[squid-users] ssl_crtd process doesn't start with Squid 3.5.6

Stanford Prescott stan.prescott at gmail.com
Sun Jul 26 00:33:10 UTC 2015


I did a new install of Squid 3.5.6 and it seems to be working now.

On Fri, Jul 24, 2015 at 7:24 PM, James Lay <jlay at slave-tothe-box.net> wrote:

>  On Fri, 2015-07-24 at 19:15 -0500, Stanford Prescott wrote:
>
> Thanks for that. Any ideas why I am experiencing that?
>
>
>  Stan
>
>
>
>  On Fri, Jul 24, 2015 at 7:07 PM, James Lay <jlay at slave-tothe-box.net>
> wrote:
>
>  On Fri, 2015-07-24 at 17:25 -0500, Stanford Prescott wrote:
>
> I have a working implementation of Squid 3.5.5 with ssl-bump. When 3.5.5
> is started with ssl-bump enabled all the squid and ssl_crtd processes start
> and Squid functions as intended when bumping ssl sites. However, when I
> bump Squid to 3.5.6 squid seems to start but ssl_crtd does not and Squid
> 3.5.6 cannot successfully bump ssl.
>
>
> These are the config options I use for both 3.5.5 and 3.5.6.
>
> --enable-storeio="diskd,ufs,aufs" --enable-linux-netfilter \
> --enable-removal-policies="heap,lru" --enable-delay-pools --libdir=/usr/lib/ \
> --localstatedir=/var --with-dl --with-openssl --enable-http-violations \
> --with-large-files --with-libcap --disable-ipv6 --with-swapdir=/var/spool/squid \
> --enable-ssl-crtd --enable-follow-x-forwarded-for
>
>
>
> This is the squid.conf file used for both versions.
>
> visible_hostname smoothwallu3
>
> # Uncomment the following to send debug info to /var/log/squid/cache.log
> debug_options ALL,1 33,2 28,9
>
> # ACCESS CONTROLS
> # ----------------------------------------------------------------
> acl localhostgreen src 10.20.20.1
> acl localnetgreen src 10.20.20.0/24
>
> acl SSL_ports port 445 443 441 563
> acl Safe_ports port 80            # http
> acl Safe_ports port 81            # smoothwall http
> acl Safe_ports port 21            # ftp
> acl Safe_ports port 445 443 441 563    # https, snews
> acl Safe_ports port 70             # gopher
> acl Safe_ports port 210               # wais
> acl Safe_ports port 1025-65535        # unregistered ports
> acl Safe_ports port 280               # http-mgmt
> acl Safe_ports port 488               # gss-http
> acl Safe_ports port 591               # filemaker
> acl Safe_ports port 777               # multiling http
>
> acl CONNECT method CONNECT
>
> # TAG: http_access
> # ----------------------------------------------------------------
>
>
>
> http_access allow localhost
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow localnetgreen
> http_access allow CONNECT localnetgreen
>
> http_access allow localhostgreen
> http_access allow CONNECT localhostgreen
>
> # http_port and https_port
>
> #----------------------------------------------------------------------------
>
> # For forward-proxy port. Squid uses this port to serve error pages, ftp
> # icons and communication with other proxies.
>
> #----------------------------------------------------------------------------
> http_port 3127
>
> http_port 10.20.20.1:800 intercept
> https_port 10.20.20.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
>
>
> http_port 127.0.0.1:800 intercept
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_session_cache_size 4 MB
>
> ssl_bump none localhostgreen
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> ssl_bump peek step1
> ssl_bump bump all
>
> sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> http_access deny all
>
> cache_replacement_policy heap GDSF
> memory_replacement_policy heap GDSF
>
> # CACHE OPTIONS
> # ----------------------------------------------------------------------------
> cache_effective_user squid
> cache_effective_group squid
>
> cache_swap_high 100
> cache_swap_low 80
>
> cache_access_log stdio:/var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_mem 64 MB
>
> cache_dir diskd /var/spool/squid/cache 1024 16 256
>
> maximum_object_size 33 MB
>
> minimum_object_size 0 KB
>
>
> request_body_max_size 0 KB
>
> # OTHER OPTIONS
> # ----------------------------------------------------------------------------
> #via off
> forwarded_for off
>
> pid_filename /var/run/squid.pid
>
> shutdown_lifetime 30 seconds
> icp_port 3130
>
> half_closed_clients off
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
> adaptation_access service_avi_req allow all
> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
> adaptation_access service_avi_resp allow all
>
> umask 022
>
> logfile_rotate 0
>
> strip_query_terms off
>
> redirect_program /usr/sbin/squidGuard
> url_rewrite_children 5
>
>
> And the cache.log file when starting 3.5.6 with debug options on in
> squid.conf
>
> 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
> 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
> 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06 kid1| Current Directory is /
> 2015/07/24 17:15:06 kid1| Starting Squid Cache version 3.5.6 for i586-pc-linux-gnu...
> 2015/07/24 17:15:06 kid1| Service Name: squid
> 2015/07/24 17:15:06 kid1| Process ID 2907
> 2015/07/24 17:15:06 kid1| Process Roles: worker
> 2015/07/24 17:15:06 kid1| With 1024 file descriptors available
> 2015/07/24 17:15:06 kid1| Initializing IP Cache...
> 2015/07/24 17:15:06 kid1| DNS Socket created at 0.0.0.0, FD 8
> 2015/07/24 17:15:06 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
> 2015/07/24 17:15:06 kid1| helperOpenServers: Starting 0/5 'squidGuard' processes
> 2015/07/24 17:15:06 kid1| helperOpenServers: No 'squidGuard' processes needed.
> 2015/07/24 17:15:06 kid1| Logfile: opening log stdio:/var/log/squid/access.log
> 2015/07/24 17:15:06 kid1| Unlinkd pipe opened on FD 15
> 2015/07/24 17:15:06 kid1| Store logging disabled
> 2015/07/24 17:15:06 kid1| Swap maxSize 1048576 + 65536 KB, estimated 85700 objects
> 2015/07/24 17:15:06 kid1| Target number of buckets: 4285
> 2015/07/24 17:15:06 kid1| Using 8192 Store buckets
> 2015/07/24 17:15:06 kid1| Max Mem  size: 65536 KB
> 2015/07/24 17:15:06 kid1| Max Swap size: 1048576 KB
> 2015/07/24 17:15:06 kid1| Rebuilding storage in /var/spool/squid/cache (dirty log)
> 2015/07/24 17:15:06 kid1| Using Least Load store dir selection
> 2015/07/24 17:15:06 kid1| Current Directory is /
> 2015/07/24 17:15:06 kid1| Finished loading MIME types and icons.
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d218 [call5]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c) [call5]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d3a8 [call7]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc) [call7]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d510 [call9]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544) [call9]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d6b0 [call11]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4) [call11]
> 2015/07/24 17:15:06.578 kid1| HTCP Disabled.
> 2015/07/24 17:15:06.578 kid1| Squid plugin modules loaded: 0
> 2015/07/24 17:15:06.578 kid1| Adaptation support is on
> 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call5]
> 2015/07/24 17:15:06.578 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3127 remote=[::] FD 20 flags=9
> 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
> 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call7]
> 2015/07/24 17:15:06.578 kid1| Accepting NAT intercepted HTTP Socket connections at local=10.20.20.1:800 remote=[::] FD 21 flags=41
> 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
> 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
> 2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call9]
> 2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted HTTP Socket connections at local=127.0.0.1:800 remote=[::] FD 22 flags=41
> 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
> 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
> 2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call11]
> 2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=10.20.20.1:808 remote=[::] FD 23 flags=41
> 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
> 2015/07/24 17:15:06.579 kid1| Accepting ICP messages on 0.0.0.0:3130
> 2015/07/24 17:15:06.579 kid1| Sending ICP messages from 0.0.0.0:3130
> 2015/07/24 17:15:06.579 kid1| Done reading /var/spool/squid/cache swaplog (12 entries)
> 2015/07/24 17:15:06.579 kid1| Finished rebuilding storage from disk.
> 2015/07/24 17:15:06.579 kid1|        12 Entries scanned
> 2015/07/24 17:15:06.579 kid1|         0 Invalid entries.
> 2015/07/24 17:15:06.579 kid1|         0 With invalid flags.
> 2015/07/24 17:15:06.579 kid1|        12 Objects loaded.
> 2015/07/24 17:15:06.579 kid1|         0 Objects expired.
> 2015/07/24 17:15:06.579 kid1|         0 Objects cancelled.
> 2015/07/24 17:15:06.579 kid1|         0 Duplicate URLs purged.
> 2015/07/24 17:15:06.579 kid1|         0 Swapfile clashes avoided.
> 2015/07/24 17:15:06.579 kid1|   Took 0.06 seconds (210.47 objects/sec).
> 2015/07/24 17:15:06.579 kid1| Beginning Validation Procedure
> 2015/07/24 17:15:06.579 kid1|   Completed Validation Procedure
> 2015/07/24 17:15:06.579 kid1|   Validated 12 Entries
> 2015/07/24 17:15:06.579 kid1|   store_swap_size = 1444.00 KB
> 2015/07/24 17:15:07 kid1| storeLateRelease: released 0 objects
>
>
>
> Any help or suggestions greatly appreciated.
>
>
> Regards
>
>
> Stan
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
> I do not experience this issue:
>
> [18:04:56 jlay <jlay at gateway>:~/nobackup/build$] ps aux | egrep "ssl|squid"
> root      3173  0.0  0.0  18840   372 ?        Ss   Jul23   0:00 /opt/sbin/squid
> nobody    3175  0.0  1.2  52856 39744 ?        S    Jul23   0:47 (squid-1)
> nobody    3177  0.0  0.0   5916  2040 ?        S    Jul23   0:05 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> nobody    3178  0.0  0.0   5828  1840 ?        S    Jul23   0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> nobody    3179  0.0  0.0   5828  1708 ?        S    Jul23   0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> nobody    3180  0.0  0.0   5648   912 ?        S    Jul23   0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> nobody    3181  0.0  0.0   5648   912 ?        S    Jul23   0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
>
> my config line:
> ./configure --prefix=/opt --with-openssl --enable-ssl --enable-ssl-crtd
> --enable-linux-netfilter --enable-follow-x-forwarded-for --with-large-files
> --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none
>
> Squid Cache: Version 3.5.6
>
> James
>
>
>
>
> I recall when just starting out with ssl_crtd I had an issue until I set
> the user running as squid on my ssl_db dir:
>
> drwxr-xr-x 3 nobody root 4096 May 30 17:22 ssl_db
>
> My ssl_crtd lines:
> sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
> sslcrtd_children 5
>
> Hope it helps.
>
> James
>
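James's reply points at the usual reason the ssl_crtd helpers die at startup: the helper is forked as the cache_effective_user but the ssl_db directory is owned by someone else (or was never initialised with `ssl_crtd -c`). The script below is an added example for readers of this thread, not code from the thread or from the Squid project. It pre-flights the certificate database before Squid is started. The helper path, database path and user are taken from Stan's squid.conf and are assumptions about the reader's layout; override them through the environment.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): pre-flight check
# for the ssl_crtd certificate database. Paths and user are assumptions taken
# from Stan's squid.conf; override via the environment.

SSL_CRTD=${SSL_CRTD:-/var/smoothwall/mods/proxy/libexec/ssl_crtd}
SSL_DB=${SSL_DB:-/var/smoothwall/mods/proxy/lib/ssl_db}
SQUID_USER=${SQUID_USER:-squid}      # must equal cache_effective_user in squid.conf

# owner_of PATH: print the owning user as shown by ls (POSIX; avoids GNU stat -c).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# owner_can_write PATH: true when the owner write bit is set (third mode char).
owner_can_write() {
    [ "$(ls -ld "$1" | cut -c3)" = "w" ]
}

# check_ssl_db DIR USER
# Returns 0 when DIR is an initialised ssl_crtd database owned and writable by
# USER; otherwise prints the first failing condition with its fix and returns 1.
check_ssl_db() {
    dir=$1
    user=$2
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (initialise with: $SSL_CRTD -c -s $dir -M 4MB)"
        return 1
    fi
    # ssl_crtd -c populates the directory (index.txt, serial, certs/);
    # index.txt is used here as the marker that initialisation happened.
    if [ ! -f "$dir/index.txt" ]; then
        echo "not initialised: $dir lacks index.txt (run: $SSL_CRTD -c -s $dir -M 4MB)"
        return 1
    fi
    owner=$(owner_of "$dir")
    if [ "$owner" != "$user" ]; then
        # the failure mode James describes: a helper running as $user cannot
        # open a database owned by another account, so it exits at startup
        echo "wrong owner: $dir is owned by $owner, expected $user (fix: chown -R $user $dir)"
        return 1
    fi
    if ! owner_can_write "$dir"; then
        echo "read-only: $dir is not writable by $owner (fix: chmod u+w $dir)"
        return 1
    fi
    echo "ok: $dir initialised and owned by $user"
    return 0
}

# Invoke as `sh check_ssl_db.sh run` before starting Squid; with no argument the
# file only defines the functions so it can be sourced.
if [ "${1:-}" = "run" ]; then
    check_ssl_db "$SSL_DB" "$SQUID_USER"
    exit $?
fi
```

Run it as the account that starts Squid; a non-zero exit with a "wrong owner" line is the case James fixed with ownership, and the "not initialised" line covers a fresh install where the database was never created. The check deliberately tests the owner write bit rather than `[ -w ]`, because `-w` answers for the invoking user (often root) and not for the unprivileged helper.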