[squid-users] Building squid | Best Practices?

Howard Waterfall hwaterfall at gmail.com
Mon Sep 7 18:32:49 UTC 2015


Rafael / Amos -
I got my system up and running yesterday. Thanks so much for the help. I
couldn't get some of the suggestions that Amos made to work, but they did
after running some of the commands on Rafael's wiki, so a real team effort!

After getting it up and running, I found that MAC address filtering was not
working. On closer inspection I found that I was running v3.3.8. I guess
that’s the version my new Ubuntu install (14.04.03 LTS) uses with:

sudo apt-get install squid


I decided to try and build the latest version of squid from source and I
ran into some more problems I cannot solve, so some follow-up questions:

1) Earlier in the thread, Amos suggested I run:

apt-get build-dep squid


to install the packages needed to build squid. That’s just the dependencies
though right; I still need the squid source code? Sorry if that seems
obvious, just want to make sure I’m not missing something.

2) I downloaded squid-3.5.8.tar.xz. I captured the configure options from
my current v3.3.8 squid install using:

squid3 -v


but it led to errors when building v3.5.8, for example:

'--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'.



I suppose it’s not surprising given it’s such an old version, so I went
through them all and used the ones I thought made most sense for me. I got
it to build. Here’s the squid3 -v output from my v3.5.8 build:

Squid Cache: Version 3.5.8
Service Name: squid
configure options:  '--prefix=/mysquid' '--enable-arp-acl'
'--localstatedir=/var' '--libexecdir=/lib/squid3' '--datadir=/share/squid3'
'--sysconfdir=/etc/squid3' '--with-default-user=proxy'
'--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
'--build=arm-linux-gnueabihf' '--includedir=/include' '--mandir=/share/man'
'--infodir=/share/info' '--srcdir=.' '--enable-basic-auth-helpers=DB'
'build_alias=arm-linux-gnueabihf'


Here are the problems:

a) I had to change the owner of /var/log/squid3 from root to proxy:

sudo chown proxy /var/log/squid3


Not a big deal I guess, but why can’t make install take care of the
permissions?

b) It doesn’t start as a service and there’s no squid file in:

/etc/init.d/


so I cannot make the DAEMON= and CONFIG= variables point at my custom
/mysquid/sbin/squid and /etc/squid3/squid.conf (I’ll change the
--sysconfdir config parameter to /mysquid/etc/squid3 in a future build)

c) There’s no error when I run:

/mysquid/sbin/squid -k parse


but when I run:

/mysquid/sbin/squid -NCd1


I get:

FATAL: Ipc::Mem::Segment::create failed to
shm_open(/squid-cf__metadata.shm): (13) Permission denied


It didn’t help to change the owner of the "squid-cf*" files to
cache_effective_user as suggested in an online post:

-rw------- 1 proxy mysquid    8 Sep  7 09:31 /dev/shm/squid-cf__metadata.shm
-rw------- 1 proxy mysquid 8216 Sep  7 09:31 /dev/shm/squid-cf__queues.shm
-rw------- 1 proxy mysquid   44 Sep  7 09:31 /dev/shm/squid-cf__readers.shm


d) The configuration file:

/etc/squid3/squid.conf


is a lot different! For example I cannot find:

cache_effective_user


Can you point me to the updated documentation for configuring squid?

Thanks,
Deiter



On Sun, Aug 30, 2015 at 12:15 PM, Amos Jeffries <squid3 at treenet.co.nz>
wrote:

> On 31/08/2015 5:27 a.m., Howard Waterfall wrote:
> > Thanks again, this is valuable information!
> >
> > As you may have guessed, I'm asking about the user that should do builds
> > to ensure that the build outputs are created with the appropriate
> > permissions - I get a little concerned about security. It sounds like you
> > are suggesting that I simply create a directory for my custom builds:
> >
> > I assign the --prefix option to the folder I create, so my build output
> > goes there, and then I make sure the permissions for that folder (and its
> > sub-directories) are set for the user defined by cache_effective_user
> > (and the user defined by the ./configure option --with-default-user).
> > Could you confirm?
>
> Ah, no.
>
> You set ownership of the /proxy folder to whoever amongst the local
> machine user accounts you want to have the ability to build and alter
> the custom Squid binaries etc. Pretty much Admin powers over Squid.
>
> The make process should install the sub-folders with correct permissions
> for the users that will be involved at run-time.
>
> Running the init script / squid as root will take care of the rest.
>
> [ "the rest" being:
>
> The init script runs as root and starts the 'master process' with root
> privileges. That process creates the run-time files and logs etc with
> correct permissions for the effective-user account to access.
>
> The effective-user account is the low-privilege one named in
> --with-default-user and can read/exec the things it needs but not write
> outside the few things the master has explicitly given it ownership of
> (i.e. those run-time PID file, logs).
>
> ]
>
> PS.
>  You do not need to work with both --with-default-user and
> cache_effective_user. All the ./configure option does is set the
> built-in cache_effective_user default value.
>
> The intention was that you use the ./configure option and omit the
> squid.conf option.
>
>
> NP: if you find that /proxy/var/run or /proxy/var/run/squid is missing
> (sometimes it is), then create those with 777 permission and owner/group
> of the Admin account.
>
> >
> > Finally (I hope), I've re-installed Ubuntu (various reasons, not just
> > squid issues) and I successfully installed squid using:
> > sudo apt-get install squid3
> >
> > Squid wasn't found the first time:
> > E: Unable to locate package squid3
> >
> > I had to run this first:
> > sudo apt-get update
> >
> > However, when I try apt-get build-dep squid, I get:
> > You must put some 'source' uris in your sources.list
> >
> > I can't seem to get over this problem. I've un-commented every line in
> > /etc/apt/sources.list that starts with deb-src.
> >
> > Could you suggest a repository that I can add to /etc/apt/sources.list?
>
> It should be exactly the same as your normal "deb" sources.list line.
> But with "deb-src" at the front. Usually the single line directly
> underneath what you had uncommented before.
>
> Mine looks like this:
>
>   deb http://ftp.debian.org/debian unstable main contrib
>   deb-src http://ftp.debian.org/debian unstable main contrib
>
> Where I have "unstable" you would have the Ubuntu 14.04 version name
> (trusty?). And different server of course.
>
> Sorry for the vagueness there. I don't work directly with Ubuntu anymore.
>
> The Ubuntu guys did a weird transition from squid3 to squid package
> names and insisted on doing it well before the Squid-3 code could handle
> the 2.7 upgrades. So things are a bit funky IMHO.
>
> Anyhow, the source package name I think is still "squid3" which should
> build the binary packages "squid" and "squid-common"
>  (then:  dpkg --install squid-common_*.deb squid_*.deb ).
>
> Amos
>
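
Added example, not part of the original message or of Squid itself: the message lists the log directory and the /dev/shm/squid-cf__*.shm segments with their owner and mode, and the quoted reply describes a low-privilege effective user that can only write to what the master process gives it. The shell functions below (their names are assumptions; GNU stat is assumed) report whether a given uid/gid passes the owner/group/other mode bits on such paths.

```shell
#!/bin/sh
# Added example (not Squid tooling). Assumes GNU stat; looks only at
# owner/group/other mode bits, not ACLs or supplementary groups.

# rw_access UID GID PATH
# 0 = UID/GID may read+write the file (or create entries in the directory),
# 1 = the mode bits deny it, 2 = PATH cannot be examined.
rw_access() {
    want_uid=$1; want_gid=$2; target=$3
    info=$(stat -c '%u %g %a' "$target" 2>/dev/null) || return 2
    set -- $info
    own_uid=$1; own_gid=$2
    mode=$((0$3))                        # %a prints octal, e.g. 600
    [ "$want_uid" -eq 0 ] && return 0    # root bypasses mode bits
    if [ "$want_uid" -eq "$own_uid" ]; then
        bits=$(( (mode >> 6) & 7 ))      # owner class
    elif [ "$want_gid" -eq "$own_gid" ]; then
        bits=$(( (mode >> 3) & 7 ))      # group class
    else
        bits=$(( mode & 7 ))             # other class
    fi
    # Files need r+w (6); directories need w+x (3) to create files inside.
    if [ -d "$target" ]; then need=3; else need=6; fi
    [ $(( bits & need )) -eq "$need" ]
}

# audit_runtime UID GID PATH...
# Prints one verdict per path; returns non-zero if any path is unusable.
audit_runtime() {
    a_uid=$1; a_gid=$2; shift 2
    failed=0
    for p in "$@"; do
        rc=0
        rw_access "$a_uid" "$a_gid" "$p" || rc=$?
        case $rc in
            0) echo "ok       $p" ;;
            1) echo "DENIED   $p (uid $a_uid gid $a_gid)"; failed=1 ;;
            *) echo "MISSING  $p"; failed=1 ;;
        esac
    done
    return "$failed"
}

# Stand-alone use, with the user and paths named in the message:
#   sh check.sh "$(id -u proxy)" "$(id -g proxy)" /var/log/squid3 /dev/shm/squid-cf__*.shm
if [ "$#" -ge 3 ]; then audit_runtime "$@"; fi
```

Run it once with the uid/gid of the account that starts Squid and once with those of the effective user; a path that is DENIED for either one is where ownership or mode needs attention.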