[squid-users] Squid 3.5.2 will only start if cache directory is empty

Amos Jeffries squid3 at treenet.co.nz
Thu Mar 19 04:11:40 UTC 2015 

On 19/03/2015 11:29 a.m., Stanford Prescott wrote:
> I posted this message to the list a few days ago but haven't received any
> responses yet. I am hoping someone might be able to provide some insight on
> what is going on.
> 
> I have been trying to get Squid 3.5.2 to work with the Smoothwall Express
> 3.1 Linux firewall distribution. Specifically, I have modified the Squid
> version included with Smoothwall Express 3.1 to enable HTTPS caching. I
> have had this working successfully up to Squid version 3.4.10. Now with
> trying to upgrade to Squid 3.5.2 I am having problems that I didn't
> encounter with prior versions of Squid.
> 
> The first issue I had, which is now resolved, was improper permissions of
> the shm folder (in SWE found in /dev/shm). Changing the folder permissions
> to Squid user and group allowed Squid 3.5.2 to start. However, now it will
> only start with an empty cache directory.

Ouch. /dev/shm is a folder for system shared-memory sockets to be
created by applications. It should be owned by root user and group, with
777 permissions. Squid (or the OS kernel) should be able to create
"files" inside it, but it should not be owned by Squid.


> Once it starts with an empty
> cache directory, it seems to function correctly as far as caching SSL
> encrypted web pages. However, if Squid needs to be restarted for any
> reason, it will not restart until the cache directory
> (/var/spool/squid/cache) is emptied.

That HTTP data cache is unrelated to the SSL session cache. Its contents
should not matter.


> *2015/03/14 00:29:47 kid1| helperOpenServers: Starting 5/5 'ssl_crtd'
> processes*
> *FATAL: Ipc::Mem::Segment::open failed to
> shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory*
> 

> 
> What is the "squid-ssl_session_cache". Am I supposed to define that
> somewhere in the
> Squid configuration? Is that why I am getting that error message because an
> ssl_session_cache is not defined somewhere?

The .shm is the name of a shared memory socket "file" name. You have
sslproxy_session_cache_size defined with a size so the SSL session
ticket cache is used.

Please try patching your Squid with
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-13984.patch>.
It should resolve many permissions issues Squid 3.5 workers are having
on startup.


> 
> This is my squid.conf file with SSL caching using ssl-bump enabled.
> 

> 
> *# A random port for forward-proxy port needed for SSL*
> *http_port 8081*
> 
> *http_port 192.168.100.1:800 <http://192.168.100.1:800/> intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem*
> 
> *https_port 192.168.100.1:808 <http://192.168.100.1:808/> intercept
> ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem*

Why two ports? one is usually sufficient.

> 
> *sslproxy_cert_error allow all*
> *sslproxy_flags DONT_VERIFY_PEER*

Please remove the DONT_VERIFY_PEER flag setting. It allows external
servers to corrupt your TLS certificates with garbage and hijack
connections.


> *ssl_bump server-first all*
> 
> *ssl_bump none localhostgreen*
> *sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s
> /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB*
> *sslcrtd_children 5*
> 
> *sslproxy_session_cache_size 4 MB*



> 
> *cache_access_log /var/log/squid/access.log*
> *cache_log /var/log/squid/cache.log*

You dont need these three:
> *cache_store_log none*
> *error_directory /usr/share/errors/en-us*
> *log_mime_hdrs off*

.. all they do is set the defaults to be used.


> 
> *request_header_access Content-Type allow all*
> *request_header_access Date allow all*
> *request_header_access Host allow all*
> *request_header_access If-Modified-Since allow all*
> *request_header_access Pragma allow all*
> *request_header_access Accept allow all*
> *request_header_access Accept-Charset allow all*
> *request_header_access Accept-Encoding allow all*
> *request_header_access Accept-Language allow all*
> *request_header_access Connection allow all*
> *request_header_access All allow all*

The above settings do nothing but waste CPU time. You can remove them.

What you are instructing Squid to do is effectively "allow certain
headers X, Y, Z, oh and every other header too".

> 
> *shutdown_lifetime 3 seconds*

NOTE: very short shutdown time can corrupt the HTTP data cache as the
memory index does not have enough time to complete saving to disk.

Amos

More information about the squid-users mailing list