[squid-users] Help: squid restarts and squidGuard die

Flashdown flashdown at data-core.org
Mon Sep 17 23:10:54 UTC 2018


Just want to add, I use SquidGuard in two high-load setups and never ran into issues. I didn't integrate it as a URL rewrite helper but as an external ACL helper, and it works great with 800 users.

On 17 September 2018 at 20:38:06 MESZ, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>On 18/09/18 3:37 AM, Service MV wrote:
>> Dear Ones, I draw on your experience in seeking help to determine
>> whether or not it is possible to achieve the configuration I am looking
>> for, due to a strange error I am having.
>
>FYI: SquidGuard has not been maintained for many years now.
>
>I recommend you convert as many of your filtering rules as you can into
>normal Squid ACLs. Traffic which is being blocked for simple reasons can
>be done much more efficiently by Squid than a helper.
>
>You can use the more up-to-date ufdbguard helper as a drop-in
>replacement for squidguard during the conversion.
>
>
>
>> 
>> Before commenting on the bug I describe my testing environment:
>> - A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
>> - My VM is attached to my domain W2012R2 (following this post
>> https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/)
>> to achieve kerberos authentication transparent to the user. SElinux
>> disabled. Owner permissions to user squid in all folders/files involved.
>> - squid 3.5.20 installed and working great with kerberos, NTLM and basic
>> authentication. All authentication mechanisms tested and working great.
>> - SquidGuard: 1.4 Berkeley DB 5.3.21 installed and working great with
>> blacklists and acl default.
>> 
>> My problem starts when I try to use source acl using ldapusersearch in
>> squidGuard...
>> 
>> systemctl status squid:
>> (squid-1)[12627]: The redirector helpers are crashing too rapidly, need
>> help!
>> 
>> *squidGuard.conf*
>> 
>> dbhome /etc/squid/db
>> logdir /var/log/squidGuard
>> ldapbinddn CN=ldap,OU=SERVICIOS,OU=SISTEMAS,OU=CANAL,OU=MYCOMPANY,DC=mydomain,DC=local
>> ldapbindpass myULTRAsecretPASS
>> ldapprotover 3
>> 
>> 
>> src WEB_BASIC {
>> ldapusersearch ldap://dc-1.mydomain.local:3268/dc=mydomain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=WEB_BASIC%2cou=INTERNET%2cou=PERMISOS%2cou=MYCOMPANY%2cdc=mydomain%2cdc=local))
>> log block.log
>> }
>> 
>...
>> 
>> acl {
>> 
>> WEB_BASIC{
>> pass whitelist !BL_porn !blacklist all
>> redirect http://s-server1.mydomain.local/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
>> log block.log
>> }
>> 
>...
>
>
>> *squid.conf*
>> 
>> acl localnet src 10.10.8.0/22 # LAN net
>> acl dmz src 192.168.20.0/27   # DMZ net
>
>These ACLs are never used due to what you are doing with the "auth" ACL.
>
>...
>> 
>> ### acl for proxy authentication (kerberos or ntlm) and ldap authorizations
>> acl auth proxy_auth REQUIRED
>> 
>> # Define protocols used for redirects
>> acl HTTP proto HTTP
>> acl HTTPS proto HTTPS
>
>These have nothing to do with redirects and are never used.
>
>> 
>> ### enforce authentication
>> http_access allow auth 
>> http_access deny !auth
>> 
>
>All possible traffic will match either "auth" or "!auth" above.
>
>That means no http_access rules following this point do anything.
>
>
>> ### standard access rules
>> http_access deny !Safe_ports 
>> http_access deny CONNECT !SSL_ports 
>> http_access allow localhost manager 
>> http_access deny manager
>
>Your custom http_access rules (eg the auth checks) should be down here
>so the basic security rules above have a chance to protect your proxy
>against DoS, traffic smuggling attacks etc. before more complicated and
>resource consuming things happen.
>
>
>> http_access allow localnet
>> http_access allow dmz
>> http_access allow localhost 
>> http_access deny all
>> 
>
>...
>> visible_hostname eren 
>
>The hostname needs to be a FQDN. It is delivered to clients in URLs
>generated by Squid so they can fetch objects directly from the proxy.
>
>FYI: Squid-3 should be able to automatically locate the hostname of the
>machine it is running on. If that is not working then you need to fix
>your machine, other software will be using the same mechanism and
>likewise be encountering problems.
>
>
>> httpd_suppress_version_string on 
>> uri_whitespace strip
>> 
>> 
>> ## squidGuard ##
>> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>> url_rewrite_children 10 startup=5 idle=1 concurrency=0
>> url_rewrite_bypass off
>> 
>> 
>
>Your traffic in your access.log is all CONNECT requests. Those messages
>cannot be re-written by SquidGuard. So at the very least you require
>this config line:
>
> url_rewrite_access deny CONNECT
>
>
>.. at this point you may notice your SG rules have no effect. This is
>one of many reasons why you should do access control in the proxy
>config, not externally in a complicated and slow helper.
>
>> 
>> *messages*
>> 
>> Sep 17 11:13:07 proxy kernel: squidGuard[12552]: segfault at ffffffffd7706bb0 ip 00007fdbf2052e70 sp 00007fffd1b73c70 error 5 in libldap-2.4.so.2.10.7[7fdbf2027000+52000]
>> Sep 17 11:13:07 proxy kernel: squidGuard[12553]: segfault at ffffffffa3d27bb0 ip 00007fd79b787e70 sp 00007ffe47e9b880 error 5 in libldap-2.4.so.2.10.7[7fd79b75c000+52000]
>
>...
>
>> 
>> If I disable src and acl WEB_BASIC I have no problem. The default acl
>> does its thing without problems.
>> But when I enable src and acl WEB_BASIC squidGuard explodes and squid
>> restarts so I get to notice.
>> I see an error in a libldap library... Will it be a library error? Or am
>> I misconfiguring my squid?
>> 
>
>It is not a Squid error. It is something in SquidGuard and/or the
>library.
>
>Amos
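The access-control section reordered along the lines Amos describes, written out as an added example (this is not configuration from the thread). It assumes the Safe_ports and SSL_ports ACLs from Squid's default squid.conf are defined above it, and the blocked_domains.txt path is a hypothetical placeholder for rules moved out of SquidGuard:

```conf
# Added example: squid.conf access control reordered so cheap protections
# run before authentication and before any helper is consulted.
acl localnet src 10.10.8.0/22     # LAN net
acl dmz      src 192.168.20.0/27  # DMZ net
acl auth proxy_auth REQUIRED

# 1. Basic protections first. These reject junk without triggering a
#    407 challenge or a helper lookup, so they also limit DoS exposure.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# 2. Simple domain blocks belong in Squid itself, not in a rewrite helper
#    (hypothetical list file: one domain per line, e.g. ".example.test").
acl blocked_sites dstdomain "/etc/squid/blocked_domains.txt"
http_access deny blocked_sites

# 3. Only clients on our networks may even be asked for credentials.
http_access deny !localnet !dmz !localhost

# 4. Now enforce authentication. "deny !auth" issues the challenge;
#    the "allow auth ..." lines admit authenticated users per network.
http_access deny !auth
http_access allow auth localnet
http_access allow auth dmz
http_access allow localhost
http_access deny all

# 5. CONNECT tunnels cannot be re-written; keep them away from the helper.
url_rewrite_access deny CONNECT
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 10 startup=5 idle=1 concurrency=0
url_rewrite_bypass off
```

Each http_access line is evaluated top to bottom and the first match wins, so placing "allow auth" / "deny !auth" before the Safe_ports and CONNECT checks (as in the original post) makes every later rule unreachable.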