I am posting here, I hope it is ok: my squid dies because of a domain added inside the section Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC), Excluded URLs (one per line):
Any idea why I get an error when I try to add an entire domain ‘digicert.cn’ in there?
For some reason the Chinese phones contact digicert.cn for the certificate validation process instead of digicert.com, and the URL Filter is set to block anything in the ccTLD .cn, so the proxy bypass seems the easiest way to avoid blocking CRL and OCSP validation for this certificate provider.
Creating Squid swap directories... [ FAIL ]
Starting Squid Proxy Server...
2024/09/12 09:18:34| ERROR: aclIpParseIpData: Bad host/IP: 'digicert.cn' in 'digicert.cn', flags=0 : (-2) Name or service not known
2024/09/12 09:18:34| Not currently OK to rewrite swap log.
2024/09/12 09:18:34| storeDirWriteCleanLogs: Operation aborted.
2024/09/12 09:18:34| FATAL: Bungled /etc/squid/squid.conf line 87: acl DST_NOPROXY_URL src "/var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl"
2024/09/12 09:18:34| Squid Cache (Version 6.9): Terminated abnormally. [ OK ]
Late edit: this UI (Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC), Excluded URLs (one per line):) does nothing: the wpad.dat is not modified (the last modified date is way back in time).
If the code is not doing that in your system then it must have got corrupted somehow.
Might be worth doing a hash comparison between the proxy.cgi code in your ipfire system and the same code in the git repo for CU187 (I am presuming you are on CU187).
The last official change to proxy.cgi code was done in January this year.
One problem solved: the problem was the ownership of /srv/web/ipfire/html/proxy.pac
I set the ownership of the above file to nobody:nobody and now the UI does write the content into it.
BUT!
Squid does not start if I add ‘digicert.cn’ in the Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC), Excluded URLs (one per line):
Second problem detected and solved by editing squid.conf: when the Save, Save and Reload or Save and Restart buttons are used from proxy.cgi, the script incorrectly assumes that the entries inside the section Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC), Excluded URLs (one per line): are SRC and tries to use them as a SRC ACL.
Copied from squid.conf after using any of the Save buttons from proxy.cgi:
#Proxy bypass for some IP and some URL
acl DST_NOPROXY_IP src "/var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl"
acl DST_NOPROXY_URL src "/var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl"
always_direct allow DST_NOPROXY_IP DST_NOPROXY_URL
Those lines in squid.conf must be using destinations (the names of the files, dst_noproxy_ip.acl and dst_noproxy_url.acl, suggest that they contain destinations and not sources).
So it makes sense to use acl dstdomain for dst_noproxy_url.acl and acl dst for dst_noproxy_ip.acl.
Like this, and now squid starts!
#Proxy bypass for some IP and some URL
acl DST_NOPROXY_IP dst "/var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl"
acl DST_NOPROXY_URL dstdomain "/var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl"
always_direct allow DST_NOPROXY_IP DST_NOPROXY_URL
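The difference between the generated lines and the corrected ones is the acl type: Squid parses `src` and `dst` entries as addresses (aclIpParseIpData), resolving anything that is not an IP literal once at startup and aborting when resolution fails, which is the "Bad host/IP ... Name or service not known" FATAL above; `dstdomain` entries are matched by name suffix against the requested host, which is what a per-domain bypass list needs. The following lint, added here and not part of IPFire's proxy.cgi or the thread, reads `acl NAME TYPE "file"` lines from a squid.conf fragment and flags entries whose form does not fit the acl type. The file contents and the two config variants are constructed inline to mirror the post; the address check covers IPv4 and IPv4/CIDR forms only.

```javascript
// Added example, not IPFire's proxy.cgi code. Flags entries in the files
// referenced by "acl NAME TYPE \"path\"" lines that do not fit TYPE.
// src/dst: address lists; a non-address entry is resolved once at startup
//          (fatal if it fails) and never suffix-matched.
// dstdomain: domain names, optionally with a leading dot for suffix matching.

const IPV4_OCTETS = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function isIPv4(s) {
  const m = IPV4_OCTETS.exec(s);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255);
}

// Address forms accepted here: 192.0.2.1, 192.0.2.0/24, 192.0.2.0/255.255.255.0.
// (Squid also takes IPv6 and "a-b" ranges; omitted in this example.)
function isAddressEntry(entry) {
  const parts = entry.split('/');
  if (parts.length > 2 || !isIPv4(parts[0])) return false;
  if (parts.length === 1) return true;
  const mask = parts[1];
  return /^\d{1,2}$/.test(mask) ? Number(mask) <= 32 : isIPv4(mask);
}

// Loose hostname check: dot-separated labels of letters, digits and hyphens,
// optional leading dot (the dstdomain suffix form); IP literals are not domains.
function isDomainEntry(entry) {
  return /^\.?([a-z0-9-]+\.)*[a-z0-9-]+$/i.test(entry) && !isIPv4(entry);
}

// Collect acl lines of the form: acl NAME TYPE "path". Other lines are ignored.
function parseFileAcls(conf) {
  const acls = [];
  for (const raw of conf.split('\n')) {
    const m = /^\s*acl\s+(\S+)\s+(\S+)\s+"([^"]+)"\s*$/.exec(raw);
    if (m) acls.push({ name: m[1], type: m[2], file: m[3] });
  }
  return acls;
}

// files maps path -> file contents (one entry per line, '#' comments allowed).
// Returns one finding string per entry that does not fit its acl type.
function lintAcls(conf, files) {
  const findings = [];
  for (const acl of parseFileAcls(conf)) {
    const body = files[acl.file];
    if (body === undefined) {
      findings.push(`${acl.name}: file ${acl.file} not provided`);
      continue;
    }
    const entries = body.split('\n').map((l) => l.trim()).filter((l) => l && !l.startsWith('#'));
    for (const e of entries) {
      if ((acl.type === 'src' || acl.type === 'dst') && !isAddressEntry(e)) {
        findings.push(`${acl.name}: '${e}' is not an address; type ${acl.type} resolves it at startup, use dstdomain for domain names`);
      } else if (acl.type === 'dstdomain' && !isDomainEntry(e)) {
        findings.push(`${acl.name}: '${e}' is not a domain name; use dst for addresses`);
      }
    }
  }
  return findings;
}

// Constructed sample: file contents standing in for the two acl files on disk.
const FILES = {
  '/var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl': '192.0.2.10\n192.0.2.0/24\n',
  '/var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl': 'digicert.cn\n.digicert.cn\n',
};

// The lines as generated in the post, and the corrected variant.
const GENERATED = `acl DST_NOPROXY_IP src "/var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl"
acl DST_NOPROXY_URL src "/var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl"
always_direct allow DST_NOPROXY_IP DST_NOPROXY_URL`;
const CORRECTED = GENERATED
  .replace('DST_NOPROXY_IP src', 'DST_NOPROXY_IP dst')
  .replace('DST_NOPROXY_URL src', 'DST_NOPROXY_URL dstdomain');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('generated:', lintAcls(GENERATED, FILES)); // two findings for digicert.cn entries
  console.log('corrected:', lintAcls(CORRECTED, FILES)); // no findings
}
```

Running this with node prints two findings for the generated lines (both digicert.cn entries sit in a `src` acl) and none for the corrected ones; the same check is what `squid -k parse` performs for real, with the difference that Squid additionally attempts the DNS lookup.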
The buttons are working fine for me as they were designed to work and squid starts fine.
If the Proxy WUI buttons are not working for you then there is still something wrong somewhere in your code or in permissions or in ownerships.
As you had these lines in your squid.conf, you must have entered them, either directly or by putting them in /var/ipfire/proxy/advanced/acls/include.acl, in which case they appear in squid.conf in the section that starts and ends with
#Start of custom includes
#End of custom includes
The proxy.cgi code takes the dst_noproxy_ip.acl and dst_noproxy_url.acl files and only places their content into the WPAD file. It does not enter those ACLs into the squid.conf file.
Your modification to the squid.conf file is a risky one because if you ever press any of the buttons in the Web Proxy WUI then the file will be overwritten. As it mentions in the wiki and at the top of the squid.conf file, you should place any additional ACLs you desire to use in the include.acl file, but for the No Proxy option you don’t need to do that because it is built into the wpad & pac files. I have it working like that for my system with the proxy bypassed for a certain URL and I don’t have those dst_noproxy_url entries in my squid.conf at all.
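What "placing their content into the WPAD file" amounts to, as an added illustration rather than IPFire's generated proxy.pac (the thread does not show the generated file, so its exact structure is an assumption): a FindProxyForURL that returns DIRECT for the excluded domains and networks and hands everything else to the proxy. The proxy address 192.0.2.1:800 and the exclusion lists are constructed placeholders. The helpers dnsDomainIs, isInNet and isPlainHostName are normally supplied by the client's PAC engine; they are reimplemented here so the file can be exercised with node. A client that is not configured for WPAD or PAC never evaluates this function, which is why a transparently intercepted client still hits the URL Filter.

```javascript
// Added example: a minimal PAC/WPAD file of the shape a no-proxy list
// produces. Not IPFire's own proxy.pac; lists and proxy address are constructed.

// Standard PAC helper: hostnames without a dot are treated as local.
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

// Standard PAC helper: true when host ends with domain. Note the suffix
// semantics: 'digicert.cn' also matches 'evildigicert.cn', so the dotted
// form '.digicert.cn' plus an exact entry is the safer way to list a domain.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function ip4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => acc * 256 + Number(o), 0);
}

// Standard PAC helper, restricted here to IP-literal hosts (a browser would
// resolve a hostname first): true when host lies in net/mask.
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ip4ToInt(mask);
  return (ip4ToInt(host) & m) === (ip4ToInt(net) & m);
}

// Constructed exclusion lists standing in for dst_noproxy_url.acl and
// dst_noproxy_ip.acl. Exact name plus dotted suffix covers digicert.cn
// and every host under it.
const NOPROXY_DOMAINS = ['digicert.cn', '.digicert.cn'];
const NOPROXY_NETS = [['192.0.2.0', '255.255.255.0']];
const PROXY = 'PROXY 192.0.2.1:800'; // constructed placeholder address

function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return 'DIRECT';
  for (const d of NOPROXY_DOMAINS) {
    if (dnsDomainIs(host, d)) return 'DIRECT';
  }
  for (const [net, mask] of NOPROXY_NETS) {
    if (isInNet(host, net, mask)) return 'DIRECT';
  }
  return PROXY;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(FindProxyForURL('http://ocsp.digicert.cn/', 'ocsp.digicert.cn'));   // DIRECT
  console.log(FindProxyForURL('http://ocsp.digicert.com/', 'ocsp.digicert.com')); // PROXY 192.0.2.1:800
}
```

The OCSP and CRL fetches for digicert.cn go DIRECT and never reach the URL Filter, while digicert.com and everything else still pass through the proxy; with no entry in squid.conf at all, a Save in the WUI cannot undo the bypass.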
The WPAD does solve it for machines that use WPAD…
But for machines that are not using WPAD the problem still exists: the transparent proxy will capture their HTTP traffic.
So WPAD solves it only for a portion of the machines…
About those custom lines: why does the WUI change them?
Those are in the section you mentioned: between #Start of custom includes
You are right: the lines inside squid.conf are inserted by the WUI from that include.acl (which was last modified in 2022, so it comes from a backup-restore process I used on this new HW after installing core 186 from scratch).
Problem solved: editing the very old content of /var/ipfire/proxy/advanced/acls/include.acl and after that pressing “Reload” in the WUI does refresh the squid.conf section you mentioned.