[squid-users] Centos 7 squid 3.5.2 / kid2| commBind: Cannot bind socket FD 782 to [::]: (2) No such file or directory

Amos Jeffries squid3 at treenet.co.nz
Fri Jun 10 10:55:14 UTC 2016


On 10/06/2016 9:13 p.m., --Ahmad-- wrote:
> Again, if I use the same steps below on CentOS 6 it works fine without any issue
> 

That means nothing. CentOS is based on RHEL, which only gets updated
periodically. There are about five years' worth of changes across the
entire OS and everything installed with it between v6 and v7.

Obviously something in those changes to CentOS does not work with that
very old version of Squid and seems to work fine with the newer Squid.


>> On Jun 10, 2016, at 11:54 AM, --Ahmad-- wrote:
>>
>> hi eliezer
>> =============================================
>> 1- selinux is disabled
>> [root@localhost ~]# sestatus
>> SELinux status:                 disabled
>> [root@localhost ~]#
>>
>> 2-
>> I have the PID file with permission to squid
>> [root@localhost ~]# ls -l /var/run/squid.pid
>> -rw-r--r-- 1 squid squid 5 Jun 10 04:45 /var/run/squid.pid
>> [root@localhost ~]#

squid.pid should not exist when Squid is shutdown.

You should delete it and ensure that Squid is started by the root user,
which already should have permission to alter the /var/run directory and
create the squid.pid file correctly.

>>
>> But here I don’t see the file /var/run/squid ... I used to see a file called /var/run/squid, not /var/run/squid.pid
>>

/var/run/squid should be a directory. It's where the state data gets
placed now. It may be unused in your installation or just not.

squid.pid may be under /var/run/squid or /var/run depending on your
installation.

/run may be used instead of /var/run if you have a new enough system.


** For pre-packaged Squid. Don't worry about these unless Squid
explicitly complains. Just go with what the package installation chose.


** For custom builds, the "make install" action should create
/var/run/squid directory. If for some reason it does not (such as newly
building an already deprecated old Squid version - which one should
never do anyway), you may need to create it yourself, and assign
squid:squid ownership.


>> I also tried to add the directive to squid.conf ==> pid_filename /var/run/squid.pid
>>
>> but I have the same error
>>
>> 3- I'm using the default kernel for CentOS 7 and it does support IPv6; I didn’t compile any kernel
>>
>>
>>
>> Again, the error that I have is:
>> kid2| commBind: Cannot bind socket FD 782 to [::]: (2) No such file or directory
>>

As mentioned in the URL Eliezer referred you to already
(<http://wiki.squid-cache.org/Features/SmpScale#Cannot_bind_socket_FD_NN_to_.5B::.5D:_.2813.29_Permission_denied>)
that error is about the SMP UDS sockets.
More specifically it is about the system shared memory device (/dev/shm).

* Some systems need the /dev/shm device to be explicitly turned on
during startup. Check if it is enabled in your system and if not, what
you have to do to fix that. Hints in the wiki.

* Check that /dev/shm path is owned by root. Only the OS itself should
be doing things in there. Programs like Squid use kernel syscalls to
make changes.

* Older Squid like yours could leave UDS sockets after a crash or broken
config abort. Check that /dev/shm/ does not contain any "files" starting
with "squid-" or owned by Squid when Squid is shutdown.
 If some exist use 'rm' to remove them and try restarting Squid.


>>
>> not 
>> kid2| commBind: Cannot bind socket FD 782 to [::]: permission denied
>>
>>
>> Here again are the compile options:
>>
>>>> Squid Cache: Version 3.5.2
>>>> Service Name: squid
>>>> configure options:  '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
>> '--enable-cachemgr-hostname=Ahmad-Allzaeem'

... unusual URL for accessing management reports:
     http://Ahmad-Allzaeem/squid-internal-mgr/

'cachemgr' means the Squid cache management API, specifically the
cachemgr.cgi tool. Not an administrator's name.


>> '--localstatedir=/var' '--libexecdir=/lib/squid' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-esi' '--disable-translation' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '' '--with-large-files' '--with-default-user=squid' --with-openssl' '--enable-snmp' '--with-included-ltdl' '--disable-arch-native'
>>>> [root@localhost ~]#
>>
>>
>> and here is squid.conf 
>>
>> [root@localhost ~]# cat /etc/squid/squid.conf | less
>> cache deny all
>> #################
>> #pid_filename /var/run/squid.pid
>> ####################
>> visible_hostname squid
>> cache_effective_user squid
>> cache_effective_group squid

You should not need to use cache_effective_group. Particularly if you
are wanting to use NTLM or Kerberos related functionality with Squid.


>> ####################################
>> #workers 2
>> ########################################################################
>> # Lockdown Procedures
>> auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
>> acl ncsa_users proxy_auth REQUIRED
>> http_access allow ncsa_users
>> ############################
>> f

Please move the auth and http_access lines down to below where it says:
"
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
"

Doing complex things like auth up here at the top of the config makes
your proxy more vulnerable than it should be to various DoS and
traffic smuggling attacks.


<snip>
>> #
>> # Recommended minimum Access Permission configuration:
>> #
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>>
>> # Deny CONNECT to other than secure SSL ports
>> http_access deny CONNECT !SSL_ports
>>
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>>
>> # We strongly recommend the following be uncommented to protect innocent
>> # web applications running on the proxy server who think the only
>> # one who can access services on "localhost" is a local user
>> #http_access deny to_localhost
>>
>> #
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>> #
>>
>> # Example rule allowing access from your local networks.
>> # Adapt localnet in the ACL section to list your (internal) IP networks
>> # from where browsing should be allowed
>> http_access allow localnet
>> http_access allow localhost
>>
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
>> # Squid normally listens to port 3128
>> http_port 1234

Why 1234? 3128 has been formally registered for Squid use.


Amos
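
The filesystem checks listed in the reply above (leftover squid.pid, the /var/run/squid directory, /dev/shm ownership and leftover "squid-" entries) can be scripted as follows. This is an added example, not part of the original message or of Squid; the function names are hypothetical and the default paths and the "squid" account are taken from the thread.

```shell
#!/bin/sh
# Added example: checks to run while Squid is stopped. Default paths and the
# "squid" account come from the thread; function names are hypothetical.

# List entries directly under the shared-memory directory that look like Squid
# leftovers: names starting with "squid-", or anything owned by the Squid user.
stale_shm_entries() {
    dir=$1 user=$2
    if id -u "$user" >/dev/null 2>&1; then
        find "$dir" -mindepth 1 -maxdepth 1 \( -name 'squid-*' -o -user "$user" \) 2>/dev/null
    else
        # Account does not exist on this host: match by name only.
        find "$dir" -mindepth 1 -maxdepth 1 -name 'squid-*' 2>/dev/null
    fi | sort
}

# Print one line per problem found; no output means every check passed.
squid_preflight() {
    pidfile=${1:-/var/run/squid.pid}
    statedir=${2:-/var/run/squid}
    shm=${3:-/dev/shm}
    user=${4:-squid}

    # A PID file left behind by a crash or an aborted start.
    if [ -e "$pidfile" ]; then echo "stale PID file: $pidfile"; fi

    # State directory; custom builds may have to create it as squid:squid.
    if [ ! -d "$statedir" ]; then echo "missing state directory: $statedir"; fi

    # Shared memory must be enabled and the path owned by root.
    if [ ! -d "$shm" ]; then
        echo "shared memory directory not present: $shm"
    elif [ "$(ls -ld "$shm" | awk '{print $3}')" != root ]; then
        echo "not owned by root: $shm"
    fi

    stale_shm_entries "$shm" "$user" | sed 's/^/leftover shared-memory entry: /'
}

# Run against the live system only when asked: sh squid-preflight.sh --run
if [ "${1:-}" = "--run" ]; then squid_preflight; fi
```

The script only reports; removing a leftover entry is left to the administrator, as in the reply.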
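
The rule-ordering advice above (keep auth and "http_access allow" lines below the stock deny rules) can be checked mechanically. This is an added example, not part of the original message or of Squid: the function names are hypothetical, the two configurations are excerpts constructed from the lines quoted in the thread, and treating the !Safe_ports and CONNECT !SSL_ports denies as the baseline is this example's assumption.

```shell
#!/bin/sh
# Added example: flag "http_access allow" rules placed ahead of the stock denies.
# Treating the two deny rules below as the baseline is this example's assumption.

# Reads squid.conf text from the named file(s) or stdin; prints "LINE: rule".
early_allow_rules() {
    awk '
        /^[ \t]*#/ { next }                      # comment line
        $1 != "http_access" { next }
        $2 == "deny" && $3 == "!Safe_ports" { safe = 1; next }
        $2 == "deny" && $3 == "CONNECT" && $4 == "!SSL_ports" { ssl = 1; next }
        $2 == "allow" && !(safe && ssl) { print NR ": " $0 }
    ' "$@"
}

# Constructed excerpt: the rule order quoted in the thread, auth at the top.
conf_as_posted() {
    cat <<'EOF'
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access deny all
EOF
}

# Constructed excerpt: the auth rule moved below the baseline denies.
conf_reordered() {
    cat <<'EOF'
acl ncsa_users proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow ncsa_users
http_access allow localnet
http_access deny all
EOF
}

echo "as posted:"; conf_as_posted | early_allow_rules
echo "reordered:"; conf_reordered | early_allow_rules
```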

