I do not care if someone asks even if the docs are answering.
The docs of squid-cache are not something anyone should be able to remember by heart or even browse and just "find" a solution or a direction.
We (at least me) are here to try and help even for the cases which the docs already cover.

All The Bests,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Adrian Miller
Sent: Monday, September 11, 2017 23:31
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: squid-users Digest, Vol 37, Issue 30

Jesus, never seen so many messages that could have been answered by reading the basic squid docs. Tempted to unsub....sheesh

On 12 Sep. 2017 6:19 am, <mailto:squid-users-request@xxxxxxxxxxxxxxxxxxxxx> wrote:

Send squid-users mailing list submissions to
mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
mailto:squid-users-request@xxxxxxxxxxxxxxxxxxxxx

You can reach the person managing the list at
mailto:squid-users-owner@xxxxxxxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."

Today's Topics:

1. Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly (Rohit Sodhia)

----------------------------------------------------------------------

Message: 1
Date: Mon, 11 Sep 2017 16:18:39 -0400
From: Rohit Sodhia <mailto:sodhia.rohit@xxxxxxxxx>
To: Yuri <mailto:yvoinov@xxxxxxxxx>
Cc: mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly
Message-ID: <mailto:CAN1w9tfQt3Mivwpyo%2Bu3Qp0agQ8pOgz2MGo2Wvb5AdGU3zbkjw@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Ok.
Looks like 3.5.20 is the latest on the yum repo I'm using, so guess I'll have to learn how to compile it myself; never compiled a package before.

On Mon, Sep 11, 2017 at 4:17 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:

> Hardly,
>
> most probably something in repo's package. However, upgrade is always
> recommended, especially with modern functionality. It changes fast enough.
>
> 12.09.2017 2:15, Rohit Sodhia wrote:
>
> Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of the
> problem?
>
> On Mon, Sep 11, 2017 at 4:07 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>
>> Seems latest 4.0.21 is good enough. Most critical SSL-related bugs almost
>> closed or closed.
>>
>> At least latest 3.5.27 is released. AFAIK this is minimum to problem-free
>> running.
>>
>> Repositories software sometimes has strange quirks, or sometimes rancid.
>> 12.09.2017 2:05, Rohit Sodhia wrote:
>>
>> I'll try to find it, but I read a few articles/SO questions that
>> suggested there were bugs in 4 relating to SSL bumping? If they were wrong,
>> I'd be glad to go forward. Should I be removing the yum squid package and
>> compile my own? Is 3.5 problematic besides being old?
>>
>> On Mon, Sep 11, 2017 at 4:02 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>
>>> Wait. Squid 3.5.20? So ancient?
>>>
>>> 12.09.2017 1:58, Rohit Sodhia wrote:
>>>
>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>
>>> I used the line from the Stack Overflow question I linked earlier.
>>>
>>> On Mon, Sep 11, 2017 at 3:41 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>>
>>>> Well. Let's check more deep.
>>>>
>>>> Show me parameter sslcrtd_program in your squid.conf
>>>>
>>>> 12.09.2017 1:23, Rohit Sodhia wrote:
>>>>
>>>> Unfortunately, no luck yet. Thank you again for your help before.
>>>>
>>>> I found that the user squid and group squid existed already, so I added
>>>>
>>>> cache_effective_user squid
>>>> cache_effective_group squid
>>>>
>>>> to my config (first two lines), made sure /var/lib/ssl_db and its
>>>> contents were set to squid:squid and restarted the service, but I'm still
>>>> getting the same error :(
>>>>
>>>> On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia <mailto:sodhia.rohit@xxxxxxxxx>
>>>> wrote:
>>>>
>>>>> I'll try that immediately, thanks! I appreciate all your advice;
>>>>> hopefully I won't have to reach out again :p
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:39 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>>>>
>>>>>> I'm not Linux fanboy, but modern squid never runs as root. So, most
>>>>>> probably it runs as nobody user.
>>>>>>
>>>>>> Ah, yes:
>>>>>>
>>>>>> # TAG: cache_effective_user
>>>>>> # If you start Squid as root, it will change its effective/real
>>>>>> # UID/GID to the user specified below. The default is to change
>>>>>> # to UID of nobody.
>>>>>> # see also; cache_effective_group
>>>>>> #Default:
>>>>>> # cache_effective_user nobody
>>>>>>
>>>>>> # TAG: cache_effective_group
>>>>>> # Squid sets the GID to the effective user's default group ID
>>>>>> # (taken from the password file) and supplementary group list
>>>>>> # from the groups membership.
>>>>>> #
>>>>>> # If you want Squid to run with a specific GID regardless of
>>>>>> # the group memberships of the effective user then set this
>>>>>> # to the group (or GID) you want Squid to run as. When set
>>>>>> # all other group privileges of the effective user are ignored
>>>>>> # and only this GID is effective. If Squid is not started as
>>>>>> # root the user starting Squid MUST be member of the specified
>>>>>> # group.
>>>>>> #
>>>>>> # This option is not recommended by the Squid Team.
>>>>>> # Our preference is for administrators to configure a secure
>>>>>> # user account for squid with UID/GID matching system policies.
>>>>>> #Default:
>>>>>> # Use system group memberships of the cache_effective_user account
>>>>>>
>>>>>> As documented. :)
>>>>>>
>>>>>> AFAIK best solution is create non-privileged group & user (like
>>>>>> squid/squid) and set both this parameters explicitly.
>>>>>>
>>>>>> Then change owner recursively on SSL cache to this user.
>>>>>>
>>>>>> 12.09.2017 0:36, Rohit Sodhia wrote:
>>>>>>
>>>>>> Neither of those values are set in my config. Even though I'm not
>>>>>> using squid for caching, I need those values? They aren't set in the
>>>>>> default configs either.
>>>>>>
>>>>>> On Mon, Sep 11, 2017 at 2:33 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>>>>>
>>>>>>> Most probably your squid runs as another user than squid.
>>>>>>>
>>>>>>> Check your squid.conf for cache_effective_user and
>>>>>>> cache_effective_group values.
>>>>>>>
>>>>>>> Then change SSL cache permissions to this values. Should work.
>>>>>>>
>>>>>>> 12.09.2017 0:30, Rohit Sodhia wrote:
>>>>>>>
>>>>>>> Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it
>>>>>>> set it up like that. I changed the owner and group to squid:squid and tried
>>>>>>> restarting squid, but still get the same errors. I thought to run the
>>>>>>> command again, but this time it says
>>>>>>>
>>>>>>> /usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db
>>>>>>>
>>>>>>> If this folder has incorrect permissions are there possibly other
>>>>>>> permission issues?
>>>>>>>
>>>>>>> On Mon, Sep 11, 2017 at 2:25 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>>>>>>
>>>>>>>> Here your root of problem.
>>>>>>>>
>>>>>>>> Should be (on my setups):
>>>>>>>>
>>>>>>>> # ls -al /var/lib/ssl_db
>>>>>>>> total 326
>>>>>>>> drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .
>>>>>>>> drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..
>>>>>>>> drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs
>>>>>>>> -rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
>>>>>>>> -rw-r--r-- 1 squid squid      7 Sep 11 23:37 size
>>>>>>>>
>>>>>>>> I.e.
>>>>>>>> Squid has no access to SSL cache dir structures.
>>>>>>>>
>>>>>>>> 12.09.2017 0:23, Rohit Sodhia wrote:
>>>>>>>>
>>>>>>>> total 8
>>>>>>>> drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
>>>>>>>> drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
>>>>>>>> drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
>>>>>>>> -rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
>>>>>>>> -rw-r--r--.  1 root root    1 Sep 11 12:42 size
>>>>>>>>
>>>>>>>> On Mon, Sep 11, 2017 at 2:22 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>>>>>>>
>>>>>>>>> Show output of
>>>>>>>>>
>>>>>>>>> ls -al /var/lib/ssl_db
>>>>>>>>>
>>>>>>>>> 12.09.2017 0:21, Rohit Sodhia wrote:
>>>>>>>>>
>>>>>>>>> Yes, but telling me it's crashing unfortunately doesn't help me
>>>>>>>>> figure out why or how to fix it. I've run the command it suggests but it
>>>>>>>>> doesn't help. I'm unfortunately not an ops guy familiar with this kind of
>>>>>>>>> stuff; I don't see anything on how to figure out what to do about it.
>>>>>>>>>
>>>>>>>>> On Mon, Sep 11, 2017 at 2:17 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>>>>>>>>
>>>>>>>>>> It tells you what's happens.
>>>>>>>>>>
>>>>>>>>>> 11.09.2017 23:50, Rohit Sodhia wrote:
>>>>>>>>>> > (ssl_crtd): Uninitialized SSL certificate database directory:
>>>>>>>>>> > /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s
>>>>>>>>>> /var/lib/ssl_db".
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> squid-users mailing list
>>>>>>>>>> mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>> http://lists.squid-cache.org/listinfo/squid-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170911/2c3ab1ef/attachment.html>
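
Added example, not part of the thread and not Squid's own code: a shell check for the condition diagnosed in the quoted exchange, where the ssl_crtd database is owned by root while Squid runs as a different account. The function names are hypothetical, GNU `stat -c` is assumed, and the squid.conf path is whatever you pass in.

```shell
#!/bin/sh
# Audit ownership of the ssl_crtd certificate database against the account
# Squid drops privileges to (added example; function names are hypothetical).

# Print the configured cache_effective_user. The squid.conf documentation
# quoted in the thread gives "nobody" as the default when it is not set.
effective_user() {
    conf=$1
    user=$(awk '$1 == "cache_effective_user" { u = $2 } END { print u }' "$conf")
    echo "${user:-nobody}"
}

# Print the database directory: the argument following -s on the
# sslcrtd_program line.
ssl_db_dir() {
    conf=$1
    awk '$1 == "sslcrtd_program" {
             for (i = 2; i < NF; i++) if ($i == "-s") d = $(i + 1)
         }
         END { print d }' "$conf"
}

# List "owner path" for everything under the database that is NOT owned by
# the effective user. Empty output means ownership is consistent.
misowned_paths() {
    conf=$1
    db=${2:-$(ssl_db_dir "$conf")}
    want=$(effective_user "$conf")
    [ -d "$db" ] || { echo "missing: $db"; return 0; }
    find "$db" -exec stat -c '%U %n' {} + |
        awk -v want="$want" '$1 != want { print }'
}

# Usage: sh this_script.sh /path/to/squid.conf [database-dir]
if [ "$#" -gt 0 ]; then
    misowned_paths "$@"
fi
```

Run against the state shown in the thread (database owned by root, no `cache_effective_user` set), this would list every entry under `/var/lib/ssl_db`, because the effective user falls back to `nobody`.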