
Help: squid restarts and squidGuard die

Dear Ones, I draw on your experience in seeking help to determine whether or not it is possible to achieve the configuration I am looking for, because of a strange error I am having.

Before commenting on the bug, I describe my testing environment:
- A CentOS 7 Core VM on VirtualBox 5.2, 1 NIC.
- My VM is joined to my W2012R2 domain (following this post https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/) to achieve Kerberos authentication transparent to the user. SELinux disabled. User squid has owner permissions on all folders/files involved.
- squid 3.5.20 installed and working great with Kerberos, NTLM and basic authentication. All authentication mechanisms tested and working great.
- squidGuard 1.4 with Berkeley DB 5.3.21 installed and working great with blacklists and the default acl.

My problem starts when I try to use a source acl with ldapusersearch in squidGuard...

systemctl status squid:
(squid-1)[12627]: The redirector helpers are crashing too rapidly, need help!

squidGuard.conf

dbhome /etc/squid/db
logdir /var/log/squidGuard
ldapbinddn CN=ldap,OU=SERVICIOS,OU=SISTEMAS,OU=CANAL,OU=MYCOMPANY,DC=mydomain,DC=local
ldapbindpass myULTRAsecretPASS
ldapprotover 3


src WEB_BASIC {
ldapusersearch ldap://dc-1.mydomain.local:3268/dc=mydomain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=WEB_BASIC%2cou=INTERNET%2cou=PERMISOS%2cou=MYCOMPANY%2cdc=mydomain%2cdc=local))
log block.log
}

dest BL_adv {
domainlist adv/domains
urllist adv/urls
log block.log
}

dest BL_aggressive {
domainlist aggressive/domains
urllist aggressive/urls
log block.log
}
dest BL_alcohol {
domainlist alcohol/domains
urllist alcohol/urls
log block.log
}
dest BL_anonvpn {
domainlist anonvpn/domains
urllist anonvpn/urls
log block.log
}
dest BL_chat {
domainlist chat/domains
urllist chat/urls
log block.log
}
dest BL_costtraps {
domainlist costtraps/domains
urllist costtraps/urls
log block.log
}
dest BL_downloads {
domainlist downloads/domains
urllist downloads/urls
log block.log
}
dest BL_drugs {
domainlist drugs/domains
urllist drugs/urls
log block.log
}
dest BL_dynamic {
domainlist dynamic/domains
log block.log
}
dest BL_fortunetelling {
domainlist fortunetelling/domains
urllist fortunetelling/urls
log block.log
}
dest BL_gamble {
domainlist gamble/domains
urllist gamble/urls
log block.log
}
dest BL_government {
domainlist government/domains
urllist government/urls
log block.log
}
dest BL_hacking {
domainlist hacking/domains
urllist hacking/urls
log block.log
}
dest BL_hobby_games-misc {
domainlist hobby/games-misc/domains
urllist hobby/games-misc/urls
log block.log
}
dest BL_hobby_games-online {
domainlist hobby/games-online/domains
urllist hobby/games-online/urls
log block.log
}
dest BL_movies {
domainlist movies/domains
urllist movies/urls
log block.log
}
dest BL_music {
domainlist music/domains
urllist music/urls
log block.log
}
dest BL_porn {
domainlist porn/domains
urllist porn/urls
log block.log
}
dest BL_radiotv {
domainlist radiotv/domains
urllist radiotv/urls
log block.log
}
dest BL_redirector {
domainlist redirector/domains
urllist redirector/urls
log block.log
}
dest BL_remotecontrol {
domainlist remotecontrol/domains
urllist remotecontrol/urls
log block.log
}
dest BL_ringtones {
domainlist ringtones/domains
urllist ringtones/urls
log block.log
}
dest BL_socialnet {
domainlist socialnet/domains
urllist socialnet/urls
log block.log
}
dest BL_spyware {
domainlist spyware/domains
urllist spyware/urls
log block.log
}
dest BL_tracker {
domainlist tracker/domains
urllist tracker/urls
log block.log
}
dest BL_updatesites {
domainlist updatesites/domains
urllist updatesites/urls
log block.log
}
dest BL_violence {
domainlist violence/domains
urllist violence/urls
log block.log
}
dest BL_warez {
domainlist warez/domains
urllist warez/urls
log block.log
}
dest BL_weapons {
domainlist weapons/domains
urllist weapons/urls
log block.log
}
dest BL_webphone {
domainlist webphone/domains
urllist webphone/urls
log block.log
}
dest BL_webradio {
domainlist webradio/domains
urllist webradio/urls
log block.log
}
dest BL_WEBTV {
domainlist webtv/domains
urllist webtv/urls
log block.log
}


dest whitelist {
domainlist whitelist/domains
log block.log
}

dest blacklist {
domainlist blacklist/domains
log block.log
}


acl {

WEB_BASIC {
pass whitelist !BL_porn !blacklist all


squid.conf

acl dmz src 192.168.20.0/27     # DMZ net

### negotiate kerberos & ntlm authentication
auth_param negotiate program /usr/sbin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME 
auth_param negotiate children 10 
auth_param negotiate keep_alive on

### basic authentication for not kerberos or ntlm authenticated users
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=mydomain,dc=local" -D "ldap@mydomain.local" -w " myULTRAsecretPASS  " -f sAMAccountName=%s -h dc-1.mydomain.local 
auth_param basic children 10 
auth_param basic realm Identifiquese 
auth_param basic credentialsttl 4 hours

### standard allowed ports
acl SSL_ports port 443 
acl Safe_ports port 80 # http 
acl Safe_ports port 21 # ftp 
acl Safe_ports port 443 # https 
acl Safe_ports port 70 # gopher 
acl Safe_ports port 210 # wais 
acl Safe_ports port 1025-65535 # unregistered ports 
acl Safe_ports port 280 # http-mgmt 
acl Safe_ports port 488 # gss-http 
acl Safe_ports port 591 # filemaker 
acl Safe_ports port 777 # multiling http 
acl CONNECT method CONNECT

### acl for proxy authentication (kerberos or ntlm) and ldap authorizations
acl auth proxy_auth REQUIRED

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS

### enforce authentication
http_access allow auth 
http_access deny !auth

### standard access rules
http_access deny !Safe_ports 
http_access deny CONNECT !SSL_ports 
http_access allow localhost manager 
http_access deny manager 
http_access allow localnet
http_access allow dmz
http_access allow localhost 
http_access deny all

### MISCELLANEOUS OPTIONS ###
http_port 8080 
coredump_dir /var/spool/squid 
refresh_pattern ^ftp: 1440 20% 10080 
refresh_pattern ^gopher: 1440 0% 1440 
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 
refresh_pattern .  0 20% 4320 
quick_abort_min 0 KB 
quick_abort_max 0 KB 
read_timeout 5 minutes 
request_timeout 3 minutes 
half_closed_clients off 
shutdown_lifetime 15 seconds 
log_icp_queries off 
dns_v4_first on 
ipcache_size 2048 
ipcache_low 90 
fqdncache_size 4096 
forwarded_for off 
visible_hostname eren 
httpd_suppress_version_string on 
uri_whitespace strip


## squidGuard ##
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 10 startup=5 idle=1 concurrency=0
url_rewrite_bypass off


cache.log

Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.070 seconds = 0.055 user + 0.015 sys
Maximum Resident Size: 68768 KB
Page faults with physical i/o: 0
2018/09/17 11:13:36 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu...
2018/09/17 11:13:36 kid1| Service Name: squid
2018/09/17 11:13:36 kid1| Starting new negotiateauthenticator helpers...
2018/09/17 11:13:36 kid1| Starting new negotiateauthenticator helpers...
2018/09/17 11:13:36| negotiate_kerberos_auth: INFO: User my.name authenticated
2018/09/17 11:13:36 kid1| WARNING: redirector #Hlpr1 exited
FATAL: The redirector helpers are crashing too rapidly, need help!

Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.086 seconds = 0.057 user + 0.029 sys
Maximum Resident Size: 68752 KB
Page faults with physical i/o: 0
2018/09/17 11:13:36| negotiate_kerberos_auth: INFO: User my.name authenticated
2018/09/17 11:13:39 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu...
2018/09/17 11:13:39 kid1| Service Name: squid

access.log

1537193586.999      0 10.10.11.154 TCP_DENIED/407 4137 CONNECT www.google.com.ar:443 - HIER_NONE/- text/html
1537193587.242      0 10.10.11.154 TCP_DENIED/407 4185 CONNECT clientservices.googleapis.com:443 - HIER_NONE/- text/html
1537193587.269      0 10.10.11.154 TCP_DENIED/407 4145 CONNECT accounts.google.com:443 - HIER_NONE/- text/html
1537193587.269      0 10.10.11.154 TCP_DENIED/407 4137 CONNECT www.google.com.ar:443 - HIER_NONE/- text/html
1537193613.322      0 10.10.11.154 TCP_DENIED/407 4185 CONNECT clientservices.googleapis.com:443 - HIER_NONE/- text/html
1537193616.653      1 10.10.11.154 TCP_DENIED/407 4125 CONNECT www.clarin.com:443 - HIER_NONE/- text/html
1537193616.732      0 10.10.11.154 TCP_DENIED/407 4145 CONNECT accounts.google.com:443 - HIER_NONE/- text/html
1537193616.749      1 10.10.11.154 TCP_DENIED/407 4137 CONNECT www.google.com.ar:443 - HIER_NONE/- text/html

messages

Sep 17 11:13:07 proxy kernel: squidGuard[12552]: segfault at ffffffffd7706bb0 ip 00007fdbf2052e70 sp 00007fffd1b73c70 error 5 in libldap-2.4.so.2.10.7[7fdbf2027000+52000]
Sep 17 11:13:07 proxy kernel: squidGuard[12553]: segfault at ffffffffa3d27bb0 ip 00007fd79b787e70 sp 00007ffe47e9b880 error 5 in libldap-2.4.so.2.10.7[7fd79b75c000+52000]
Sep 17 11:13:07 proxy (squid-1): The redirector helpers are crashing too rapidly, need help!
Sep 17 11:13:07 proxy squid[12549]: Squid Parent: (squid-1) process 12551 exited with status 1
Sep 17 11:13:10 proxy squid[12549]: Squid Parent: (squid-1) process 12627 started
Sep 17 11:13:33 proxy kernel: squidGuard[12628]: segfault at 1fbd2bb0 ip 00007f452b305e70 sp 00007ffda8c714b0 error 4 in libldap-2.4.so.2.10.7[7f452b2da000+52000]
Sep 17 11:13:33 proxy (squid-1): The redirector helpers are crashing too rapidly, need help!
Sep 17 11:13:33 proxy squid[12549]: Squid Parent: (squid-1) process 12627 exited with status 1
Sep 17 11:13:36 proxy squid[12549]: Squid Parent: (squid-1) process 12643 started
Sep 17 11:13:36 proxy kernel: squidGuard[12644]: segfault at 540fdbb0 ip 00007fab84f2de70 sp 00007ffc1aa8d2a0 error 4 in libldap-2.4.so.2.10.7[7fab84f02000+52000]
Sep 17 11:13:36 proxy (squid-1): The redirector helpers are crashing too rapidly, need help!
Sep 17 11:13:36 proxy squid[12549]: Squid Parent: (squid-1) process 12643 exited with status 1
Sep 17 11:13:39 proxy squid[12549]: Squid Parent: (squid-1) process 12658 started


If I disable src and acl WEB_BASIC I have no problem. The default acl does its thing without problems.
But when I enable src and acl WEB_BASIC, squidGuard explodes and squid restarts, so I get to notice.
I see an error in the libldap library... Could it be a library error? Or am I misconfiguring my squid?

Just in case, I've checked the URLs of the LDAP queries more than ten times (",", "%2c", etc.).

Thank you very much for any help you can give me.
Best regards

Gabriel
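One way to check the ldapusersearch line from the src WEB_BASIC block without involving squid or squidGuard. This is an added example, not code from the post or from squidGuard: it parses the RFC 4516 LDAP URL, decodes the %2c commas back into the memberOf DN, escapes the proxy username that replaces %s per RFC 4515 (that username is user-controlled input landing inside a search filter), rejects an unbalanced filter, and builds the equivalent ldapsearch(1) command so the query can be run and timed on its own; the bind DN passed to ldapsearch_argv is an assumed parameter.

```python
from urllib.parse import urlsplit, unquote
# The ldapusersearch URL from the post's 'src WEB_BASIC' block (copied, not constructed).
LDAPUSERSEARCH = (
    "ldap://dc-1.mydomain.local:3268/dc=mydomain,dc=local?sAMAccountName?sub?"
    "(&(sAMAccountName=%s)(memberOf=cn=WEB_BASIC%2cou=INTERNET%2cou=PERMISOS"
    "%2cou=MYCOMPANY%2cdc=mydomain%2cdc=local))"
)
# RFC 4515 escapes: the proxy username that replaces %s is user-controlled input
# landing inside a search filter, so it must not be able to change the filter.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESC.get(ch, ch) for ch in value)

def parse_ldap_url(url):
    """Split an RFC 4516 URL (ldap://host:port/base?attrs?scope?filter), percent-decoded."""
    p = urlsplit(url)
    if p.scheme != "ldap" or not p.hostname:
        raise ValueError("not an ldap:// URL with a host: %r" % url)
    attrs, scope, filt = (p.query.split("?") + ["", ""])[:3]
    if (scope or "base") not in ("base", "one", "sub"):
        raise ValueError("bad scope %r (expected base, one or sub)" % scope)
    return {"host": p.hostname, "port": p.port or 389,
            "base": unquote(p.path.lstrip("/")),
            "attrs": [a for a in unquote(attrs).split(",") if a],
            "scope": scope or "base",
            "filter": unquote(filt)}  # turns the %2c back into ',' inside the DN

def filter_balanced(filt):
    depth = 0
    for ch in filt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def build_filter(template, username):
    """Substitute the escaped username for %s and reject an unbalanced result."""
    if template.count("%s") != 1:
        raise ValueError("filter template must contain exactly one %s")
    filt = template.replace("%s", escape_filter_value(username))
    if not filter_balanced(filt):
        raise ValueError("unbalanced parentheses in filter: %r" % filt)
    return filt

def ldapsearch_argv(url, username, binddn):
    """argv of an equivalent ldapsearch(1) call, to run the query without squidGuard."""
    u = parse_ldap_url(url)
    return ["ldapsearch", "-x", "-H", "ldap://%s:%d" % (u["host"], u["port"]),
            "-D", binddn, "-W", "-b", u["base"], "-s", u["scope"],
            build_filter(u["filter"], username)] + u["attrs"]
```

If ldapsearch with the same bind DN returns the user for a member of WEB_BASIC, the URL and DN encoding are sound and the fault can be narrowed to the squidGuard/libldap side.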


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
