# Install Squid and config squid



## hongfxhp (Oct 21, 2021)

Dear All,

I just installed FreeBSD 12.2 and Squid on it. But when I configure Squid on FreeBSD, I have a problem with it. The problem is as below.
I configured all computers in the local net to access the website _translate.google.com.vn_ with the code below:

```
acl google dstdomain translate.google.com.vn
http_access allow google
```

It works but cannot translate everything; when I access the website, the error is as in the attached file.

Could anyone help to fix this problem?





----------



## covacat (Oct 21, 2021)

it's possible the page uses multiple domains like gstatic.com play.google.com etc
look in the browser developer menu or squid logs for blocked url/queries


----------



## obsigna (Oct 21, 2021)

I wrote a tutorial about how to set up a transparent proxy for HTTP(S) connections with Squid on FreeBSD:





Transparent HTTPS Proxy on a FreeBSD Server (obsigna.com)




This is running here and it fully works with https://translate.google.com.vn/ -- what is .vn for, though?


----------



## casianbsd (Oct 21, 2021)

```
pkg update
pkg install squid
```

You can find the configuration files for this package in the directory /usr/local/etc/squid

- The default configuration will deny everyone but the local host and local networks as defined in RFC 1918 for IPv4 and RFCs 4193 and 4291 for IPv6 access to the proxy service. Edit the "http_access allow/deny" directives in /usr/local/etc/squid/squid.conf to suit your needs.
- If AUTH_SQL option is set, please, don't forget to install one of following perl modules depending on database you like:
  - databases/p5-DBD-mysql
  - databases/p5-DBD-Pg
  - databases/p5-DBD-SQLite

To enable Squid, set squid_enable=yes in either /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/squid. Please see /usr/local/etc/rc.d/squid for further details.

Note: If you just updated your Squid installation from an earlier version, make sure to check your Squid configuration against the 3.4 default configuration file /usr/local/etc/squid/squid.conf.sample.

/usr/local/etc/squid/squid.conf.documented is a fully annotated configuration file you can consult for further reference.

Additionally, you should check your configuration by calling 'squid -f /path/to/squid.conf -k parse' before starting Squid.


----------



## hongfxhp (Oct 22, 2021)

covacat said:


> it's possible the page uses multiple domains like gstatic.com play.google.com etc
> look in the browser developer menu or squid logs for blocked url/queries


If I want to allow url/queries, what should I do? Could you please advise?


----------



## hongfxhp (Oct 22, 2021)

obsigna said:


> I wrote a tutorial about how to set up a transparent proxy for HTTP(S) connections with Squid on FreeBSD:
> 
> 
> 
> ...


Thank you, I will do as your manual says and let you know. Thanks for your advice.
I also want to ask you: if I want everyone to access translate.google.com.vn only and everything else is denied, can your config do it?


----------



## hongfxhp (Oct 22, 2021)

obsigna, I followed your advice but an error happened in:

```
/usr/local/libexec/squid/security_file_certgen -c -M 4MB \
                                                 -s /usr/local/etc/squid/dyn-certs
Error -M option requires an -s parameter be set first.
```

Could you please advise?


----------



## obsigna (Oct 22, 2021)

hongfxhp said:


> obsigna, I followed your advice but an error happened in:
> /usr/local/libexec/squid/security_file_certgen -c -M 4MB \
> -s /usr/local/etc/squid/dyn-certs
> Error -M option requires an -s parameter be set first.
> Could you please advise?


Thank you for reporting the issue. I corrected the respective BLog post already. Please do the following:

1. `# rm -r /usr/local/etc/squid/dyn-certs`
2. `# /usr/local/libexec/squid/security_file_certgen -c -s /usr/local/etc/squid/dyn-certs -M 4MB`


----------



## hongfxhp (Oct 23, 2021)

> # should be allowed
> acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
> acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
> ...


Above is the Squid config file, and clients can access translate.google.com.vn OK.
But when I remark out my LAN and add `acl google dstdomain translate.google.com.vn`, users cannot use translate:

```
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

acl google dstdomain translate.google.com.vn
http_access allow google

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

#http_access deny to_localhost

http_access allow localnet
http_access allow localhost

http_access deny all
http_port 8080

#cache_dir ufs /var/squid/cache 100 16 256
coredump_dir /var/squid/cache

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
```


----------



## hongfxhp (Oct 23, 2021)

obsigna said:


> Thank you for reporting the issue. I corrected the respective BLog post already. Please do the following:
> 
> 1. `# rm -r /usr/local/etc/squid/dyn-certs`
> 2. `# /usr/local/libexec/squid/security_file_certgen -c -s /usr/local/etc/squid/dyn-certs -M 4MB`


Thanks for your reply. I configured it the same as you showed, but the result is the same problem. I don't know what is wrong here.


----------



## obsigna (Oct 23, 2021)

hongfxhp said:


> Thanks for your reply. I configured it the same as you showed, but the result is the same problem. I don't know what is wrong here.


Me neither. My running instance conforms exactly to what is written in the BLog post. diff(1) shows zero differences between the squid.conf of my running instance and that one in the BLog post.

Do you use squid.conf from my BLog post?
In case not, please inform the output of `# diff obsigna-squid.conf /usr/local/etc/squid/squid.conf`?


Did you set up ipfw for port redirection?
Otherwise, the transparent proxy won’t work.


Did you configure the clients to trust your self-signed proxy.local CA?


On systems running in Brazil and Germany, `# host translate.google.com.vn` resolves to:

```
translate.google.com.vn has address 142.250.78.195
translate.google.com.vn has IPv6 address 2800:3f0:4004:802::2003
```

Is this the same on a system in Vietnam, or does this resolve to something hosted in China? Of course not, but what I wanted to say is, that perhaps Google’s server in Vietnam does something which it doesn’t in Brazil and Germany.


----------



## hongfxhp (Oct 25, 2021)

obsigna said:


> Me neither. My running instance conforms exactly to what is written in the BLog post. diff(1) shows zero differences between the squid.conf of my running instance and that one in the BLog post.
> 
> Do you use squid.conf from my BLog post?
> In case not, please inform the output of `# diff obsigna-squid.conf /usr/local/etc/squid/squid.conf`?
> ...


Thanks for the reply.
Items 1 to 3 are the same as your config; I only changed the IP address.
I think your config is correct, but it is not what I mean.

In my case I don't know what the problem is. But if I allow all networks to access the internet, there is no problem with Google Translate.
The problem only occurs when I block all networks and only allow all network clients to access _translate.google.com_ or _translate.google.com.vn_.
If anyone has any idea, please help me.


----------



## astyle (Oct 28, 2021)

Have you tried a *different browser* to access _translate.google.com.vn_ ? Many services and websites don't support IE any longer, and the browser itself will be discontinued in 2022. Try Edge, Firefox, or Chrome. I personally don't like Chrome, but Google's own stuff should work. So, leave Squid alone for now, and make sure your browser works.

obsigna : .vn is the TLD for Vietnam. Easy to guess.


----------



## hongfxhp (Oct 30, 2021)

astyle said:


> Have you tried a *different browser* to access _translate.google.com.vn_ ? Many services and websites don't support IE any longer, and the browser itself will be discontinued in 2022. Try Edge, Firefox, or Chrome. I personally don't like Chrome, but Google's own stuff should work. So, leave Squid alone for now, and make sure your browser works.
> 
> obsigna : .vn is the TLD for Vietnam. Easy to guess.


I tried with another browser but have the same problem. Any ideas?


----------



## covacat (Oct 30, 2021)

if i access translate.google.com.vn there are requests to ^(www|ssl|fonts)$.gstatic.com and play.google.com
the play.google.com does not seem to matter but I think you should permit *.gstatic.com too
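
An added example, not part of covacat's post or of Squid itself: a shell function for the log check suggested earlier in the thread, counting the hosts Squid answered with TCP_DENIED so that domains the page depends on (such as gstatic.com) show up. The log lines are constructed, Squid's default `squid` access.log format is assumed, and the ACL name `translate_deps` is hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes Squid's default "squid"
# access.log format:
#   time elapsed client result/status bytes method URL user hier/peer type

# Constructed sample log: client address, timings and sizes are made up.
sample_log() {
    cat <<'EOF'
1635580801.101    212 172.16.0.25 TCP_TUNNEL/200 5120 CONNECT translate.google.com.vn:443 - HIER_DIRECT/142.250.78.195 -
1635580801.350      1 172.16.0.25 TCP_DENIED/403 3990 CONNECT www.gstatic.com:443 - HIER_NONE/- text/html
1635580801.412      0 172.16.0.25 TCP_DENIED/403 3994 GET http://fonts.gstatic.com/s/roboto/v29/font.woff2 - HIER_NONE/- text/html
1635580801.977      1 172.16.0.25 TCP_DENIED/403 3990 CONNECT www.gstatic.com:443 - HIER_NONE/- text/html
1635580802.230      1 172.16.0.25 TCP_DENIED/403 3990 CONNECT play.google.com:443 - HIER_NONE/- text/html
EOF
}

# Read access.log lines on stdin; print "count host" for every request
# Squid denied, most frequent first.
denied_hosts() {
    awk '$4 ~ /^TCP_DENIED/ {
        host = $7
        sub("^[a-z]+://", "", host)   # drop scheme of plain HTTP requests
        sub("[/?].*$", "", host)      # drop path and query
        sub(":[0-9]+$", "", host)     # drop port (CONNECT host:443)
        count[host]++
    }
    END { for (h in count) printf "%d %s\n", count[h], h }' |
        sort -k1,1nr -k2,2
}

# Turn the denied hosts into dstdomain lines to review before adding any
# of them to squid.conf. "translate_deps" is a hypothetical ACL name.
suggest_acl() {
    denied_hosts | awk '{ print "acl translate_deps dstdomain " $2 }'
}

sample_log | denied_hosts
sample_log | suggest_acl
```

On a live proxy, redirect Squid's access.log into `denied_hosts` while reproducing the failure from one client, and allow only the hosts the page actually needs.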


----------



## hongfxhp (Nov 23, 2021)

covacat said:


> if i access translate.google.com.vn there are requests to ^(www|ssl|fonts)$.gstatic.com and play.google.com
> the play.google.com does not seem to matter but I think you should permit *.gstatic.com too


Thank you so much for your help. Now it is OK already. Once again, thank you so much.


----------

