On 14 April 2016 at 03:56, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
-- > My config.log output is here: *http://goo.gl/LcV1yN <http://goo.gl/LcV1yN>*On 14/04/2016 6:02 a.m., Odhiambo Washington wrote:
> Hi Amos,
>
> I bit the bullet and upgraded my FreeBSD-8.4 -> 9.3.
>
> I am struggling to compile squid-3.5.16. I just have to find a way to make
> it compile and run, by all means.
>
> So now here is what happens:
>
>
> #!/bin/sh
> ./configure --prefix=/opt/squid-3.5 \
> --enable-removal-policies="lru heap" \
> --disable-epoll \
> --with-pthreads \
> --enable-storeio="ufs diskd rock aufs" \
> --enable-delay-pools \
> --enable-snmp \
> --with-openssl=/usr \
> --enable-forw-via-db \
> --enable-cache-digests \
> --enable-wccpv2 \
> --enable-follow-x-forwarded-for \
> --with-large-files \
> --enable-esi \
> --enable-kqueue \
> --enable-icap-client \
> --enable-kill-parent-hack \
> --enable-ssl \
> --enable-ssl-crtd \
> --enable-url-rewrite-helpers \
> --enable-xmalloc-statistics \
> --enable-stacktraces \
> --enable-zph-qos \
> --enable-eui \
> --with-nat-devpf \
> --enable-pf-transparent \
> --enable-ipf-transparent \
> --enable-auth \
>
>
> And this is how the compile fails:Making all in negotiate_auth
> Making all in kerberos
> depbase=`echo negotiate_kerberos_auth.o | sed
> 's|[^/]*$|.deps/&|;s|\.o$||'`; g++ -DHAVE_CONFIG_H -I../../..
> -I../../../include -I../../../lib -I../../../src -I../../../include
> -I/usr/include -I/usr/include -I../../../libltdl -I. -I/usr/include
> -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Wall
> -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual
> -Werror -pipe -D_REENTRANT -I/usr/local/include -g -O2 -march=native
> -I/usr/local/include -MT negotiate_kerberos_auth.o -MD -MP -MF $depbase.Tpo
> -c -o negotiate_kerberos_auth.o negotiate_kerberos_auth.cc && mv -f
> $depbase.Tpo $depbase.Po
> negotiate_kerberos_auth.cc: In function 'int main(int, char* const*)':
> negotiate_kerberos_auth.cc:754: error:
> 'gsskrb5_extract_authz_data_from_sec_context' was not declared in this scope
> *** [negotiate_kerberos_auth.o] Error code 1
>
Strange. Check the Kerberos / krb5 libraries available are up to date.
Or for now you may need to use one or more of these:
--without-mit-kerberos \
--without-heimdal-kerbers \
--without-gssapi-kerberos
With luck, I have managed to get squid to compile successfully (after upgrading a few components here and there). I used:
#!/bin/sh
env LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include CC=clang CXX=clang++ CPP=clang-cpp ./configure --prefix=/opt/squid-3.5 \
--enable-removal-policies="lru heap" \
--disable-epoll \
--with-pthreads \
--enable-storeio="ufs diskd rock aufs" \
--enable-delay-pools \
--enable-snmp \
--with-openssl=/usr \
--enable-forw-via-db \
--enable-cache-digests \
--enable-wccpv2 \
--enable-follow-x-forwarded-for \
--with-large-files \
--enable-esi \
--enable-kqueue \
--enable-icap-client \
--enable-kill-parent-hack \
--enable-ssl \
--enable-ssl-crtd \
--enable-url-rewrite-helpers \
--enable-xmalloc-statistics \
--enable-stacktraces \
--enable-zph-qos \
--enable-eui \
--with-nat-devpf \
--enable-pf-transparent \
--enable-ipf-transparent \
--with-nat-devpf \
--without-mit-kerberos \
--without-heimdal-kerbers \
--without-gssapi-kerberos \
--enable-auth
>
> I am getting closer I think.
