<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class="">hi amos thanks for revision I’m willing to do those changes later.<br class=""><br class=""><br class="">regarding /dev/shm<br class=""><br class="">it didn’t correct anything …..<br class=""><br class="">again <br class=""><br class="">my error in cache.log is ===> <font color="#b51a00" class="">kid2| commBind: Cannot bind socket FD 782 to [::]: (2) No such file or directory</font><br class=""><br class="">and it’s a totally different one than the errors in the SMP wiki<br class=""><br class=""><br class="">I’m sure it’s something regarding the pid squid file !!<br class=""><br class=""><br class="">also while squid is working … i don’t see the /var/run/squid file !!!<br class=""><br class="">what does that mean ?<br class=""><br class="">i still see /var/run/squid.pid with permission squid;squid<div class=""><br class=""></div><div class=""><br class=""></div><div class="">is there a method to see where is the pid file running and point squid to use it ?</div><div class="">may be changed on centos 7 ???<br class=""><div class=""><br class=""></div><div class=""><br class=""></div><div class="">cheers</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jun 10, 2016, at 1:55 PM, Amos Jeffries &lt;<a href="mailto:squid3@treenet.co.nz" class="">squid3@treenet.co.nz</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">On 10/06/2016 9:13 p.m., --Ahmad-- wrote:<br class=""><blockquote type="cite" class="">again , if i use the same steps below on centos 6 it works fine without any issue <br class=""><br class=""></blockquote><br class="">That means nothing. CentOS is based on RHEL, which only gets updated<br class="">periodically. 
There are about five years' worth of changes across the<br class="">entire OS and everything installed with it between v6 and v7.<br class=""><br class="">Obviously something in those changes to CentOS does not work with that<br class="">very old version of Squid and seems to work fine with the newer Squid.<br class=""><br class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class="">On Jun 10, 2016, at 11:54 AM, --Ahmad-- wrote:<br class=""><br class="">hi eliezer<br class="">=============================================<br class="">1- selinux is disabled<br class="">[root@localhost ~]# sestatus<br class="">SELinux status: disabled<br class="">[root@localhost ~]# <br class=""><br class="">2-<br class="">i have the PID file with permission to squid<br class="">[root@localhost ~]# ls -l /var/run/squid.pid <br class="">-rw-r--r-- 1 squid squid 5 Jun 10 04:45 /var/run/squid.pid<br class="">[root@localhost ~]# <br class=""></blockquote></blockquote><br class="">squid.pid should not exist when Squid is shut down.<br class=""><br class="">You should delete it and ensure that Squid is started by the root user,<br class="">which already should have permission to alter the /var/run directory and<br class="">create the squid.pid file correctly.<br class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class="">but here i don’t see the file /var/run/squid …….i used to see file called /var/run/squid not /var/run/squid.pid<br class=""><br class=""></blockquote></blockquote><br class="">/var/run/squid should be a directory. It's where the state data gets<br class="">placed now. It may be unused in your installation or just not.<br class=""><br class="">squid.pid may be under /var/run/squid or /var/run depending on your<br class="">installation.<br class=""><br class="">/run may be used instead of /var/run if you have a new enough system.<br class=""><br class=""><br class="">** For pre-packaged Squid. 
Don't worry about these unless Squid<br class="">explicitly complains. Just go with what the package installation chose.<br class=""><br class=""><br class="">** For custom builds, the "make install" action should create<br class="">/var/run/squid directory. If for some reason it does not (such as newly<br class="">building an already deprecated old Squid version - which one should<br class="">never do anyway), you may need to create it yourself, and assign<br class="">squid:squid ownership.<br class=""><br class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class="">i also tried to add directive to squid.conf ==> pid_filename /var/run/squid.pid<br class=""><br class="">but i have the same error<br class=""><br class="">3- I’m using kernel default for Centos 7 and it does support IPV6 , i didn’t compile any kernel <br class=""><br class=""><br class=""><br class="">again the error that i have is :<br class="">kid2| commBind: Cannot bind<span class="Apple-tab-span" style="white-space:pre">	</span>socket FD 782 to [::]: (2) No such file or directory<br class=""><br class=""></blockquote></blockquote><br class="">As mentioned in the URL Eliezer referred you to already<br class="">(&lt;<a href="http://wiki.squid-cache.org/Features/SmpScale#Cannot_bind_socket_FD_NN_to_.5B::.5D:_.2813.29_Permission_denied" class="">http://wiki.squid-cache.org/Features/SmpScale#Cannot_bind_socket_FD_NN_to_.5B::.5D:_.2813.29_Permission_denied</a>&gt;)<br class="">that error is about the SMP UDS sockets.<br class="">More specifically it is about the system shared memory device (/dev/shm).<br class=""><br class="">* Some systems need the /dev/shm device to be explicitly turned on<br class="">during startup. Check if it is enabled in your system and if not, what<br class="">you have to do to fix that. Hints in the wiki.<br class=""><br class="">* Check that /dev/shm path is owned by root. Only the OS itself should<br class="">be doing things in there. 
