
Re: commBind: Cannot bind socket error

The squid.conf is driven by the GUI front end provided in ClearOS 5.2. The only options there are:
Configuration:
    Maximum Cache Size - set to 100MB
    Minimum Size Object - set to 4MB
    MaximumDownload File Size - Set to unlimited
Web Proxy Mode:
    Transparent mode - set to enabled
    Banner and Pop-Up filter - set to disabled
    User Authentication - set to disabled

The rest of the configuration is as provided by ClearOS.

Following what you've said, I've removed the line "http_port 3128" because the other three http_port lines are written to dynamically by the ClearOS init script. This allows the proxy to start. And it is working. Thanks.

I've put some comments in line as well and I'll contact the ClearOS devs about the security issue.

Thanks,

Nick

On 01/05/2012 06:51, Amos Jeffries wrote:
On 1/05/2012 1:36 a.m., Nick Howitt wrote:
Hi,
I am new to squid and I am trying to run it on my ClearOS 5.2 gateway where it is supplied as a pre-configured package. However, whenever I try to start it I lose all internet access. I would like to run it in transparent mode, which is a menu option I have for it.

My cache.log reads:
2012/04/25 12:51:06| Starting Squid Cache version 2.6.STABLE21 for i686-redhat-linux-gnu...

<snip>
2012/04/25 12:51:06| Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 13.

So squid is configured to listen on a wildcard port (*:3128) which binds to every IP address the box has using a single open+listen operation. This is successful.

Then Squid is *also* instructed to bind particular IP:port combinations ...

2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to 192.168.3.1:3128: (98) Address already in use

... oops, *:3128 is already open ...

2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to 192.168.2.1:3128: (98) Address already in use

... oops, *:3128 is already open ...

2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to 127.0.0.1:3128: (98) Address already in use

... oops, *:3128 is already open ...

At this point I lose internet access, and it does not change when I switch it to transparent mode. I am not aware of anything else running on port 3128, and netstat -an -t | grep 3128 shows nothing.

You configured Squid to open port 3128 four times. Only the first attempt succeeds, the others clash with it.

Squid is operating with the wildcard port open for all traffic. BUT, intercepted traffic cannot be received by the regular forward-proxy port 3128. Your requests passed to any IP and port 3128 are rejected as malformed client->proxy requests (true, because they are client->origin format requests).



If it helps at all, this is my squid.conf:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.0/8
acl webconfig_lan src 192.168.2.0/24 192.168.3.0/24  192.168.10.0/24
acl webconfig_to_lan dst 192.168.2.0/24 192.168.3.0/24  192.168.10.0/24
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow webconfig_to_lan

The above "allow webconfig_to_lan" rule opens your proxy to 4 out of the 5 most common proxy attacks
http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls

Oops.


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Move your global allow rule down to here below the basic security protections.


And consider carefully why you need it in the first place. There are no accel mode ports configured. For an interception proxy you should be able to depend on the src type ACL to operate correctly or you have configured the interception rules wrong.
I'll ping the devs on this one as I don't like security issues, and this will be the same on all ClearOS implementations.


http_access allow localhost
http_access allow webconfig_lan
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern .        0    20%    4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid
error_directory /etc/squid/errors
follow_x_forwarded_for allow localhost
http_port 192.168.3.1:3128 transparent
http_port 192.168.2.1:3128 transparent
http_port 127.0.0.1:3128 transparent

Can anyone help me, please?

Please follow the advice in http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat#iptables_configuration
The ClearOS iptables rules are pretty similar and I believe they do the same.

Additionally, why do you have three interception ports? And why is 127.0.0.1 involved?
I have two LANs, so I can understand the two interception addresses. I'll ping the devs about 127.0.0.1.

Amos
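The two problems Amos points out above, the wildcard http_port that shadows the later IP-specific bindings and the allow rule placed ahead of the Safe_ports/CONNECT denies, can both be caught before restarting Squid. The following script is an added example, not code from this thread, from Squid or from ClearOS. It embeds a constructed copy of the relevant directives from the posted squid.conf (ACL, http_access and http_port lines only; the Safe_ports entries are collapsed onto one line), lints them, and reproduces the commBind failure at socket level with a wildcard listener followed by a specific-address bind, which on Linux yields EADDRINUSE (98) just as cache.log shows.

```python
"""Static checks for the two squid.conf problems discussed in the thread.

Added example; not code from Squid, ClearOS or the poster. Only http_port,
acl and http_access directives are parsed; everything else is ignored.
"""
import errno
import socket

# Constructed sample: the relevant directives from the posted squid.conf, in
# the order in which they appear there (Safe_ports collapsed onto one line).
POSTED_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.0/8
acl webconfig_lan src 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24
acl webconfig_to_lan dst 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow webconfig_to_lan
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow webconfig_lan
http_access deny all
http_port 3128
http_port 192.168.3.1:3128 transparent
http_port 192.168.2.1:3128 transparent
http_port 127.0.0.1:3128 transparent
"""

# Constructed: the same file with the wildcard http_port removed (what Nick did)
# and the dst-only allow rule dropped, since Amos asks why it is needed at all.
FIXED_CONF = POSTED_CONF.replace("http_port 3128\n", "").replace(
    "http_access allow webconfig_to_lan\n", "")


def parse(conf):
    """Return (http_port specs, acl name -> acl type, http_access rules)."""
    ports, acl_types, access = [], {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not words:
            continue
        if words[0] == "http_port":
            ports.append(words[1:])
        elif words[0] == "acl" and len(words) >= 3:
            acl_types[words[1]] = words[2]
        elif words[0] == "http_access" and len(words) >= 2:
            access.append((words[1], words[2:]))
    return ports, acl_types, access


def check_ports(ports):
    """Flag http_port lines whose bind must fail with EADDRINUSE because an
    earlier line already owns the port: a wildcard ("*") bind blocks every
    later IP:port on that port, and any earlier bind blocks a later wildcard."""
    findings, owners = [], {}            # owners: port -> set of addresses
    for spec in ports:
        addr, _, port = spec[0].rpartition(":")
        addr = addr or "*"               # a bare "3128" means every address
        held = owners.setdefault(port, set())
        if "*" in held or addr in held or (addr == "*" and held):
            findings.append(f"http_port {spec[0]}: port {port} already bound "
                            f"on {', '.join(sorted(held))}")
        else:
            held.add(addr)
    return findings


PROTECTIONS = (("deny", ("!Safe_ports",)), ("deny", ("CONNECT", "!SSL_ports")))


def check_access(access, acl_types):
    """Flag allow rules that (a) come before both standard deny lines, so the
    traffic they admit never meets those protections, or (b) are keyed only on
    dst ACLs, so any client anywhere is admitted for those destinations."""
    findings, protected = [], set()
    for n, (action, terms) in enumerate(access, 1):
        rule = f"rule {n}: http_access {action} {' '.join(terms)}"
        if (action, tuple(terms)) in PROTECTIONS:
            protected.add(tuple(terms))
            continue
        if action != "allow" or terms == ["manager", "localhost"]:
            continue                     # the textbook first rule is fine
        if len(protected) < len(PROTECTIONS):
            findings.append(f"{rule} precedes the Safe_ports/CONNECT denies")
        if terms and all(acl_types.get(t.lstrip("!")) == "dst" for t in terms):
            findings.append(f"{rule} has no src ACL: admits any client")
    return findings


def reproduce_wildcard_clash():
    """Open *:port and listen, then bind 127.0.0.1:port the way Squid does for
    the later http_port lines. Returns the errno of the second bind, or None
    if it succeeded. On Linux the result is EADDRINUSE (98) even with
    SO_REUSEADDR, because the wildcard socket is already in LISTEN state."""
    wild = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    wild.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    wild.bind(("0.0.0.0", 0))            # port 0: let the kernel pick a free one
    wild.listen(5)
    port = wild.getsockname()[1]
    specific = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    specific.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        specific.bind(("127.0.0.1", port))
        return None
    except OSError as exc:
        return exc.errno
    finally:
        specific.close()
        wild.close()


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        ports, acl_types, access = parse(conf)
        print(name, check_ports(ports) + check_access(access, acl_types))
    print("second bind errno:", reproduce_wildcard_clash(),
          "(EADDRINUSE is", errno.EADDRINUSE, ")")
```

Run against the posted configuration it reports the three IP:3128 lines as shadowed by the wildcard and the webconfig_to_lan allow both as preceding the protections and as having no src ACL; against the fixed configuration it reports nothing. Removing the wildcard line rather than the three transparent ones is the right direction here because intercepted traffic cannot be served by the plain forward-proxy port, as Amos explains.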

