[squid-users] Struggling with 3.5.16 on FreeBSD-9.3

Odhiambo Washington odhiambo at gmail.com
Fri Apr 15 13:29:38 UTC 2016


On 14 April 2016 at 03:56, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 14/04/2016 6:02 a.m., Odhiambo Washington wrote:
> > Hi Amos,
> >
> > I bit the bullet and upgraded my FreeBSD-8.4 -> 9.3.
> >
> > I am struggling to compile squid-3.5.16. I just have to find a way to make
> > it compile and run, by all means.
> >
> > So now here is what happens:
> >
> >
> > #!/bin/sh
> > ./configure --prefix=/opt/squid-3.5 \
> >         --enable-removal-policies="lru heap" \
> >         --disable-epoll \
> >         --with-pthreads \
> >         --enable-storeio="ufs diskd rock aufs" \
> >         --enable-delay-pools \
> >         --enable-snmp  \
> >         --with-openssl=/usr \
> >         --enable-forw-via-db \
> >         --enable-cache-digests \
> >         --enable-wccpv2 \
> >         --enable-follow-x-forwarded-for \
> >         --with-large-files \
> >         --enable-esi \
> >         --enable-kqueue \
> >         --enable-icap-client \
> >         --enable-kill-parent-hack \
> >         --enable-ssl \
> >         --enable-ssl-crtd \
> >         --enable-url-rewrite-helpers \
> >         --enable-xmalloc-statistics \
> >         --enable-stacktraces \
> >         --enable-zph-qos \
> >         --enable-eui \
> >         --with-nat-devpf \
> >         --enable-pf-transparent \
> >         --enable-ipf-transparent \
> >         --enable-auth \
> >
> > My config.log output is here: http://goo.gl/LcV1yN
> >
> > And this is how the compile fails:
> >
> > Making all in negotiate_auth
> > Making all in kerberos
> > depbase=`echo negotiate_kerberos_auth.o | sed
> > 's|[^/]*$|.deps/&|;s|\.o$||'`; g++ -DHAVE_CONFIG_H    -I../../..
> > -I../../../include  -I../../../lib -I../../../src  -I../../../include
> >  -I/usr/include  -I/usr/include  -I../../../libltdl -I. -I/usr/include
> > -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Wall
> > -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual
> > -Werror -pipe -D_REENTRANT -I/usr/local/include  -g -O2 -march=native
> > -I/usr/local/include -MT negotiate_kerberos_auth.o -MD -MP -MF $depbase.Tpo
> > -c -o negotiate_kerberos_auth.o negotiate_kerberos_auth.cc && mv -f
> > $depbase.Tpo $depbase.Po
> > negotiate_kerberos_auth.cc: In function 'int main(int, char* const*)':
> > negotiate_kerberos_auth.cc:754: error:
> > 'gsskrb5_extract_authz_data_from_sec_context' was not declared in this scope
> > *** [negotiate_kerberos_auth.o] Error code 1
> >
>
> Strange. Check the Kerberos / krb5 libraries available are up to date.
> Or for now you may need to use one or more of these:
>  --without-mit-kerberos \
>  --without-heimdal-kerbers \
>  --without-gssapi-kerberos
>
>
With luck, I have managed to get squid to compile successfully (after
upgrading a few components here and there). I used:

#!/bin/sh
env LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include CC=clang \
    CXX=clang++ CPP=clang-cpp ./configure --prefix=/opt/squid-3.5 \
        --enable-removal-policies="lru heap" \
        --disable-epoll \
        --with-pthreads \
        --enable-storeio="ufs diskd rock aufs" \
        --enable-delay-pools \
        --enable-snmp  \
        --with-openssl=/usr \
        --enable-forw-via-db \
        --enable-cache-digests \
        --enable-wccpv2 \
        --enable-follow-x-forwarded-for \
        --with-large-files \
        --enable-esi \
        --enable-kqueue \
        --enable-icap-client \
        --enable-kill-parent-hack \
        --enable-ssl \
        --enable-ssl-crtd \
        --enable-url-rewrite-helpers \
        --enable-xmalloc-statistics \
        --enable-stacktraces \
        --enable-zph-qos \
        --enable-eui \
        --with-nat-devpf \
        --enable-pf-transparent \
        --enable-ipf-transparent \
        --with-nat-devpf \
        --without-mit-kerberos \
        --without-heimdal-kerbers \
        --without-gssapi-kerberos \
        --enable-auth





>
> >
> > I am getting closer I think.
> >
> > The initial compile that I had before the upgrade from 8.4 to 9.3 cannot
> > run. Gives a different error:
> >
> > 2016/04/13 14:12:13| Accepting NAT intercepted SSL bumped HTTPS Socket
> > connections at local=192.168.55.254:13129 remote=[::] FD 36 flags=41
> > 2016/04/13 14:12:13| Accepting ICP messages on [::]:3130
> > 2016/04/13 14:12:13| Sending ICP messages from [::]:3130
> > 2016/04/13 14:12:13| ERROR: NAT/TPROXY lookup failed to locate original IPs
> > on local=192.168.55.254:13128 remote=192.168.55.83:50648 FD 14 flags=33
>
>
> <http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4>
>
> I don't think IPFilter (--enable-ipf-transparent) works on FreeBSD.
>
> PacketFilter (PF, --enable-pf-transparent --with-nat-devpf) and IPFW
> (--enable-ipfw-transparent) should do.
>
> Be careful of the 'f' and 'w' characters there, it can be a bit
> confusing with all those different names.
>
>
> NP: the same error message can occur if you have simply configured DNAT
> / REDIRECT external to the Squid machine.
>


I have it running now (redirecting using IPFilter/IPNAT), but once in a
while I see this error about NAT:


2016/04/15 16:15:52| Starting Squid Cache version 3.5.16 for i386-unknown-freebsd9.3...
2016/04/15 16:15:52| Service Name: squid
2016/04/15 16:15:52| Process ID 21761
2016/04/15 16:15:52| Process Roles: master worker
2016/04/15 16:15:52| With 32768 file descriptors available
2016/04/15 16:15:52| Initializing IP Cache...
2016/04/15 16:15:52| DNS Socket created at [::], FD 9
2016/04/15 16:15:52| DNS Socket created at 0.0.0.0, FD 10
2016/04/15 16:15:52| Adding domain crownkenya.com from /etc/resolv.conf
2016/04/15 16:15:52| Adding nameserver 192.168.55.254 from /etc/resolv.conf
2016/04/15 16:15:52| Adding nameserver 208.67.222.222 from /etc/resolv.conf
2016/04/15 16:15:52| Adding nameserver 208.67.220.220 from /etc/resolv.conf
2016/04/15 16:15:52| Adding nameserver 196.201.225.19 from /etc/resolv.conf
2016/04/15 16:15:52| Adding nameserver 41.222.10.26 from /etc/resolv.conf
2016/04/15 16:15:52| helperOpenServers: Starting 5/15 'ssl_crtd' processes
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| helperOpenServers: Starting 5/10 'perl' processes
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:52| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:53| WARNING: no_suid: setuid(0): (1) Operation not permitted
2016/04/15 16:15:53| Logfile: opening log stdio:/usr/local/squid/logs/access.log
2016/04/15 16:15:53| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2016/04/15 16:15:53| Store logging disabled
2016/04/15 16:15:53| Swap maxSize 20971520 + 131072 KB, estimated 1623276 objects
2016/04/15 16:15:53| Target number of buckets: 81163
2016/04/15 16:15:53| Using 131072 Store buckets
2016/04/15 16:15:53| Max Mem  size: 131072 KB
2016/04/15 16:15:53| Max Swap size: 20971520 KB
2016/04/15 16:15:53| Rejecting swap file v1 to avoid cache index corruption. Forcing a full cache index rebuild. See Squid bug #3441.
2016/04/15 16:15:53| Rebuilding storage in /usr/local/squid/cache (clean log)
2016/04/15 16:15:53| Using Least Load store dir selection
2016/04/15 16:15:53| Set Current Directory to /usr/local/squid/logs
2016/04/15 16:15:53| Finished loading MIME types and icons.
2016/04/15 16:15:53| HTCP Disabled.
2016/04/15 16:15:53| Squid plugin modules loaded: 0
2016/04/15 16:15:53| Adaptation support is off.
2016/04/15 16:15:53| Accepting NAT intercepted HTTP Socket connections at local=192.168.55.254:13128 remote=[::] FD 34 flags=41
2016/04/15 16:15:53| Accepting HTTP Socket connections at local=[::]:13130 remote=[::] FD 35 flags=9
2016/04/15 16:15:53| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=192.168.55.254:13129 remote=[::] FD 36 flags=41
2016/04/15 16:15:53| Accepting ICP messages on [::]:3130
2016/04/15 16:15:53| Sending ICP messages from [::]:3130
2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
2016/04/15 16:18:53| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57726 FD 357 flags=33
2016/04/15 16:21:57| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57742 FD 29 flags=33
2016/04/15 16:23:21| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57757 FD 60 flags=33
2016/04/15 16:24:17| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.60:49166 FD 79 flags=33
2016/04/15 16:24:17| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.60:49168 FD 79 flags=33


In any case, I am planning to rewrite the IPNAT rules into PF and use PF.
It's the inception stage so I haven't delved deep into ssl-bump
configurations...


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
-------------- next part --------------
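Added example, not part of the original message or of Squid itself: a small sh/awk filter that tallies the "NAT/TPROXY lookup failed" errors shown in the log above per client address and intercept listener, so the hosts whose connections reach the intercept port without a NAT table entry can be identified. The function names and the sample log are constructed for illustration; the log line format is taken from the message above.

```shell
#!/bin/sh
# Reads Squid cache.log text on stdin and prints one line per
# (client, listener) pair: "<count> <client-ip> <local-ip:port>".
nat_lookup_failures() {
    awk '
    # A record starts with a Squid timestamp; any other line is the tail of
    # a wrapped record (as happens in mail-quoted logs) and is glued back on.
    /^[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / { emit(); rec = $0; next }
    { rec = rec " " $0 }
    END { emit(); for (k in n) print n[k], k }
    function emit(   i, f, nf, l, r) {
        if (rec ~ /ERROR: NAT\/TPROXY lookup failed/) {
            nf = split(rec, f, " ")
            l = r = ""
            for (i = 1; i <= nf; i++) {
                if (f[i] ~ /^local=/)  l = substr(f[i], 7)
                if (f[i] ~ /^remote=/) {
                    r = substr(f[i], 8)
                    sub(/:[0-9]+$/, "", r)   # drop the ephemeral source port
                }
            }
            if (l != "" && r != "") n[r " " l]++
        }
        rec = ""
    }' | sort -k1,1nr -k2,2
}

# Constructed sample input in the same format as the log above,
# including records wrapped across two lines.
sample_log() {
    cat <<'EOF'
2016/04/15 16:15:53| Accepting NAT intercepted HTTP Socket connections at
local=192.168.55.254:13128 remote=[::] FD 34 flags=41
2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs
on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
2016/04/15 16:18:53| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57726 FD 357 flags=33
2016/04/15 16:24:17| ERROR: NAT/TPROXY lookup failed to locate original IPs
on local=192.168.55.254:13128 remote=192.168.55.60:49166 FD 79 flags=33
EOF
}

sample_log | nat_lookup_failures
```

Against a live log, run it as `nat_lookup_failures < cache.log` with the path of your own cache.log.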