[squid-users] Squid Crashing

Alex Rousskov rousskov at measurement-factory.com
Tue Feb 9 22:01:15 UTC 2016


On 02/09/2016 02:54 PM, Rafael Akchurin wrote:

> If you need to **only** filter by IP/ CONNECT domain name/SNI then you
> do not need to install Squid’s Root CA certificate onto your client
> machines. 

This is correct.


> In this case indeed there is not much sense to use ICAP as for
> it to work you **must** bump (otherwise you cannot “look into the SSL
> stream”).

This is a little misleading because Squid does send CONNECT requests
(real and faked by SslBump) to ICAP and eCAP services where they can be
acted upon. CONNECT handling happens before connection bumping. Bumping
is necessary only if you want to look at or modify HTTP messages inside
the SSL/TLS connection.

Whether it is a good idea to use ICAP/eCAP for CONNECT-only filtering is
a complicated question, but it is _possible_.


Cheers,

Alex.



> *From:*Panda Admin [mailto:pandanonomous at gmail.com]
> *Sent:* Tuesday, February 9, 2016 10:43 PM
> *To:* Rafael Akchurin <rafael.akchurin at diladele.com>
> *Cc:* squid-users at squid-cache.org
> *Subject:* Re: [squid-users] Squid Crashing
> 
>  
> 
> I would love to use another tool, however can your tools do ssl_bumping
> aka filtering of HTTPS traffic WITHOUT putting a cert on the client
> side? This is the only way I've been able to come up with to do both
> HTTPS and HTTP Content Filtering using squid. 
> 
>  
> 
> Thanks for all advice:)
> 
>  
> 
> On Tue, Feb 9, 2016 at 3:50 PM, Rafael Akchurin
> <rafael.akchurin at diladele.com> wrote:
> 
>     Hello Panda Admin,
> 
>      
> 
>     If you do not mind looking at ICAP filtering instead of only URL
>     filtering please take a look at our qlproxy (ICAP web filter for Squid).
> 
>     The shalla list formatted folders with categories can be used as is
>     as third party blacklist provider and I presume takes less time to
>     process upon start.
> 
>      
> 
>     Please note we currently do not support regexes in the list of
>     domain names.
> 
>      
> 
>     Best regards,
> 
>     Rafael
> 
>      
> 
>     *From:* squid-users [mailto:squid-users-bounces at lists.squid-cache.org] *On Behalf Of* Panda Admin
>     *Sent:* Tuesday, February 9, 2016 5:01 PM
>     *To:* Kinkie <gkinkie at gmail.com>
>     *Cc:* squid-users at squid-cache.org
>     *Subject:* Re: [squid-users] Squid Crashing
> 
>      
> 
>     I see that, but that's not possible. I still have system memory
>     available.
> 
>     I just did a top while running squid, never went over 30% memory
>     usage.  It maxed out the CPU but not the memory. So, yeah...still
>     confused.
> 
>      
> 
>     On Tue, Feb 9, 2016 at 10:55 AM, Kinkie <gkinkie at gmail.com> wrote:
> 
>         Hi,
>           it's all in the logs you posted:
> 
>         ipcCreate: fork: (12) Cannot allocate memory
>         WARNING: Cannot run '/lib/squid3/ssl_crtd' process.
>         ...
>         FATAL: Failed to create unlinkd subprocess
> 
>         You've run out of system memory during startup.
> 
> 
> 
>         On Tue, Feb 9, 2016 at 4:47 PM, Panda Admin <pandanonomous at gmail.com> wrote:
>         > Hello,
>         >
>         > I am running squid 3.5.13 and it crashes with these errors:
>         >
>         > 2016/02/09 15:43:24 kid1| Set Current Directory to /var/spool/squid3
>         > 2016/02/09 15:43:24 kid1| Starting Squid Cache version 3.5.13 for x86_64-pc-linux-gnu...
>         > 2016/02/09 15:43:24 kid1| Service Name: squid
>         > 2016/02/09 15:43:24 kid1| Process ID 7279
>         > 2016/02/09 15:43:24 kid1| Process Roles: worker
>         > 2016/02/09 15:43:24 kid1| With 1024 file descriptors available
>         > 2016/02/09 15:43:24 kid1| Initializing IP Cache...
>         > 2016/02/09 15:43:24 kid1| DNS Socket created at [::], FD 6
>         > 2016/02/09 15:43:24 kid1| DNS Socket created at 0.0.0.0, FD 7
>         > 2016/02/09 15:43:24 kid1| Adding nameserver 10.31.2.78 from /etc/resolv.conf
>         > 2016/02/09 15:43:24 kid1| Adding nameserver 10.31.2.79 from /etc/resolv.conf
>         > 2016/02/09 15:43:24 kid1| Adding domain nuspire.com from /etc/resolv.conf
>         > 2016/02/09 15:43:24 kid1| helperOpenServers: Starting 5/10 'ssl_crtd' processes
>         > 2016/02/09 15:43:24 kid1| ipcCreate: fork: (12) Cannot allocate memory
>         > 2016/02/09 15:43:24 kid1| WARNING: Cannot run '/lib/squid3/ssl_crtd' process.
>         > 2016/02/09 15:43:24 kid1| ipcCreate: fork: (12) Cannot allocate memory
>         > 2016/02/09 15:43:24 kid1| WARNING: Cannot run '/lib/squid3/ssl_crtd' process.
>         > 2016/02/09 15:43:24 kid1| ipcCreate: fork: (12) Cannot allocate memory
>         > 2016/02/09 15:43:24 kid1| WARNING: Cannot run '/lib/squid3/ssl_crtd' process.
>         > 2016/02/09 15:43:24 kid1| ipcCreate: fork: (12) Cannot allocate memory
>         > 2016/02/09 15:43:24 kid1| WARNING: Cannot run '/lib/squid3/ssl_crtd' process.
>         > 2016/02/09 15:43:24 kid1| ipcCreate: fork: (12) Cannot allocate memory
>         > 2016/02/09 15:43:24 kid1| WARNING: Cannot run '/lib/squid3/ssl_crtd' process.
>         > 2016/02/09 15:43:24 kid1| helperOpenServers: Starting 0/15 'squidGuard' processes
>         > 2016/02/09 15:43:24 kid1| helperOpenServers: No 'squidGuard' processes needed.
>         > 2016/02/09 15:43:24 kid1| Logfile: opening log syslog:local5.info
>         > 2016/02/09 15:43:24 kid1| ipcCreate: fork: (12) Cannot allocate memory
>         > FATAL: Failed to create unlinkd subprocess
>         > Squid Cache (Version 3.5.13): Terminated abnormally.
>         > CPU Usage: 20.041 seconds = 19.115 user + 0.926 sys
>         > Maximum Resident Size: 4019840 KB
>         > Page faults with physical i/o: 0
>         >
>         >
>         > Anybody have an idea why?
>         >
> 
>         > _______________________________________________
>         > squid-users mailing list
>         > squid-users at lists.squid-cache.org
>         > http://lists.squid-cache.org/listinfo/squid-users
>         >
> 
> 
> 
>         --
>             Francesco
> 
>      
> 
>  
> 
> 
> 
> 
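
The reply at the top of this message notes that Squid passes CONNECT requests to ICAP services before any bumping takes place. As an added example (not part of the original thread and not Squid or qlproxy code), here is how an ICAP service could act on such a request using RFC 3507 REQMOD framing; the blocklist, the sample message and all function names are constructed for illustration.

```python
# Added example: an ICAP REQMOD decision for CONNECT requests (RFC 3507 framing).
BLOCKED_SUFFIXES = ("blocked.example",)  # constructed blocklist (assumption)

# Constructed sample of the message an ICAP service receives for a CONNECT.
_HTTP = (b"CONNECT www.blocked.example:443 HTTP/1.1\r\n"
         b"Host: www.blocked.example:443\r\n\r\n")
SAMPLE_REQMOD = (b"REQMOD icap://127.0.0.1:1344/reqmod ICAP/1.0\r\n"
                 b"Host: 127.0.0.1:1344\r\nAllow: 204\r\n"
                 b"Encapsulated: req-hdr=0, null-body=%d\r\n\r\n" % len(_HTTP)) + _HTTP


def connect_target(icap_message):
    """Return (host, port) if the encapsulated request is a CONNECT, else None."""
    icap_head, sep, body = icap_message.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header")
    headers = {}
    for line in icap_head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Encapsulated lists byte offsets of each section, e.g. "req-hdr=0, null-body=75".
    offsets = {}
    for part in headers["encapsulated"].split(","):
        name, _, off = part.strip().partition("=")
        offsets[name] = int(off)
    start = offsets["req-hdr"]
    end = min(v for v in offsets.values() if v > start)
    request_line = body[start:end].decode("latin-1").split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    if method != "CONNECT":
        return None  # ordinary HTTP request; not handled in this example
    host, _, port = target.rpartition(":")
    return host.strip("[]").lower(), int(port)


def is_blocked(host):
    """Match the host itself or any subdomain of a blocklisted suffix."""
    return any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES)


def icap_reply(icap_message):
    """204 lets the tunnel proceed; 200 with an HTTP 403 refuses the CONNECT."""
    target = connect_target(icap_message)
    if target and is_blocked(target[0]):
        http = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
        return (b'ICAP/1.0 200 OK\r\nISTag: "added-example"\r\n'
                b"Encapsulated: res-hdr=0, null-body=%d\r\n\r\n" % len(http)) + http
    # Assumes the client sent "Allow: 204", as the constructed sample does.
    return b'ICAP/1.0 204 No Content\r\nISTag: "added-example"\r\nEncapsulated: null-body=0\r\n\r\n'
```

The decision uses only the CONNECT target, so it needs no bumping and no root CA on clients; it sees nothing of the HTTP messages inside the tunnel.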


