[squid-users] Help: squid restarts and squidGuard die

Amos Jeffries squid3 at treenet.co.nz
Mon Sep 17 18:38:06 UTC 2018 

On 18/09/18 3:37 AM, Service MV wrote:
> Dear Ones, I draw on your experience in seeking help to determine
> whether or not it is possible to achieve the configuration I am looking
> for, due to a strange error I am having.

FYI: SquidGuard has not been maintained for many years now.

I recommend you convert as many of your filtering rules as you can into
normal Squid ACLs. Traffic which is being blocked for simple reasons can
be done much more efficiently by Squid than a helper.

You can use the more up-to-date ufdbguard helper as a drop-in
replacement for squidguard during the conversion.



> 
> Before commenting on the bug I describe my testing environment:
> - A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
> - My VM is attached to my domain W2012R2 (following this post
> https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/)
> to achieve kerberos authentication transparent to the user. SElinux
> disabled. Owner permissions to user squid in all folders/files involved.
> - squid 3.5.20 installed and working great with kerberos, NTLM and basic
> authentication. All authentication mechanisms tested and working great.
> - SquidGuard: 1.4 Berkeley DB 5.3.21 installed and working great with
> blacklists and acl default.
> 
> My problem starts when I try to use source acl using ldapusersearch in
> squidGuard... 
> 
> systemctl status squid:
> (squid-1)[12627]: The redirector helpers are crashing too rapidly, need
> help!
> 
> *squidGuard.conf*
> 
> dbhome /etc/squid/db
> logdir /var/log/squidGuard
> ldapbinddn
> CN=ldap,OU=SERVICIOS,OU=SISTEMAS,OU=CANAL,OU=MYCOMPANY,DC=mydomain,DC=local
> ldapbindpass myULTRAsecretPASS
> ldapprotover 3
> 
> 
> src WEB_BASIC {
> ldapusersearch
> ldap://dc-1.mydomain.local:3268/dc=mydomain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=WEB_BASIC%2cou=INTERNET%2cou=PERMISOS%2cou=MYCOMPANY%2cdc=mydomain%2cdc=local))
> log block.log
> }
> 
...
> 
> acl {
> 
> WEB_BASIC{
> pass whitelist !BL_porn !blacklist all
> redirect
> http://s-server1.mydomain.local/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
> log block.log
> }
> 
...


> *squid.conf*
> 
> acl localnet src 10.10.8.0/22 # LAN net
> acl dmz src 192.168.20.0/27   # DMZ net

These ACLs are never used dues to what you are doing with the "auth" ACL.

...
> 
> ### acl for proxy authentication (kerberos or ntlm) and ldap authorizations
> acl auth proxy_auth REQUIRED
> 
> # Define protocols used for redirects
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS

These have nothing to do with redirects and are never used.

> 
> ### enforce authentication
> http_access allow auth 
> http_access deny !auth
> 

All possible traffic will match either "auth" or "!auth" above.

That means no http_access rules following this point do anything.


> ### standard access rules
> http_access deny !Safe_ports 
> http_access deny CONNECT !SSL_ports 
> http_access allow localhost manager 
> http_access deny manager

Your custom http_access rules (eg the auth checks) should be down here
so the basic security rules above have a chance to protect your proxy
again DoS, traffic smuggling attacks etc. before more complicated and
resource consuming things happen.


> http_access allow localnet
> http_access allow dmz
> http_access allow localhost 
> http_access deny all
> 

...
> visible_hostname eren 

The hostname needs to be a FQDN. It is delivered to clients in URLs
generated by Squid so they can fetch objects directly from the proxy.

FYI: Squid-3 should be able to automatically locate the hostname of the
machine it is running on. If that is not working then you need to fix
your machine, other software will be using the same mechanism and
likewise be encountering problems.


> httpd_suppress_version_string on 
> uri_whitespace strip
> 
> 
> ## squidGuard ##
> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
> url_rewrite_children 10 startup=5 idle=1 concurrency=0
> url_rewrite_bypass off
> 
> 

Your traffic in your access.log is all CONNECT requests. Those messages
cannot be re-written by SquidGuard. So at the very least you require
this config line:

 url_rewrite_access deny CONNECT


.. at this point you may notice your SG rules have no effect. This is
one of many reasons why you should do access control in the proxy
config, not externally in a complicated and slow helper.

> 
> *messages*
> 
> Sep 17 11:13:07 proxy kernel: squidGuard[12552]: segfault at
> ffffffffd7706bb0 ip 00007fdbf2052e70 sp 00007fffd1b73c70 error 5 in
> libldap-2.4.so.2.10.7[7fdbf2027000+52000]
> Sep 17 11:13:07 proxy kernel: squidGuard[12553]: segfault at
> ffffffffa3d27bb0 ip 00007fd79b787e70 sp 00007ffe47e9b880 error 5 in
> libldap-2.4.so.2.10.7[7fd79b75c000+52000]

...

> 
> If I disable src and acl WEB_BASIC I have no problem. The default acl
> does its thing without problems.
> But when I enable src and acl WEB_BASIC squidGuard explodes and squid
> restarts so I get to notice.
> I see an error in a libldap library... Will it be a library error? Or am
> I misconfiguring my squid ?
> 

It is not a Squid error. It is something in SquidGuard and/or the library.

Amos

More information about the squid-users mailing list