[squid-users] Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly
Yuri
yvoinov at gmail.com
Mon Sep 11 18:39:21 UTC 2017
I'm not a Linux fanboy, but modern Squid never runs as root. So, most
probably, it runs as the nobody user.
Ah, yes:
# TAG: cache_effective_user
# If you start Squid as root, it will change its effective/real
# UID/GID to the user specified below. The default is to change
# to UID of nobody.
# see also; cache_effective_group
#Default:
# cache_effective_user nobody
# TAG: cache_effective_group
# Squid sets the GID to the effective user's default group ID
# (taken from the password file) and supplementary group list
# from the groups membership.
#
# If you want Squid to run with a specific GID regardless of
# the group memberships of the effective user then set this
# to the group (or GID) you want Squid to run as. When set
# all other group privileges of the effective user are ignored
# and only this GID is effective. If Squid is not started as
# root the user starting Squid MUST be member of the specified
# group.
#
# This option is not recommended by the Squid Team.
# Our preference is for administrators to configure a secure
# user account for squid with UID/GID matching system policies.
#Default:
# Use system group memberships of the cache_effective_user account
As documented. :)
AFAIK the best solution is to create a non-privileged group & user (like
squid/squid) and set both of these parameters explicitly.
Then change the owner recursively on the SSL cache to this user.
12.09.2017 0:36, Rohit Sodhia wrote:
> Neither of those values are set in my config. Even though I'm not
> using squid for caching, I need those values? They aren't set in the
> default configs either.
>
> On Mon, Sep 11, 2017 at 2:33 PM, Yuri <yvoinov at gmail.com> wrote:
>
> Most probably your squid runs as another user than squid.
>
> Check your squid.conf for cache_effective_user and
> cache_effective_group values.
>
> Then change SSL cache permissions to these values. Should work.
>
>
> 12.09.2017 0:30, Rohit Sodhia wrote:
>> Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and
>> it set it up like that. I changed the owner and group to
>> squid:squid and tried restarting squid, but still get the same
>> errors. I thought to run the command again, but this time it says
>>
>> /usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db
>>
>> If this folder has incorrect permissions are there possibly other
>> permission issues?
>>
>> On Mon, Sep 11, 2017 at 2:25 PM, Yuri <yvoinov at gmail.com> wrote:
>>
>> Here is your root of the problem.
>>
>> Should be (on my setups):
>>
>> # ls -al /var/lib/ssl_db
>> total 326
>> drwxr-xr-x 3 squid squid 5 Sep 5 00:53 .
>> drwxr-xr-x 8 root other 8 Sep 5 00:53 ..
>> drwxr-xr-x 2 squid squid 454 Sep 11 23:37 certs
>> -rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
>> -rw-r--r-- 1 squid squid 7 Sep 11 23:37 size
>>
>> I.e. Squid has no access to SSL cache dir structures.
>>
>>
>> 12.09.2017 0:23, Rohit Sodhia wrote:
>>> total 8
>>> drwxr-xr-x. 3 root root 48 Sep 11 12:42 .
>>> drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
>>> drwxr-xr-x. 2 root root 6 Sep 11 12:42 certs
>>> -rw-r--r--. 1 root root 0 Sep 11 12:42 index.txt
>>> -rw-r--r--. 1 root root 1 Sep 11 12:42 size
>>>
>>>
>>> On Mon, Sep 11, 2017 at 2:22 PM, Yuri <yvoinov at gmail.com> wrote:
>>>
>>> Show output of
>>>
>>> ls -al /var/lib/ssl_db
>>>
>>>
>>> 12.09.2017 0:21, Rohit Sodhia wrote:
>>>> Yes, but telling me it's crashing unfortunately doesn't
>>>> help me figure out why or how to fix it. I've run the
>>>> command it suggests but it doesn't help. I'm
>>>> unfortunately not an ops guy familiar with this kind of
>>>> stuff; I don't see anything on how to figure out what
>>>> to do about it.
>>>>
>>>> On Mon, Sep 11, 2017 at 2:17 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>
>>>> It tells you what's happening.
>>>>
>>>>
>>>> 11.09.2017 23:50, Rohit Sodhia wrote:
>>>> > (ssl_crtd): Uninitialized SSL certificate database directory:
>>>> > /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
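The ownership check discussed in this thread, as an added example that is not part of the original messages or of Squid itself: it reads `cache_effective_user` from a squid.conf (falling back to the documented default `nobody`) and lists every entry under the SSL certificate database directory that the account does not own. The function names and the script's argument order are assumptions made for this example; it only reads and changes nothing.

```shell
#!/bin/sh
# Added example: verify that an ssl_crtd database tree is owned by the
# account Squid drops privileges to. Read-only; nothing is modified.

# Print the cache_effective_user set in a squid.conf, or the documented
# default ("nobody") when the directive is absent or commented out.
squid_effective_user() {
    conf=$1
    user=$(awk '$1 == "cache_effective_user" { u = $2 } END { print u }' "$conf")
    echo "${user:-nobody}"
}

# List entries under directory $2 not owned by the effective user of
# config $1. Returns 0 when everything matches, 1 on ownership
# mismatches, 2 when the account or the directory does not exist.
check_ssl_db_owner() {
    conf=$1 db=$2
    user=$(squid_effective_user "$conf")
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such account: $user" >&2; return 2; }
    [ -d "$db" ] || { echo "missing directory: $db" >&2; return 2; }
    bad=$(find "$db" ! -user "$uid" -print)
    if [ -n "$bad" ]; then
        echo "not owned by $user:"
        echo "$bad"
        return 1
    fi
    echo "OK: $db is owned by $user"
}

# Stand-alone use: sh check_ssl_db.sh /etc/squid/squid.conf /var/lib/ssl_db
if [ $# -eq 2 ]; then check_ssl_db_owner "$1" "$2"; fi
```

Run against the root-owned listing quoted above, a check like this would report every entry, which matches the diagnosis that Squid has no access to the SSL cache directory structures.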