<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hello Panda Admin,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">If you need to *<b>only</b>* filter by IP/ CONNECT domain name/SNI then you do not need to install Squid’s Root CA certificate onto your client machines. In this
case indeed there is not much sense to use ICAP as for it to work you *<b>must</b>* bump (otherwise you cannot “look into the SSL stream”).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Rafael<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Panda Admin [mailto:pandanonomous@gmail.com]
<br>
<b>Sent:</b> Tuesday, February 9, 2016 10:43 PM<br>
<b>To:</b> Rafael Akchurin <rafael.akchurin@diladele.com><br>
<b>Cc:</b> squid-users@squid-cache.org<br>
<b>Subject:</b> Re: [squid-users] Squid Crashing<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">I would love to use another tool, however can your tools do ssl_bumping aka filtering of HTTPS traffic WITHOUT putting a cert on the client side? This is the only way I've been able to come up with to do both HTTPS and HTTP Content Filtering
using squid. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks for all advice:)<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Tue, Feb 9, 2016 at 3:50 PM, Rafael Akchurin <<a href="mailto:rafael.akchurin@diladele.com" target="_blank">rafael.akchurin@diladele.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hello Panda Admin,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">If you do not mind looking at ICAP filtering instead of only URL filtering please take a look at our
qlproxy (ICAP web filter for Squid).</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The shalla list formatted folders with categories can be used as is as third party blacklist provider
and I presume takes less time to process upon start. </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Please note we currently do not support regexes in the list of domain names.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Best regards,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Rafael</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> squid-users [mailto:<a href="mailto:squid-users-bounces@lists.squid-cache.org" target="_blank">squid-users-bounces@lists.squid-cache.org</a>]
<b>On Behalf Of </b>Panda Admin<br>
<b>Sent:</b> Tuesday, February 9, 2016 5:01 PM<br>
<b>To:</b> Kinkie <<a href="mailto:gkinkie@gmail.com" target="_blank">gkinkie@gmail.com</a>><br>
<b>Cc:</b> <a href="mailto:squid-users@squid-cache.org" target="_blank">squid-users@squid-cache.org</a><br>
<b>Subject:</b> Re: [squid-users] Squid Crashing</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I see that, but that's not possible. I still have system memory available.<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I just did a top while running squid, never went over 30% memory usage. It maxed out the CPU but not the memory. So, yeah...still confused.<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Tue, Feb 9, 2016 at 10:55 AM, Kinkie <<a href="mailto:gkinkie@gmail.com" target="_blank">gkinkie@gmail.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi,<br>
it's all in the logs you posted:<br>
<br>
ipcCreate: fork: (12) Cannot allocate memory<br>
WARNING: Cannot run '/lib/squid3/ssl_crtd' process.<br>
...<br>
FATAL: Failed to create unlinkd subprocess<br>
<br>
You've run of system memory during startup.<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
<br>
On Tue, Feb 9, 2016 at 4:47 PM, Panda Admin <<a href="mailto:pandanonomous@gmail.com" target="_blank">pandanonomous@gmail.com</a>> wrote:<br>
> Hello,<br>
><br>
> I am running squid 3.5.13 and it crashes with these errors:<br>
><br>
> 2016/02/09 15:43:24 kid1| Set Current Directory to /var/spool/squid3<br>
> 2016/02/09 15:43:24 kid1| Starting Squid Cache version 3.5.13 for<br>
> x86_64-pc-linux-gnu...<br>
> 2016/02/09 15:43:24 kid1| Service Name: squid<br>
> 2016/02/09 15:43:24 kid1| Process ID 7279<br>
> 2016/02/09 15:43:24 kid1| Process Roles: worker<br>
> 2016/02/09 15:43:24 kid1| With 1024 file descriptors available<br>
> 2016/02/09 15:43:24 kid1| Initializing IP Cache...<br>
> 2016/02/09 15:43:24 kid1| DNS Socket created at [::], FD 6<br>
> 2016/02/09 15:43:24 kid1| DNS Socket created at 0.0.0.0, FD 7<br>
> 2016/02/09 15:43:24 kid1| Adding nameserver 10.31.2.78 from /etc/resolv.conf<br>
> 2016/02/09 15:43:24 kid1| Adding nameserver 10.31.2.79 from /etc/resolv.conf<br>
> 2016/02/09 15:43:24 kid1| Adding domain <a href="http://nuspire.com" target="_blank">
nuspire.com</a> from /etc/resolv.conf<br>
> 2016/02/09 15:43:24 kid1| helperOpenServers: Starting 5/10 'ssl_crtd'<br>
> processes<br>
> 2016/02/09 15:43:24 kid1| ipcCreate: fork: (12) Cannot allocate memory<br>
> 2016/02/09 15:43:24 kid1| WARNING: Cannot run '/lib/squid3/ssl_crtd'<br>
> process.<br>
> 2016/02/09 15:43:24 kid1| ipcCreate: fork: (12) Cannot allocate memory<br>
> 2016/02/09 15:43:24 kid1| WARNING: Cannot run '/lib/squid3/ssl_crtd'<br>
> process.<br>
> 2016/02/09 15:43:24 kid1| ipcCreate: fork: (12) Cannot allocate memory<br>
> 2016/02/09 15:43:24 kid1| WARNING: Cannot run '/lib/squid3/ssl_crtd'<br>
> process.<br>
> 2016/02/09 15:43:24 kid1| ipcCreate: fork: (12) Cannot allocate memory<br>
> 2016/02/09 15:43:24 kid1| WARNING: Cannot run '/lib/squid3/ssl_crtd'<br>
> process.<br>
> 2016/02/09 15:43:24 kid1| ipcCreate: fork: (12) Cannot allocate memory<br>
> 2016/02/09 15:43:24 kid1| WARNING: Cannot run '/lib/squid3/ssl_crtd'<br>
> process.<br>
> 2016/02/09 15:43:24 kid1| helperOpenServers: Starting 0/15 'squidGuard'<br>
> processes<br>
> 2016/02/09 15:43:24 kid1| helperOpenServers: No 'squidGuard' processes<br>
> needed.<br>
> 2016/02/09 15:43:24 kid1| Logfile: opening log syslog:<a href="http://local5.info" target="_blank">local5.info</a><br>
> 2016/02/09 15:43:24 kid1| ipcCreate: fork: (12) Cannot allocate memory<br>
> FATAL: Failed to create unlinkd subprocess<br>
> Squid Cache (Version 3.5.13): Terminated abnormally.<br>
> CPU Usage: 20.041 seconds = 19.115 user + 0.926 sys<br>
> Maximum Resident Size: 4019840 KB<br>
> Page faults with physical i/o: 0<br>
><br>
><br>
> Anybody have an idea why?<br>
><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
><br>
<span style="color:#888888"><br>
<br>
<br>
--<br>
Francesco</span><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>