I think I'm way over my head. I installed Privoxy, and read the documentation... but I just don't understand its purpose. I finally figured out that with all these config files and whatever, I am dealing with Perl (which I know nothing about). So I was having trouble figuring out what to edit in order to make the logfile work (I think I want that working in Privoxy? It logs the same things as Squid? I don't know...). I don't even know whether I am supposed to use a forward slash or backslash. I think forward slash because of the example that it gives for the Unix directory.
Still a blank logfile.
I'm just ready to cry. I just want to log where a teenager is going (for a friend) what he is searching for (whether in Google or in Instagram), and what images he is looking at. My friend wants to gather information so he can decide what to do. He has 8 kids, so of course things can get really busy. But he needs to know what a particular teenager is doing online so he can deal with it.
I'll have to drive over there again and flash ANOTHER firmware on it. My friend is already computer illiterate, so it will be difficult to explain what I am doing.
Not sure what router you got. For all models I support you can easily set this up with the integrated privoxy. Just turn on the adblocking feature, enable custom config, copy and paste the contents of the pre-generated /tmp/privoxy.conf and change a few lines, in order to make it log to a file on an attached USB device.
_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
Posted: Thu Jul 10, 2014 0:21 Post subject: Privoxy + Squid disk cache on high power router
Reading through this thread, there seems to be some disagreement over whether running squid on DD-WRT is advisable.
I have a Netgear R7000 with DD-WRT, dual core processor overclocked to 1.2 GHz so plenty of horsepower. It has a 1 TB USB3 spinning drive formatted EXT3 currently for NAS, but there's plenty of free space on the drive.
I'm currently running privoxy and love the ad blocking but would also like to put a large (10 Gig +) common browser cache for all my clients to share on the USB drive. I run some clients with their local browser disk cache disabled due to them running on flash sticks, SD cards & such or non-persistent live-DVDs. So having a common disk cache that could be shared by all of the clients seems like it would be useful.
Is it advisable to add squid to my DD-WRT Privoxy setup to provide caching? Or would that likely slow things down rather than speed them up?
If advisable, what's the right way to chain squid to privoxy so I don't lose privoxy's ad blocking?
Or is there a better way to accomplish this? Sure wish privoxy just had a "cache" option that could be turned on if caching is desired.
Posted: Thu Nov 20, 2014 21:54 Post subject:
<Kong> wrote:
threehappypenguins wrote:
I think I'm way over my head. I installed Privoxy, and read the documentation... but I just don't understand its purpose. I finally figured out that with all these config files and whatever, I am dealing with Perl (which I know nothing about). So I was having trouble figuring out what to edit in order to make the logfile work (I think I want that working in Privoxy? It logs the same things as Squid? I don't know...). I don't even know whether I am supposed to use a forward slash or backslash. I think forward slash because of the example that it gives for the Unix directory.
Still a blank logfile.
I'm just ready to cry. I just want to log where a teenager is going (for a friend) what he is searching for (whether in Google or in Instagram), and what images he is looking at. My friend wants to gather information so he can decide what to do. He has 8 kids, so of course things can get really busy. But he needs to know what a particular teenager is doing online so he can deal with it.
I'll have to drive over there again and flash ANOTHER firmware on it. My friend is already computer illiterate, so it will be difficult to explain what I am doing.
Not sure what router you got. For all models I support you can easily set this up with the integrated privoxy. Just turn on the adblocking feature, enable custom config, copy and paste the contents of the pre-generated /tmp/privoxy.conf and change a few lines, in order to make it log to a file on an attached USB device.
@ <Kong>
Could you post the privoxy config that works with a USB HD that was already mounted by DD-WRT?
Posted: Sun Jan 06, 2019 2:37 Post subject: Squid hosted on DD-WRT
I realize that this is a very old thread, but it is the second result on Google and pretty much the only result anywhere that I could find which asks how to set up Squid on DD-WRT itself -- not remotely. So, I created a guide on my blog and thought I'd copy it to here as well just in case people are still looking for this sort of thing.
-------------
This guide will show you how to set up a transparent Squid proxy with HTTPS support directly on DD-WRT. Let's dive right in!
Prerequisites
The only requirements are that you have an SSH connection and a working Optware installation. Visit the DD-WRT Optware page for additional information on installing Optware. In short, you need to mount /opt and run the bootstrap command. (Bootstrap may only be available in Kong builds.) How you mount /opt does not matter as long as the user nobody has read and write access. I won't go into too much detail, but I have used a CIFS mount for mine:
Once you have an SSH connection and Optware is properly functioning, install Squid. You may also want to install nano if you prefer nano over vi like I do:
Code:
opkg install squid
opkg install nano
Create Missing Directories
Now that we have Squid installed, we need to create a few directories before Squid will run. The default installation is a bit broken and needs the following directories to be created:
IMPORTANT: As previously mentioned, make sure the user nobody has read and write access to all directories in /opt. If you are mounting via CIFS, ensure you use uid=nobody in your mount options. This will save you a lot of headaches.
My device does not create the /dev/shm/ directory so I create it and change the owner to nobody. You should check your device to see if the directory exists before doing this.
Certificates, Certificates and more Certificates
Now that we have our directories created, we need to initialize the certificate cache:
Next you will need to generate a self-signed root certificate and copy the certificate and key to /opt/etc/squid/ssl/. There are plenty of guides on how to generate your own certificate, so I will not be going into detail on this. However, if you need a place to start, you may visit the Squid Dynamic SSL Certificate Generation page where you can find a few clues as to the correct commands to use. Just be sure to have the certificate and key separated, or change the Squid configuration file to point to a combined certificate and key file.
Squid doesn't come with any Global Root Certificates by default, so you'll need to copy your own into /opt/etc/squid/ssl/cacerts/. There are several ways you can obtain Root Certificates. The easiest method is to copy them from /etc/ssl/certs/ on a Debian based system. You may also download them from Curl's CA Extract page.
Once you have your Root Certificate generated, create a DER certificate and import it into your web browser. Visit the Squid Dynamic SSL Certificate Generation page for additional information on creating the DER certificate.
Modern Ciphers
It's a good idea to generate a DH/EDH cipher and copy it to /opt/etc/squid/ssl/. This will help to harden your Squid connections. If you have a version of Squid older than 3.5.27, you may need to use a different directive in the Squid configuration file. Visit the link above to obtain the relevant directive.
If you don't want to use a modern cipher then you can skip this section, but be sure to change the Squid configuration file accordingly.
Squid Configuration File
Add the following configuration directives to the end of /opt/etc/squid/squid.conf:
Code:
# If you have 64 MB device RAM you can use 16 MB cache_mem, default is 8 MB
cache_mem 8 MB
maximum_object_size_in_memory 100 KB
maximum_object_size 32 MB
# Leave coredumps in the first cache dir
coredump_dir /opt/var/cache/squid
# Set the cache directory location and size
cache_dir aufs /opt/var/cache/squid 500 16 256
# Listen on port 3130 for https
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/etc/squid/ssl/cert.pem key=/opt/etc/squid/ssl/key.pem tls-dh=prime256v1:/opt/etc/squid/ssl/tls-dh.pem
# Listen on port 3129 for http
http_port 3129 intercept
# Squid normally listens to port 3128 for direct browser connections
# Squid refuses to run if port 3128 is missing - giving a "no forwarding proxy configured" error
http_port 3128
# Visit https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Troubleshooting for additional information on the following version differences
# For Squid 3.5.x only
sslcrtd_program /opt/lib/squid/ssl_crtd -s /opt/etc/squid/ssl/ssl_db -M 4MB
sslcrtd_children 5
# For Squid 4 and newer
#tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
# Replace this section with your own ssl_bump and acl rules
# Visit https://wiki.squid-cache.org/Features/SslPeekAndSplice for additional information
# NOTE: You should splice banking websites
acl step1 at_step SslBump1
acl excludeServerFromProxy ssl::server_name .example.org
ssl_bump peek step1
ssl_bump splice excludeServerFromProxy
ssl_bump stare all
The important parts here are the cache size, ports, rules and file paths. Ensure they are what you expect them to be before continuing. As there are so many possible configuration directives, I will not be going into further detail about the configuration directives and what they do. Visit the Squid Configuration Directives Documentation page for additional information.
Cache Building
Next, build the cache that Squid will use:
Code:
squid -z
You should receive similar output to the following:
Code:
2019/01/05 15:43:09 kid1| Set Current Directory to /opt/var/cache/squid
2019/01/05 15:43:09 kid1| Creating missing swap directories
2019/01/05 15:43:09 kid1| /opt/var/cache/squid exists
2019/01/05 15:43:09 kid1| Making directories in /opt/var/cache/squid/00
2019/01/05 15:43:09 kid1| Making directories in /opt/var/cache/squid/01
2019/01/05 15:43:10 kid1| Making directories in /opt/var/cache/squid/02
2019/01/05 15:43:10 kid1| Making directories in /opt/var/cache/squid/03
2019/01/05 15:43:10 kid1| Making directories in /opt/var/cache/squid/04
2019/01/05 15:43:11 kid1| Making directories in /opt/var/cache/squid/05
2019/01/05 15:43:11 kid1| Making directories in /opt/var/cache/squid/06
2019/01/05 15:43:11 kid1| Making directories in /opt/var/cache/squid/07
2019/01/05 15:43:12 kid1| Making directories in /opt/var/cache/squid/08
2019/01/05 15:43:12 kid1| Making directories in /opt/var/cache/squid/09
2019/01/05 15:43:12 kid1| Making directories in /opt/var/cache/squid/0A
2019/01/05 15:43:13 kid1| Making directories in /opt/var/cache/squid/0B
2019/01/05 15:43:13 kid1| Making directories in /opt/var/cache/squid/0C
2019/01/05 15:43:13 kid1| Making directories in /opt/var/cache/squid/0D
2019/01/05 15:43:14 kid1| Making directories in /opt/var/cache/squid/0E
2019/01/05 15:43:14 kid1| Making directories in /opt/var/cache/squid/0F
If you do not get the above output, ensure that file permissions are correct and that /opt/var/cache/squid/ exists. REMEMBER: The user nobody must have read and write access.
The Virgin Voyage
Now it is finally time to try to start Squid. Let's start Squid in a special debugging mode so that we can see what is happening in case something goes wrong.
Code:
squid -d 1
You should receive output similar to the following:
Code:
2019/01/05 15:44:30 kid1| Set Current Directory to /opt/var/cache/squid
2019/01/05 15:44:30 kid1| Starting Squid Cache version 3.5.27 for arm-openwrt-linux-gnu...
2019/01/05 15:44:30 kid1| Service Name: squid
2019/01/05 15:44:30 kid1| Process ID 23227
2019/01/05 15:44:30 kid1| Process Roles: worker
2019/01/05 15:44:30 kid1| With 1024 file descriptors available
2019/01/05 15:44:30 kid1| Initializing IP Cache...
2019/01/05 15:44:30 kid1| DNS Socket created at 0.0.0.0, FD 6
2019/01/05 15:44:30 kid1| Adding nameserver 192.168.x.x from /etc/resolv.conf
2019/01/05 15:44:30 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
2019/01/05 15:44:30 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2019/01/05 15:44:30 kid1| Logfile: opening log stdio:/dev/null
2019/01/05 15:44:30 kid1| Swap maxSize 51200000 + 262144 KB, estimated 3958626 objects
2019/01/05 15:44:30 kid1| Target number of buckets: 197931
2019/01/05 15:44:30 kid1| Using 262144 Store buckets
2019/01/05 15:44:30 kid1| Max Mem size: 262144 KB
2019/01/05 15:44:30 kid1| Max Swap size: 51200000 KB
2019/01/05 15:44:30 kid1| Rebuilding storage in /opt/var/cache/squid (no log)
2019/01/05 15:44:30 kid1| Using Least Load store dir selection
2019/01/05 15:44:30 kid1| Set Current Directory to /opt/var/cache/squid
2019/01/05 15:44:30 kid1| Finished loading MIME types and icons.
2019/01/05 15:44:30 kid1| HTCP Disabled.
2019/01/05 15:44:30 kid1| Pinger socket opened on FD 25
2019/01/05 15:44:30 kid1| Squid plugin modules loaded: 0
2019/01/05 15:44:30 kid1| Adaptation support is off.
2019/01/05 15:44:30 kid1| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 21 flags=41
2019/01/05 15:44:30 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 22 flags=9
2019/01/05 15:44:30 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:3130 remote=[::] FD 23 flags=41
2019/01/05 15:44:34 kid1| Done scanning /opt/var/cache/squid dir (0 entries)
2019/01/05 15:44:34 kid1| Finished rebuilding storage from disk.
2019/01/05 15:44:34 kid1| 0 Entries scanned
2019/01/05 15:44:34 kid1| 0 Invalid entries.
2019/01/05 15:44:34 kid1| 0 With invalid flags.
2019/01/05 15:44:34 kid1| 0 Objects loaded.
2019/01/05 15:44:34 kid1| 0 Objects expired.
2019/01/05 15:44:34 kid1| 0 Objects cancelled.
2019/01/05 15:44:34 kid1| 0 Duplicate URLs purged.
2019/01/05 15:44:34 kid1| 0 Swapfile clashes avoided.
2019/01/05 15:44:34 kid1| Took 4.61 seconds ( 0.00 objects/sec).
2019/01/05 15:44:34 kid1| Beginning Validation Procedure
2019/01/05 15:44:34 kid1| Completed Validation Procedure
2019/01/05 15:44:34 kid1| Validated 0 Entries
2019/01/05 15:44:34 kid1| store_swap_size = 0.00 KB
2019/01/05 15:44:35 kid1| storeLateRelease: released 0 objects
Issue the following command to check if Squid has successfully started:
Code:
ps | grep -i squid
This will give you output similar to:
Code:
23225 root 11236 S squid -d 1
23227 nobody 16680 S {squid} (squid-1) -d 1
23229 nobody 3452 S {ssl_crtd} (ssl_crtd) -s /opt/etc/squid/ssl/ssl_db -M 4MB
23230 nobody 3364 S {ssl_crtd} (ssl_crtd) -s /opt/etc/squid/ssl/ssl_db -M 4MB
23231 nobody 3364 S {ssl_crtd} (ssl_crtd) -s /opt/etc/squid/ssl/ssl_db -M 4MB
23232 nobody 3364 S {ssl_crtd} (ssl_crtd) -s /opt/etc/squid/ssl/ssl_db -M 4MB
23233 nobody 3364 S {ssl_crtd} (ssl_crtd) -s /opt/etc/squid/ssl/ssl_db -M 4MB
23277 root 1196 S grep squid
If you do not get any output other than the grep line, then something is wrong with Squid. You should check the output from the previous squid -d 1 command for clues as to what went wrong.
iptables (Yay!)
NOTE: If you don't want to set up Squid to be a transparent proxy, then skip this step and configure your web browser's proxy settings to send traffic to port 3128. (You still need to open the port with the first iptables line from below.) You may also want to remove the relevant http_port/https_port lines from your configuration file for the other ports. Be aware that you'll lose the HTTPS proxy function as browsers do not yet have good support for direct communication to an HTTPS proxy. That is why you should only be using one port with this type of configuration.
Now that we have Squid up and running, we can redirect our traffic to the correct port so that Squid can receive it. Be sure your configured ports match the redirection rule's ports. If you forward non-https traffic to Squid's https port, it will be refused. Also, make sure that you are using the correct interface -- in this case br0.
Issue the following commands to add the redirect rules using iptables:
You made it! Congratulations, you should now be able to happily browse the Internet at decent first-page-load speeds and blazing fast subsequent-page-load speeds. If you are unable to pleasantly browse the worldwide inter-webs, scroll to the Notes and Comments section at the end of this article for some useful hints.
Making it Permanent
At this point, you should have a fully functioning Squid installation. The only problem is, it is temporary. When you restart your router, Squid will not be started automatically and special directories will once again be missing.
To fix this, add the following to your startup script by opening your router's DD-WRT configuration page (usually at http://192.168.0.1) and navigating to the Administration Tab -> Commands Tab.
Input the following into the Command Shell field:
Code:
/bin/mkdir /dev/shm
/bin/chown nobody /dev/shm
/opt/sbin/squid &
Click on Save Startup to save your changes.
NOTE: If you are using a CIFS mount, you should add the relevant commands from the top of this article to your startup script as well.
After you have saved the startup script, input the following into the Command Shell field to add the iptables commands to the firewall script:
Click on Save Firewall to save your changes.
Finish Line!
Now it is time to reboot and marvel at your work. If all is good, you should be able to browse the Internet without problems, but we still need to verify the proxy is actually working.
To do this, visit https://example.com in your web browser. Open the properties for the certificate of the website and look for your Root Certificate's information to be populated under the Issued by field. If your Root Certificate's information is not present, then your traffic is not being proxied correctly.
Some fine tuning needs to be done after you have a working installation. You'll probably want to change the acl directives at the end of your Squid configuration file to be what you want.
Specifically, you need to change .example.org in the acl line to a banking website or a website that you do not want to be included in the proxy. You may add additional acl lines to exclude multiple sites.
You may also want to enable logging. To do this, edit the configuration file and remove the following lines:
Next, add a cronjob to rotate the logs by visiting your router's DD-WRT configuration page (usually at http://192.168.0.1) and navigating to Administration Tab -> Management Tab.
Input the following into the Cron section:
Code:
0 0 * * * /opt/sbin/squid -k rotate
Click on Save to save your changes. Reboot the router or run squid -k reconfigure to make your changes immediate.
Notes and Comments
The following commands are very useful when troubleshooting:
Delete an iptables entry by first viewing the list:
Code:
iptables -t nat --list --line-numbers
Then issue the following (you must replace # with the number of the rule you want to delete):
Code:
iptables -t nat -D PREROUTING #
Some errors Squid spits out are a little vague. If you receive a segmentation fault of any kind, it is most likely due to missing directories or incorrect permissions. Here is a list of errors I have run across while installing Squid and the solutions to each:
Code:
FATAL: Failed to verify one of the swap directories, Check cache.log
for details. Run 'squid -z' to create swap directories
if needed, or if running Squid for the first time.
Check that the /var/cache/squid/ directory exists and that the user nobody has read and write access to it. Run squid -z if the directory is empty.
Code:
FATAL: Ipc::Mem::Segment::create failed to shm_open(/squid-cf__metadata.shm): (2) No such file or directory
Check that the /dev/shm/ directory exists and that the user nobody has read and write access to it.
Code:
FATAL: Unable to open HTTPS Socket
For any errors similar to this one, check that Squid is not already running and that no other process is using any of Squid's ports (3128, 3129, 3130).
Code:
pinger: Initialising ICMP pinger ...
icmp_sock: (1) Operation not permitted
pinger: Unable to start ICMP pinger.
icmp_sock: (97) Address family not supported by protocol
pinger: Unable to start ICMPv6 pinger.
FATAL: pinger: Unable to open any ICMP sockets.
These error messages regard the ping utility. They can be safely ignored.
Code:
FATAL: Received Segment Violation...dying.
I'm not sure what this was about. It happened once when I issued the squid -k restart command. Regardless, the restart never works, so I just don't use it. I use squid -k shutdown instead and bring Squid back up with squid after about 30 seconds. (Squid waits 30 seconds before shutting down during a clean shutdown.)
Code:
BUG: Unexpected state while connecting to a cache_peer or origin server
I'm not sure of the cause of this error either. I received it when posting to the DD-WRT forums along with messages about the queue being overloaded and to increase the number of ssl_crtd processes in the configuration file. I did so to no avail and the Squid process finally died one of the times I attempted to issue the squid -k reconfigure command. For now, I deleted and rebuilt the ssl_db directory, then rebooted. The error seems to be gone.
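As an added example that is not part of the original post, here is a small Python check for the ssl_bump tail of the squid.conf above: it confirms that every ssl_bump rule refers to a defined acl, that the peek rule precedes the catch-all stare (otherwise splice rules never match), flags the .example.org placeholder that the fine-tuning section says to replace, and substitutes the real sites you want spliced. SAMPLE_CONF is constructed from the posted configuration; the domain names used in the check are placeholders.

```python
"""Sanity-check the ssl_bump rules of a Squid config before putting it in front of users."""
import re
from typing import Dict, List, Tuple

# Constructed input: the ssl_bump tail of the squid.conf posted in the guide,
# with the .example.org placeholder still in place.
SAMPLE_CONF = """\
http_port 3128
acl step1 at_step SslBump1
acl excludeServerFromProxy ssl::server_name .example.org
ssl_bump peek step1
ssl_bump splice excludeServerFromProxy
ssl_bump stare all
"""


def parse_ssl_bump(conf: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Collect acl definitions (name -> [type, values...]) and ssl_bump rules in file order."""
    acls: Dict[str, List[str]] = {}
    rules: List[Tuple[str, str]] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            # Squid merges repeated acl lines with the same name; do the same here.
            acls.setdefault(parts[1], [parts[2]]).extend(parts[3:])
        elif parts[0] == "ssl_bump" and len(parts) >= 3:
            rules.append((parts[1], parts[2]))
    return acls, rules


def lint_ssl_bump(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the section looks sane."""
    acls, rules = parse_ssl_bump(conf)
    problems: List[str] = []
    for action, acl in rules:
        if acl != "all" and acl not in acls:
            problems.append(f"ssl_bump {action} references undefined acl '{acl}'")
    actions = [action for action, _ in rules]
    if "peek" not in actions:
        problems.append("no 'ssl_bump peek' rule: server names cannot be matched")
    elif "stare" in actions and actions.index("stare") < actions.index("peek"):
        problems.append("'ssl_bump stare' precedes 'peek': splice rules never match")
    for name, values in acls.items():
        if values[0] == "ssl::server_name" and ".example.org" in values[1:]:
            problems.append(f"acl '{name}' still lists the placeholder .example.org")
    return problems


def spliced_server_names(conf: str) -> List[str]:
    """Server names this config passes through untouched instead of decrypting."""
    acls, rules = parse_ssl_bump(conf)
    names: List[str] = []
    for action, acl in rules:
        if action == "splice" and acl in acls and acls[acl][0] == "ssl::server_name":
            names.extend(acls[acl][1:])
    return names


def with_exclusions(conf: str, domains: List[str]) -> str:
    """Replace the placeholder acl line with one listing the real sites to splice."""
    pattern = r"^acl excludeServerFromProxy ssl::server_name .*$"
    repl = "acl excludeServerFromProxy ssl::server_name " + " ".join(domains)
    return re.sub(pattern, repl, conf, flags=re.M)
```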