[squid-users] HTTPS woes

Olly Lennox oliver at lennox-it.uk
Wed Apr 19 22:48:44 UTC 2017 

Raspberry Pi (3) / Stretch repository (requird to build 3.5) / Squid  3.5.23

After further investigation the problem is something to do with permissions related to ssl_crtd. I can run squid as root but using the default account (proxy?) it won't run and is giving this error in cache.log:

2017/04/19 23:43:54 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory


I've checked the file and folder permissions across all aspects of squid and everything I can see is owned by proxy:proxy so not sure where it is failing. My config is now as follows:


acl SSL_ports port 443 
acl Safe_ports port 80        # http 
acl Safe_ports port 21        # ftp 
acl Safe_ports port 443        # https 
acl Safe_ports port 70        # gopher 
acl Safe_ports port 210        # wais 
acl Safe_ports port 1025-65535    # unregistered ports 
acl Safe_ports port 280        # http-mgmt 
acl Safe_ports port 488        # gss-http 
acl Safe_ports port 591        # filemaker 
acl Safe_ports port 777        # multiling http 
acl CONNECT method CONNECT 

http_access deny !Safe_ports 
http_access deny CONNECT !SSL_ports 
http_access allow all 

http_port 3130 

http_port 3128 intercept 
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem 

acl step1 at_step SslBump1 
ssl_bump peek step1 
ssl_bump bump all 
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE 
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS 
sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem 

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB 
sslcrtd_children 8 startup=1 idle=1 

coredump_dir /var/spool/squid 

# Add any of your own refresh_pattern entries above these. 
refresh_pattern ^ftp:        1440    20%    10080 
refresh_pattern ^gopher:    1440    0%    1440 
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0 
refresh_pattern .        0    20%    4320 

cache_dir ufs /cache 400 16 256 



oliver at lennox-it.uk
lennox-it.uk
tel: 07900 648 252



________________________________
From: Eliezer Croitoru <eliezer at ngtech.co.il>
To: "'squid-users at squid-cache. org'" <squid-users at squid-cache.org> 
Cc: 'Olly Lennox' <oliver at lennox-it.uk>; 'L. P. H. van Belle' <belle at bazuin.nl>
Sent: Wednesday, 19 April 2017, 22:24
Subject: RE: [squid-users] HTTPS woes



What OS are you using?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Olly Lennox
Sent: Wednesday, April 19, 2017 7:30 PM
To: Olly Lennox <oliver at lennox-it.uk>; L. P. H. van Belle <belle at bazuin.nl>; squid-users at squid-cache. org <squid-users at squid-cache.org>
Subject: Re: [squid-users] HTTPS woes

Sorry it's back,


I've narrowed down the problem, hopefully someone can help. When Squid starts it creates the directory /var/run/squid as user proxy:proxy. 

If I remove this or leave it as is then the application won't launch on subsequent reboots.

If I chown the directory as root:root then the application will launch on boot but proxy:proxy takes back ownership and it won't launch again on subsequent reboots.

I'm guessing this is something to do with the running processes, does anyone know what's going wrong?

Cheers,

Olly


------------




Never mind I've sorted it! The issue was due to the /var/run directory and the program not being able to create squid.pid. I amended the permissions and seems to be working fine now


Thanks a lot for the link, I'll implement that once I get this problem fixed. Sadly the change hasn't worked. My current /etc/fstab looks like this:


proc            /proc           proc    defaults          0       0 
PARTUUID=0d001852-01  /boot           vfat    defaults          0       2 
PARTUUID=0d001852-02  /               ext4    defaults,noatime  0       1 
# a swapfile is not a swap partition, no line here 
#   use  dphys-swapfile swap[on|off]  for that 
tmpfs /cache tmpfs defaults,noatime,nosuid,size=8000m 0 0 
none      /dev/shm        tmpfs  defaults        0 0 

could the existing tmpfs line be causing problems?

oliver at lennox-it.uk
lennox-it.uk
tel: 07900 648 252



________________________________
From: L. P. H.  van Belle <belle at bazuin.nl>
To: "squid-users at squid-cache. org" <squid-users at squid-cache.org> 
Sent: Wednesday, 19 April 2017, 11:05
Subject: Re: [squid-users] HTTPS woes



Hai, 


Im guess, squid is starting to soon, or there is not /dev/shm 


Check/Try adding, if not already in /etc/fstab 


none      /dev/shm        tmpfs   defaults        0 0 


And reboot the server. 



