[squid-users] ssl_crtd process doesn't start with Squid 3.5.6
James Lay
jlay at slave-tothe-box.net
Sat Jul 25 00:24:33 UTC 2015
On Fri, 2015-07-24 at 19:15 -0500, Stanford Prescott wrote:
> Thanks for that. Any ideas why I am experiencing that?
>
>
>
> Stan
>
>
>
>
> On Fri, Jul 24, 2015 at 7:07 PM, James Lay <jlay at slave-tothe-box.net>
> wrote:
>
> On Fri, 2015-07-24 at 17:25 -0500, Stanford Prescott wrote:
>
> > I have a working implementation of Squid 3.5.5 with
> > ssl-bump. When 3.5.5 is started with ssl-bump enabled all
> > the squid and ssl_crtd processes start and Squid functions
> > as intended when bumping ssl sites. However, when I bump
> > Squid to 3.5.6 squid seems to start but ssl_crtd does not
> > and Squid 3.5.6 cannot successfully bump ssl.
> >
> >
> > These are the config options I use for both 3.5.5 and 3.5.6.
> >
> > --enable-storeio="diskd,ufs,aufs" --enable-linux-netfilter \
> > --enable-removal-policies="heap,lru" --enable-delay-pools --libdir=/usr/lib/ \
> > --localstatedir=/var --with-dl --with-openssl --enable-http-violations \
> > --with-large-files --with-libcap --disable-ipv6 --with-swapdir=/var/spool/squid \
> > --enable-ssl-crtd --enable-follow-x-forwarded-for
> >
> >
> >
> > This is the squid.conf file used for both versions.
> >
> > visible_hostname smoothwallu3
> >
> > # Uncomment the following to send debug info to /var/log/squid/cache.log
> > debug_options ALL,1 33,2 28,9
> >
> > # ACCESS CONTROLS
> > # ----------------------------------------------------------------
> > acl localhostgreen src 10.20.20.1
> > acl localnetgreen src 10.20.20.0/24
> >
> > acl SSL_ports port 445 443 441 563
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 81 # smoothwall http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 445 443 441 563 # https, snews
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> >
> > acl CONNECT method CONNECT
> >
> > # TAG: http_access
> > # ----------------------------------------------------------------
> >
> >
> >
> > http_access allow localhost
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> >
> > http_access allow localnetgreen
> > http_access allow CONNECT localnetgreen
> >
> > http_access allow localhostgreen
> > http_access allow CONNECT localhostgreen
> >
> > # http_port and https_port
> > #----------------------------------------------------------------------------
> >
> > # For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.
> > #----------------------------------------------------------------------------
> > http_port 3127
> >
> > http_port 10.20.20.1:800 intercept
> > https_port 10.20.20.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
> >
> >
> > http_port 127.0.0.1:800 intercept
> >
> > sslproxy_cert_error allow all
> > sslproxy_flags DONT_VERIFY_PEER
> > sslproxy_session_cache_size 4 MB
> >
> > ssl_bump none localhostgreen
> >
> > acl step1 at_step SslBump1
> > acl step2 at_step SslBump2
> > ssl_bump peek step1
> > ssl_bump bump all
> >
> > sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
> > sslcrtd_children 5
> >
> > http_access deny all
> >
> > cache_replacement_policy heap GDSF
> > memory_replacement_policy heap GDSF
> >
> > # CACHE OPTIONS
> > # ----------------------------------------------------------------------------
> > cache_effective_user squid
> > cache_effective_group squid
> >
> > cache_swap_high 100
> > cache_swap_low 80
> >
> > cache_access_log stdio:/var/log/squid/access.log
> > cache_log /var/log/squid/cache.log
> > cache_mem 64 MB
> >
> > cache_dir diskd /var/spool/squid/cache 1024 16 256
> >
> > maximum_object_size 33 MB
> >
> > minimum_object_size 0 KB
> >
> >
> > request_body_max_size 0 KB
> >
> > # OTHER OPTIONS
> > # ----------------------------------------------------------------------------
> > #via off
> > forwarded_for off
> >
> > pid_filename /var/run/squid.pid
> >
> > shutdown_lifetime 30 seconds
> > icp_port 3130
> >
> > half_closed_clients off
> > icap_enable on
> > icap_send_client_ip on
> > icap_send_client_username on
> > icap_client_username_encode off
> > icap_client_username_header X-Authenticated-User
> > icap_preview_enable on
> > icap_preview_size 1024
> > icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
> > adaptation_access service_avi_req allow all
> > icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
> > adaptation_access service_avi_resp allow all
> >
> > umask 022
> >
> > logfile_rotate 0
> >
> > strip_query_terms off
> >
> > redirect_program /usr/sbin/squidGuard
> > url_rewrite_children 5
> >
> >
> > And the cache.log file when starting 3.5.6 with debug options on in squid.conf:
> >
> > 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
> > 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
> > 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > 2015/07/24 17:15:06 kid1| Current Directory is /
> > 2015/07/24 17:15:06 kid1| Starting Squid Cache version 3.5.6 for i586-pc-linux-gnu...
> > 2015/07/24 17:15:06 kid1| Service Name: squid
> > 2015/07/24 17:15:06 kid1| Process ID 2907
> > 2015/07/24 17:15:06 kid1| Process Roles: worker
> > 2015/07/24 17:15:06 kid1| With 1024 file descriptors available
> > 2015/07/24 17:15:06 kid1| Initializing IP Cache...
> > 2015/07/24 17:15:06 kid1| DNS Socket created at 0.0.0.0, FD 8
> > 2015/07/24 17:15:06 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
> > 2015/07/24 17:15:06 kid1| helperOpenServers: Starting 0/5 'squidGuard' processes
> > 2015/07/24 17:15:06 kid1| helperOpenServers: No 'squidGuard' processes needed.
> > 2015/07/24 17:15:06 kid1| Logfile: opening log stdio:/var/log/squid/access.log
> > 2015/07/24 17:15:06 kid1| Unlinkd pipe opened on FD 15
> > 2015/07/24 17:15:06 kid1| Store logging disabled
> > 2015/07/24 17:15:06 kid1| Swap maxSize 1048576 + 65536 KB, estimated 85700 objects
> > 2015/07/24 17:15:06 kid1| Target number of buckets: 4285
> > 2015/07/24 17:15:06 kid1| Using 8192 Store buckets
> > 2015/07/24 17:15:06 kid1| Max Mem size: 65536 KB
> > 2015/07/24 17:15:06 kid1| Max Swap size: 1048576 KB
> > 2015/07/24 17:15:06 kid1| Rebuilding storage in /var/spool/squid/cache (dirty log)
> > 2015/07/24 17:15:06 kid1| Using Least Load store dir selection
> > 2015/07/24 17:15:06 kid1| Current Directory is /
> > 2015/07/24 17:15:06 kid1| Finished loading MIME types and icons.
> > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d218 [call5]
> > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c) [call5]
> > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d3a8 [call7]
> > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc) [call7]
> > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d510 [call9]
> > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544) [call9]
> > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d6b0 [call11]
> > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4) [call11]
> > 2015/07/24 17:15:06.578 kid1| HTCP Disabled.
> > 2015/07/24 17:15:06.578 kid1| Squid plugin modules loaded: 0
> > 2015/07/24 17:15:06.578 kid1| Adaptation support is on
> > 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
> > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call5]
> > 2015/07/24 17:15:06.578 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3127 remote=[::] FD 20 flags=9
> > 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
> > 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
> > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call7]
> > 2015/07/24 17:15:06.578 kid1| Accepting NAT intercepted HTTP Socket connections at local=10.20.20.1:800 remote=[::] FD 21 flags=41
> > 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
> > 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
> > 2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call9]
> > 2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted HTTP Socket connections at local=127.0.0.1:800 remote=[::] FD 22 flags=41
> > 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
> > 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
> > 2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call11]
> > 2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=10.20.20.1:808 remote=[::] FD 23 flags=41
> > 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
> > 2015/07/24 17:15:06.579 kid1| Accepting ICP messages on 0.0.0.0:3130
> > 2015/07/24 17:15:06.579 kid1| Sending ICP messages from 0.0.0.0:3130
> > 2015/07/24 17:15:06.579 kid1| Done reading /var/spool/squid/cache swaplog (12 entries)
> > 2015/07/24 17:15:06.579 kid1| Finished rebuilding storage from disk.
> > 2015/07/24 17:15:06.579 kid1| 12 Entries scanned
> > 2015/07/24 17:15:06.579 kid1| 0 Invalid entries.
> > 2015/07/24 17:15:06.579 kid1| 0 With invalid flags.
> > 2015/07/24 17:15:06.579 kid1| 12 Objects loaded.
> > 2015/07/24 17:15:06.579 kid1| 0 Objects expired.
> > 2015/07/24 17:15:06.579 kid1| 0 Objects cancelled.
> > 2015/07/24 17:15:06.579 kid1| 0 Duplicate URLs purged.
> > 2015/07/24 17:15:06.579 kid1| 0 Swapfile clashes avoided.
> > 2015/07/24 17:15:06.579 kid1| Took 0.06 seconds (210.47 objects/sec).
> > 2015/07/24 17:15:06.579 kid1| Beginning Validation Procedure
> > 2015/07/24 17:15:06.579 kid1| Completed Validation Procedure
> > 2015/07/24 17:15:06.579 kid1| Validated 12 Entries
> > 2015/07/24 17:15:06.579 kid1| store_swap_size = 1444.00 KB
> > 2015/07/24 17:15:07 kid1| storeLateRelease: released 0 objects
> >
> >
> >
> > Any help or suggestions greatly appreciated.
> >
> >
> > Regards
> >
> >
> > Stan
> >
> >
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
>
>
> I do not experience this issue:
>
> [18:04:56 jlay:~/nobackup/build$] ps aux | egrep "ssl|squid"
> root 3173 0.0 0.0 18840 372 ? Ss Jul23 0:00 /opt/sbin/squid
> nobody 3175 0.0 1.2 52856 39744 ? S Jul23 0:47 (squid-1)
> nobody 3177 0.0 0.0 5916 2040 ? S Jul23 0:05 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> nobody 3178 0.0 0.0 5828 1840 ? S Jul23 0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> nobody 3179 0.0 0.0 5828 1708 ? S Jul23 0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> nobody 3180 0.0 0.0 5648 912 ? S Jul23 0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> nobody 3181 0.0 0.0 5648 912 ? S Jul23 0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
>
> my config line:
> ./configure --prefix=/opt --with-openssl --enable-ssl --enable-ssl-crtd --enable-linux-netfilter \
> --enable-follow-x-forwarded-for --with-large-files --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none
>
> Squid Cache: Version 3.5.6
>
> James
>
>
I recall when just starting out with ssl_crtd that I had an issue until I set
the user running as squid on my ssl_db dir:
drwxr-xr-x 3 nobody root 4096 May 30 17:22 ssl_db
My ssl_crtd lines:
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5
Hope it helps.
James
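The ownership check described in this reply, written out as a pre-flight script. This is an added example, not code from the thread or from the Squid project; it assumes a POSIX sh with find(1), that the ssl_db directory must belong to the account Squid drops to (cache_effective_user in the quoted squid.conf), and, as a labelled assumption, that an ssl_db initialised with `ssl_crtd -c -s DIR` contains an index.txt file.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: pre-flight checks
# for the ssl_crtd helper and its certificate database, the two things that
# squid.conf points at with "sslcrtd_program PATH -s DIR".
# Assumptions (labelled): POSIX sh and find(1); an initialised ssl_db is taken
# to contain an index.txt file, which "ssl_crtd -c -s DIR" creates.

# check_helper PATH
# Returns 0 if PATH is an executable file, 1 (with a reason on stdout) otherwise.
check_helper() {
    helper=$1
    if [ ! -f "$helper" ]; then
        echo "helper: $helper not found (check sslcrtd_program and the --enable-ssl-crtd build)"
        return 1
    fi
    if [ ! -x "$helper" ]; then
        echo "helper: $helper is not executable"
        return 1
    fi
    echo "helper: $helper ok"
    return 0
}

# check_ssl_db DIR USER
# Returns 0 if DIR exists, is owned by USER (the unprivileged account the
# squid kids and their ssl_crtd children run as) and looks initialised;
# 1 with a reason on stdout otherwise.
check_ssl_db() {
    dir=$1
    user=$2
    if [ ! -d "$dir" ]; then
        echo "ssl_db: $dir does not exist"
        return 1
    fi
    # POSIX find: print DIR itself only when it belongs to USER. -prune keeps
    # find from descending into the certificate tree; an unknown user name
    # makes find fail, which also reads as "not owned by USER".
    if [ -z "$(find "$dir" -prune -user "$user" 2>/dev/null)" ]; then
        echo "ssl_db: $dir is not owned by $user"
        return 1
    fi
    if [ ! -f "$dir/index.txt" ]; then
        echo "ssl_db: $dir has no index.txt; initialise it as $user with: ssl_crtd -c -s $dir"
        return 1
    fi
    echo "ssl_db: $dir ok"
    return 0
}

# Usage: sh ssl_db_check.sh /opt/libexec/ssl_crtd /opt/var/ssl_db nobody
# (paths from the reply above; substitute your sslcrtd_program and -s values)
if [ "$#" -eq 3 ]; then
    check_helper "$1"
    check_ssl_db "$2" "$3"
fi
```

Run it as root before starting Squid; a non-zero exit from either function is the condition under which Squid logs the listeners as accepting connections while no ssl_crtd child ever appears in ps, which matches the symptom in the original post.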