Folks,

I know this topic has come up with previous versions of Squid, and I've seen various answers in the archives, but I was wondering what the official stance was for 2.6 (and maybe what the plan would be for 3.0).

I'm working on setting up a pair of Linux servers (running RHEL 4 and Squid 2.6STABLE3) which will sit in our DMZ and serve as reverse proxy servers/HTTP accelerators for our external web sites. One of the steps I wanted to take to secure these systems was to run Squid chroot'ed. Thus I configured a new directory, /cache, which would serve as the base of the chroot, which I implemented using the chroot directive in my squid.conf (see below).

I was somewhat surprised at the number of files required... seems that more is required now than simply the cache directories, /dev/null, and a directory for logs, as I was expecting. Please see below for the output of find /cache -ls on my test box -- I snipped out the lower-level directories in errors, icons, and my two cache directories for brevity. Is this the correct list of files needed in the chroot, or do I have something misconfigured?

I should note that though I can connect to my test suite via this Squid cache using Firefox, I do still get startup errors when the child processes start:

...
Sep 22 16:20:20 trailmap squid[14800]: Squid Parent: child process 14931 exited due to signal 6
Sep 22 16:20:20 trailmap squid[14800]: Exiting due to repeated, frequent failures

The only other error I see is in /cache/logs/cache.log:

2006/09/22 23:21:12| ipcCreate: /usr/lib/squid/unlinkd: (2) No such file or directory

I'd appreciate any pointers or suggestions on troubleshooting either of these.

Thanks,

Jeff Tharp
System Administrator
ESRI - Redlands, CA
http://www.esri.com

PS: Thanks so much for releasing 2.6, it really is a huge improvement for those of us using Squid for a reverse proxy!
:-)

~~~squid.conf~~~~
#
# Squid 2.6 Configuration
#
# Version 2.0 Jeff Tharp 9/21/2006
#
# -----------------------------------------------
# GENERAL/NETWORK SETTINGS

# Ports
http_port 80 vhost
# https_ports defined in virtualhosts section
icp_port 0

# Connection Timeouts
forward_timeout 4 minutes
connect_timeout 1 minute
peer_connect_timeout 30 seconds
request_timeout 5 minutes

# User/Group to run as
cache_effective_user squid
cache_effective_group squid

# Email of cache manager
cache_mgr basis@xxxxxxxx

# General SSL configuration
ssl_unclean_shutdown off
sslproxy_version 1

# Maximum file descriptors (set at compile)
max_filedesc 16384

# -----------------------------------------------
# CACHE SETTINGS

# Adjust based on physical RAM of system
cache_mem 332 MB

# Increase cache_swap_low if cache_mem is high
cache_swap_low 93
cache_swap_high 95

# Maximum size for objects to be saved to disk
# Objects larger than this will not be cached
maximum_object_size 10240 KB

# Minimum size for objects to be saved to disk
minimum_object_size 0 KB

# Maximum size for objects to be stored in memory
maximum_object_size_in_memory 128 KB

# Replacement policy for disk cache
# Options are:
#   lru         Original LRU policy (default)
#   heap GDSF   GDSF, higher object hit rate, lower byte hit rate
#   heap LFUDA  LFUDA, higher byte hit rate, lower obj hit rate
#   heap LRU    LRU policy implemented with a heap
#
# For LFUDA, increase maximum_object_size
# For GDSF, decrease maximum_object_size
#
cache_replacement_policy heap GDSF

# Replacement policy for memory cache
# Same options as disk cache policy
#
memory_replacement_policy heap GDSF

# Disk cache location
# Usage:
#   cache_dir Type Path Size (in MB) L1 L2
# Note if Path is a filesystem, Size should be no larger
# than 80% of the size of the filesystem, in MB
cache_dir aufs /data/data1 8192 64 512
cache_dir aufs /data/data2 8192 64 512

# Refresh pattern
# Determines how objects are expired from cache
# Usage:
#   refresh_pattern regex min percent max
#   regex   is a regular expression to match against request URI
#   min     is the time in minutes to consider an object fresh
#           unless otherwise specified
#   percent is the percentage of the object's age that an object
#           will be considered fresh
#   max     is the upper limit on how long an object will be considered
#           fresh
#
# Objects are considered:
#   FRESH if expires < now, else STALE
#   STALE if age > max
#   FRESH if lm-factor < percent, else STALE
#   FRESH if age < min
#   else STALE
# (these are checked in the order listed)
refresh_pattern -i \.js$  0 0%  1
refresh_pattern -i \.css$ 0 10% 30
refresh_pattern .         0 20% 4320

# Quick Abort
# These options control how Squid handles downloading
# aborted requests
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95

# Negative TTL for failed requests
# Controls how long Squid remembers failed requests
negative_ttl 1 minutes

# Correct broken vary encoding for Apache:mod_deflate
acl apache rep_header Server ^ArcWS
broken_vary_encoding allow apache

# Minimum caching time based on expiry
minimum_expiry_time 0 seconds

# -----------------------------------------------
# LOG SETTINGS

# Log Format
logformat combined %Ss:%Sh %la %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h"

# Access Log (main request log)
cache_access_log /cache/logs/access.log combined

# Cache Log (cache handling log)
cache_log /cache/logs/cache.log

# Store Log (storage manager log, can be disabled)
cache_store_log none

# Emulate HTTPD Log
# Causes access log to match format of Apache web log
emulate_httpd_log off

# PID file location
pid_filename /var/run/squid.pid

# Number of log file rotations to keep
# Set to 0 if using a separate log rotation program
logfile_rotate 0

# Client DB (database of per-client statistics)
client_db off

# Strip query terms before logging
strip_query_terms off

# -----------------------------------------------
# SECURITY SETTINGS

# Access Controls
# ACLs (see docs for details of syntax)
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl safe_ports port 80 443
acl CONNECT method CONNECT
#acl DYNAMIC urlpath_regex \.jsp \.cfm \.do \?

# Allow cache purge from localhost only
# (ACL names are case-sensitive; the name must match in the http_access lines)
acl purge method PURGE
http_access allow purge localhost
http_access deny purge

# http_access
# Allows or denies access based on ACL (first match)
# Deny access to unknown ports
http_access deny !safe_ports
# Default deny rule
#http_access deny all

# http_reply_access
# Allow replies to requests, complement of http_access
http_reply_access allow all

# icp_access
icp_access deny all

# Turn off caching for dynamic content
#no_cache deny DYNAMIC

# Security checks on replies and requests
# Maximum request header size
request_header_max_size 10 KB
# Maximum request body size (0 to disable)
request_body_max_size 0 KB
# Maximum reply header size
reply_header_max_size 20 KB
# Maximum reply body size (0 to disable)
reply_body_max_size 0 allow all

# X-Forwarded-For header (set to off to suppress it)
forwarded_for on

# Disable cache manager passwords
cachemgr_passwd none all

# Chroot location
chroot /cache

# Suppress version
httpd_suppress_version_string on

# -----------------------------------------------
# VIRTUALHOSTS SETTINGS

# xoriat.esri.com:8100
cache_peer xoriat.esri.com parent 8100 0 no-query originserver name=test1
cache_peer_domain test1 trailmap.esri.com

~~~Output of find /cache -ls ~~~~~
      2    4 drwxr-xr-x  10 root  root   4096 Sep 22 16:05 /cache
     12    0 lrwxrwxrwx   1 root  root      1 Sep 22 16:05 /cache/cache -> .
1077121    4 drwxr-xr-x   3 root  root     4096 Sep 22 16:19 /cache/etc
1078493    4 -rw-r--r--   1 root  root       59 Sep 22 16:19 /cache/etc/resolv.conf
1077122    4 drwxr-xr-x   2 root  root     4096 Sep 22 16:18 /cache/etc/squid
1078491    8 -rw-r-----   1 root  squid    5549 Sep 22 16:18 /cache/etc/squid/squid.conf
1078482    0 lrwxrwxrwx   1 root  root       31 Sep 22 16:18 /cache/etc/squid/errors -> /usr/share/squid/errors/English
1078484    4 -rw-r--r--   1 root  root      421 Sep 22 16:18 /cache/etc/squid/msntauth.conf
1078488   28 -rw-r--r--   1 root  root    26969 Sep 22 16:18 /cache/etc/squid/mib.txt
1078486    0 lrwxrwxrwx   1 root  root       22 Sep 22 16:18 /cache/etc/squid/icons -> /usr/share/squid/icons
1078492    4 -rw-r--r--   1 root  root      421 Sep 22 16:18 /cache/etc/squid/msntauth.conf.default
1078483   12 -rw-r--r--   1 root  root    11651 Sep 22 16:18 /cache/etc/squid/mime.conf.default
1078490  152 -rw-r-----   1 root  squid  147632 Sep 22 16:18 /cache/etc/squid/squid.conf.old
1078489   12 -rw-r--r--   1 root  root    11651 Sep 22 16:18 /cache/etc/squid/mime.conf
1078485    4 -rw-r-----   1 root  squid     419 Sep 22 16:18 /cache/etc/squid/cachemgr.conf
1078487  152 -rw-r--r--   1 root  root   147632 Sep 22 16:18 /cache/etc/squid/squid.conf.default
2350081    4 drwxr-x---   2 squid squid    4096 Sep 24 04:02 /cache/logs
2350084    0 -rw-------   1 squid squid       0 Sep 23 04:02 /cache/logs/access.log
2350083    4 -rw-------   1 squid squid      88 Sep 24 11:17 /cache/logs/cache.log
2350082    4 -rw-------   1 root  root     1878 Sep 22 16:21 /cache/logs/squid.out
 456961    4 drwxr-xr-x   3 root  root     4096 Sep 22 16:02 /cache/var
 456962    4 drwxrwxrwx   2 root  root     4096 Sep 22 16:21 /cache/var/run
 456963    4 -rw-r--r--   1 squid squid       6 Sep 22 16:21 /cache/var/run/squid.pid
1778881    4 drwxr-xr-x   2 root  root     4096 Sep 22 16:01 /cache/dev
1778882    0 crw-rw-rw-   1 root  root          Sep 22 16:01 /cache/dev/null
1942081    4 drwxr-xr-x   4 root  root     4096 Sep 22 14:11 /cache/usr
1942082    4 drwxr-xr-x   3 root  root     4096 Sep 22 16:06 /cache/usr/lib
1942084    4 drwxr-xr-x   2 root  root     4096 Sep 22 16:06 /cache/usr/lib/squid
1943063    4 -rwxr-xr-x   1 root  root     2280 Sep 22 16:06 /cache/usr/lib/squid/smb_auth.sh
1943062   48 -rwxr-xr-x   1 root  root    45066 Sep 22 16:06 /cache/usr/lib/squid/msnt_auth
1943061   24 -rwxr-xr-x   1 root  root    22096 Sep 22 16:06 /cache/usr/lib/squid/diskd-daemon
1943059   20 -rwxr-xr-x   1 root  root    17339 Sep 22 16:06 /cache/usr/lib/squid/yp_auth
1943053   24 -rwsr-x---   1 root  squid   22935 Sep 22 16:06 /cache/usr/lib/squid/ncsa_auth
1943057   56 -rwxr-xr-x   1 root  root    52675 Sep 22 16:06 /cache/usr/lib/squid/ntlm_auth
1943064   28 -rwxr-xr-x   1 root  root    25892 Sep 22 16:06 /cache/usr/lib/squid/squid_ldap_auth
1943047   20 -rwsr-x---   1 root  squid   19800 Sep 22 16:06 /cache/usr/lib/squid/pam_auth
1943048   20 -rwxr-xr-x   1 root  root    18959 Sep 22 16:06 /cache/usr/lib/squid/fakeauth_auth
1943051   24 -rwxr-xr-x   1 root  root    22356 Sep 22 16:06 /cache/usr/lib/squid/digest_pw_auth
1943050   20 -rwxr-xr-x   1 root  root    16513 Sep 22 16:06 /cache/usr/lib/squid/getpwname_auth
1943052   20 -rwxr-xr-x   1 root  root    17250 Sep 22 16:06 /cache/usr/lib/squid/sasl_auth
1943058   28 -rwxr-xr-x   1 root  root    26974 Sep 22 16:06 /cache/usr/lib/squid/squid_ldap_group
1943049    4 -rwxr-xr-x   1 root  root     4010 Sep 22 16:06 /cache/usr/lib/squid/smb_auth.pl
1943045    4 -rwxr-xr-x   1 root  root     2359 Sep 22 16:06 /cache/usr/lib/squid/wbinfo_group.pl
1943056   20 -rwxr-xr-x   1 root  root    18345 Sep 22 16:06 /cache/usr/lib/squid/smb_auth
1943060    8 -rwxr-xr-x   1 root  root     7423 Sep 22 16:06 /cache/usr/lib/squid/unlinkd
1943055   20 -rwxr-xr-x   1 root  root    18359 Sep 22 16:06 /cache/usr/lib/squid/ip_user_check
1943054   20 -rwxr-xr-x   1 root  root    18634 Sep 22 16:06 /cache/usr/lib/squid/squid_unix_group
1943046   32 -rwxr-xr-x   1 root  root    30222 Sep 22 16:06 /cache/usr/lib/squid/cachemgr.cgi
1942083    4 drwxr-xr-x   3 root  root     4096 Sep 22 15:01 /cache/usr/share
1942085    4 drwxr-xr-x   4 root  root     4096 Sep 22 15:01 /cache/usr/share/squid
1942086    4 drwxr-xr-x  32 root  root     4096 Sep 22 15:01 /cache/usr/share/squid/errors
---snip--snip--snip---
1943017    4 drwxr-xr-x   2 root  root     4096 Sep 22 15:01 /cache/usr/share/squid/icons
---snip--snip--snip---
 979201    4 drwxr-x---   4 squid squid    4096 Sep 22 14:47 /cache/data
 979203    4 drwx------  66 squid squid    4096 Sep 22 16:21 /cache/data/data2
---snip--snip--snip---
 979202    4 drwx------  66 squid squid    4096 Sep 22 16:21 /cache/data/data1
---snip--snip--snip---
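Editor's note, with an added example that is not part of Jeff's message or of Squid itself. The unlinkd error quoted above ("(2) No such file or directory") is the classic chroot symptom: on Linux, execve() of a dynamically linked program fails with ENOENT when its ELF interpreter (/lib/ld-linux.so.2 on an i386 RHEL 4 box) or one of its shared libraries cannot be found inside the chroot, even though the program file itself is there. The listing shows /cache/usr/lib/squid/unlinkd but no /cache/lib at all, so, assuming the RHEL package's unlinkd is dynamically linked, that is the first thing to check. The script below takes the chroot root and one or more helper paths (as Squid sees them after chroot), asks ldd on the host for the libraries each copy needs, and reports every one that is missing under the chroot. The chroot path /cache and the helper name come from the post; the ldd output parsing assumes the glibc ldd format, and the temporary directory used in the self-check is constructed here.

```shell
#!/bin/sh
# chroot-libcheck.sh: report shared libraries a helper binary needs that are
# absent from a chroot. Added example for the squid chroot discussion above;
# not part of Squid. Run on the host as root, e.g.
#   sh chroot-libcheck.sh /cache /usr/lib/squid/unlinkd /usr/lib/squid/diskd-daemon

# missing_in_chroot ROOT LIBPATH...
# Print each absolute library path that does not exist under ROOT.
# Returns 1 if anything is missing, 0 otherwise.
missing_in_chroot() {
    root="$1"; shift
    rc=0
    for lib in "$@"; do
        if [ ! -e "$root$lib" ]; then
            echo "$lib"
            rc=1
        fi
    done
    return $rc
}

# ldd_paths BINARY
# Print the absolute paths ldd reports for BINARY: "libc.so.6 => /lib/libc.so.6 (0x...)"
# yields /lib/libc.so.6, and the bare interpreter line "/lib/ld-linux.so.2 (0x...)"
# yields /lib/ld-linux.so.2. Statically linked binaries yield nothing.
ldd_paths() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# check_helper ROOT HELPER
# HELPER is the path Squid will exec after chroot (e.g. /usr/lib/squid/unlinkd);
# the copy inspected is ROOT/HELPER. Fails if the copy is missing or any of its
# libraries (including the ELF interpreter) is not under ROOT.
check_helper() {
    root="$1"; bin="$2"
    if [ ! -x "$root$bin" ]; then
        echo "missing binary: $root$bin"
        return 1
    fi
    # word-splitting on the ldd output is intended here
    missing_in_chroot "$root" $(ldd_paths "$root$bin")
}

# Command-line entry point: ROOT followed by one or more helper paths.
if [ $# -ge 2 ]; then
    root="$1"; shift
    status=0
    for bin in "$@"; do
        if ! check_helper "$root" "$bin"; then
            status=1
        fi
    done
    exit $status
fi
```

Every path the script prints has to be copied to the same path under /cache (cp -p keeps it root-owned and not writable by the squid user, so the chroot does not become a convenient place to drop a replacement library). Two other things in the listing worth a second look before these boxes reach the DMZ: /cache/var/run is mode 777, and ncsa_auth and pam_auth are setuid root, yet the posted config declares no auth_param at all, so none of the auth helpers need to be inside the chroot. Also, the manager ACL is declared but no http_access line uses it and the final "http_access deny all" is commented out; Squid's implicit action after the last rule is the opposite of that rule, so anything not caught by "deny !safe_ports" is allowed, which with "cachemgr_passwd none all" makes cache manager exposure worth re-checking.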