os-squid / configuration broken when using it as a transparent proxy
**Important notices**
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
- [x] The title contains the plugin to which this issue belongs
**Describe the bug**
I use squid as a transparent proxy on port 3128 (http) and 3129 (https). Now for some time I experienced problems with apt using http repos.
Today I found the following root cause in /usr/local/etc/squid/squid.conf:
```
# Setup transparent mode listeners on loopback interfaces
http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
# Setup regular listeners configuration
http_port 127.0.0.1:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port [::1]:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
```
As you can see, 127.0.0.1:3128 and [::1]:3128 are configured twice, which leads to "Address already in use" messages:
```
root@OPNsense:/usr/local/etc/squid # squid -N -d10
<snip>
2025/05/28 09:52:33| ERROR: commBind Cannot bind socket FD 39 to 127.0.0.1:3128: (48) Address already in use
    listening port: 127.0.0.1:3128
2025/05/28 09:52:33| ERROR: commBind Cannot bind socket FD 40 to [::1]:3128: (48) Address already in use
    listening port: [::1]:3128
<snip>
2025/05/28 09:52:33| Accepting NAT intercepted SSL bumped HTTP Socket connections at conn13 local=127.0.0.1:3128 remote=[::] FD 34 flags=41
    listening port: 127.0.0.1:3128
2025/05/28 09:52:33| Accepting NAT intercepted SSL bumped HTTP Socket connections at conn15 local=[::1]:3128 remote=[::] FD 35 flags=41
    listening port: [::1]:3128
2025/05/28 09:52:33| Accepting NAT intercepted SSL bumped HTTPS Socket connections at conn17 local=127.0.0.1:3129 remote=[::] FD 36 flags=41
    listening port: 127.0.0.1:3129
2025/05/28 09:52:33| Accepting NAT intercepted SSL bumped HTTPS Socket connections at conn19 local=[::1]:3129 remote=[::] FD 37 flags=41
    listening port: [::1]:3129
2025/05/28 09:52:33| Accepting SSL bumped HTTP Socket connections at conn21 local=192.168.0.1:3128 remote=[::] FD 38 flags=9
    listening port: 192.168.0.1:3128
```
So I changed the regular listeners, while leaving the transparent mode listeners as is, to
```
# Setup regular listeners configuration
# http_port 127.0.0.1:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
# http_port [::1]:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
```
I started the proxy via `configctl proxy start` and now everything is working fine.
However, when I click apply in the configuration, it will uncomment these lines again and therefore break it again.
**To Reproduce**
Steps to reproduce the behavior:
- Go to 'ui/proxy#subtab_proxy-forward-general.'
- Configure loopback as the proxy interface
- Check "Enable Transparent HTTP proxy"
- Start the proxy
- Verify the configuration and check for errors during `squid -N -d10`
**Expected behavior**
I guess "not configure the general listeners in transparent mode".
**Screenshots**
**Relevant log files**
I think everything needed is already posted above.
**Additional context**
Now a workaround would be to set the interface to the LAN interface. But that's kinda backwards if I only want to enable traffic from localhost via a NAT rule. Selecting "Nothing" as interface didn't work in my tests.
**Environment**
OPNsense 25.1.7_4-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16
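A small pre-flight checker for the duplicate-bind condition described in this report, added here as an illustration; it is not part of the os-squid plugin or of Squid. It parses the `http_port`/`https_port` lines of a squid.conf, reports every bind address claimed by more than one listener (the situation that produces the `commBind ... Address already in use` errors above), and applies the reporter's manual workaround of commenting out regular listeners that collide with an `intercept` listener. The embedded sample config is constructed to mirror the duplicated lines in the report with the certificate options trimmed, and the function names (`parse_listeners`, `find_duplicate_binds`, `comment_out_regular_duplicates`) are my own.

```python
"""Detect http_port/https_port listeners in a squid.conf that share a bind
address. Added example, not code from the os-squid plugin or Squid."""
import re
from collections import defaultdict

# Constructed sample mirroring the duplicated listeners in the report
# (certificate options trimmed; they do not affect the bind address).
SAMPLE_CONF = """\
# Setup transparent mode listeners on loopback interfaces
http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem
http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem
https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem
https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem
# Setup regular listeners configuration
http_port 127.0.0.1:3128 ssl-bump cert=/var/squid/ssl/ca.pem
http_port [::1]:3128 ssl-bump cert=/var/squid/ssl/ca.pem
http_port 192.168.0.1:3128 ssl-bump cert=/var/squid/ssl/ca.pem
"""

# directive, address spec, remaining options; commented lines never match
PORT_DIRECTIVE = re.compile(r"^\s*(https?_port)\s+(\S+)(.*)$")


def parse_listeners(conf_text):
    """Yield (lineno, directive, host, port, mode) for each active *_port line.

    Squid accepts 'port', 'host:port' and '[v6addr]:port'; a bare port binds
    to all addresses, represented here as host '*'.
    """
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = PORT_DIRECTIVE.match(line)
        if not m:
            continue  # comments, blank lines, other directives
        directive, spec, options = m.groups()
        if spec.startswith("["):            # [::1]:3128
            host, _, port = spec[1:].partition("]:")
        elif ":" in spec:                    # 127.0.0.1:3128
            host, _, port = spec.rpartition(":")
        else:                                # 3128 -> wildcard bind
            host, port = "*", spec
        mode = "intercept" if "intercept" in options.split() else "regular"
        yield lineno, directive, host, int(port), mode


def find_duplicate_binds(conf_text):
    """Return {(host, port): [(lineno, directive, mode), ...]} for every
    bind address claimed by more than one listener."""
    seen = defaultdict(list)
    for lineno, directive, host, port, mode in parse_listeners(conf_text):
        seen[(host, port)].append((lineno, directive, mode))
    return {addr: hits for addr, hits in seen.items() if len(hits) > 1}


def comment_out_regular_duplicates(conf_text):
    """Return the config with every regular listener that collides with an
    intercept listener commented out, i.e. the reporter's manual workaround."""
    drop = set()
    for hits in find_duplicate_binds(conf_text).values():
        if any(mode == "intercept" for _, _, mode in hits):
            drop.update(ln for ln, _, mode in hits if mode == "regular")
    lines = conf_text.splitlines()
    return "\n".join(("# " + line) if n in drop else line
                     for n, line in enumerate(lines, start=1)) + "\n"


if __name__ == "__main__":
    for (host, port), hits in find_duplicate_binds(SAMPLE_CONF).items():
        where = ", ".join(f"line {ln} ({mode})" for ln, _, mode in hits)
        print(f"duplicate bind {host}:{port}: {where}")
    print(comment_out_regular_duplicates(SAMPLE_CONF))
```

Run against the real file with `python3 check.py` after replacing `SAMPLE_CONF` with the contents of /usr/local/etc/squid/squid.conf; a clean result is an empty duplicate map. The checker only looks at exact address matches, so a wildcard listener (`http_port 3128`) next to an address-specific one on the same port is not flagged even though the OS may also refuse that bind.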
Looked into this again today. I think #4502 and #4744 might be related.
Edit: sorry, followed other tickets but I don't see a segfault reference here, so reopening.