[squid-users] Debian jessie + squid 3.5.16 - Will not start.

Markey, Bruce bmarkey at steinmancommunications.com
Thu Apr 7 15:58:56 UTC 2016

I'm running debian Jessie.
Squid 3.5.16 compiled from source with the following:

./configure --build=x86_64-linux-gnu \
--prefix=/usr \
--includedir=${prefix}/include \
--mandir=${prefix}/share/man \
--infodir=${prefix}/share/info \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=${prefix}/lib/squid3 \
--srcdir=. \
--disable-maintainer-mode \
--disable-dependency-tracking \
--disable-silent-rules \
--datadir=/usr/share/squid3 \
--sysconfdir=/etc/squid3 \
--mandir=/usr/share/man \
--enable-inline \
--enable-gnuregex \
--enable-xmalloc-statistics \
--enable-useragent-log \
--enable-kill-parent-hack \
--enable-htpc \
--enable-forw-via-db \
--enable-dl-malloc \
--enable-time-hack \
--enable-err-language=English \
--disable-arch-native \
--enable-async-io=8 \
--enable-storeio=ufs,aufs,diskd,rock \
--enable-removal-policies=lru,heap \
--enable-delay-pools \
--enable-cache-digests \
--enable-icap-client \
--enable-follow-x-forwarded-for \
--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB \
--enable-auth-digest=file,LDAP \
--enable-auth-negotiate=kerberos,wrapper \
--enable-auth-ntlm=fake,smb_lm \
--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group \
--enable-url-rewrite-helpers=fake \
--enable-eui \
--enable-esi \
--enable-icmp \
--enable-zph-qos \
--enable-ecap \
--disable-translation \
--with-swapdir=/var/spool/squid3 \
--with-logdir=/var/log/squid3 \
--with-pidfile=/var/run/squid3.pid \
--with-filedescriptors=65536 \
--with-large-files \
--with-default-user=proxy \
--enable-ssl \
--enable-ssl-crtd \
--enable-wccpv2 \
--with-openssl \
--enable-linux-netfilter \
'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' \
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' \
'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

Here is my squid.conf

#Access Lists
acl internal src
acl wireless src

#Ports allowed through Squid
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443

http_access allow internal
http_access allow wireless
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek all
ssl_bump splice all

sslproxy_capath /etc/ssl/certs

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /etc/squid3/ssl_db -M 4MB
sslcrtd_children 5

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh

#access_log syslog:daemon.info mine
access_log daemon:/var/log/squid3/access.log mine

http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid3/certs/squid.pem cafile=/etc/squid3/certs/squid.pem key=/etc/squid3/certs/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE


#WCCPv2 items
wccp_version 2
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=LNP1
wccp2_service dynamic 70 password=LNP1
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443

-I did initialize the ssl_db
-I did create certs

I'm simply trying to start via: sudo squid. It throws no errors, nothing. The pid lives for a sec then dies. This is the only log message I get:

Apr  7 11:51:19 LNP-Proxy (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!

I tried deleting and recreating the ssl_db, as I saw in a few other posts; it did not work.

Other info:

Tunnel is up:

gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
wccp0: gre/ip  remote  local  dev eth3  ttl inherit


bruce at LNP-Proxy:/var/log$ sudo iptables -t nat -L
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

target     prot opt source               destination

I'm not sure what to even check next. I can't do a sudo squid -k debug since the process doesn't last long enough.


Bruce Markey | Network Security Analyst
717.291.8758 (o) | bmarkey at steinmancommunications.com
8 West King St | PO Box 1328, Lancaster, PA 17608-1328
