Linux how to articles and guides, PHP / MySQL / Python / Bash scripting, and music tips, tricks, and hacks

I really love pfSense (freebsd-based firewall distribution) for home and office routers. It takes whatever dusty old x86 box you have (pentium 3 or newer usually works fine [bonus points if you're using a nice Intel server NIC]) and turns it into a great router / gateway box.

We use pfSense at work, and I use it at home, as well as at my parents’ house. I run mine on a HP thin client with a PCI-E slot holding a nice two-port Intel Pro 1000MT card, and my dad gets an older thin client with just a PCI secondary NIC (which works great). These thin clients are available on eBay for usually less than $50. The HP I’m running was really a steal and I could upgrade it from a mobile chip to a real AMD Athlon if I wanted, but it’s fast enough as it is. (also, @sullrich , the lead developer for pfSense, is a great guy.)

Anyway, the hack I wanted to share today concerns automated backup lovers. I was originally planning on using the rubygem Watir to do this, but that’s totally overkill to just press a button on a page and save a file.
Without further ado, here is how to download the configuration from your pfsense box, assuming your pfsense box is at 10.0.0.1:

curl -d “Submit=Download%20configuration” –insecure https://admin:[email protected]/diag_backup.php > “my_awesome_pfSense_config_and_the_$(date)_probably.xml”

This is a pretty simple one and goes along with my last few posts about Squid. Sites like whatismyip.com will let you know if they detect a proxy, and other services might act strange if you’re behind a proxy — particularly music / movie streaming stuff. Since we’re not doing anything malicious here, we can just make Squid undetectable so those sites will just work “as they should”.

Throw this into your Squid config and restart squid to apply the changes (note that there are two blocks here depending on what version of squid you’re using — comment/uncomment accordingly):

# privacy stuff so squid is undetectable
via off
httpd_suppress_version_string    on
forwarded_for delete

# --- Squid 3.x section ---
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
## you just need the 'request_header_access' stuff for localhost squid setups,
## but the below might also come in handy for running a proxy on your local net
# reply_header_access Via deny all
# reply_header_access X-Forwarded-For deny all
# --- end Squid 3.x section ---

# --- Squid 2.x section ---
# header_access Via deny all
# header_access X-Forwarded-For deny all
# --- end Squid 3.x section ---

I haven’t tried this in a long time, but I used to run Squid3 at home on my pfSense router box (older Pentium 4 — worked great) and I just had the idea to use it on my laptop to speed up web browsing. It makes a HUGE difference and now pages look like they’re using AJAX for requests since the images and headers and stuff just stay put when moving between pages. RAM cache is monumentally faster than disk cache, and we’re just totally disabling disk caching / log files with this squid3 config.

To set this up, you’ll need to install squid3, set your web browser to use 127.0.0.1 (sometimes the POSIX standard of just ’0′ isn’t supported because some developers make crappy software that isn’t really POSIX) port 3128 as a proxy for HTTP (you could cache HTTPS too but IMO it’s not worth it for just general browsing), paste the stuff below at the bottom of your squid3 config file (/etc/squid3/squid.conf on Ubuntu 11.04 for me) and restart squid3 (/etc/init.d/squid3 restart).

I left most of the stuff default, but I disabled the log files and set the RAM cache down to 128 MB. You can adjust as necessary.

Update: Put some comments in to help with getting this working in Squid v2.x, disk cache, and making it work on your local network

## root@helios:/etc/squid3# egrep -v '^#' squid.conf |tr -s '\n'

## uncomment next line if using squid 2
#acl all src 0.0.0.0/0.0.0.0

## example of how to let your whole local 192.168.1.0/24 network use the cache
#acl localnet src 192.168.1.0/24
#http_access allow manager localnet
#http_access allow localnet

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 128 MB
maximum_object_size_in_memory 512 KB
memory_replacement_policy heap LFUDA
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

## disk cache stuff if you want
#cache_replacement_policy heap LFUDA
#cache_dir aufs /var/spool/squid 4096 16 256
#minimum_object_size 0 KB
#maximum_object_size 4096 KB
#cache_swap_low 90
#cache_swap_high 95

## disable all logging for better performance
access_log none
cache_store_log none
cache_log /dev/null