Re: HTTPS woes

Raspberry Pi (3) / Stretch repository (required to build 3.5) / Squid 3.5.23

After further investigation the problem is something to do with permissions related to ssl_crtd. I can run squid as root but using the default account (proxy?) it won't run and is giving this error in cache.log:

2017/04/19 23:43:54 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory


I've checked the file and folder permissions across all aspects of squid and everything I can see is owned by proxy:proxy so not sure where it is failing. My config is now as follows:


acl SSL_ports port 443 
acl Safe_ports port 80        # http 
acl Safe_ports port 21        # ftp 
acl Safe_ports port 443        # https 
acl Safe_ports port 70        # gopher 
acl Safe_ports port 210        # wais 
acl Safe_ports port 1025-65535    # unregistered ports 
acl Safe_ports port 280        # http-mgmt 
acl Safe_ports port 488        # gss-http 
acl Safe_ports port 591        # filemaker 
acl Safe_ports port 777        # multiling http 
acl CONNECT method CONNECT 

http_access deny !Safe_ports 
http_access deny CONNECT !SSL_ports 
http_access allow all 

http_port 3130 

http_port 3128 intercept 
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem 

acl step1 at_step SslBump1 
ssl_bump peek step1 
ssl_bump bump all 
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE 
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS 
sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem 

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB 
sslcrtd_children 8 startup=1 idle=1 

coredump_dir /var/spool/squid 

# Add any of your own refresh_pattern entries above these. 
refresh_pattern ^ftp:        1440    20%    10080 
refresh_pattern ^gopher:    1440    0%    1440 
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0 
refresh_pattern .        0    20%    4320 

cache_dir ufs /cache 400 16 256 



oliver@xxxxxxxxxxxx
lennox-it.uk
tel: 07900 648 252



________________________________
From: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
To: "'squid-users@squid-cache.org'" <squid-users@xxxxxxxxxxxxxxx>
Cc: 'Olly Lennox' <oliver@xxxxxxxxxxxx>; 'L. P. H. van Belle' <belle@xxxxxxxxx>
Sent: Wednesday, 19 April 2017, 22:24
Subject: RE:  HTTPS woes



What OS are you using?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx



-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Olly Lennox
Sent: Wednesday, April 19, 2017 7:30 PM
To: Olly Lennox <oliver@xxxxxxxxxxxx>; L. P. H. van Belle <belle@xxxxxxxxx>; squid-users@squid-cache.org <squid-users@xxxxxxxxxxxxxxx>
Subject: Re:  HTTPS woes

Sorry it's back,


I've narrowed down the problem, hopefully someone can help. When Squid starts it creates the directory /var/run/squid as user proxy:proxy. 

If I remove this or leave it as is then the application won't launch on subsequent reboots.

If I chown the directory as root:root then the application will launch on boot but proxy:proxy takes back ownership and it won't launch again on subsequent reboots.

I'm guessing this is something to do with the running processes, does anyone know what's going wrong?

Cheers,

Olly


------------




Never mind, I've sorted it! The issue was due to the /var/run directory and the program not being able to create squid.pid. I amended the permissions and it seems to be working fine now.


Thanks a lot for the link, I'll implement that once I get this problem fixed. Sadly the change hasn't worked. My current /etc/fstab looks like this:


proc            /proc           proc    defaults          0       0 
PARTUUID=0d001852-01  /boot           vfat    defaults          0       2 
PARTUUID=0d001852-02  /               ext4    defaults,noatime  0       1 
# a swapfile is not a swap partition, no line here 
#   use  dphys-swapfile swap[on|off]  for that 
tmpfs /cache tmpfs defaults,noatime,nosuid,size=8000m 0 0 
none      /dev/shm        tmpfs  defaults        0 0 

could the existing tmpfs line be causing problems?

oliver@xxxxxxxxxxxx
lennox-it.uk
tel: 07900 648 252



________________________________
From: L. P. H.  van Belle <belle@xxxxxxxxx>
To: "squid-users@squid-cache.org" <squid-users@xxxxxxxxxxxxxxx>
Sent: Wednesday, 19 April 2017, 11:05
Subject: Re:  HTTPS woes



Hai,

I'm guessing squid is starting too soon, or there is no /dev/shm.

Check/try adding, if not already in /etc/fstab:

none      /dev/shm        tmpfs   defaults        0 0

And reboot the server.

Or, I don't know and someone else can tell you. ;-)

But on my jessie with squid 3.5.24+ssl I don't see this problem.

A small tip about the certificates on debian or ubuntu.

Install ca-certificates ( apt-get install ca-certificates )

And read : https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/

Greetz,

Louis

> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Olly Lennox
> Sent: Wednesday, 19 April 2017 11:22
> To: Amos Jeffries; squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re:  HTTPS woes
> 
> Thanks Amos, I'll install this. One last question if I may! Squid is working fine now with both HTTP and HTTPS but for some reason it is refusing to launch on boot.
> 
> It works perfectly when started with "service squid start" but not on boot. The error is:
> 
> squid.service - LSB: Squid HTTP Proxy version 3.x
>    Loaded: loaded (/etc/init.d/squid; generated; vendor preset: enabled)
>    Active: failed (Result: resources) since Wed 2017-04-19 10:19:18 BST; 53s ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 598 ExecStart=/etc/init.d/squid start (code=exited, status=0/SUCCESS)
> 
> Apr 19 10:19:13 raspberrypi (squid-1)[1606]: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or direct
> Apr 19 10:19:13 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1606 exited with status 1
> Apr 19 10:19:16 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 started
> Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 exited with status 1
> Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 will not be restarted due to repeated, frequent failures
> Apr 19 10:19:18 raspberrypi squid[1283]: Exiting due to repeated, frequent failures
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Daemon never wrote its PID file. Failing.
> Apr 19 10:19:18 raspberrypi systemd[1]: Failed to start LSB: Squid HTTP Proxy version 3.x.
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Unit entered failed state.
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Failed with result 'resources'.
> 
> Any ideas?
> 
> ________________________________
> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Sent: Wednesday, 19 April 2017, 5:22
> Subject: Re:  HTTPS woes
> 
> Olly,  Debian provides a ca-certificates package containing the Mozilla CA list. It is updated whenever the CA set changes. Though of course you should have apt connected to the relevant security repository (jesse-security?) for regular updates.
> 
> Amos
> 
> On 19/04/17 03:10, Olly Lennox wrote:
> 
> Would you mind sharing the script you use?
> > 
> >oliver@xxxxxxxxxxxx
> >lennox-it.uk
> >tel: 07900 648 252
> >
> 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
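The two conditions this thread converges on (a tmpfs actually mounted on /dev/shm, which Squid's shm_open() needs, and the directories Squid writes as its unprivileged account being owned by that account, which the "Daemon never wrote its PID file" failure points at) as a pre-flight script. This is an added example written for this page, not Squid's own tooling and not anything the posters ran; the account name `proxy`, the directory paths and the `/etc/fstab` line are assumptions taken from the configuration quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks to run before the
# squid service starts, as the unprivileged account (assumed: 'proxy').
#   1. /dev/shm must be a mounted tmpfs, otherwise every shm_open() fails
#      with ENOENT, which Squid logs as
#      "Ipc::Mem::Segment::open failed to shm_open(...): (2) No such file or directory".
#   2. The directories Squid writes as that account (PID directory, ssl_db,
#      cache_dir) must exist and be owned by it, or the workers die and
#      systemd reports "Daemon never wrote its PID file".
# All paths are assumptions modelled on the configuration in the thread.

# fstab_has_shm FSTAB_FILE
# Succeed if the file has an uncommented tmpfs entry for /dev/shm.
fstab_has_shm() {
    sed 's/#.*//' "$1" |
        awk '$2 == "/dev/shm" && $3 == "tmpfs" { found = 1 } END { exit !found }'
}

# shm_mounted MOUNTS_FILE
# Succeed if /dev/shm is currently mounted according to MOUNTS_FILE
# (normally /proc/mounts; taking a file argument keeps the check testable offline).
shm_mounted() {
    awk '$2 == "/dev/shm" { found = 1 } END { exit !found }' "$1"
}

# dir_owned_by DIR USER
# Succeed if DIR exists and is owned by USER.
# 'stat -c %U' is GNU coreutils syntax, which Debian/Raspbian ship.
dir_owned_by() {
    [ -d "$1" ] && [ "$(stat -c %U "$1")" = "$2" ]
}

# squid_preflight FSTAB_FILE MOUNTS_FILE USER DIR...
# Print one line per problem found; return the number of problems (0 = all clear).
squid_preflight() {
    fstab="$1"; mounts="$2"; user="$3"; shift 3
    problems=0
    if ! shm_mounted "$mounts"; then
        echo "PROBLEM: /dev/shm is not mounted; shm_open() will fail with ENOENT"
        problems=$((problems + 1))
    fi
    if ! fstab_has_shm "$fstab"; then
        echo "PROBLEM: no '/dev/shm tmpfs' line in $fstab;" \
             "add 'none /dev/shm tmpfs defaults 0 0' so it is mounted at boot"
        problems=$((problems + 1))
    fi
    for d in "$@"; do
        if ! dir_owned_by "$d" "$user"; then
            echo "PROBLEM: $d is missing or not owned by $user (fix: chown $user: $d)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run the live check only when invoked with arguments, e.g.
#   sh squid_preflight.sh /etc/fstab /proc/mounts proxy /var/run/squid /var/spool/squid_ssldb /cache
if [ "$#" -gt 0 ]; then
    squid_preflight "$@"
fi
```

The exit status is the number of problems, so an init hook or a cron job can treat non-zero as "do not start". One caveat worth keeping in mind when reading the ownership check: on Debian stretch, /run (and the /var/run symlink to it) is a tmpfs recreated at every boot, so a one-off chown of /var/run/squid done by hand does not survive a reboot; the PID directory has to be created with the right owner on each boot before the service starts.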