[squid-users] Building squid | Best Practices?

Howard Waterfall hwaterfall at gmail.com
Sat Sep 26 06:21:52 UTC 2015


Hey guys, back at it. I expect that Linux issues are really a much bigger
problem for me than squid!

I'm running into this problem now:

/var/run/squid3.pid: (13) Permission denied


I know it's a permission problem, but not sure the optimal way of fixing it.

I created user 'proxy' and group 'squid' to run squid:

sudo addgroup --system squid
sudo adduser --system --no-create-home --group proxy squid


And I set up my build config accordingly:

--with-default-user=proxy


but 'proxy' does not have access to /var/run:

lrwxrwxrwx 1 root root /var/run


This explains why /var/run/squid3.pid cannot be written, but I'm not sure
simply changing ownership of /var/run to 'proxy' is the best approach given
that squid is not the only service that accesses that folder. I'm thinking
that I should configure the build differently.

In order to see what configurations are used in the distro package, I
installed it:

sudo apt-get install squid


and had a look at the output of:

squid3 -v


These settings are troubling for me:

--prefix=/usr
--localstatedir=/var
--with-swapdir=/var/spool/squid3
--with-logdir=/var/log/squid3
--with-pidfile=/var/run/squid3.pid
--datadir=/usr/share/squid3
--mandir=/usr/share/man'
--sysconfdir=/etc
--sysconfdir=/etc/squid3


Yes, --sysconfdir is defined twice! Regardless of that, wouldn't it be better
to set them up this way:

--prefix=/usr
--localstatedir=${prefix}/var
--with-swapdir=${localstatedir}/spool/squid3
--with-logdir=${localstatedir}/log/squid3
--with-pidfile=${localstatedir}/run/squid3.pid
--datadir=${prefix}/share/squid3
--mandir=${prefix}/share/man'
--sysconfdir=${prefix}/etc/squid3


I'm not positive about this directive:

--sysconfdir=${prefix}/etc/squid3


that may be better left as:

--sysconfdir=/etc/squid3


I am curious about the others though. If what I've said makes sense, I'll
update my build config that way and make one more change:

--prefix=/proxy


Thanks
Deiter


On Mon, Sep 7, 2015 at 6:44 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 8/09/2015 10:10 a.m., Eliezer Croitoru wrote:
> > Hey Howard,
> >
> > I forgot to mention that squid uses the directory "/var/run/squid" as
> > the IPC directory which should be owned by the proxy or squid
> > user (depends on the OS).
> > From what you have mentioned squid tries to access some directory and is
> > getting denied by permissions.
> > Please don't run squid with a "-n" option if possible, it will limit
> > your options to using only one worker (which is the default and is OK in
> > most basic cases).
>
> No. The -N (upper case) means that. On Ubuntu the -N was needed for
> Upstart integration (now defunct in the custom build).
>
> Not to be confused with -n (lower case) which means a multi-tenant /
> multi-instance named service is being used.
>
> Amos