# Squid in jail



## bbzz (Apr 20, 2012)

After setting up DNS in a jail, I'm having a harder time with *squid31*.

What I get in 
`# tail -f /var/log/squid/access.log`
is

```
2012/04/20 16:14:14| IpIntercept.cc(316) PfInterception: PF open failed: (13) Permission denied
2012/04/20 16:14:28| IpIntercept.cc(316) PfInterception: PF open failed: (13) Permission denied
```

Can someone point me in the direction of what needs to be done after:

1. Squid is installed and configured to run correctly in jail
2. Host *pf* is redirecting www traffic to jailed port 3128

I couldn't find a resource online on how to deal with pf and squid in a jail, just random individual problems.

Thanks.


----------



## DutchDaemon (Apr 20, 2012)

Put this in /etc/devfs.conf:

```
# Allow Squid read access to /dev/pf
own	pf	root:squid
perm    pf      0640
```
and run `service devfs restart`.

This works in a non-jailed environment, so ymmv.


----------



## bbzz (Apr 20, 2012)

I played around with this a bit. The above suggestion doesn't work: squid is not running on the host, so the above won't even parse. In the jail it doesn't make a difference.

I'm not sure there is a need for the transparent *pf* service, since I am already redirecting traffic to the jail. It seems to work, but there is just a huge amount of "TCP_MISS" logs. Occasionally there is a hit, etc., but shouldn't things like YouTube videos get cached?

Also, the following script I use for checking Gmail doesn't work:

```
#!/usr/local/bin/python

import sys
import urllib             
import feedparser         
from textwrap import wrap

_URL = "https://mail.google.com/gmail/feed/atom"

uname = sys.argv[1]
password = sys.argv[2]

urllib.FancyURLopener.prompt_user_passwd = lambda self, host, realm: (uname, password)

def auth():
    '''The method to do HTTPBasicAuthentication'''
    opener = urllib.FancyURLopener()
    f = opener.open(_URL)
    feed = f.read()
    return feed

def readmail(feed):
    '''Parse the Atom feed and print a summary'''
    atom = feedparser.parse(feed)
    print '%s new' % len(atom.entries)

if __name__ == "__main__":
    f = auth()  
    readmail(f)
```

Basically, what I get is this:

```
Traceback (most recent call last):
  File "/home/bbzz/.scripts/check_gmail", line 43, in <module>
    f = auth()  # Do auth and then get the feed
  File "/home/bbzz/.scripts/check_gmail", line 33, in auth
    f = opener.open(_URL)
  File "/usr/local/lib/python2.7/urllib.py", line 205, in open
    return getattr(self, name)(url)
  File "/usr/local/lib/python2.7/urllib.py", line 435, in open_https
    h.endheaders(data)
  File "/usr/local/lib/python2.7/httplib.py", line 951, in endheaders
    self._send_output(message_body)
  File "/usr/local/lib/python2.7/httplib.py", line 811, in _send_output
    self.send(msg)
  File "/usr/local/lib/python2.7/httplib.py", line 773, in send
    self.connect()
  File "/usr/local/lib/python2.7/httplib.py", line 1158, in connect
    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
  File "/usr/local/lib/python2.7/ssl.py", line 372, in wrap_socket
    ciphers=ciphers)
  File "/usr/local/lib/python2.7/ssl.py", line 134, in __init__
    self.do_handshake()
  File "/usr/local/lib/python2.7/ssl.py", line 296, in do_handshake
    self._sslobj.do_handshake()
IOError: [Errno socket error] [Errno 1] _ssl.c:503: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
```

The squid log shows:

```
1334954618.636      0 192.168.0.2 NONE/400 3646 NONE error:invalid-request - NONE/- text/html
1334954713.752      0 192.168.0.2 NONE/400 3646 NONE error:invalid-request - NONE/- text/html
```
Is there an option to make this work?

Other than that, this has been an exercise in hell. I'm not sure if it works, since there is just a huge number of misses. I remember setting this up before with ease, but it wasn't jailed.
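The access.log lines above carry the answer to both questions in this post (the flood of TCP_MISS and the NONE/400 entries), but it is easier to see in aggregate. The following is an added example, not code from the thread: a POSIX sh/awk triage script for Squid's native access.log format. SAMPLE_LOG is constructed for this example (hostnames, addresses and sizes are made up); only its NONE/400 line mirrors what the poster saw.

```shell
#!/bin/sh
# Added example, not code from the thread: triage a Squid access.log so that
# cache hits, misses and the NONE/400 "error:invalid-request" lines can be told
# apart. SAMPLE_LOG is constructed for this example in Squid's native log
# format; only its NONE/400 line mirrors what the poster saw.
#
# usage: sh squid-log-triage.sh /var/log/squid/access.log   (or --demo)

SAMPLE_LOG='1334954600.001    120 192.168.0.2 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1334954601.002      3 192.168.0.2 TCP_HIT/200 5123 GET http://www.example.com/index.html - NONE/- text/html
1334954602.003    900 192.168.0.3 TCP_MISS/200 2097152 GET http://v1.video.example.net/videoplayback?id=abc&itag=34 - DIRECT/203.0.113.5 video/x-flv
1334954603.004    850 192.168.0.3 TCP_MISS/200 2097152 GET http://v2.video.example.net/videoplayback?id=abc&itag=34 - DIRECT/203.0.113.6 video/x-flv
1334954604.005      0 192.168.0.2 NONE/400 3646 NONE error:invalid-request - NONE/- text/html
1334954605.006      2 192.168.0.2 TCP_MEM_HIT/200 812 GET http://www.example.com/logo.png - NONE/- image/png
1334954606.007     60 192.168.0.4 TCP_REFRESH_UNMODIFIED/304 311 GET http://www.example.com/style.css - DIRECT/93.184.216.34 text/css'

# Native format: field 4 is RESULT/STATUS (TCP_MISS/200), field 6 the method,
# field 7 the URL. Reads the file(s) given as arguments, or stdin.
# Prints one line: "<hits> <misses> <invalid-request> <total>".
summarise_access_log() {
    awk '
    {
        split($4, rc, "/")
        total++
        if (rc[1] ~ /_HIT$|_UNMODIFIED$/) hits++
        else if (rc[1] ~ /_MISS$/) misses++
        else if (rc[1] == "NONE" && $6 == "NONE" && $7 == "error:invalid-request") invalid++
    }
    END { printf "%d %d %d %d\n", hits, misses, invalid, total }' "$@"
}

# Misses whose URL carries a query string. The squid.conf shipped with the port
# has "refresh_pattern -i (/cgi-bin/|\?) 0 0% 0", so such URLs are never stored;
# video served as .../videoplayback?id=...&itag=... is therefore always TCP_MISS
# unless that pattern is changed.
dynamic_misses() {
    awk '$4 ~ /_MISS\// && index($7, "?") { n++ } END { print n + 0 }' "$@"
}

# Human-readable report for the given log file(s).
report() {
    summary=$(summarise_access_log "$@")
    dyn=$(dynamic_misses "$@")
    set -- $summary
    hits=$1 misses=$2 invalid=$3 total=$4
    printf 'requests: %s  hits: %s  misses: %s (%s with a query string)\n' \
        "$total" "$hits" "$misses" "$dyn"
    if [ "$invalid" -gt 0 ]; then
        printf 'NONE/400 error:invalid-request: %s  <- non-HTTP bytes on http_port,\n' "$invalid"
        printf '  typically TLS ClientHellos that pf redirected to port 3128\n'
    fi
    if [ "$total" -gt 0 ]; then
        printf 'hit ratio: %s%%\n' $(( hits * 100 / total ))
    fi
}

case "${1:-}" in
    --demo) tmp=$(mktemp) && printf '%s\n' "$SAMPLE_LOG" > "$tmp" && report "$tmp"; rm -f "$tmp" ;;
    "")     ;;
    *)      report "$@" ;;
esac
```

Run it as `sh squid-log-triage.sh /var/log/squid/access.log` in the jail. A NONE/400 `error:invalid-request` entry with method NONE means Squid received bytes on its http_port that are not an HTTP request line; a TLS ClientHello that the host's rdr rule sent to port 3128 looks exactly like that, and the HTML error page Squid sends back is what the client's OpenSSL reports as `SSL23_GET_SERVER_HELLO:unknown protocol`. Misses with a query string are not a jail problem at all: the default `refresh_pattern` for `?` URLs keeps them out of the cache.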


----------



## bbzz (Apr 20, 2012)

Looks like I can't access Gmail at all through squid with a browser, which is why the above script won't work, I guess.


----------



## bbzz (Apr 22, 2012)

Update: I managed to get transparent *pf* working in the jail, but I don't think it matters. Like I said, traffic is already getting redirected by the host *pf*. I don't see a difference when compiling with or without the 'transparent pf' option.

The problem I have remains: I can't access certain pages, such as Gmail, through the cache server.
Can this be fixed?


----------



## DutchDaemon (Apr 22, 2012)

You're probably referring to https traffic. This cannot be redirected, as it would break the end-to-end encryption (a.k.a. man-in-the-middle attack). You need to let traffic to destination port 443 through.


----------



## bbzz (Apr 22, 2012)

I figured it was something like that. However, not all https pages are 'broken'.
So only requests on port 80 should technically be redirected to the jail?

Thanks again.


----------



## DutchDaemon (Apr 22, 2012)

Yes, only straight http traffic, which is mostly on port 80.
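Putting the two answers in this thread together (the devfs change that gives Squid read access to /dev/pf, and redirecting only port 80 while passing 443 through), the following is an added example, not code from the thread or from the Squid or FreeBSD documentation. It generates the host-side files for a jailed Squid into a staging directory for review; it does not touch /etc. Everything concrete in it is assumed: em1 as the LAN interface, 192.168.0.0/24 as the LAN, 192.168.0.10 as the jail's address, a jail named `squid`, gid 100 for the squid group inside the jail (the ports default) and devfs ruleset number 100. Unlike the devfs.conf suggestion above, which only works when the squid group exists on the host, this uses a devfs *ruleset* attached to the jail with a numeric gid.

```shell
#!/bin/sh
# Added example, not from the thread or from the Squid/FreeBSD documentation:
# generate the host-side pieces for a Squid jail behind a pf redirect that
# forwards plain HTTP only. Files are written under a staging directory for
# review; nothing touches /etc. Assumed values (override via the environment):
#   LAN_IF=em1  LAN=192.168.0.0/24  JAIL_IP=192.168.0.10  JAIL=squid
#   SQUID_GID=100  (gid of "squid" inside the jail; the ports default)
#   RULESET=100    (devfs ruleset number for the jail)
#
# usage: sh squid-jail-stage.sh /tmp/squid-stage

LAN_IF=${LAN_IF:-em1}
LAN=${LAN:-192.168.0.0/24}
JAIL_IP=${JAIL_IP:-192.168.0.10}
JAIL=${JAIL:-squid}
SQUID_GID=${SQUID_GID:-100}
RULESET=${RULESET:-100}

# /etc/devfs.rules: the usual hidden/basic/login set for a jail, plus /dev/pf
# made visible and readable by the squid group only. The gid is numeric because
# the squid group normally exists only inside the jail, not on the host.
devfs_rules() {
    cat <<EOF
[devfsrules_jail_${JAIL}=${RULESET}]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add path pf unhide
add path pf group ${SQUID_GID}
add path pf mode 0640
EOF
}

# /etc/rc.conf lines that attach the ruleset to the jail (rc.conf-style jail
# configuration; with jail.conf the equivalent is "devfs_ruleset = ${RULESET};").
rc_conf_jail() {
    cat <<EOF
jail_${JAIL}_devfs_enable="YES"
jail_${JAIL}_devfs_ruleset="devfsrules_jail_${JAIL}"
EOF
}

# /etc/pf.conf fragment for the host: redirect LAN port-80 traffic into the jail,
# never redirect the jail's own traffic, and let 443 through untouched.
pf_rules() {
    cat <<EOF
lan_if  = "${LAN_IF}"
lan     = "${LAN}"
jail_ip = "${JAIL_IP}"

# the proxy's own outbound HTTP must not be fed back into the proxy
no rdr on \$lan_if proto tcp from \$jail_ip to any port 80
# plain HTTP from the LAN goes to the jailed Squid
rdr pass on \$lan_if proto tcp from \$lan to any port 80 -> \$jail_ip port 3128
# HTTPS stays end-to-end; intercepting it would be a man-in-the-middle
pass in on \$lan_if proto tcp from \$lan to any port 443 keep state
EOF
}

# squid.conf line for inside the jail: intercept mode is what makes Squid open
# /dev/pf to look up the original destination of each redirected connection.
squid_conf() {
    printf 'http_port %s:3128 intercept\n' "$JAIL_IP"
}

# Destination ports that the generated pf rules redirect; a quick check that
# 443 is not among them.
redirected_ports() {
    pf_rules | awk '$1 == "rdr" { for (i = 1; i < NF; i++) if ($i == "port" && $(i + 2) == "->") print $(i + 1) }'
}

# Write everything under the staging directory given as $1.
stage() {
    dir=$1
    mkdir -p "$dir/etc" "$dir/usr/local/etc/squid" || return 1
    devfs_rules  > "$dir/etc/devfs.rules"
    rc_conf_jail > "$dir/etc/rc.conf.jail"
    pf_rules     > "$dir/etc/pf.conf.squid"
    squid_conf   > "$dir/usr/local/etc/squid/squid.conf.intercept"
}

case "${1:-}" in
    "") ;;
    *)  stage "$1" && printf 'staged under %s; redirected ports: %s\n' "$1" "$(redirected_ports | tr '\n' ' ')" ;;
esac
```

After reviewing the staged files, merge the devfs block into /etc/devfs.rules and the two jail lines into /etc/rc.conf (a running jail picks the ruleset up with `devfs -m /path/to/jail/dev rule -s 100 applyset`), merge the pf lines into /etc/pf.conf and reload with `pfctl -f /etc/pf.conf`, and put the `http_port` line into the jail's squid.conf. Two caveats: the `no rdr` line is deliberate, because without it a proxy whose own outbound HTTP matched the rdr rule would loop into itself; and /dev/pf is handed to the jail as group-readable only (0640), since even a read-only descriptor lets whatever holds it query the host's NAT and state tables, and Squid's intercept lookup needs nothing more than that.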


----------