Programs like Squid use kernel syscalls to<br class="">make changes.<br class=""><br class="">* Older Squid like yours could leave UDS sockets after a crash or broken<br class="">config abort. Check that /dev/shm/ does not contain any "files" starting<br class="">with "squid-" or owned by Squid when Squid is shut down.<br class=""> If some exist, use 'rm' to remove them and try restarting Squid.<br class=""><br class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class="">not <br class="">kid2| commBind: Cannot bind<span class="Apple-tab-span" style="white-space:pre">	</span>socket FD 782 to [::]: permission denied<br class=""><br class=""><br class="">here is again compile options :<br class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class="">Squid Cache: Version 3.5.2<br class="">Service Name: squid<br class="">configure options: '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'<br class=""></blockquote></blockquote>'--enable-cachemgr-hostname=Ahmad-Allzaeem'<br class=""></blockquote></blockquote><br class="">... unusual URL for accessing management reports:<br class=""> <a href="http://ahmad-allzaeem/squid-internal-mgr/" class="">http://Ahmad-Allzaeem/squid-internal-mgr/</a><br class=""><br class="">'cachemgr' means the Squid cache management API, specifically the<br class="">cachemgr.cgi tool. Not an administrator's name.<br class=""><br class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class="">'--localstatedir=/var' '--libexecdir=/lib/squid' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-esi' '--disable-translation' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '' '--with-large-files' '--with-default-user=squid' --with-openssl' '--enable-snmp' '--with-included-ltdl' '--disable-arch-native'<br class=""><blockquote type="cite" class=""><blockquote type="cite" class="">[root@localhost ~]# <br class=""></blockquote></blockquote><br class=""><br class="">and here is squid.conf <br class=""><br class="">[root@localhost ~]# cat /etc/squid/squid.conf | less<br class="">cache deny all<br class="">#################<br class="">#pid_filename /var/run/squid.pid<br class="">####################<br class="">visible_hostname squid<br class="">cache_effective_user squid<br class="">cache_effective_group squid<br class=""></blockquote></blockquote><br class="">You should not need to use cache_effective_group. 
Particularly if you<br class="">are wanting to use NTLM or Kerberos related functionality with Squid.<br class=""><br class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class="">####################################<br class="">#workers 2<br class="">########################################################################<br class=""># Lockdown Procedures<br class="">auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user<br class="">acl ncsa_users proxy_auth REQUIRED<br class="">http_access allow ncsa_users<br class="">############################<br class="">f<br class=""></blockquote></blockquote><br class="">Please move the auth and http_access lines down to below where it says:<br class="">"<br class=""> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS<br class="">"<br class=""><br class="">Doing complex things like auth up here at the top of the config, your<br class="">proxy is made more vulnerable than it should be to various DoS and<br class="">traffic smuggling attacks.<br class=""><br class=""><br class="">&lt;snip&gt;<br class=""><blockquote type="cite" class=""><blockquote type="cite" class="">#<br class=""># Recommended minimum Access Permission configuration:<br class="">#<br class=""># Deny requests to certain unsafe ports<br class="">http_access deny !Safe_ports<br class=""><br class=""># Deny CONNECT to other than secure SSL ports<br class="">http_access deny CONNECT !SSL_ports<br class=""><br class=""># Only allow cachemgr access from localhost<br class="">http_access allow localhost manager<br class="">http_access deny manager<br class=""><br class=""># We strongly recommend the following be uncommented to protect innocent<br class=""># web applications running on the proxy server who think the only<br class=""># one who can access services on "localhost" is a local user<br class="">#http_access deny to_localhost<br class=""><br class="">#<br class=""># INSERT YOUR OWN RULE(S) HERE TO ALLOW 
ACCESS FROM YOUR CLIENTS<br class="">#<br class=""><br class=""># Example rule allowing access from your local networks.<br class=""># Adapt localnet in the ACL section to list your (internal) IP networks<br class=""># from where browsing should be allowed<br class="">http_access allow localnet<br class="">http_access allow localhost<br class=""><br class=""># And finally deny all other access to this proxy<br class="">http_access deny all<br class=""><br class=""># Squid normally listens to port 3128<br class="">http_port 1234<br class=""></blockquote></blockquote><br class="">Why 1234? 3128 has been formally registered for Squid use.<br class=""><br class=""><br class="">Amos<br class="">_______________________________________________<br class="">squid-users mailing list<br class=""><a href="mailto:squid-users@lists.squid-cache.org" class="">squid-users@lists.squid-cache.org</a><br class="">http://lists.squid-cache.org/listinfo/squid-users<br class=""></div></div></blockquote></div><br class=""></div></div></body></html>