For a change, I agree with Eliezer. And about the documentation of OpenSource it is best to stay mournfully silent.

14.09.2017 0:02, Eliezer Croitoru wrote:
> I do not care if someone asks even if the docs are answering.
> The docs of squid-cache are not something anyone should be able to remember by heart or even browse and just "find" a solution or a direction.
> We (at least me) are here to try and help even for the cases which the docs already cover.
>
> All The Bests,
> Eliezer
>
> ----
> http://ngtech.co.il/lmgtfy/
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer@xxxxxxxxxxxx
>
>
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Adrian Miller
> Sent: Monday, September 11, 2017 23:31
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: squid-users Digest, Vol 37, Issue 30
>
> Jesus, never seen so many messages that could have been answered by reading the basic squid docs.
>
> Tempted to unsub....sheesh
>
> On 12 Sep. 2017 6:19 am, <mailto:squid-users-request@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Send squid-users mailing list submissions to
> mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.squid-cache.org/listinfo/squid-users
> or, via email, send a message with subject or body 'help' to
> mailto:squid-users-request@xxxxxxxxxxxxxxxxxxxxx
>
> You can reach the person managing the list at
> mailto:squid-users-owner@xxxxxxxxxxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of squid-users digest..."
>
>
> Today's Topics:
>
> 1. Re: Need assistance debugging Squid error: ssl_ctrd helpers
> crashing too quickly (Rohit Sodhia)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 11 Sep 2017 16:18:39 -0400
> From: Rohit Sodhia <mailto:sodhia.rohit@xxxxxxxxx>
> To: Yuri <mailto:yvoinov@xxxxxxxxx>
> Cc: mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Need assistance debugging Squid error:
> ssl_ctrd helpers crashing too quickly
> Message-ID:
> <mailto:CAN1w9tfQt3Mivwpyo%2Bu3Qp0agQ8pOgz2MGo2Wvb5AdGU3zbkjw@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"
>
> Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so guess
> I'll have to learn how to compile it myself; never compiled a package
> before.
>
> On Mon, Sep 11, 2017 at 4:17 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>
>> Hardly,
>>
>> most probably something in repo's package. However, upgrade is always
>> recommended, especially with modern functionality. It changes fast enough.
>>
>> 12.09.2017 2:15, Rohit Sodhia wrote:
>>
>> Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of the
>> problem?
>>
>> On Mon, Sep 11, 2017 at 4:07 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>
>>> Seems latest 4.0.21 is good enough. Most critical SSL-related bugs almost
>>> closed or closed.
>>>
>>> At least latest 3.5.27 is released. AFAIK this is minimum to problem-free
>>> running.
>>>
>>> Repositories software sometimes has strange quirks, or sometimes rancid.
>>> 12.09.2017 2:05, Rohit Sodhia wrote:
>>>
>>> I'll try to find it, but I read a few articles/SO questions that
>>> suggested there were bugs in 4 relating to SSL bumping? If they were wrong,
>>> I'd be glad to go forward. Should I be removing the yum squid package and
>>> compile my own? Is 3.5 problematic besides being old?
>>>
>>> On Mon, Sep 11, 2017 at 4:02 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>>
>>>> Wait. Squid 3.5.20? So ancient?
>>>>
>>>> 12.09.2017 1:58, Rohit Sodhia wrote:
>>>>
>>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>>
>>>> I used the line from the Stack Overflow question I linked earlier.
>>>>
>>>> On Mon, Sep 11, 2017 at 3:41 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>>>
>>>>> Well. Let's check more deeply.
>>>>>
>>>>> Show me parameter sslcrtd_program in your squid.conf
>>>>>
>>>>> 12.09.2017 1:23, Rohit Sodhia wrote:
>>>>>
>>>>> Unfortunately, no luck yet. Thank you again for your help before.
>>>>>
>>>>> I found that the user squid and group squid existed already, so I added
>>>>>
>>>>> cache_effective_user squid
>>>>> cache_effective_group squid
>>>>>
>>>>> to my config (first two lines), made sure /var/lib/ssl_db and its
>>>>> contents were set to squid:squid and restarted the service, but I'm still
>>>>> getting the same error :(
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia <mailto:sodhia.rohit@xxxxxxxxx>
>>>>> wrote:
>>>>>
>>>>>> I'll try that immediately, thanks! I appreciate all your advice;
>>>>>> hopefully I won't have to reach out again :p
>>>>>>
>>>>>> On Mon, Sep 11, 2017 at 2:39 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>>>>>
>>>>>>> I'm not Linux fanboy, but modern squid never runs as root. So, most
>>>>>>> probably it runs as nobody user.
>>>>>>>
>>>>>>> Ah, yes:
>>>>>>>
>>>>>>> # TAG: cache_effective_user
>>>>>>> # If you start Squid as root, it will change its effective/real
>>>>>>> # UID/GID to the user specified below. The default is to change
>>>>>>> # to UID of nobody.
>>>>>>> # see also; cache_effective_group
>>>>>>> #Default:
>>>>>>> # cache_effective_user nobody
>>>>>>>
>>>>>>> # TAG: cache_effective_group
>>>>>>> # Squid sets the GID to the effective user's default group ID
>>>>>>> # (taken from the password file) and supplementary group list
>>>>>>> # from the groups membership.
>>>>>>> #
>>>>>>> # If you want Squid to run with a specific GID regardless of
>>>>>>> # the group memberships of the effective user then set this
>>>>>>> # to the group (or GID) you want Squid to run as. When set
>>>>>>> # all other group privileges of the effective user are ignored
>>>>>>> # and only this GID is effective. If Squid is not started as
>>>>>>> # root the user starting Squid MUST be member of the specified
>>>>>>> # group.
>>>>>>> #
>>>>>>> # This option is not recommended by the Squid Team.
>>>>>>> # Our preference is for administrators to configure a secure
>>>>>>> # user account for squid with UID/GID matching system policies.
>>>>>>> #Default:
>>>>>>> # Use system group memberships of the cache_effective_user account
>>>>>>>
>>>>>>> As documented. :)
>>>>>>>
>>>>>>> AFAIK the best solution is to create non-privileged group & user (like
>>>>>>> squid/squid) and set both these parameters explicitly.
>>>>>>>
>>>>>>> Then change owner recursively on SSL cache to this user.
>>>>>>>
>>>>>>> 12.09.2017 0:36, Rohit Sodhia wrote:
>>>>>>>
>>>>>>> Neither of those values are set in my config. Even though I'm not
>>>>>>> using squid for caching, I need those values? They aren't set in the
>>>>>>> default configs either.
>>>>>>>
>>>>>>> On Mon, Sep 11, 2017 at 2:33 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>>>>>>
>>>>>>>> Most probably your squid runs as another user than squid.
>>>>>>>>
>>>>>>>> Check your squid.conf for cache_effective_user and
>>>>>>>> cache_effective_group values.
>>>>>>>>
>>>>>>>> Then change SSL cache permissions to these values. Should work.
>>>>>>>>
>>>>>>>> 12.09.2017 0:30, Rohit Sodhia wrote:
>>>>>>>>
>>>>>>>> Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it
>>>>>>>> set it up like that. I changed the owner and group to squid:squid and tried
>>>>>>>> restarting squid, but still get the same errors. I thought to run the
>>>>>>>> command again, but this time it says
>>>>>>>>
>>>>>>>> /usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db
>>>>>>>>
>>>>>>>> If this folder has incorrect permissions are there possibly other
>>>>>>>> permission issues?
>>>>>>>>
>>>>>>>> On Mon, Sep 11, 2017 at 2:25 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>>>>>>>
>>>>>>>>> Here is your root of the problem.
>>>>>>>>>
>>>>>>>>> Should be (on my setups):
>>>>>>>>>
>>>>>>>>> # ls -al /var/lib/ssl_db
>>>>>>>>> total 326
>>>>>>>>> drwxr-xr-x 3 squid squid 5 Sep 5 00:53 .
>>>>>>>>> drwxr-xr-x 8 root other 8 Sep 5 00:53 ..
>>>>>>>>> drwxr-xr-x 2 squid squid 454 Sep 11 23:37 certs
>>>>>>>>> -rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
>>>>>>>>> -rw-r--r-- 1 squid squid 7 Sep 11 23:37 size
>>>>>>>>>
>>>>>>>>> I.e. Squid has no access to SSL cache dir structures.
>>>>>>>>>
>>>>>>>>> 12.09.2017 0:23, Rohit Sodhia wrote:
>>>>>>>>>
>>>>>>>>> total 8
>>>>>>>>> drwxr-xr-x. 3 root root 48 Sep 11 12:42 .
>>>>>>>>> drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
>>>>>>>>> drwxr-xr-x. 2 root root 6 Sep 11 12:42 certs
>>>>>>>>> -rw-r--r--. 1 root root 0 Sep 11 12:42 index.txt
>>>>>>>>> -rw-r--r--. 1 root root 1 Sep 11 12:42 size
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Sep 11, 2017 at 2:22 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>>>>>>>>
>>>>>>>>>> Show output of
>>>>>>>>>>
>>>>>>>>>> ls -al /var/lib/ssl_db
>>>>>>>>>>
>>>>>>>>>> 12.09.2017 0:21, Rohit Sodhia wrote:
>>>>>>>>>>
>>>>>>>>>> Yes, but telling me it's crashing unfortunately doesn't help me
>>>>>>>>>> figure out why or how to fix it. I've run the command it suggests but it
>>>>>>>>>> doesn't help. I'm unfortunately not an ops guy familiar with this kind of
>>>>>>>>>> stuff; I don't see anything on how to figure out what to do about it.
>>>>>>>>>>
>>>>>>>>>> On Mon, Sep 11, 2017 at 2:17 PM, Yuri <mailto:yvoinov@xxxxxxxxx> wrote:
>>>>>>>>>>
>>>>>>>>>>> It tells you what happens.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 11.09.2017 23:50, Rohit Sodhia wrote:
>>>>>>>>>>>> (ssl_crtd): Uninitialized SSL certificate database directory:
>>>>>>>>>>>> /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s
>>>>>>>>>>> /var/lib/ssl_db".
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> squid-users mailing list
>>>>>>>>>>> mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170911/2c3ab1ef/attachment.html>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> squid-users mailing list
> mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
>
>
> ------------------------------
>
> End of squid-users Digest, Vol 37, Issue 30
> *******************************************
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
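The checks walked through in the quoted thread (which user Squid drops to, where the `sslcrtd_program` database lives, and who owns it), collected into one script as an added example that is not part of any message in the thread. The function names are hypothetical, and it reads only the directives quoted in the thread.

```shell
#!/bin/sh
# Added example: consistency check for the Squid settings discussed in the thread.
# Function names are hypothetical; only directives quoted in the thread are read.

# squid_conf_value CONF DIRECTIVE DEFAULT
# Print the last uncommented value of a one-argument directive, or DEFAULT.
squid_conf_value() {
    awk -v d="$2" -v def="$3" \
        '$1 == d { v = $2 } END { print (v != "" ? v : def) }' "$1"
}

# ssl_db_path CONF
# Print the directory passed to -s on the sslcrtd_program line (empty if none).
ssl_db_path() {
    awk '$1 == "sslcrtd_program" {
             for (i = 2; i < NF; i++) if ($i == "-s") p = $(i + 1)
         } END { print p }' "$1"
}

# not_owned_by DIR USER
# List every entry under DIR whose owner is not USER (name or numeric UID).
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# check_ssl_db CONF
# 0 = database tree owned by the effective user, 1 = ownership mismatch,
# 2 = no -s path configured, 3 = database not initialized, 4 = unknown user.
check_ssl_db() {
    conf=$1
    # "nobody" is the default documented in the squid.conf text quoted above.
    user=$(squid_conf_value "$conf" cache_effective_user nobody)
    db=$(ssl_db_path "$conf")
    [ -n "$db" ] || { echo "no sslcrtd_program -s path in $conf"; return 2; }
    [ -f "$db/index.txt" ] || { echo "$db not initialized (ssl_crtd -c -s $db)"; return 3; }
    id "$user" >/dev/null 2>&1 || { echo "user $user does not exist"; return 4; }
    bad=$(not_owned_by "$db" "$user")
    [ -z "$bad" ] && { echo "$db: all entries owned by $user"; return 0; }
    echo "entries under $db not owned by $user:"
    echo "$bad"
    return 1
}

# Usage: check_ssl_db /path/to/squid.conf
```

A return code of 1 corresponds to the root-owned listing shown in the thread; the fix described there is a recursive change of owner on the database directory to the effective user.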