-ipf-transparent \
--without-mit-kerberos \
--without-heimdal-kerbers \
--without-gssapi-kerberos \
--enable-auth
>
> >
> > I am getting closer I think.
> >
> > The initial compile that I had before the upgrade from 8.4 to 9.3 cannot
> > run. Gives a different error:
> >
> > 2016/04/13 14:12:13| Accepting NAT intercepted SSL bumped HTTPS Socket
> > connections at local=192.168.55.254:13129 remote=[::] FD 36 flags=41
> > 2016/04/13 14:12:13| Accepting ICP messages on [::]:3130
> > 2016/04/13 14:12:13| Sending ICP messages from [::]:3130
> > 2016/04/13 14:12:13| ERROR: NAT/TPROXY lookup failed to locate original
> IPs
> > on local=192.168.55.254:13128 remote=192.168.55.83:50648 FD 14 flags=33
>
>
> 
>
> I don't think IPFilter (--enable-ipf-transparent) works on FreeBSD.
>
> PacketFilter (PF, --enable-pf-transparent --with-nat-devpf) and IPFW
> (--enable-ipfw-transparent) should do.
>
> Be careful of the 'f' and 'w' characters there, it can be a bit
> confusing with all those different names.
>
>
> NP: the same error message can occur if you have simply configured DNAT
> / REDIRECT 

Re: [squid-users] Struggling with 3.5.16 on FreeBSD-9.3

2016-04-13 Thread Amos Jeffries
On 14/04/2016 6:02 a.m., Odhiambo Washington wrote:
> Hi Amos,
> 
> I bit the bullet and upgraded my FreeBSD-8.4 -> 9.3.
> 
> I am struggling to compile squid-3.5.16. I just have to find a way to make
> it compile and run, by all means.
> 
> So now here is what happens:
> 
> 
> #!/bin/sh
> ./configure --prefix=/opt/squid-3.5 \
> --enable-removal-policies="lru heap" \
> --disable-epoll \
> --with-pthreads \
> --enable-storeio="ufs diskd rock aufs" \
> --enable-delay-pools \
> --enable-snmp  \
> --with-openssl=/usr \
> --enable-forw-via-db \
> --enable-cache-digests \
> --enable-wccpv2 \
> --enable-follow-x-forwarded-for \
> --with-large-files \
> --enable-esi \
> --enable-kqueue \
> --enable-icap-client \
> --enable-kill-parent-hack \
> --enable-ssl \
> --enable-ssl-crtd \
> --enable-url-rewrite-helpers \
> --enable-xmalloc-statistics \
> --enable-stacktraces \
> --enable-zph-qos \
> --enable-eui \
> --with-nat-devpf \
> --enable-pf-transparent \
> --enable-ipf-transparent \
> --enable-auth \
> 
> My config.log output is here: http://goo.gl/LcV1yN
> 
> And this is how the compile fails:
> Making all in negotiate_auth
> Making all in kerberos
> depbase=`echo negotiate_kerberos_auth.o | sed
> 's|[^/]*$|.deps/&|;s|\.o$||'`; g++ -DHAVE_CONFIG_H-I../../..
> -I../../../include  -I../../../lib -I../../../src  -I../../../include
>  -I/usr/include  -I/usr/include  -I../../../libltdl -I. -I/usr/include
> -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Wall
> -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual
> -Werror -pipe -D_REENTRANT -I/usr/local/include  -g -O2 -march=native
> -I/usr/local/include -MT negotiate_kerberos_auth.o -MD -MP -MF $depbase.Tpo
> -c -o negotiate_kerberos_auth.o negotiate_kerberos_auth.cc && mv -f
> $depbase.Tpo $depbase.Po
> negotiate_kerberos_auth.cc: In function 'int main(int, char* const*)':
> negotiate_kerberos_auth.cc:754: error:
> 'gsskrb5_extract_authz_data_from_sec_context' was not declared in this scope
> *** [negotiate_kerberos_auth.o] Error code 1
> 

Strange. Check the Kerberos / krb5 libraries available are up to date.
Or for now you may need to use one or more of these:
 --without-mit-kerberos \
 --without-heimdal-kerbers \
 --without-gssapi-kerberos


> 
> I am getting closer I think.
> 
> The initial compile that I had before the upgrade from 8.4 to 9.3 cannot
> run. Gives a different error:
> 
> 2016/04/13 14:12:13| Accepting NAT intercepted SSL bumped HTTPS Socket
> connections at local=192.168.55.254:13129 remote=[::] FD 36 flags=41
> 2016/04/13 14:12:13| Accepting ICP messages on [::]:3130
> 2016/04/13 14:12:13| Sending ICP messages from [::]:3130
> 2016/04/13 14:12:13| ERROR: NAT/TPROXY lookup failed to locate original IPs
> on local=192.168.55.254:13128 remote=192.168.55.83:50648 FD 14 flags=33
I don't think IPFilter (--enable-ipf-transparent) works on FreeBSD.

PacketFilter (PF, --enable-pf-transparent --with-nat-devpf) and IPFW
(--enable-ipfw-transparent) should do.

Be careful of the 'f' and 'w' characters there, it can be a bit
confusing with all those different names.


NP: the same error message can occur if you have simply configured DNAT
/ REDIRECT external to the Squid machine.

Amos