Re: ssl_crtd process doesn't start with Squid 3.5.6

I did a new install of Squid 3.5.6 and it seems to be working now.

On Fri, Jul 24, 2015 at 7:24 PM, James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:
On Fri, 2015-07-24 at 19:15 -0500, Stanford Prescott wrote:
Thanks for that. Any ideas why I am experiencing that?


Stan



On Fri, Jul 24, 2015 at 7:07 PM, James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:
On Fri, 2015-07-24 at 17:25 -0500, Stanford Prescott wrote:
I have a working implementation of Squid 3.5.5 with ssl-bump. When 3.5.5 is started with ssl-bump enabled, all the squid and ssl_crtd processes start and Squid functions as intended when bumping ssl sites. However, when I bump Squid to 3.5.6, squid seems to start but ssl_crtd does not, and Squid 3.5.6 cannot successfully bump ssl.


These are the config options I use for both 3.5.5 and 3.5.6.

--enable-storeio="diskd,ufs,aufs" --enable-linux-netfilter \
--enable-removal-policies="heap,lru" --enable-delay-pools --libdir=/usr/lib/ \
--localstatedir=/var --with-dl --with-openssl --enable-http-violations \
--with-large-files --with-libcap --disable-ipv6 --with-swapdir=/var/spool/squid \
 --enable-ssl-crtd --enable-follow-x-forwarded-for



This is the squid.conf file used for both versions.

visible_hostname smoothwallu3

# Uncomment the following to send debug info to /var/log/squid/cache.log
debug_options ALL,1 33,2 28,9

# ACCESS CONTROLS
# ----------------------------------------------------------------
acl localhostgreen src 10.20.20.1
acl localnetgreen src 10.20.20.0/24

acl SSL_ports port 445 443 441 563
acl Safe_ports port 80            # http
acl Safe_ports port 81            # smoothwall http
acl Safe_ports port 21            # ftp
acl Safe_ports port 445 443 441 563    # https, snews
acl Safe_ports port 70             # gopher
acl Safe_ports port 210               # wais 
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280               # http-mgmt
acl Safe_ports port 488               # gss-http
acl Safe_ports port 591               # filemaker
acl Safe_ports port 777               # multiling http

acl CONNECT method CONNECT

# TAG: http_access
# ----------------------------------------------------------------



http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnetgreen
http_access allow CONNECT localnetgreen

http_access allow localhostgreen
http_access allow CONNECT localhostgreen

# http_port and https_port
#----------------------------------------------------------------------------

# For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.
#----------------------------------------------------------------------------
http_port 3127

http_port 10.20.20.1:800 intercept
https_port 10.20.20.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem


http_port 127.0.0.1:800 intercept

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_session_cache_size 4 MB

ssl_bump none localhostgreen

acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1
ssl_bump bump all

sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5

http_access deny all

cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF

# CACHE OPTIONS
# ----------------------------------------------------------------------------
cache_effective_user squid
cache_effective_group squid

cache_swap_high 100
cache_swap_low 80

cache_access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB

cache_dir diskd /var/spool/squid/cache 1024 16 256

maximum_object_size 33 MB

minimum_object_size 0 KB


request_body_max_size 0 KB

# OTHER OPTIONS
# ----------------------------------------------------------------------------
#via off
forwarded_for off

pid_filename /var/run/squid.pid

shutdown_lifetime 30 seconds
icp_port 3130

half_closed_clients off
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all

umask 022

logfile_rotate 0

strip_query_terms off

redirect_program /usr/sbin/squidGuard
url_rewrite_children 5


And this is the cache.log file when starting 3.5.6 with debug options on in squid.conf:

2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06 kid1| Current Directory is /
2015/07/24 17:15:06 kid1| Starting Squid Cache version 3.5.6 for i586-pc-linux-gnu...
2015/07/24 17:15:06 kid1| Service Name: squid
2015/07/24 17:15:06 kid1| Process ID 2907
2015/07/24 17:15:06 kid1| Process Roles: worker
2015/07/24 17:15:06 kid1| With 1024 file descriptors available
2015/07/24 17:15:06 kid1| Initializing IP Cache...
2015/07/24 17:15:06 kid1| DNS Socket created at 0.0.0.0, FD 8
2015/07/24 17:15:06 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2015/07/24 17:15:06 kid1| helperOpenServers: Starting 0/5 'squidGuard' processes
2015/07/24 17:15:06 kid1| helperOpenServers: No 'squidGuard' processes needed.
2015/07/24 17:15:06 kid1| Logfile: opening log stdio:/var/log/squid/access.log
2015/07/24 17:15:06 kid1| Unlinkd pipe opened on FD 15
2015/07/24 17:15:06 kid1| Store logging disabled
2015/07/24 17:15:06 kid1| Swap maxSize 1048576 + 65536 KB, estimated 85700 objects
2015/07/24 17:15:06 kid1| Target number of buckets: 4285
2015/07/24 17:15:06 kid1| Using 8192 Store buckets
2015/07/24 17:15:06 kid1| Max Mem  size: 65536 KB
2015/07/24 17:15:06 kid1| Max Swap size: 1048576 KB
2015/07/24 17:15:06 kid1| Rebuilding storage in /var/spool/squid/cache (dirty log)
2015/07/24 17:15:06 kid1| Using Least Load store dir selection
2015/07/24 17:15:06 kid1| Current Directory is /
2015/07/24 17:15:06 kid1| Finished loading MIME types and icons.
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d218 [call5]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c) [call5]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d3a8 [call7]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc) [call7]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d510 [call9]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544) [call9]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d6b0 [call11]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4) [call11]
2015/07/24 17:15:06.578 kid1| HTCP Disabled.
2015/07/24 17:15:06.578 kid1| Squid plugin modules loaded: 0
2015/07/24 17:15:06.578 kid1| Adaptation support is on
2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call5]
2015/07/24 17:15:06.578 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3127 remote=[::] FD 20 flags=9
2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call7]
2015/07/24 17:15:06.578 kid1| Accepting NAT intercepted HTTP Socket connections at local=10.20.20.1:800 remote=[::] FD 21 flags=41
2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call9]
2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted HTTP Socket connections at local=127.0.0.1:800 remote=[::] FD 22 flags=41
2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call11]
2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=10.20.20.1:808 remote=[::] FD 23 flags=41
2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
2015/07/24 17:15:06.579 kid1| Accepting ICP messages on 0.0.0.0:3130
2015/07/24 17:15:06.579 kid1| Sending ICP messages from 0.0.0.0:3130
2015/07/24 17:15:06.579 kid1| Done reading /var/spool/squid/cache swaplog (12 entries)
2015/07/24 17:15:06.579 kid1| Finished rebuilding storage from disk.
2015/07/24 17:15:06.579 kid1|        12 Entries scanned
2015/07/24 17:15:06.579 kid1|         0 Invalid entries.
2015/07/24 17:15:06.579 kid1|         0 With invalid flags.
2015/07/24 17:15:06.579 kid1|        12 Objects loaded.
2015/07/24 17:15:06.579 kid1|         0 Objects expired.
2015/07/24 17:15:06.579 kid1|         0 Objects cancelled.
2015/07/24 17:15:06.579 kid1|         0 Duplicate URLs purged.
2015/07/24 17:15:06.579 kid1|         0 Swapfile clashes avoided.
2015/07/24 17:15:06.579 kid1|   Took 0.06 seconds (210.47 objects/sec).
2015/07/24 17:15:06.579 kid1| Beginning Validation Procedure
2015/07/24 17:15:06.579 kid1|   Completed Validation Procedure
2015/07/24 17:15:06.579 kid1|   Validated 12 Entries
2015/07/24 17:15:06.579 kid1|   store_swap_size = 1444.00 KB
2015/07/24 17:15:07 kid1| storeLateRelease: released 0 objects



Any help or suggestions greatly appreciated.


Regards


Stan


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

I do not experience this issue:

[18:04:56 jlay:~/nobackup/build$] ps aux | egrep "ssl|squid"
root      3173  0.0  0.0  18840   372 ?        Ss   Jul23   0:00 /opt/sbin/squid
nobody    3175  0.0  1.2  52856 39744 ?        S    Jul23   0:47 (squid-1)
nobody    3177  0.0  0.0   5916  2040 ?        S    Jul23   0:05 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
nobody    3178  0.0  0.0   5828  1840 ?        S    Jul23   0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
nobody    3179  0.0  0.0   5828  1708 ?        S    Jul23   0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
nobody    3180  0.0  0.0   5648   912 ?        S    Jul23   0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
nobody    3181  0.0  0.0   5648   912 ?        S    Jul23   0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096

my config line:
./configure --prefix=/opt --with-openssl --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-forwarded-for --with-large-files --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none

Squid Cache: Version 3.5.6

James





I recall that when I was just starting out with ssl_crtd I had issues until I set the user running as squid on my ssl_db dir:

drwxr-xr-x 3 nobody root 4096 May 30 17:22 ssl_db

My ssl_crtd lines:
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5

Hope it helps.

James

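Added example, not from the thread or from the Squid project: a pre-flight script that checks the things this thread turns on before Squid is started. It parses a squid.conf for the ssl-bump directives (cache_effective_user, the -s <ssl_db> argument of sslcrtd_program, and cert=/key= on the ssl-bump port), then verifies that the helper binary exists and is executable, that the ssl_db directory exists, was initialised with ssl_crtd -c, and is owned by the user Squid drops to (the ownership James shows with ls -ld is exactly this check; Squid's default effective user is nobody, which the script assumes when the directive is absent), and that the CA PEM carries its private key. It also flags sslproxy_cert_error allow all and sslproxy_flags DONT_VERIFY_PEER from Stan's configuration, since with both set the proxy accepts any origin certificate while clients only ever see the proxy's own clean one. The embedded sample configuration is constructed from Stan's lines, the script and function names are mine, and the index.txt plus certs/ layout is what ssl_crtd -c is assumed to create.

```python
"""Pre-flight check for Squid ssl-bump with ssl_crtd: added example for the thread above,
not Squid's code or either poster's. Assumes the ssl_db layout that `ssl_crtd -c` creates
(index.txt plus certs/) and Squid's default effective user, nobody."""
import os, pwd, sys

# Constructed sample: the ssl-bump related lines trimmed from Stan's squid.conf.
SAMPLE_CONF = """\
cache_effective_user squid
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
https_port 10.20.20.1:808 intercept ssl-bump generate-host-certificates=on cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
"""

def parse_squid_conf(text):
    """(directive, args) per line; blank lines and '# ...' comments are dropped."""
    rows = (raw.split("#", 1)[0].split() for raw in text.splitlines())
    return [(words[0], words[1:]) for words in rows if words]

def sslbump_settings(entries):
    """The directives ssl_crtd depends on, with Squid's defaults where unset."""
    s = {"user": "nobody", "helper": None, "ssl_db": None, "cert": None, "key": None,
         "dont_verify_peer": False, "cert_error_allow_all": False}
    for directive, args in entries:
        if directive == "cache_effective_user" and args:
            s["user"] = args[0]
        elif directive == "sslcrtd_program" and args:
            s["helper"] = args[0]
            if "-s" in args[:-1]:  # -s <dir> names the certificate database
                s["ssl_db"] = args[args.index("-s") + 1]
        elif directive in ("http_port", "https_port") and "ssl-bump" in args:
            opts = dict(o.split("=", 1) for o in args if "=" in o)
            s["cert"], s["key"] = opts.get("cert"), opts.get("key")
        elif directive == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            s["dont_verify_peer"] = True
        elif directive == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            s["cert_error_allow_all"] = True
    return s

def owner_name(path):
    uid = os.stat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry: report it numerically
        return str(uid)

def check_helper(path):
    """Squid forks sslcrtd_program itself, so the binary must exist and be executable."""
    if path is None:
        return ["no sslcrtd_program directive, so no ssl_crtd children will be started"]
    if not (os.path.isfile(path) and os.access(path, os.X_OK)):
        return [f"sslcrtd_program {path} missing or not executable (built with --enable-ssl-crtd?)"]
    return []

def check_ssl_db(path, user):
    """ssl_crtd runs as cache_effective_user and must own a db that ssl_crtd -c initialised."""
    if path is None:
        return ["sslcrtd_program has no -s <ssl_db> argument"]
    if not os.path.isdir(path):
        return [f"ssl_db {path} missing; create it with: ssl_crtd -c -s {path} -M 4MB"]
    owner, problems = owner_name(path), []
    if owner != user:
        problems.append(f"ssl_db {path} owned by {owner}, not {user}; fix with: chown -R {user} {path}")
    problems += [f"ssl_db {path} has no {n}; initialise it with ssl_crtd -c"
                 for n in ("index.txt", "certs") if not os.path.exists(os.path.join(path, n))]
    return problems

def check_ca(cert, key):
    """cert= must hold the CA certificate and, in the same PEM or via key=, the private
    key that signs the mimicked per-host certificates."""
    if cert is None:
        return ["ssl-bump port has no cert= option"]
    try:
        pem = open(cert).read()
    except OSError as exc:
        return [f"cannot read {cert}: {exc.strerror}"]
    problems = [f"{cert} holds no CERTIFICATE block"] if "-----BEGIN CERTIFICATE-----" not in pem else []
    if "PRIVATE KEY-----" not in pem and not (key and os.path.isfile(key)):
        problems.append(f"no private key in {cert} and no readable key= file")
    return problems

def check_origin_validation(s):
    """Together these make the proxy accept any origin certificate while the client still
    sees a clean proxy-CA-signed one, so a forged or expired origin cert is caught nowhere."""
    flagged = {"dont_verify_peer": "sslproxy_flags DONT_VERIFY_PEER: origin certificates are never verified",
               "cert_error_allow_all": "sslproxy_cert_error allow all: every origin certificate error is ignored"}
    return [msg for key, msg in flagged.items() if s[key]]

def preflight(conf_text):
    """All findings for one squid.conf text; an empty list means ssl_crtd should start."""
    s = sslbump_settings(parse_squid_conf(conf_text))
    return (check_helper(s["helper"]) + check_ssl_db(s["ssl_db"], s["user"])
            + check_ca(s["cert"], s["key"]) + check_origin_validation(s))

if __name__ == "__main__":  # usage: sslbump_preflight.py [squid.conf]; default is the sample
    findings = preflight(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF)
    print("\n".join("PROBLEM: " + f for f in findings) or "ssl-bump pre-flight: ok")
    sys.exit(1 if findings else 0)
```

Run it as python3 sslbump_preflight.py /path/to/squid.conf before a restart; with no argument it checks the embedded sample and, on a host without the smoothwall paths, reports five problems. It does not replace James's ps aux | egrep "ssl|squid" check after startup, which is still the quickest confirmation that the ssl_crtd children are actually running.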
