Debian jessie + squid 3.5.16 - Will not start.

["Markey, Bruce" <bmarkey@xxxxxxxxxxxxxxxxxxxxxxxxxx>]

I’m running debian Jessie.

Squid 3.5.16 compiled from source with the following:

 

./configure --build=x86_64-linux-gnu \

--prefix=/usr \

--includedir=${prefix}/include \

--mandir=${prefix}/share/man \

--infodir=${prefix}/share/info \

--sysconfdir=/etc \

--localstatedir=/var \

--libexecdir=${prefix}/lib/squid3 \

--srcdir=. \

--disable-maintainer-mode \

--disable-dependency-tracking \

--disable-silent-rules \

--datadir=/usr/share/squid3 \

--sysconfdir=/etc/squid3 \

--mandir=/usr/share/man \

--enable-inline \

--enable-gnuregex \

--enable-xmalloc-statistics \

--enable-useragent-log \

--enable-kill-parent-hack \

--enable-htpc \

--enable-forw-via-db \

--enable-dl-malloc \

--enable-time-hack \

--enable-err-language=English \

--disable-arch-native \

--enable-async-io=8 \

--enable-storeio=ufs,aufs,diskd,rock \

--enable-removal-policies=lru,heap \

--enable-delay-pools \

--enable-cache-digests \

--enable-icap-client \

--enable-follow-x-forwarded-for \

--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB \

--enable-auth-digest=file,LDAP \

--enable-auth-negotiate=kerberos,wrapper \

--enable-auth-ntlm=fake,smb_lm \

--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group \

--enable-url-rewrite-helpers=fake \

--enable-eui \

--enable-esi \

--enable-icmp \

--enable-zph-qos \

--enable-ecap \

--disable-translation \

--with-swapdir=/var/spool/squid3 \

--with-logdir=/var/log/squid3 \

--with-pidfile=/var/run/squid3.pid \

--with-filedescriptors=65536 \

--with-large-files \

--with-default-user=proxy \

--enable-ssl \

--enable-ssl-crtd \

--enable-wccpv2 \

--with-openssl \

--enable-linux-netfilter \

'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' \

'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' \

'CPPFLAGS=-D_FORTIFY_SOURCE=2' \

'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

 

Here is my squid.conf

 

#Access Lists

acl internal src 192.168.200.0/21

acl wireless src 192.168.100.0/23

 

#Ports allowed through Squid

acl Safe_ports port 80

acl Safe_ports port 443

acl SSL_ports port 443

acl CONNECT method CONNECT

 

#allow/deny

http_access allow internal

http_access allow wireless

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access deny all

 

#Bumping

acl step1 at_step SslBump1

acl step2 at_step SslBump2

acl step3 at_step SslBump3

 

ssl_bump peek all

ssl_bump splice all

 

sslproxy_capath /etc/ssl/certs

 

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /etc/squid3/ssl_db -M 4MB

sslcrtd_children 5

 

 

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh

 

#access_log syslog:daemon.info mine

access_log daemon:/var/log/squid3/access.log mine

 

#intercept

http_port 3128 intercept

https_port 3129 intercept ssl-bump cert=/etc/squid3/certs/squid.pem cafile=/etc/squid3/certs/squid.pem key=/etc/squid3/certs/squid.pem  generate-host-cer

tificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

 

#nameservers

dns_nameservers 192.168.201.1 8.8.8.8

 

#WCCPv2 items

wccp_version 2

wccp2_router 192.168.200.73

wccp2_forwarding_method gre

wccp2_return_method gre

wccp2_service standard 0 password=LNP1

wccp2_service dynamic 70 password=LNP1

wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443

 

-I did initialize the ssl_db

-I did create certs

 

I’m simply trying to start via :  sudo squid   It throws no errors nothing.  The pid lives for a sec then dies. This is the only log message I get.

 

Apr  7 11:51:19 LNP-Proxy (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!

 

I tried deleting and recreating the ssl_db as I saw from a few other posts, did not work.

 

Other info:

 

Tunnel is up:

 

gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc

wccp0: gre/ip  remote 192.168.200.73  local 192.168.201.248  dev eth3  ttl inherit

 

Iptables:

 

bruce@LNP-Proxy:/var/log$ sudo iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination        

DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:192.168.201.248:3128

DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:192.168.201.248:3129

 

Chain INPUT (policy ACCEPT)

target     prot opt source               destination        

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination        

 

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination

 

I’m not sure what to even check next.  I cant do a sudo squid –k debug since the process doesn’t last long enough.

 

Thanks

 

 

Bruce Markey | Network Security Analyst

STEINMAN COMMUNICATIONS

717.291.8758 (o) | bmarkey@xxxxxxxxxxxxxxxxxxxxxxxxxx

8 West King St | PO Box 1328, Lancaster, PA 17608-1328

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users