[squid-users] HTTPS woes
Alex Rousskov
rousskov at measurement-factory.com
Wed Apr 19 23:13:33 UTC 2017
On 04/19/2017 04:48 PM, Olly Lennox wrote:
> After further investigation the problem is something to do with permissions related to ssl_crtd.
No, it is not (or at least not yet).
> I can run squid as root but using the default account (proxy?) it
> won't run and is giving this error in cache.log:
> 2017/04/19 23:43:54 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
> FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
The FATAL line is unrelated to the ssl_crtd line above it (this is one
of several problems with FATAL error handling in Squid).
> I've checked the file and folder permissions across all aspects of
> squid and everything I can see is owned by proxy:proxy so not sure
> where it is failing.
Squid is failing when trying to open a shared memory segment used for
storing SSL sessions. This probably means two things:
1. Your OS environment is not compatible with Squid shared memory needs
(e.g., missing /dev/shm/ or equivalent). More info at
http://wiki.squid-cache.org/Features/SmpScale#Ipc::Mem::Segment::create_failed_to_shm_open.28....29:_.282.29_No_such_file_or_directory
2. There is a bug in Squid: Squid should not create shared memory
segments when running in non-SMP mode. Please consider reporting this
bug if it has not been reported already. At the expense of losing SSL
session resumption capabilities, you should be able to work around this
bug by disabling the session cache:
http://www.squid-cache.org/Doc/config/sslproxy_session_cache_size/
HTH,
Alex.
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow all
>
> http_port 3130
>
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem
>
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
> coredump_dir /var/spool/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> cache_dir ufs /cache 400 16 256
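A quick way to tell the two causes in Alex's reply apart on the affected host, as an added diagnostic script that is not from the thread or from Squid itself. It assumes Linux/glibc semantics (shm_open("/name") is backed by the file /dev/shm/name) and that setting sslproxy_session_cache_size to 0 is what "disabling the session cache" means; the sample log line is the one quoted above.

```shell
#!/bin/sh
# Added diagnostic for the FATAL line quoted in the thread (not Squid's
# own code). Assumes Linux/glibc: shm_open("/name") is backed by the
# file /dev/shm/name, so that directory is what the checks look at.

# The cache.log line quoted above, used as sample input.
SAMPLE_FATAL='FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory'

# Print the segment name from a Squid Ipc::Mem::Segment FATAL line ($1).
segment_name() {
    printf '%s\n' "$1" | sed -n 's/.*shm_open(\/\([^)]*\)).*/\1/p'
}

# Print the errno number in parentheses from the same line ($1).
segment_errno() {
    printf '%s\n' "$1" | sed -n 's/.*: (\([0-9]*\)) .*/\1/p'
}

# Classify the failure. $1: log line; $2: shm backing directory
# (normally /dev/shm, parameterised so the check also runs offline).
# Prints no-shm-dir, shm-dir-not-writable, segment-missing or other.
classify_shm_failure() {
    name=$(segment_name "$1")
    err=$(segment_errno "$1")
    [ -n "$name" ] || { echo other; return 1; }
    if [ ! -d "$2" ]; then
        echo no-shm-dir             # cause 1 in the reply: no /dev/shm
    elif [ ! -w "$2" ]; then
        echo shm-dir-not-writable   # the tmpfs itself rejects this user
    elif [ "$err" = 2 ] && [ ! -e "$2/$name" ]; then
        echo segment-missing        # cause 2: opened but never created
    else
        echo other
    fi
}

# Print the workaround for a classification ($1) and directory ($2).
# Assumption: a cache size of 0 disables the session cache; confirm
# against the sslproxy_session_cache_size documentation linked above.
workaround() {
    case "$1" in
        no-shm-dir)      echo "mount a tmpfs at $2 (or your OS equivalent)" ;;
        segment-missing) echo "sslproxy_session_cache_size 0" ;;
        *)               echo "fix ownership and mode of $2 for the squid user" ;;
    esac
}
```

Source the script as the account Squid runs under and call `classify_shm_failure "$SAMPLE_FATAL" /dev/shm`, then feed the result to `workaround`.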