[squid-users] Portal Splash Pages example on squid 3.3.13

Amos Jeffries squid3 at treenet.co.nz
Mon Aug 7 11:36:19 UTC 2017


On 04/08/17 16:56, mm wrote:
> Hi, I'm also trying to configure a Squid proxy server on my Ubuntu machine
> and am using version 3.3.8. I have used the same example as mentioned in
> your post, but I am getting the following error:
> 2017/08/04 10:14:05| WARNING: -D command-line option is obsolete.

Your init script should not be using the -D option any more. Check that 
you are using the proper one from Ubuntu. If you are, then don't worry 
about this warning - it will disappear on a future upgrade of the init 
script (IIRC in Xenial).


> 2017/08/04 10:14:05| aclIpParseIpData: WARNING: Netmask masks away part of
> the specified IP in '10.0.2.0/16'
> 2017/08/04 10:14:05| aclIpParseIpData: WARNING: Netmask masks away part of
> the specified IP in '10.0.3.0/16'
> 2017/08/04 10:14:05| WARNING: (B) '10.0.0.0/16' is a subnetwork of (A)
> '10.0.0.0/16'
> 2017/08/04 10:14:05| WARNING: because of this '10.0.0.0/16' is ignored to
> keep splay tree searching predictable
> 2017/08/04 10:14:05| WARNING: You should probably remove '10.0.0.0/16' from
> the ACL named 'localnet'
> 2017/08/04 10:14:05| WARNING: (B) '10.0.0.0/16' is a subnetwork of (A)
> '10.0.0.0/8'
> 2017/08/04 10:14:05| WARNING: because of this '10.0.0.0/8' is ignored to
> keep splay tree searching predictable
> 2017/08/04 10:14:05| WARNING: You should probably remove '10.0.0.0/16' from
> the ACL named 'localnet'

All the above warnings seem to be from two problems.

1) I think you have left the default localnet ACL definition in while 
also adding your LAN 10.0.*.0/16 ranges.

2) the /16 on 10.0.2.0 and 10.0.3.0 masks away the '2' and '3' portion. 
Leaving these entries both as 10.0.0.0/16.

There are several ways to fix these:

either,
  mask the 10.0.x.0 ranges as the /24 they are:

   acl localnet src 10.0.2.0/24 10.0.3.0/24

or,
  specify the start-end of the sub-subnet range within the /16 which you 
are using for your LAN:

   acl localnet src 10.0.2.0-10.0.3.255/16

or,
  list the whole /16 (what Squid is currently assuming you meant to do):

   acl localnet src 10.0.0.0/16

or,
  leave the default Squid definition for RFC 1918 ranges provided and 
not configure your specific RFC 1918 sub-ranges.

If you choose anything but the last option, remove the default localnet 
definition specifying all of 10/8 as localnet, and probably the other 
IPv4 ranges as well. The IPv6 ranges you will need to look into and make 
a decision about.


> 2017/08/04 10:14:05| Starting Squid Cache version 3.3.8 for
> x86_64-pc-linux-gnu...
> 2017/08/04 10:14:05| Process ID 3891
> 2017/08/04 10:14:05| Process Roles: master worker
> 2017/08/04 10:14:05| With 65536 file descriptors available
> 2017/08/04 10:14:05| Initializing IP Cache...
> 2017/08/04 10:14:05| DNS Socket created at [::], FD 5
> 2017/08/04 10:14:05| DNS Socket created at 0.0.0.0, FD 6
> 2017/08/04 10:14:05| Warning: Could not find any nameservers. Trying to use
> localhost
> 2017/08/04 10:14:05| Please check your /etc/resolv.conf file
> 2017/08/04 10:14:05| or use the 'dns_nameservers' option in squid.conf.


That one is a semi-serious issue on Ubuntu. resolv.conf not being set up 
properly with "nameserver ..." entries will break a huge amount of things.

If it is unset because your network connection is dynamic and currently 
offline, then you WILL need to run "squid -k reconfigure" each time it 
gets connected and changes resolv.conf contents.

NOTE: avoid "service squid reload" from upstart (and later systemd) - 
that way leads to some bad troubles with Squid-3.


> 2017/08/04 10:14:05| helperOpenServers: Starting 5/5 'ext_session_acl'
> processes
> 2017/08/04 10:14:05| Logfile: opening log daemon:/var/log/squid3/access.log
> 2017/08/04 10:14:05| Logfile Daemon: opening log /var/log/squid3/access.log
> 2017/08/04 10:14:05| Local cache digest enabled; rebuild/rewrite every
> 3600/3600 sec
> 2017/08/04 10:14:05| Store logging disabled
> 2017/08/04 10:14:05| Swap maxSize 0 + 262144 KB, estimated 20164 objects
> 2017/08/04 10:14:05| Target number of buckets: 1008
> 2017/08/04 10:14:05| Using 8192 Store buckets
> 2017/08/04 10:14:05| Max Mem  size: 262144 KB
> 2017/08/04 10:14:05| Max Swap size: 0 KB
> 2017/08/04 10:14:05| Using Least Load store dir selection
> 2017/08/04 10:14:05| chdir: /var/spool/squid: (2) No such file or directory
> 2017/08/04 10:14:05| Current Directory is /home/misha
> 2017/08/04 10:14:05| Loaded Icons.
> 2017/08/04 10:14:05| HTCP Disabled.
> 2017/08/04 10:14:05| Pinger socket opened on FD 21
> 2017/08/04 10:14:05| Configuring Parent 10.0.0.2/3128/0
> 2017/08/04 10:14:05| Squid plugin modules loaded: 0
> 2017/08/04 10:14:05| Adaptation support is off.
> 2017/08/04 10:14:05| Accepting HTTP Socket connections at local=[::]:3128
> remote=[::] FD 19 flags=9
> 2017/08/04 10:14:05| WARNING: session #2 exited
> 2017/08/04 10:14:05| Too few session processes are running (need 1/5)
> 2017/08/04 10:14:05| Closing HTTP port [::]:3128
> 2017/08/04 10:14:05| storeDirWriteCleanLogs: Starting...
> 2017/08/04 10:14:05|   Finished.  Wrote 0 entries.
> 2017/08/04 10:14:05|   Took 0.00 seconds (  0.00 entries/sec).
> FATAL: The session helpers are crashing too rapidly, need help!
> 
> 
> My squid.conf file is as follows:
> acl localnet src 10.0.2.0/16
> acl localnet src 10.0.3.0/16
> 
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 3128
> coredump_dir /var/spool/squid
> 
> ## addition for splash page active##
> external_acl_type session ipv4 concurrency=100 ttl=3 %SRC /usr/lib/squid/ext_session_acl -T 60 -b /var/lib/squid/session.db
> acl session_login external session LOGIN
> acl session_is_active external session
> acl clicked_login_url url_regex -i ^https://www.drdo.gov.in/drdo/English/index.jsp$
> http_access allow clicked_login_url session_login
> http_access deny !session_is_active
> deny_info 511:/etc/squid3/splash.html session_is_active
> 
> 
> Please tell me what is going wrong?
> 


First massive problem is the helpers exiting. They should not be doing 
that until Squid kills them on reconfigure or shutdown.

Check the helpers session DB (/var/lib/squid/session.db) has been 
properly initialized and the helpers are able to both read and write to 
it when run by Squid with its low-privilege user account - on Ubuntu 
that should be the user account "proxy".



Second major problem (not causing you a problem yet, but it will) is that 
you placed the splash page config *after* the "http_access deny all" 
line. So none of it will actually ever do anything.

The lines where it says:
   http_access allow localnet
   http_access allow localhost

are in a section of the config for local policy rules. As you might 
expect the default policy is to let localnet clients and localhost use 
the proxy.
You can freely replace or add to those two lines with any settings you like.

FWIW: that is a bit clearer in the 3.5 default config file. You can 
replace the 3.3 config with the 3.5 updated version if you want:
  <https://wiki.squid-cache.org/Squid-3.5#Squid-3.5_default_config>

To use the splash page stuff remove the "allow localnet" line and paste 
the splash config just below where it says "INSERT YOUR OWN RULE(S) HERE"


Amos
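
Added example (not part of the message above and not Squid code): a small Python audit that reproduces the two configuration findings from the reply, namely `src` entries whose netmask masks away part of the address or overlaps another entry in the same ACL, and `http_access` rules placed after a catch-all `all` rule. The `audit` function and the sample text are constructed for illustration; start-end ranges and ACLs loaded from files are skipped.

```python
import ipaddress

# Constructed sample: the ACL and http_access lines of the quoted squid.conf.
SAMPLE_CONF = """\
acl localnet src 10.0.2.0/16
acl localnet src 10.0.3.0/16
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_access allow clicked_login_url session_login
http_access deny !session_is_active
"""


def audit(conf_text):
    """Return (masked, overlaps, unreachable) findings for squid.conf text."""
    masked, overlaps, unreachable = [], [], []
    seen = {}             # ACL name -> [(token, network), ...] in file order
    catch_all = False     # True once "http_access allow|deny all" was read
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[:1] == ["acl"] and words[2] == "src":
            for tok in words[3:]:
                try:
                    iface = ipaddress.ip_interface(tok)
                except ValueError:
                    continue  # ranges, file names and "all" are out of scope
                net = iface.network  # host bits zeroed, as the warning describes
                if iface.ip != net.network_address:
                    masked.append((words[1], tok, str(net)))
                for old_tok, old_net in seen.setdefault(words[1], []):
                    if old_net.version == net.version and old_net.overlaps(net):
                        overlaps.append((words[1], tok, old_tok))
                seen[words[1]].append((tok, net))
        elif len(words) >= 3 and words[0] == "http_access":
            if catch_all:
                unreachable.append(" ".join(words))
            elif words[2:] == ["all"]:
                catch_all = True
    return masked, overlaps, unreachable


if __name__ == "__main__":
    for label, rows in zip(("masked", "overlap", "unreachable"), audit(SAMPLE_CONF)):
        for row in rows:
            print(label, row)
```
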

