# squid question (jail)



## wonslung (Nov 18, 2009)

I was going to set up squid as a transparent proxy. When I was checking the config I noticed the option

```
│ │[ ] SQUID_PF             Enable transparent proxying with PF    │ │
```


Now my question is: do I have to set this for it to work? I thought I could just use redirect rules.

Also, I planned on running squid in its own jail on lo1 with 10.0.0.1 as the IP. Doing it like this wouldn't require me setting SQUID_PF, would it?


----------



## DutchDaemon (Nov 18, 2009)

I think you still need it, because Squid needs to query /dev/pf to find where the original (now redirected) http request was going (< HTTP/1.1, I believe). The squid_pf option instructs Squid to query /dev/pf (not ipf or ipfw devices). I don't know how this plays out in a jail. All of this is hackish and rfc-violating enough as it is. You will probably need to remount /dev/pf in the jail too.


----------



## wonslung (Nov 18, 2009)

Hrm... I've never had to mess with jail devices before...

Does this line have something to do with it?

```
export jail_squidjail_devfs_ruleset="devfsrules_jail"
```


----------



## wonslung (Nov 18, 2009)

OK, I figured out the devfs part:

```
cp /etc/defaults/devfs.rules /etc/
```

Then either edit the entry for jails or make a new one. I made a new one and added this:

```
[devfsrules_squidjail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'pf' unhide
```

Now I just gotta see if redirect is going to work.


----------



## wonslung (Nov 18, 2009)

This worked beautifully.

Like I said in the previous post, you have to add /dev/pf; also, you have to change its group to squid:

```
chgrp squid /dev/pf
chmod g+rw /dev/pf
```

Set up squid like you normally would, except add "transparent" after the http port, like so:

```
http_port 3128 transparent
```

I couldn't get it to work with the diskd cache type, but the ufs cache type works fine.


----------



## DutchDaemon (Nov 18, 2009)

For diskd you need several additions to the kernel to set the proper level of SHMMAX, MSGMNB, and others. Not worth it unless you do dozens of URLs every second, really; ufs and aufs are fine. BTW, squid only needs read access to /dev/pf, so take off the write bit. If you want it to be permanent, add it to /etc/devfs.conf.


----------



## wonslung (Nov 18, 2009)

Thanks man, you're a huge help.

I'm just glad it worked. I like using jails to try things.

If I mess up a config in a jail, it's much easier to fix than if I do it on the base system.

Thanks again for the help.

So I put something like

```
own    pf root:100
perm    pf   0640
```


----------



## DutchDaemon (Nov 18, 2009)

And


```
perm    pf      0640
```

(the default is 0600 for pf)


----------



## wonslung (Nov 18, 2009)

DutchDaemon said:

> And
>
> ```
> ...
> ```


And I put this in the jail, right? Because when I check the permissions outside the jail they are still 0600 and owned by root:wheel.


----------



## DutchDaemon (Nov 18, 2009)

I have to assume that's where you put it, yes. Don't know enough about the jail - /dev/pf combination.


----------



## wonslung (Nov 18, 2009)

I'm going to test a reboot just to be sure.
Thanks again.


----------



## wonslung (Nov 18, 2009)

Well, that's weird.

It didn't work, as far as setting it in the jail's /etc/devfs.conf goes.

But... squid is still working.

Logs are showing hits to the cache and whatnot; the last thing in the log is YouTube and FedEx, and those are the 2 sites I just hit up.

Weird.


----------



## DutchDaemon (Nov 18, 2009)

I think /dev/pf doesn't need to be consulted for each and every URL. It depends on the protocol (I believe HTTP 1.1 has the Host: header for Squid to use, so it doesn't need /dev/pf, or something to that effect). You can check /usr/local/squid/logs/cache.log. I think it prints a warning about /dev/pf not being available (permission denied), but it's usually not a problem in any way.

Edit: found a better-worded explanation:

http://www.benzedrine.cx/transquid.html



> Since the destination address is translated for such connections, the squid proxy needs some way to find the originally intended destination address of the web server to fetch the document from. If the client sends a HTTP 1.1 compliant Host: header in its HTTP request, squid uses the specified host. Older clients don't provide a Host: header, in which case squid can query the packet filter about the original destination address of the redirected connection. The latter approach requires the proxy to run on the firewall itself, otherwise the proxy can run on a separate host.



So I guess running a modern client (a recent browser, or recent implementations of fetch/wget/curl/p5-libwww, etc.) is enough not to be worried about /dev/pf being accessible.

BTW, that last line in the quote seems to suggest that Squid needs direct access to 'the original' /dev/pf (in the host, not the jail), but that's a mere guess. Anyway, almost everything is HTTP/1.1 nowadays (except Squid itself), so I think you need not worry.


----------



## wonslung (Nov 18, 2009)

DutchDaemon said:

> I think /dev/pf doesn't need to be consulted for each and every URL. It depends on the protocol (I believe HTTP 1.1 has the Host: header for Squid to use, so it doesn't need /dev/pf, or something to that effect). You can check /usr/local/squid/logs/cache.log. I think it prints a warning about /dev/pf not being available (permission denied), but it's usually not a problem in any way.


OK, well, since this didn't work, what about setting a simple script to do it on crontab @reboot?

Also, I remember reading a while back that squid should have

```
kern.ipc.nmbclusters="32768"
kern.maxfiles="65536"
kern.maxfilesperproc="32768"
```

in /boot/loader.conf.

Thoughts?

edit:
Hrm, the script didn't work in /etc/crontab, but it works if I run it manually as root.
Weird.
Going to try root's crontab -e.

edit2:
OK, that worked.

```
#!/bin/sh
# hand /dev/pf to the squid group, then make it group-readable (0640);
# the chmod only runs if the chgrp succeeded
chgrp squid /dev/pf && chmod 640 /dev/pf
```

Saved as /root/squid-perms, and

```
@reboot                         /root/squid-perms       >/dev/null 2>&1
```
in crontab as root works:

```
crw-r-----  1 root  squid    0,  96 Nov 18 21:14 pf
```
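One way to make the reboot fix idempotent and a bit safer, as an added example that is not from this thread, Squid or FreeBSD: a small sh script that checks whether /dev/pf is even visible inside the jail (the devfs ruleset unhid it) and then repairs only the group or the mode if they differ from root:squid 0640. It assumes the Squid group is called `squid` and that BSD stat(1) with `-f` is available; the group write bit is deliberately not granted, since Squid only reads the device.

```sh
#!/bin/sh
# Added example (not from the thread): idempotent replacement for the
# cron @reboot one-liner. Assumptions: device /dev/pf, group "squid",
# desired mode 0640 (read-only for the group), BSD stat(1) with -f.

PF_DEV="${PF_DEV:-/dev/pf}"
WANT_GROUP="${WANT_GROUP:-squid}"
WANT_MODE="${WANT_MODE:-640}"

# pf_needs_fix CUR_GROUP CUR_MODE
# Prints "ok", "group", "mode" or "group mode", depending on which of the
# current owner group and octal permission bits differ from what we want.
pf_needs_fix() {
    _out=""
    [ "$1" = "$WANT_GROUP" ] || _out="group"
    [ "$2" = "$WANT_MODE" ] || _out="${_out:+$_out }mode"
    printf '%s\n' "${_out:-ok}"
}

# fix_pf_device: inspect the real device and apply only the needed change.
# Returns 1 when the device is missing, i.e. the jail's devfs rules still
# hide it and no amount of chgrp/chmod will help.
fix_pf_device() {
    if [ ! -c "$PF_DEV" ]; then
        echo "$PF_DEV is not a character device; check the jail devfs ruleset" >&2
        return 1
    fi
    cur_group=$(stat -f '%Sg' "$PF_DEV")    # group name, e.g. wheel
    cur_mode=$(stat -f '%OLp' "$PF_DEV")    # low permission bits, e.g. 600
    for item in $(pf_needs_fix "$cur_group" "$cur_mode"); do
        case "$item" in
            group) chgrp "$WANT_GROUP" "$PF_DEV" ;;
            mode)  chmod "$WANT_MODE" "$PF_DEV" ;;
        esac
    done
}

# Only touch the device when invoked with --apply, so sourcing this file
# (or running it on a system without pf) has no side effects.
if [ "${1:-}" = "--apply" ]; then
    fix_pf_device
fi
```

Run it as `/root/squid-perms --apply` from root's `@reboot` crontab entry, or from the jail's start hook if you prefer; a missing device is reported instead of being silently skipped.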


----------



## DutchDaemon (Nov 18, 2009)

A script to do _what_ exactly?

And no, you don't need those values. Maybe in FreeBSD 5/6 and with a _lot_ of simultaneous users, but FreeBSD can scale to its own needs very well nowadays.

BTW, added quite a lot to the post you responded to, so read that as well. I think you don't need to alter anything once it works.


----------



## DutchDaemon (Nov 18, 2009)

I guess because devices in a jail are clones/mounts of the host's devices that devfs doesn't work inside a jail, or doesn't touch the jail's devices. Not too familiar with that subject, I'm afraid.


----------



## wonslung (Nov 18, 2009)

Well, who knows... so far no errors. I've tried about 100 sites using both Safari and Firefox on my hackintosh.

It seems to work. Not sure if /dev/pf makes a difference or not, but oh well, I'm just glad I got it working.

I will say this: when I FIRST set up the proxy it wouldn't work. I had to change

```
http_port 3128
```

to

```
http_port 3128 transparent
```

Perhaps THAT is enough. Anyways, I'm sure I'm not the first person to do this and I'm sure others will want to know how. I've been wondering if I could do it for a while, but it took me a while to get up the courage to try and replace pfSense with plain pf.

So, back to the /boot/loader.conf commands:

You're saying FreeBSD alters these settings on its own now?


Oh, and the script I was talking about was simply the 2 commands to change /dev/pf's group and permissions.

When I tried to set it in /etc/crontab, it didn't work.

I never should have bothered with /etc/crontab anyways, as I think it's not for the likes of me to mess with.

Setting the same commands in root's personal crontab worked fine.


Next thing I think I'll try to tackle is understanding ALTQ.


----------



## DutchDaemon (Nov 18, 2009)

FreeBSD sets values for a lot of internal settings based on hardware, RAM, CPU, etc. You will hardly ever need to change them, unless you're running a major service for thousands of users. You can override most of them in sysctl.conf and/or loader.conf, but you're very unlikely to hit any system limits unless you're serving up a lot of stuff to a lot of people. I haven't even needed to touch these settings on a proxy with close to 1,000 _concurrent_ users.


----------



## wonslung (Nov 19, 2009)

Cool, nah, I have maybe 10 concurrent tops.


----------

