<div dir="auto">can you send the output of:<div dir="auto">squid -v</div><div dir="auto"><br></div><div dir="auto">Eliezer</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, May 24, 2020, 06:31 Joshua Bazgrim <<a href="mailto:joshuakronemeyer@gmail.com">joshuakronemeyer@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Squid 4.9</div><div>Ubuntu 18.04.03</div><div><br></div>I'm trying to implement ssl-bumping into the frontend of a squid smp setup, but I keep getting the following error:<div>FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-tls_session_cache.shm): (2) No such file or directory<br></div><div><br></div><div>shm is working correctly and generating/reading from other squid shm files, but not properly generating this file upon start-up in SMP mode.</div><div><br></div><div>My ssl-bump configuration works fine in non-smp mode.</div><div>I'm guessing it's some sort of race condition to do with improperly setup config files for ssl-bumping, but unsure of how to correct it.</div><div><br></div><div>Thanks in advance</div><div><br></div><div>########## squid.conf #########</div><div><br></div><div>debug_options ALL,3<br>#<br># Recommended minimum configuration:<br>#<br><br># Example rule allowing access from your local networks.<br># Adapt to list your (internal) IP networks from where browsing<br># should be allowed<br>acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)<br>acl localnet src <a href="http://10.0.0.0/8" target="_blank" rel="noreferrer">10.0.0.0/8</a> # RFC 1918 local private network (LAN)<br>acl localnet src <a href="http://100.64.0.0/10" target="_blank" rel="noreferrer">100.64.0.0/10</a> # RFC 6598 shared address space (CGN)<br>acl localhet src <a href="http://169.254.0.0/16" target="_blank" rel="noreferrer">169.254.0.0/16</a> # RFC 3927 link-local (directly plugged) machines<br>acl localnet src <a href="http://172.16.0.0/12" target="_blank" rel="noreferrer">172.16.0.0/12</a> # RFC 1918 local private network (LAN)<br>acl localnet src <a href="http://192.168.0.0/16" target="_blank" rel="noreferrer">192.168.0.0/16</a> # RFC 1918 local private network (LAN)<br>acl localnet src fc00::/7 # RFC 4193 local private network range<br>acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br><br>acl SSL_ports port 443<br>acl Safe_ports port 80 # http<br>acl Safe_ports port 21 # ftp<br>acl Safe_ports port 443 # https<br>acl Safe_ports port 70 # gopher<br>acl Safe_ports port 210 # wais<br>acl Safe_ports port 1025-65535 # unregistered ports<br>acl Safe_ports port 280 # http-mgmt<br>acl Safe_ports port 488 # gss-http<br>acl Safe_ports port 591 # filemaker<br>acl Safe_ports port 777 # multiling http<br>acl CONNECT method CONNECT<br><br># Deny requests to certain unsafe ports<br>http_access deny !Safe_ports<br><br># Deny CONNECT to other than secure SSL ports<br>http_access deny CONNECT !SSL_ports<br><br># Only allow cachemgr access from localhost<br>#http_access allow localhost manager<br>#http_access deny manager<br><br># Set cache user<br>cache_effective_user nobody</div><div><br>workers 3<br>if ${process_number} = 1<br>include /etc/squid/frontend.conf<br>else<br>include /etc/squid/backend.conf<br>endif<br><br>http_access deny all<br><br>#<br># Add any of your own refresh_pattern entries above these.<br>#<br>refresh_pattern ^ftp: 1440 20% 10080<br>refresh_pattern ^gopher: 1440 0% 1440<br>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>refresh_pattern . 0 20% 4320<br></div><div><br></div><div><br></div><div>####### frontend.conf - some names changed/omitted##########</div><div># Squid normally listens to port 3128 <br>http_port 3128 ssl-bump \<br>cert=/etc/squid/ssl_cert/mycert.pem \<br>key=/etc/squid/ssl_cert/mycert.pem \<br>generate-host-certificates=on \<br>dynamic_cert_mem_cache_size=4mb<br><br># Where to look for ssl cert<br>sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB<br>acl step1 at_step SslBump1<br>ssl_bump peek step1<br>ssl_bump bump all<br><br># Enable URL Params<br>strip_query_terms off<br><br># add user authentication and similar options here<br>http_access allow manager localhost<br>http_access deny manager<br><br>http_access allow localnet<br>http_access allow localhost<br><br># add backends - one line for each additional worker you configured<br># NOTE how the port number matches the kid number<br>cache_peer localhost parent 4002 0 carp login=PASS name=backend-kid2<br>cache_peer localhost parent 4003 0 carp login=PASS name=backend-kid3<br><br>#you want the frontend to have a significant cache_mem<br>cache_mem 512 MB<br><br># change /tmp to your own log directory, e.g. /var/log/squid<br>access_log /var/log/squid/frontend.access.log<br>cache_log /var/log/squid/frontend.cache.log<br><br># the frontend requires a different name to the backend(s)<br>visible_hostname Squid-Test<br></div><div><br></div><div>########## backend.conf #############</div><div># each backend must listen on a unique port<br># without this the CARP algorithm would be useless<br>http_port 400${process_number}</div><div><br></div><div># TODO: Change 512 to larger after testing is done<br>cache_dir rock /var/log/squid/cacheRock 512 max-size=32768<br><br># NP: for now AUFS does not support SMP but the CARP algorithm helps reduce object duplications</div><div># TODO: Change 512 to larger after testing is done <br>cache_dir aufs /var/log/squid/cache${process_number} 512 128 128 min-size=32769<br><br># the default maximum cached object size is a bit small<br># you want the backend to be able to cache some fairly large objects<br>maximum_object_size 512 MB<br><br># you want the backend to have a small cache_mem<br>cache_mem 4 MB<br><br># the backends require a different name to frontends, but can share one<br># this prevents forwarding loops between backends while allowing<br># frontend to forward via the backend<br>visible_hostname Squid-Test${process_number}<br><br># change /var/log/squid to your own log directory<br>access_log /var/log/squid/backend${process_number}.access.log<br>cache_log /var/log/squid/backend${process_number}.cache.log<br><br># add just enough access permissions to allow the frontend<br>http_access allow localhost<br></div><div><br></div></div>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank" rel="noreferrer">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>