[squid-users] SMP + Ssl-Bump squid-tls_session_cache.shm

Joshua Bazgrim joshuakronemeyer at gmail.com
Sun May 24 03:31:35 UTC 2020


Squid 4.9
Ubuntu 18.04.03

I'm trying to implement ssl-bumping into the frontend of a squid smp setup,
but I keep getting the following error:
FATAL: Ipc::Mem::Segment::open failed to
shm_open(/squid-tls_session_cache.shm): (2) No such file or directory

Shared memory itself is working: Squid creates and reads its other shm segments
without problems, but this particular segment is never created at start-up in SMP mode.

My ssl-bump configuration works fine in non-smp mode.
I'm guessing it's some sort of race condition caused by the way the ssl-bump
settings are split across the per-kid config files, but I'm unsure how to correct it.

Thanks in advance

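########## squid.conf #########

# NOTE(review): ALL,3 is very verbose and, with ssl-bump enabled, cache.log
# will describe every bumped connection. Drop back to ALL,1 once the
# shm_open() problem below is diagnosed.
debug_options ALL,3
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
# Fixed: this line was "acl localhet src ...", which defined a separate,
# never-referenced ACL and left link-local sources outside localnet.
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10       # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
# (handled in frontend.conf; the backends rely on "allow localhost" only)
#http_access allow localhost manager
#http_access deny manager

# Set cache user
# NOTE(review): "nobody" is shared with other unprivileged services on the
# host. The frontend holds the bumping CA private key and the generated
# certificate database, so prefer a dedicated account (e.g. the distro's
# "proxy" user) and make the key, ssl_db, cache and shm paths readable only
# by it.
cache_effective_user nobody

workers 3
# Only kid 1 loads the ssl-bump frontend. Every other process -- including
# the non-worker SMP processes, whose ${process_number} is also not 1 --
# takes the else branch and therefore never parses an ssl-bump http_port.
# NOTE(review): this looks like the likely cause of the reported
# "shm_open(/squid-tls_session_cache.shm): No such file or directory": the
# shared TLS session cache segment is created at start-up by a process other
# than the worker that later opens it, and only if that process's own parsed
# configuration contains a TLS/ssl-bump port. Confirm against your Squid
# release (4.9), then make the ssl-bump port visible to the process that
# creates the segment rather than hiding it inside this conditional.
if ${process_number} = 1
include /etc/squid/frontend.conf
else
include /etc/squid/backend.conf
endif

# Anything the included file did not explicitly allow is denied.
http_access deny all

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320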


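####### frontend.conf - some names changed/omitted##########
# Squid normally listens to port 3128
# NOTE(review): the CA certificate and its private key are loaded from the
# same PEM file. Whoever can read that file can issue certificates that every
# bumped client trusts, so it must be readable only by root and
# cache_effective_user (mode 0600/0640) and never shipped to the backends.
http_port 3128 ssl-bump \
cert=/etc/squid/ssl_cert/mycert.pem \
key=/etc/squid/ssl_cert/mycert.pem \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=4mb

# Helper that generates and stores the forged server certificates.
# Rejoined onto one line: the mail client had wrapped it, leaving
# "/var/lib/squid/ssl_db -M 4MB" as a bogus second directive.
# ssl_db must be initialised beforehand (security_file_certgen -c) and be
# owned by cache_effective_user; it holds the per-site private keys.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the TLS ClientHello first (this yields the SNI), then bump.
# NOTE(review): "bump all" also intercepts sites that use client
# certificates or certificate pinning, which will simply fail; add
# "ssl_bump splice" rules for those (and for anything you must not decrypt)
# ahead of the bump line.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Enable URL Params
# NOTE(review): with bumping active this writes the decrypted HTTPS query
# strings (session tokens, API keys, search terms) into access_log. Leave it
# off in production unless the log file is protected accordingly.
strip_query_terms off

# add user authentication and similar options here
http_access allow manager localhost
http_access deny manager

http_access allow localnet
http_access allow localhost

# add backends - one line for each additional worker you configured
# NOTE how the port number matches the kid number
# login=PASS forwards the client's proxy credentials to the peer unchanged;
# acceptable over loopback, not to a remote peer without TLS.
cache_peer localhost parent 4002 0 carp login=PASS name=backend-kid2
cache_peer localhost parent 4003 0 carp login=PASS name=backend-kid3

#you want the frontend to have a significant cache_mem
cache_mem 512 MB

# change /tmp to your own log directory, e.g. /var/log/squid
access_log /var/log/squid/frontend.access.log
cache_log /var/log/squid/frontend.cache.log

# the frontend requires a different name to the backend(s)
visible_hostname Squid-Test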

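########## backend.conf #############
# each backend must listen on a unique port
# without this the CARP algorithm would be useless
# NOTE(review): without an address this listens on every interface. Only
# localhost is allowed by http_access below, but binding the backends to a
# loopback address (and pointing the frontend's cache_peer at that same
# address) keeps them off the network entirely.
http_port 400${process_number}

# TODO: Change 512 to larger after testing is done
# NOTE(review): responses from bumped HTTPS sessions may be stored here in
# the clear, so this directory (under /var/log/squid, a log location) needs
# the same ownership and permissions as ssl_db.
cache_dir rock /var/log/squid/cacheRock 512 max-size=32768

# NP: for now AUFS does not support SMP but the CARP algorithm helps reduce
# object duplications
# TODO: Change 512 to larger after testing is done
# Rejoined onto one line: the wrapped "min-size=32769" was a separate,
# invalid directive.
cache_dir aufs /var/log/squid/cache${process_number} 512 128 128 min-size=32769

# the default maximum cached object size is a bit small
# you want the backend to be able to cache some fairly large objects
maximum_object_size 512 MB

# you want the backend to have a small cache_mem
cache_mem 4 MB

# the backends require a different name to frontends, but can share one
# this prevents forwarding loops between backends while allowing
# frontend to forward via the backend
visible_hostname Squid-Test${process_number}

# change /var/log/squid to your own log directory
access_log /var/log/squid/backend${process_number}.access.log
cache_log /var/log/squid/backend${process_number}.cache.log

# add just enough access permissions to allow the frontend
# (localhost also reaches the cache manager on these kids; the final
# "http_access deny all" in squid.conf covers everything else)
http_access allow localhost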

