[squid-users] SMP + Ssl-Bump squid-tls_session_cache.shm

NgTech LTD ngtech1ltd at gmail.com
Sun May 24 05:56:44 UTC 2020 

can you send the output of:
squid -v

Eliezer

On Sun, May 24, 2020, 06:31 Joshua Bazgrim <joshuakronemeyer at gmail.com>
wrote:

> Squid 4.9
> Ubuntu 18.04.03
>
> I'm trying to implement ssl-bumping into the frontend of a squid smp
> setup, but I keep getting the following error:
> FATAL: Ipc::Mem::Segment::open failed to
> shm_open(/squid-tls_session_cache.shm): (2) No such file or directory
>
> shm is working correctly and generating/reading from other squid shm
> files, but not properly generating this file upon start-up in SMP mode.
>
> My ssl-bump configuration works fine in non-smp mode.
> I'm guessing it's some sort of race condition to do with improperly setup
> config files for ssl-bumping, but unsure of how to correct it.
>
> Thanks in advance
>
> ########## squid.conf #########
>
> debug_options ALL,3
> #
> # Recommended minimum configuration:
> #
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
> acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
> acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged)
> machines
> acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
> acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10       # RFC 4291 link-local (directly plugged)
> machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> #http_access allow localhost manager
> #http_access deny manager
>
> # Set cache user
> cache_effective_user nobody
>
> workers 3
> if ${process_number} = 1
> include /etc/squid/frontend.conf
> else
> include /etc/squid/backend.conf
> endif
>
> http_access deny all
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
> ####### frontend.conf - some names changed/omitted##########
> # Squid normally listens to port 3128
> http_port 3128 ssl-bump \
> cert=/etc/squid/ssl_cert/mycert.pem \
> key=/etc/squid/ssl_cert/mycert.pem \
> generate-host-certificates=on \
> dynamic_cert_mem_cache_size=4mb
>
> # Where to look for ssl cert
> sslcrtd_program /usr/lib/squid/security_file_certgen -s
> /var/lib/squid/ssl_db -M 4MB
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
>
> # Enable URL Params
> strip_query_terms off
>
> # add user authentication and similar options here
> http_access allow manager localhost
> http_access deny manager
>
> http_access allow localnet
> http_access allow localhost
>
> # add backends - one line for each additional worker you configured
> # NOTE how the port number matches the kid number
> cache_peer localhost parent 4002 0 carp login=PASS name=backend-kid2
> cache_peer localhost parent 4003 0 carp login=PASS name=backend-kid3
>
> #you want the frontend to have a significant cache_mem
> cache_mem 512 MB
>
> # change /tmp to your own log directory, e.g. /var/log/squid
> access_log /var/log/squid/frontend.access.log
> cache_log /var/log/squid/frontend.cache.log
>
> # the frontend requires a different name to the backend(s)
> visible_hostname Squid-Test
>
> ########## backend.conf #############
> # each backend must listen on a unique port
> # without this the CARP algorithm would be useless
> http_port 400${process_number}
>
> # TODO: Change 512 to larger after testing is done
> cache_dir rock /var/log/squid/cacheRock 512 max-size=32768
>
> # NP: for now AUFS does not support SMP but the CARP algorithm helps
> reduce object duplications
> # TODO: Change 512 to larger after testing is done
> cache_dir aufs /var/log/squid/cache${process_number} 512 128 128
> min-size=32769
>
> # the default maximum cached object size is a bit small
> # you want the backend to be able to cache some fairly large objects
> maximum_object_size 512 MB
>
> # you want the backend to have a small cache_mem
> cache_mem 4 MB
>
> # the backends require a different name to frontends, but can share one
> # this prevents forwarding loops between backends while allowing
> # frontend to forward via the backend
> visible_hostname Squid-Test${process_number}
>
> # change /var/log/squid to your own log directory
> access_log /var/log/squid/backend${process_number}.access.log
> cache_log /var/log/squid/backend${process_number}.cache.log
>
> # add just enough access permissions to allow the frontend
> http_access allow localhost
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200524/350ad9b0/attachment-0001.html>

More information about the squid-users mailing list