On 10/06/2016 9:13 p.m., --Ahmad-- wrote:
again, if i use the same steps below on centos 6 it works fine without any issue
That means nothing. CentOS is based on RHEL, which only gets updated
periodically. There are about five years worth of changes across the
entire OS and everything installed with it between v6 and v7.
Obviously something in those changes to CentOS does not work with that
very old version of Squid and seems to work fine with the newer Squid.
On Jun 10, 2016, at 11:54 AM, --Ahmad-- wrote:
hi eliezer
=============================================
1- selinux is disabled
[root@localhost ~]# sestatus
SELinux status: disabled
[root@localhost ~]#
2-
i have the PID file with permission to squid
[root@localhost ~]# ls -l /var/run/squid.pid
-rw-r--r-- 1 squid squid 5 Jun 10 04:45 /var/run/squid.pid
[root@localhost ~]#
squid.pid should not exist when Squid is shutdown.
You should delete it and ensure that Squid is started by the root user,
which already should have permission to alter the /var/run directory and
create the squid.pid file correctly.
but here i don’t see the file /var/run/squid …….i used to see file called /var/run/squid not /var/run/squid.pid
/var/run/squid should be a directory. It's where the state data gets
placed now. It may be unused in your installation or just not.
squid.pid may be under /var/run/squid or /var/run depending on your
installation.
/run may be used instead of /var/run if you have a new enough system.
** For pre-packaged Squid. Don't worry about these unless Squid
explicitly complains. Just go with what the package installation chose.
** For custom builds, the "make install" action should create
/var/run/squid directory. If for some reason it does not (such as newly
building an already deprecated old Squid version - which one should
never do anyway), you may need to create it yourself, and assign
squid:squid ownership.
i also tried to add directive to squid.conf ==> pid_filename /var/run/squid.pid
but i have the same error
3-im using kernel default for Centos 7 and it do support IPV6 , i didn’t compile any kernel
again the error that i have is :
kid2| commBind: Cannot bind socket FD 782 to [::]: (2) No such file or directory
As mentioned in the URL Eliezer referenced you to already
(<http://wiki.squid-cache.org/Features/SmpScale#Cannot_bind_socket_FD_NN_to_.5B::.5D:_.2813.29_Permission_denied>)
that error is about the SMP UDS sockets.
More specifically it is about the system shared memory device (/dev/shm).
* Some systems need the /dev/shm device to be explicitly turned on
during startup. Check if it is enabled in your system and if not, what
you have to do to fix that. Hints in the wiki.
* Check that /dev/shm path is owned by root. Only the OS itself should
be doing things in there. Programs like Squid use kernel syscalls to
make changes.
* Older Squid like yours could leave UDS sockets after a crash or broken
config abort. Check that /dev/shm/ does not contain any "files" starting
with "squid-" or owned by Squid when Squid is shutdown.
If some exist use 'rm' to remove them and try restarting Squid.
not
kid2| commBind: Cannot bind socket FD 782 to [::]: permission denied
here is again compile options :
Squid Cache: Version 3.5.2
Service Name: squid
configure options: '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
'--enable-cachemgr-hostname=Ahmad-Allzaeem'
... unusual URL for accessing management reports:
http://Ahmad-Allzaeem/squid-internal-mgr/
'cachemgr' means the Squid cache management API, specifically the
cachemgr.cgi tool. Not an administrator's name.
'--localstatedir=/var' '--libexecdir=/lib/squid' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-esi' '--disable-translation' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '' '--with-large-files' '--with-default-user=squid' --with-openssl' '--enable-snmp' '--with-included-ltdl' '--disable-arch-native'
[root@localhost ~]#
and here is squid.conf
[root@localhost ~]# cat /etc/squid/squid.conf | less
cache deny all
#################
#pid_filename /var/run/squid.pid
####################
visible_hostname squid
cache_effective_user squid
cache_effective_group squid
You should not need to use cache_effective_group. Particularly if you
are wanting to use NTLM or Kerberos related functionality with Squid.
####################################
#workers 2
########################################################################
# Lockdown Procedures
auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
############################
f
Please move the auth and http_access lines down to below where it says:
"
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
"
By doing complex things like auth up here at the top of the config, your
proxy is made more vulnerable than it should be to various DoS and
traffic smuggling attacks.
<snip>
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 1234
Why 1234? 3128 has been formally registered for Squid use.
Amos
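
The /dev/shm checks listed in the reply above, written out as a script. This is an added example, not part of the original message and not Squid project code; the function names, the EXPECTED_UID and USER parameters and the --check flag are hypothetical, and the script assumes Squid is stopped when it runs.

```sh
#!/bin/sh
# Added example: checks on the shared-memory directory before starting
# SMP Squid. Run it while Squid is stopped.

# shm_owner_uid DIR -> numeric uid that owns DIR
shm_owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# stale_squid_entries DIR [USER] -> entries named squid-* or owned by USER
stale_squid_entries() {
    {
        find "$1" -mindepth 1 -maxdepth 1 -name 'squid-*'
        # Query by owner only if the account exists; find rejects unknown users.
        if id -u "${2:-squid}" >/dev/null 2>&1; then
            find "$1" -mindepth 1 -maxdepth 1 -user "${2:-squid}"
        fi
    } | sort -u
}

# check_shm [DIR] [EXPECTED_UID] [USER] -> 0 when all checks pass, 1 otherwise.
# EXPECTED_UID and USER exist so the checks can be tried on a scratch
# directory; the defaults follow the advice above (root, squid).
check_shm() {
    shm_dir=${1:-/dev/shm}; shm_want=${2:-0}; shm_rc=0
    if [ ! -d "$shm_dir" ]; then
        echo "FAIL: $shm_dir does not exist"
        return 1
    fi
    shm_uid=$(shm_owner_uid "$shm_dir")
    if [ "$shm_uid" != "$shm_want" ]; then
        echo "FAIL: $shm_dir is owned by uid $shm_uid, expected $shm_want"
        shm_rc=1
    fi
    shm_stale=$(stale_squid_entries "$shm_dir" "${3:-squid}")
    if [ -n "$shm_stale" ]; then
        echo "FAIL: leftover entries in $shm_dir:"
        echo "$shm_stale"
        shm_rc=1
    fi
    [ "$shm_rc" -eq 0 ] && echo "OK: $shm_dir"
    return "$shm_rc"
}

# Check the real directory only when asked to (hypothetical flag).
if [ "${1:-}" = "--check" ]; then check_shm /dev/shm; fi
```

The script only reports; anything it lists is removed by hand with rm, as described above, before Squid is restarted.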
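
A check for the rule-ordering problem pointed out in the reply above: http_access rules that trigger authentication placed above the "INSERT YOUR OWN RULE(S) HERE" marker. This is an added example, not part of the original message; the function names and the --demo flag are hypothetical, the sample configuration is constructed from the one quoted in the thread, and falling back to the last built-in deny rule when the marker comment is missing is this example's own choice.

```sh
#!/bin/sh
# Constructed sample, modelled on the configuration quoted in the thread.
sample_conf() {
cat <<'EOF'
auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localnet
http_access deny all
EOF
}

# early_auth_rules [FILE] -> prints "LINE: rule" for every http_access rule
# that uses an authentication ACL above the marker comment (reads stdin
# when FILE is omitted). Without the marker, the last built-in deny rule
# is used as the boundary instead.
early_auth_rules() {
    awk '
        # ACL names whose type makes Squid authenticate the client.
        $1 == "acl" && ($3 == "proxy_auth" || $3 == "proxy_auth_regex") {
            auth[$2] = 1
        }
        /^#[ \t]*INSERT YOUR OWN RULE\(S\) HERE/ && !marker { marker = NR }
        $1 == "http_access" && $2 == "deny" &&
            ($0 ~ /!Safe_ports/ || $0 ~ /!SSL_ports/ || $3 == "manager") {
            fallback = NR
        }
        $1 == "http_access" {
            for (i = 3; i <= NF; i++) {
                name = $i
                sub(/^!/, "", name)
                if (name in auth) { n++; line[n] = NR; text[n] = $0; break }
            }
        }
        END {
            boundary = marker ? marker : fallback + 0
            for (k = 1; k <= n; k++)
                if (line[k] < boundary) print line[k] ": " text[k]
        }
    ' "$@"
}

# Show the finding for the constructed sample (hypothetical flag).
if [ "${1:-}" = "--demo" ]; then sample_conf | early_auth_rules; fi
```

Calling early_auth_rules /etc/squid/squid.conf prints nothing once the auth_param, acl and http_access allow lines have been moved below the marker.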