[squid-users] squid-users Digest, Vol 37, Issue 30

Yuri yvoinov at gmail.com
Wed Sep 13 20:03:30 UTC 2017


For a change, I agree with Eliezer. And about the documentation of
open source, it is best to stay mournfully silent.


14.09.2017 0:02, Eliezer Croitoru wrote:
> I do not care if someone asks even if the docs are answering.
> The docs of squid-cache are not something anyone should be able to remember by heart or even browse and just "find" a solution or a direction.
> We (at least me) are here to try and help even for the cases which the docs already cover.
>
> All The Bests,
> Eliezer
>
> ----
> http://ngtech.co.il/lmgtfy/
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Adrian Miller
> Sent: Monday, September 11, 2017 23:31
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] squid-users Digest, Vol 37, Issue 30
>
> Jesus, never seen so many messages that could have been answered by reading the basic squid docs.
>
> Tempted to unsub....sheesh
>
> On 12 Sep. 2017 6:19 am, <mailto:squid-users-request at lists.squid-cache.org> wrote:
> Send squid-users mailing list submissions to
>         mailto:squid-users at lists.squid-cache.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.squid-cache.org/listinfo/squid-users
> or, via email, send a message with subject or body 'help' to
>         mailto:squid-users-request at lists.squid-cache.org
>
> You can reach the person managing the list at
>         mailto:squid-users-owner at lists.squid-cache.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of squid-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Need assistance debugging Squid error: ssl_ctrd helpers
>       crashing too quickly (Rohit Sodhia)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 11 Sep 2017 16:18:39 -0400
> From: Rohit Sodhia <mailto:sodhia.rohit at gmail.com>
> To: Yuri <mailto:yvoinov at gmail.com>
> Cc: mailto:squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Need assistance debugging Squid error:
>         ssl_ctrd helpers crashing too quickly
> Message-ID:
>         <mailto:CAN1w9tfQt3Mivwpyo%2Bu3Qp0agQ8pOgz2MGo2Wvb5AdGU3zbkjw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so guess
> I'll have to learn how to compile it myself; never compiled a package
> before.
>
> On Mon, Sep 11, 2017 at 4:17 PM, Yuri <mailto:yvoinov at gmail.com> wrote:
>
>> Hardly,
>>
>> most probably something in repo's package. However, upgrade is always
>> recommended, especially with modern functionality. It changes fast enough.
>>
>> 12.09.2017 2:15, Rohit Sodhia wrote:
>>
>> Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of the
>> problem?
>>
>> On Mon, Sep 11, 2017 at 4:07 PM, Yuri <mailto:yvoinov at gmail.com> wrote:
>>
>>> Seems latest 4.0.21 is good enough. Most critical SSL-related bugs almost
>>> closed or closed.
>>>
>>> At least the latest 3.5.27 is released. AFAIK this is the minimum for
>>> problem-free running.
>>>
>>> Repository software sometimes has strange quirks, or is sometimes rancid.
>>> 12.09.2017 2:05, Rohit Sodhia wrote:
>>>
>>> I'll try to find it, but I read a few articles/SO questions that
>>> suggested there were bugs in 4 relating to SSL bumping? If they were wrong,
>>> I'd be glad to go forward. Should I be removing the yum squid package and
>>> compile my own? Is 3.5 problematic besides being old?
>>>
>>> On Mon, Sep 11, 2017 at 4:02 PM, Yuri <mailto:yvoinov at gmail.com> wrote:
>>>
>>>> Wait. Squid 3.5.20? So ancient?
>>>>
>>>> 12.09.2017 1:58, Rohit Sodhia wrote:
>>>>
>>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>>
>>>> I used the line from the Stack Overflow question I linked earlier.
>>>>
>>>> On Mon, Sep 11, 2017 at 3:41 PM, Yuri <mailto:yvoinov at gmail.com> wrote:
>>>>
>>>>> Well. Let's check more deeply.
>>>>>
>>>>> Show me parameter sslcrtd_program in your squid.conf
>>>>>
>>>>> 12.09.2017 1:23, Rohit Sodhia wrote:
>>>>>
>>>>> Unfortunately, no luck yet. Thank you again for your help before.
>>>>>
>>>>> I found that the user squid and group squid existed already, so I added
>>>>>
>>>>> cache_effective_user squid
>>>>> cache_effective_group squid
>>>>>
>>>>> to my config (first two lines), made sure /var/lib/ssl_db and its
>>>>> contents were set to squid:squid and restarted the service, but I'm still
>>>>> getting the same error :(
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia <mailto:sodhia.rohit at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> I'll try that immediately, thanks! I appreciate all your advice;
>>>>>> hopefully I won't have to reach out again :p
>>>>>>
>>>>>> On Mon, Sep 11, 2017 at 2:39 PM, Yuri <mailto:yvoinov at gmail.com> wrote:
>>>>>>
>>>>>>> I'm not a Linux fanboy, but modern squid never runs as root. So, most
>>>>>>> probably it runs as nobody user.
>>>>>>>
>>>>>>> Ah, yes:
>>>>>>>
>>>>>>> #  TAG: cache_effective_user
>>>>>>> #    If you start Squid as root, it will change its effective/real
>>>>>>> #    UID/GID to the user specified below.  The default is to change
>>>>>>> #    to UID of nobody.
>>>>>>> #    see also; cache_effective_group
>>>>>>> #Default:
>>>>>>> # cache_effective_user nobody
>>>>>>>
>>>>>>> #  TAG: cache_effective_group
>>>>>>> #    Squid sets the GID to the effective user's default group ID
>>>>>>> #    (taken from the password file) and supplementary group list
>>>>>>> #    from the groups membership.
>>>>>>> #
>>>>>>> #    If you want Squid to run with a specific GID regardless of
>>>>>>> #    the group memberships of the effective user then set this
>>>>>>> #    to the group (or GID) you want Squid to run as. When set
>>>>>>> #    all other group privileges of the effective user are ignored
>>>>>>> #    and only this GID is effective. If Squid is not started as
>>>>>>> #    root the user starting Squid MUST be member of the specified
>>>>>>> #    group.
>>>>>>> #
>>>>>>> #    This option is not recommended by the Squid Team.
>>>>>>> #    Our preference is for administrators to configure a secure
>>>>>>> #    user account for squid with UID/GID matching system policies.
>>>>>>> #Default:
>>>>>>> # Use system group memberships of the cache_effective_user account
>>>>>>>
>>>>>>> As documented. :)
>>>>>>>
>>>>>>> AFAIK the best solution is to create a non-privileged group & user (like
>>>>>>> squid/squid) and set both these parameters explicitly.
>>>>>>>
>>>>>>> Then change owner recursively on SSL cache to this user.
>>>>>>>
>>>>>>> 12.09.2017 0:36, Rohit Sodhia wrote:
>>>>>>>
>>>>>>> Neither of those values are set in my config. Even though I'm not
>>>>>>> using squid for caching, I need those values? They aren't set in the
>>>>>>> default configs either.
>>>>>>>
>>>>>>> On Mon, Sep 11, 2017 at 2:33 PM, Yuri <mailto:yvoinov at gmail.com> wrote:
>>>>>>>
>>>>>>>> Most probably your squid runs as another user than squid.
>>>>>>>>
>>>>>>>> Check your squid.conf for cache_effective_user and
>>>>>>>> cache_effective_group values.
>>>>>>>>
>>>>>>>> Then change SSL cache permissions to these values. Should work.
>>>>>>>>
>>>>>>>> 12.09.2017 0:30, Rohit Sodhia wrote:
>>>>>>>>
>>>>>>>> Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it
>>>>>>>> set it up like that. I changed the owner and group to squid:squid and tried
>>>>>>>> restarting squid, but still get the same errors. I thought to run the
>>>>>>>> command again, but this time it says
>>>>>>>>
>>>>>>>> /usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db
>>>>>>>>
>>>>>>>> If this folder has incorrect permissions are there possibly other
>>>>>>>> permission issues?
>>>>>>>>
>>>>>>>> On Mon, Sep 11, 2017 at 2:25 PM, Yuri <mailto:yvoinov at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Here is the root of your problem.
>>>>>>>>>
>>>>>>>>> Should be (on my setups):
>>>>>>>>>
>>>>>>>>> # ls -al /var/lib/ssl_db
>>>>>>>>> total 326
>>>>>>>>> drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .
>>>>>>>>> drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..
>>>>>>>>> drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs
>>>>>>>>> -rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
>>>>>>>>> -rw-r--r-- 1 squid squid      7 Sep 11 23:37 size
>>>>>>>>>
>>>>>>>>> I.e. Squid has no access to SSL cache dir structures.
>>>>>>>>>
>>>>>>>>> 12.09.2017 0:23, Rohit Sodhia wrote:
>>>>>>>>>
>>>>>>>>> total 8
>>>>>>>>> drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
>>>>>>>>> drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
>>>>>>>>> drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
>>>>>>>>> -rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
>>>>>>>>> -rw-r--r--.  1 root root    1 Sep 11 12:42 size
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Sep 11, 2017 at 2:22 PM, Yuri <mailto:yvoinov at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Show output of
>>>>>>>>>>
>>>>>>>>>> ls -al /var/lib/ssl_db
>>>>>>>>>>
>>>>>>>>>> 12.09.2017 0:21, Rohit Sodhia wrote:
>>>>>>>>>>
>>>>>>>>>> Yes, but telling me it's crashing unfortunately doesn't help me
>>>>>>>>>> figure out why or how to fix it. I've run the command it suggests but it
>>>>>>>>>> doesn't help. I'm unfortunately not an ops guy familiar with this kind of
>>>>>>>>>> stuff; I don't see anything on how to figure out what to do about it.
>>>>>>>>>>
>>>>>>>>>> On Mon, Sep 11, 2017 at 2:17 PM, Yuri <mailto:yvoinov at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> It tells you what happens.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 11.09.2017 23:50, Rohit Sodhia wrote:
>>>>>>>>>>>> (ssl_crtd): Uninitialized SSL certificate database directory:
>>>>>>>>>>>> /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".


More information about the squid-users mailing list
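
The checks walked through in this thread, as an added example that is not part of any of the original messages: it reads `cache_effective_user` and the `-s` directory of `sslcrtd_program` from a squid.conf, then reports certificate database entries that are missing or not owned by that account. The function names are hypothetical, and owner parsing assumes the usual `ls -l` field order and paths without spaces.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Account Squid switches to when started as root; the squid.conf
# documentation quoted in the thread gives "nobody" as the default.
effective_user() {
    awk '$1 == "cache_effective_user" { u = $2 }
         END { print (u == "" ? "nobody" : u) }' "$1"
}

# Database directory: the argument following -s on the sslcrtd_program line.
ssl_db_dir() {
    awk '$1 == "sslcrtd_program" {
             for (i = 2; i < NF; i++) if ($i == "-s") d = $(i + 1)
         }
         END { print d }' "$1"
}

# Report problems on stdout; return 0 only when the layout is complete
# and every entry (recursively) is owned by user $2.
check_ssl_db() {
    db=$1; user=$2; bad=0
    # Entries present in the working listing posted in the thread.
    [ -d "$db/certs" ] || { echo "missing: $db/certs"; bad=1; }
    for f in index.txt size; do
        [ -f "$db/$f" ] || { echo "missing: $db/$f"; bad=1; }
    done
    # Field 3 of "ls -ld" is the owner; $NF is the path (no spaces assumed).
    find "$db" -exec ls -ld {} + 2>/dev/null |
        awk -v u="$user" '$3 != u { print "owner " $3 ", want " u ": " $NF; n = 1 }
                          END { exit n }' || bad=1
    return "$bad"
}

# Usage: sh check_ssl_db.sh /etc/squid/squid.conf
if [ -n "${1:-}" ]; then
    check_ssl_db "$(ssl_db_dir "$1")" "$(effective_user "$1")" && echo "ssl_db OK"
fi
```

Run against the root-owned listing posted in the thread, every entry would be reported as an owner mismatch for either `squid` or the default `nobody`.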