Or, i dont know and someone else can tell you. ;-) 

But on my jessie with squid 3.5.24+ssl i dont see this problem. 


A small tip about the certificates on debian or ubuntu. 

Install ca-certificates ( apt-get install ca-certificates ) 

And read : https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/ 




Greetz, 


Louis








> -----Oorspronkelijk bericht-----

> Van: squid-users 

> [mailto:squid-users-bounces at lists.squid-cache.org] Namens Olly Lennox

> Verzonden: woensdag 19 april 2017 11:22

> Aan: Amos Jeffries; squid-users at lists.squid-cache.org

> Onderwerp: Re: [squid-users] HTTPS woes

> 

> Thanks Amos, I'll install this. One last question if I may! 

> Squid is working fine now with both HTTP and HTTPS but for 

> some reason it is refusing to launch on boot. 

> 

> It works perfectly when started with "service squid start" 

> but not boot. The error is:

> squid.service - LSB: Squid HTTP Proxy version 3.x

>    Loaded: loaded (/etc/init.d/squid; generated; vendor 

> preset: enabled)

>    Active: failed (Result: resources) since Wed 2017-04-19 

> 10:19:18 BST; 53s ago

>      Docs: man:systemd-sysv-generator(8)

>   Process: 598 ExecStart=/etc/init.d/squid start 

> (code=exited, status=0/SUCCESS)

> 

> Apr 19 10:19:13 raspberrypi (squid-1)[1606]: 

> Ipc::Mem::Segment::open failed to 

> shm_open(/squid-ssl_session_cache.shm): (2) No such file or 

> direct Apr 19 10:19:13 raspberrypi squid[1283]: Squid Parent: 

> (squid-1) process 1606 exited with status 1 Apr 19 10:19:16 

> raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 

> started Apr 19 10:19:18 raspberrypi squid[1283]: Squid 

> Parent: (squid-1) process 1633 exited with status 1 Apr 19 

> 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) 

> process 1633 will not be restarted due to repeated, frequent 

> failures Apr 19 10:19:18 raspberrypi squid[1283]: Exiting due 

> to repeated, frequent failures Apr 19 10:19:18 raspberrypi 

> systemd[1]: squid.service: Daemon never wrote its PID file. Failing.

> Apr 19 10:19:18 raspberrypi systemd[1]: Failed to start LSB: 

> Squid HTTP Proxy version 3.x.

> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Unit 

> entered failed state.

> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Failed 

> with result 'resources'.

> 

> Any ideas?

> 

> 

> 

> ________________________________

> From: Amos Jeffries <squid3 at treenet.co.nz>

> To: squid-users at lists.squid-cache.org

> Sent: Wednesday, 19 April 2017, 5:22

> Subject: Re: [squid-users] HTTPS woes

> 

> 

> 

> Olly,  Debian provides a ca-certificates package containing 

> the Mozilla CA list. It is updated whenever the CA set 

> changes. Though of course you should have apt connected to 

> the relevant security repository (jesse-security?) for 

> regular updates.

> 

> 

> Amos

> 

> 

> On 19/04/17 03:10, Olly Lennox wrote:

> 

> Would you mind sharing the script you use?

> > 

> >oliver at lennox-it.uk

> >lennox-it.uk

> >tel: 07900 648 252

> >

> 


_______________________________________________

squid-users mailing list

squid-users at lists.squid-cache.org

http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list