>
> The initial compile that I had before the upgrade from 8.4 to 9.3 cannot
> run. Gives a different error:
>
> 2016/04/13 14:12:13| Accepting NAT intercepted SSL bumped HTTPS Socket
> connections at local=192.168.55.254:13129 remote=[::] FD 36 flags=41
> 2016/04/13 14:12:13| Accepting ICP messages on [::]:3130
> 2016/04/13 14:12:13| Sending ICP messages from [::]:3130
> 2016/04/13 14:12:13| ERROR: NAT/TPROXY lookup failed to locate original IPs
> on local=192.168.55.254:13128 remote=192.168.55.83:50648 FD 14 flags=33
<http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4>
I dont think IPFilter (--enable-ipf-transparent) works on FreeBSD.
paketFilte (PF, --enable-pf-transparent --with-nat-devpf) and IFPW
(--enable-ipfw-transparent) should do.
Be careful of the 'f' and 'w' characters there, it can be a bit
confusing with them all those different names.
NP: the same error message can occur if you have simply configured DNAT
/ REDIRECT external to the Squid machine.
I have it running now (redirecting using IPFilter/IPNAT), but once in a while I see this error about NAT:
2016/04/15 16:15:52| Starting Squid Cache version 3.5.16 for i386-unknown-freebsd9.3...
2016/04/15 16:15:52| Service Name: squid
2016/04/15 16:15:52| Process ID 21761
2016/04/15 16:15:52| Process Roles: master worker
2016/04/15 16:15:52| With 32768 file descriptors available
2016/04/15 16:15:52| Initializing IP Cache...
2016/04/15 16:15:52| DNS Socket created at [::], FD 9
2016/04/15 16:15:52| DNS Socket created at 0.0.0.0, FD 10
2016/04/15 16:15:52| Adding domain crownkenya.com from /etc/resolv.conf
2016/04/15 16:15:52| Adding nameserver 192.168.55.254 from /etc/resolv.conf
2016/04/15 16:15:52| Adding nameserver 208.67.222.222 from /etc/resolv.conf
2016/04/15 16:15:52| Adding nameserver 208.67.220.220 from /etc/resolv.conf
2016/04/15 16:15:52| Adding nameserver 196.201.225.19 from /etc/resolv.conf
2016/04/15 16:15:52| Adding nameserver 41.222.10.26 from /etc/resolv.conf
2016/04/15 16:15:52| helperOpenServers: Starting 5/15 'ssl_crtd' processes
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| helperOpenServers: Starting 5/10 'perl' processes
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:53| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:53| Logfile: opening log stdio:/usr/local/squid/logs/access.log
2016/04/15 16:15:53| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2016/04/15 16:15:53| Store logging disabled
2016/04/15 16:15:53| Swap maxSize 20971520 + 131072 KB, estimated 1623276 objects
2016/04/15 16:15:53| Target number of buckets: 81163
2016/04/15 16:15:53| Using 131072 Store buckets
2016/04/15 16:15:53| Max Mem size: 131072 KB
2016/04/15 16:15:53| Max Swap size: 20971520 KB
2016/04/15 16:15:53| Rejecting swap file v1 to avoid cache index corruption. Forcing a full cache index rebuild. See Squid bug #3441.
2016/04/15 16:15:53| Rebuilding storage in /usr/local/squid/cache (clean log)
2016/04/15 16:15:53| Using Least Load store dir selection
2016/04/15 16:15:53| Set Current Directory to /usr/local/squid/logs
2016/04/15 16:15:53| Finished loading MIME types and icons.
2016/04/15 16:15:53| HTCP Disabled.
2016/04/15 16:15:53| Squid plugin modules loaded: 0
2016/04/15 16:15:53| Adaptation support is off.
2016/04/15 16:15:53| Accepting NAT intercepted HTTP Socket connections at local=192.168.55.254:13128 remote=[::] FD 34 flags=41
2016/04/15 16:15:53| Accepting HTTP Socket connections at local=[::]:13130 remote=[::] FD 35 flags=9
2016/04/15 16:15:53| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=192.168.55.254:13129 remote=[::] FD 36 flags=41
2016/04/15 16:15:53| Accepting ICP messages on [::]:3130
2016/04/15 16:15:53| Sending ICP messages from [::]:3130
2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
2016/04/15 16:18:53| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57726 FD 357 flags=33
2016/04/15 16:21:57| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57742 FD 29 flags=33
2016/04/15 16:23:21| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57757 FD 60 flags=33
2016/04/15 16:24:17| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.60:49166 FD 79 flags=33
2016/04/15 16:24:17| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.60:49168 FD 79 flags=33
In any case, I am planning to rewrite the IPNAT rules into PF and use PF.
It's the inception stage so I haven't delved deep into ssl-bump configurations...
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
