[squid-users] Debian jessie + squid 3.5.16 - Will not start.
Markey, Bruce
bmarkey at steinmancommunications.com
Thu Apr 7 15:58:56 UTC 2016
I'm running Debian Jessie.
Squid 3.5.16 compiled from source with the following:
./configure --build=x86_64-linux-gnu \
--prefix=/usr \
--includedir=${prefix}/include \
--mandir=${prefix}/share/man \
--infodir=${prefix}/share/info \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=${prefix}/lib/squid3 \
--srcdir=. \
--disable-maintainer-mode \
--disable-dependency-tracking \
--disable-silent-rules \
--datadir=/usr/share/squid3 \
--sysconfdir=/etc/squid3 \
--mandir=/usr/share/man \
--enable-inline \
--enable-gnuregex \
--enable-xmalloc-statistics \
--enable-useragent-log \
--enable-kill-parent-hack \
--enable-htpc \
--enable-forw-via-db \
--enable-dl-malloc \
--enable-time-hack \
--enable-err-language=English \
--disable-arch-native \
--enable-async-io=8 \
--enable-storeio=ufs,aufs,diskd,rock \
--enable-removal-policies=lru,heap \
--enable-delay-pools \
--enable-cache-digests \
--enable-icap-client \
--enable-follow-x-forwarded-for \
--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB \
--enable-auth-digest=file,LDAP \
--enable-auth-negotiate=kerberos,wrapper \
--enable-auth-ntlm=fake,smb_lm \
--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group \
--enable-url-rewrite-helpers=fake \
--enable-eui \
--enable-esi \
--enable-icmp \
--enable-zph-qos \
--enable-ecap \
--disable-translation \
--with-swapdir=/var/spool/squid3 \
--with-logdir=/var/log/squid3 \
--with-pidfile=/var/run/squid3.pid \
--with-filedescriptors=65536 \
--with-large-files \
--with-default-user=proxy \
--enable-ssl \
--enable-ssl-crtd \
--enable-wccpv2 \
--with-openssl \
--enable-linux-netfilter \
'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' \
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' \
'CPPFLAGS=-D_FORTIFY_SOURCE=2' \
'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'
Here is my squid.conf
#Access Lists
acl internal src 192.168.200.0/21
acl wireless src 192.168.100.0/23
#Ports allowed through Squid
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT
#allow/deny
http_access allow internal
http_access allow wireless
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
#Bumping
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek all
ssl_bump splice all
sslproxy_capath /etc/ssl/certs
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /etc/squid3/ssl_db -M 4MB
sslcrtd_children 5
logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh
#access_log syslog:daemon.info mine
access_log daemon:/var/log/squid3/access.log mine
#intercept
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid3/certs/squid.pem cafile=/etc/squid3/certs/squid.pem key=/etc/squid3/certs/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
#nameservers
dns_nameservers 192.168.201.1 8.8.8.8
#WCCPv2 items
wccp_version 2
wccp2_router 192.168.200.73
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=LNP1
wccp2_service dynamic 70 password=LNP1
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443
-I did initialize the ssl_db
-I did create certs
I'm simply trying to start via: sudo squid. It throws no errors, nothing. The pid lives for a sec then dies. This is the only log message I get.
Apr 7 11:51:19 LNP-Proxy (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
I tried deleting and recreating the ssl_db as I saw from a few other posts, did not work.
Other info:
Tunnel is up:
gre0: gre/ip remote any local any ttl inherit nopmtudisc
wccp0: gre/ip remote 192.168.200.73 local 192.168.201.248 dev eth3 ttl inherit
Iptables:
bruce at LNP-Proxy:/var/log$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.201.248:3128
DNAT tcp -- anywhere anywhere tcp dpt:https to:192.168.201.248:3129
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
I'm not sure what to even check next. I can't do a sudo squid -k debug since the process doesn't last long enough.
Thanks
Bruce Markey | Network Security Analyst
STEINMAN COMMUNICATIONS
717.291.8758 (o) | bmarkey at steinmancommunications.com
8 West King St | PO Box 1328, Lancaster, PA 17608-1328
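An added diagnostic, not part of Bruce's post or of Squid itself: a shell function that checks the things the ssl_crtd helpers need before Squid spawns them, since Squid runs the helpers as its own effective user (proxy, per --with-default-user) and a certificate database that user cannot read and write makes them exit at once. The file names index.txt and size are assumed from the layout that ssl_crtd -c creates; adjust them if your build differs.

```shell
#!/bin/sh
# Sanity-check an ssl_crtd certificate database before starting Squid.
# Usage: check_ssl_db <db_dir> <squid_user> [helper_binary]
# Returns 0 when everything looks usable, 1 otherwise; one line per finding.
check_ssl_db() {
    db="$1"; user="$2"; helper="${3:-}"
    rc=0
    if [ ! -d "$db" ]; then
        echo "FAIL: $db does not exist (initialise with: ssl_crtd -c -s $db)"
        return 1
    fi
    # Files written by 'ssl_crtd -c' (assumed layout): without them the
    # helper cannot open the database and exits immediately.
    for f in index.txt size; do
        if [ ! -f "$db/$f" ]; then
            echo "FAIL: $db/$f missing; database not initialised"
            rc=1
        fi
    done
    # The helpers inherit Squid's UID, so the database must belong to it
    # (GNU stat first, BSD stat as fallback).
    owner=$(stat -c %U "$db" 2>/dev/null || stat -f %Su "$db")
    if [ "$owner" != "$user" ]; then
        echo "FAIL: $db is owned by $owner but the helpers run as $user"
        rc=1
    fi
    # Owner must have write permission, or generated certs cannot be stored.
    perms=$(stat -c %A "$db" 2>/dev/null || stat -f %Sp "$db")
    case "$perms" in
        ??w*) ;;
        *) echo "FAIL: $db is not writable by its owner ($perms)"; rc=1 ;;
    esac
    if [ -n "$helper" ] && [ ! -x "$helper" ]; then
        echo "FAIL: helper $helper is missing or not executable"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $db looks usable by $user"
    fi
    return "$rc"
}
```

For the configuration in the post the call would be `check_ssl_db /etc/squid3/ssl_db proxy /usr/lib/squid3/ssl_crtd`; a database created as root while Squid drops to proxy fails the ownership check.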