Squid proxy/cache not working on pfsense

tt2468 · July 31, 2016, 7:45pm

So I have a PFSense VM running with 2 bridged ports. The only function of the machine is to serve as a transparent proxy/cache. I am having issues with it caching, as I get TCP_MISS a ton, and no TCP_HIT. Here is my config file:
`# This file is automatically generated by pfSense

Do not edit manually !

http_port 10.123.0.1:3128
http_port 127.0.0.1:3128 intercept
icp_port 0
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger

logfile_rotate 0
debug_options rotate=0
shutdown_lifetime 3 seconds

Allow local network(s) on interface(s)

acl localnet src 10.123.0.0/24
forwarded_for transparent
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

cache_mem 12288 MB
maximum_object_size_in_memory 8192 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 1024 MB
cache_dir aufs /var/squid/cache 76800 64 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all

Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Remote proxies

Setup some default acls

From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

acl localhost src 127.0.0.1/32

acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
acl sslports port 443 563

From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

Define protocols used for redirects

acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

Always allow localhost connections

From 3.2 further configuration cleanups have been done to make things easier and safer.

The manager, localhost, and to_localhost ACL definitions are now built-in.

http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

Reverse Proxy settings

Custom options before auth

Setup allowed ACLs

Allow local network(s) on interface(s)

http_access allow localnet

Default block all to be sure

http_access deny allsrc
Here is my log file:1469993630.148 172 10.123.0.2 TCP_MISS/304 334 GET http://wiki.squid-cache.org/wiki/squidtheme/img/icon-info.png - ORIGINAL_DST/77.93.254.178 -
1469993630.152 175 10.123.0.2 TCP_REFRESH_MODIFIED/200 764 GET http://wiki.squid-cache.org/wiki/squidtheme/css/projection.css - ORIGINAL_DST/77.93.254.178 text/css
1469993630.152 178 10.123.0.2 TCP_MISS/304 334 GET http://wiki.squid-cache.org/wiki/squidtheme/img/attention.png - ORIGINAL_DST/77.93.254.178 -
1469993630.153 177 10.123.0.2 TCP_REFRESH_MODIFIED/200 974 GET http://wiki.squid-cache.org/wiki/squidtheme/css/print.css - ORIGINAL_DST/77.93.254.178 text/css
1469993630.273 197 10.123.0.2 TCP_MISS/200 372 GET http://wiki.squid-cache.org/action/content/rotate%3DN? - ORIGINAL_DST/77.93.254.178 text/html
1469993630.506 171 10.123.0.2 TCP_CLIENT_REFRESH_MISS/200 1860 GET http://wiki.squid-cache.org/wiki/squid-favicon.ico - ORIGINAL_DST/77.93.254.178 image/vnd.microsoft.icon
1469993692.617 2681 10.123.0.2 TCP_MISS/200 19194 GET http://wiki.squid-cache.org/SquidFaq/SquidLogs - ORIGINAL_DST/77.93.254.178 text/html
1469993692.806 186 10.123.0.2 TCP_REFRESH_MODIFIED/200 2069 GET http://wiki.squid-cache.org/wiki/squidtheme/css/screen.css - ORIGINAL_DST/77.93.254.178 text/css
1469993692.919 342 10.123.0.2 TCP_REFRESH_MODIFIED/200 629 GET http://wiki.squid-cache.org/wiki/squidtheme/js/kutils.js - ORIGINAL_DST/77.93.254.178 application/javascript
1469993692.921 344 10.123.0.2 TCP_REFRESH_MODIFIED/200 2096 GET http://wiki.squid-cache.org/wiki/squidtheme/css/common.css - ORIGINAL_DST/77.93.254.178 text/css
1469993692.923 345 10.123.0.2 TCP_REFRESH_MODIFIED/200 4236 GET http://wiki.squid-cache.org/wiki/common/js/common.js - ORIGINAL_DST/77.93.254.178 application/javascript
1469993692.939 366 10.123.0.2 TCP_REFRESH_MODIFIED/200 916 GET http://wiki.squid-cache.org/wiki/squidtheme/js/niftyCorners.css - ORIGINAL_DST/77.93.254.178 text/css
1469993692.944 369 10.123.0.2 TCP_REFRESH_MODIFIED/200 3343 GET http://wiki.squid-cache.org/wiki/squidtheme/js/niftycube.js - ORIGINAL_DST/77.93.254.178 application/javascript
1469993692.994 185 10.123.0.2 TCP_REFRESH_UNMODIFIED/304 342 GET http://wiki.squid-cache.org/wiki/squidtheme/img/squid-bubbles.png - ORIGINAL_DST/77.93.254.178 -
1469993693.128 172 10.123.0.2 TCP_MISS/304 334 GET http://wiki.squid-cache.org/wiki/squidtheme/img/icon-info.png - ORIGINAL_DST/77.93.254.178 -
1469993693.131 174 10.123.0.2 TCP_REFRESH_MODIFIED/200 974 GET http://wiki.squid-cache.org/wiki/squidtheme/css/print.css - ORIGINAL_DST/77.93.254.178 text/css
1469993693.131 173 10.123.0.2 TCP_REFRESH_MODIFIED/200 764 GET http://wiki.squid-cache.org/wiki/squidtheme/css/projection.css - ORIGINAL_DST/77.93.254.178 text/css
1469993693.132 184 10.123.0.2 TCP_MISS/304 334 GET http://wiki.squid-cache.org/wiki/squidtheme/img/alert.png - ORIGINAL_DST/77.93.254.178 -
1469993693.139 183 10.123.0.2 TCP_MISS/304 334 GET http://wiki.squid-cache.org/wiki/squidtheme/img/attention.png - ORIGINAL_DST/77.93.254.178 -
1469993693.280 216 10.123.0.2 TCP_MISS/200 372 GET http://wiki.squid-cache.org/action/content/rotate%3DN? - ORIGINAL_DST/77.93.254.178 text/html
1469993750.733 133 10.123.0.2 TCP_MISS/200 517 GET http://www.google-analytics.com/__utm.gif? - ORIGINAL_DST/216.58.217.206 image/gif
1469994045.581 10 10.123.0.2 TCP_MISS/200 517 GET http://www.google-analytics.com/__utm.gif? - ORIGINAL_DST/216.58.217.206 image/gif`

Dexter_Kane · August 1, 2016, 12:22am

Make sure you're testing by looking at the same stuff on different devices as each browser and device will have its own cache.

tt2468 · August 1, 2016, 6:44am

My setup is WAN->ERLite-3->Switch/network.
I dont think I quite understand how I would est with other devices.

Dexter_Kane · August 1, 2016, 7:08am

I mean the devices you're browsing with. So go to a website on one device then try the same website on another. Because each device will have its own cache so if something is already in the local cache you won't see a hit on your proxy.

tt2468 · August 1, 2016, 7:38am

Ahh, well my LAN event was today and we had at least 30 users on and 15 mbps bandwidth average, so I'l recheck the logs to see if there were any hits.