Re: [squid-users] Squid behaviour with external_acl_type

2015-03-30 Thread Amos Jeffries
On 29/03/2015 4:55 a.m., Ashish Patil wrote:
> Hello,
> 
> I am faced with a weird situation with an external acl that I have built.
> 
> The external acl gets the acl name and the IP information, does a lookup in
> a MySQL table if that IP belongs to a group ( read: acl name ) and returns
> an output.
> 
> The situation is as follows:
>  On the first client request coming to the external helper, it performs as
> expected, and the correct action is taken. Whereas from the second request
> onwards, Squid just waits on the external acl, even though a response was
> sent by the acl, and the same was received by Squid.
> 
> My acl's are as follows:
> external_acl_type grpname ttl=10 children-startup=1 concurrency=1 %SRC %ACL
> /usr/local/squid/libexec/grpname_helper
> acl two external grpname
> acl twoext urlpath_regex
> "/usr/local/squid/etc/custom/blacklisted-two-extensions"
> deny_info http://192.168.3.11/error.html two
> http_access deny twoext two
> 

> 
> To verify Squid was getting the responses from the external acl, I ran a
> strace on the squid process. Below is the trimmed output:
> 

> write(19, "0 192.168.3.243 two\n", 20)  = 20
> read(19, "OK\n\0", 4095)= 4


Problem #1:
 Squid is using concurrency channels. The helper is not sending the
channel-ID field in the reply. Try setting concurrency=0 on squid.conf
to fix that - or better, update the helper to use concurrency properly.


Problem #2:
 The helper is sending a '\0' octet after the \n.
 The \n delimits the first and second response. So the \0 is left in the
buffer until the second response is being handled.

When the second lookup happens its response is "\0OK" not the "OK" you
were expecting. Same thing also happens with all following lookups on
this helper.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
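The helper protocol Amos describes, as an added example that is not part of the original thread or of Squid's own code: a minimal external ACL helper for the `grpname` definition above that echoes the concurrency channel-ID and ends every reply with a bare newline, plus a small model of Squid's reply buffering that shows why the stray `\0` turns the second reply into `\0OK`. `GROUP_TABLE` is a constructed stand-in for the MySQL lookup, and `BH` is the helper-failure reply accepted by Squid 3.4 and later.

```python
#!/usr/bin/env python3
"""External ACL helper for: external_acl_type grpname ... concurrency=1 %SRC %ACL <helper>

Request line from Squid (concurrency > 0):  "<channel-id> <src-ip> <acl-name>" + newline
Reply expected by Squid:                    "<channel-id> OK" or "<channel-id> ERR" + newline
Added example, not Squid's code. GROUP_TABLE is a constructed stand-in for the
MySQL table a real helper would query.
"""
import sys

GROUP_TABLE = {
    "192.168.3.243": {"two"},
    "192.168.3.10": {"one", "two"},
}


def lookup(src_ip, acl_name):
    """True when src_ip is a member of the group the ACL name refers to."""
    return acl_name in GROUP_TABLE.get(src_ip, set())


def handle_request(line):
    """Build the reply for one request line.

    The channel-id is echoed back verbatim so Squid can match the reply to the
    pending lookup; the newline alone terminates the reply (no trailing NUL).
    """
    parts = line.rstrip("\n").split()
    if len(parts) != 3:
        # Malformed request: still answer on the channel so Squid does not wait forever.
        chan = parts[0] if parts and parts[0].isdigit() else "0"
        return f"{chan} BH\n"  # BH = helper failure (Squid 3.4+ helper protocol)
    chan, src_ip, acl_name = parts
    return f"{chan} {'OK' if lookup(src_ip, acl_name) else 'ERR'}\n"


class ReplyReader:
    """Model of how Squid consumes helper output: bytes accumulate in a buffer
    and each newline-terminated chunk is handed over as one reply. Anything
    after the newline stays in the buffer and becomes the prefix of the next
    reply."""

    def __init__(self):
        self.buf = b""

    def feed(self, data):
        self.buf += data
        replies = []
        while b"\n" in self.buf:
            raw, self.buf = self.buf.split(b"\n", 1)
            replies.append(raw)
        return replies


def parse_reply(raw):
    """Split a raw reply into (channel_id, verdict); None if the first token is
    not a decimal channel-id, which is what Squid sees for a bare 'OK' and for a
    NUL-prefixed 'OK'."""
    tokens = raw.split(b" ", 1)
    if not tokens[0].isdigit():
        return None
    verdict = tokens[1].decode() if len(tokens) > 1 else ""
    return int(tokens[0]), verdict


def buggy_helper_session():
    """Replay the strace: the helper answers every lookup with b'OK\\n\\0'.
    The first reply lacks the channel-id, the second is NUL-prefixed as well."""
    reader = ReplyReader()
    seen = []
    for _ in range(2):
        for raw in reader.feed(b"OK\n\0"):
            seen.append((raw, parse_reply(raw)))
    return seen


def fixed_helper_session():
    """Two lookups through the corrected helper: first IP is in group 'two', second is not."""
    reader = ReplyReader()
    seen = []
    for req in ("0 192.168.3.243 two\n", "0 192.168.3.99 two\n"):
        for raw in reader.feed(handle_request(req).encode()):
            seen.append(parse_reply(raw))
    return seen


def main():
    # Real helper loop: answer each request line immediately and flush, since Squid
    # waits on the reply for that channel before reusing it.
    for line in sys.stdin:
        sys.stdout.write(handle_request(line))
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

`buggy_helper_session()` returns `[(b"OK", None), (b"\x00OK", None)]`: even with `concurrency=0`, where the missing channel-id would not matter, the leftover NUL still breaks every reply after the first. `fixed_helper_session()` returns `[(0, "OK"), (0, "ERR")]`.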


Re: [squid-users] squid intercept config

2015-03-30 Thread Monah Baki
On 10.0.0.24

root@ISN-PHC-CACHE:/home/support # netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address  Foreign Address(state)
tcp4   0 52 10.0.0.24.22   96.255.8.226.50911
ESTABLISHED
tcp4   0  0 *.3129 *.*LISTEN
tcp4   0  0 *.3128 *.*LISTEN
tcp4   0  0 *.81   *.*LISTEN
tcp6   0  0 *.81   *.*LISTEN
tcp4   0  0 *.22   *.*LISTEN
tcp6   0  0 *.22   *.*LISTEN
tcp6   0  0 ::1.562::1.40066
ESTABLISHED
tcp6   0  0 ::1.40066  ::1.562
ESTABLISHED
tcp6   0  0 *.561  *.*LISTEN
tcp6   0  0 *.562  *.*LISTEN
tcp4   0  0 *.199  *.*LISTEN
tcp4   0  0 *.1*.*LISTEN
udp4   0  0 *.3401 *.*
udp4   0  0 *.34985*.*
udp4   0  0 *.**.*
udp4   0  0 *.161  *.*
udp4   0  0 *.162  *.*
udp4   0  0 *.1*.*
udp4   0  0 127.0.0.1.123  *.*
udp6   0  0 fe80::1%lo0.123*.*
udp6   0  0 ::1.123*.*
udp4   0  0 10.0.0.24.123  *.*
udp6   0  0 *.123  *.*
udp4   0  0 *.123  *.*
udp4   0  0 *.514  *.*
udp6   0  0 *.514  *.*



On Thu, Mar 5, 2015 at 12:12 PM, Yuri Voinov  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> - From your PC run telnet 10.0.0.24 80. You've seen if TCP socket opens.
>
> 05.03.15 23:10, Monah Baki wrote:
> > How can I confirm, I have access only to the BSD box
> >
> > Thanks
> >
> > On Thu, Mar 5, 2015 at 11:12 AM, Yuri Voinov 
> > wrote:
> >
> > Does 80 port outside BSD-box listens?
> >
> > 05.03.15 21:25, Monah Baki wrote:
>  root@ISN-PHC-CACHE:/cache/squid/bin # tcpdump -n -e -ttt -i
>  pflog0 tcpdump: WARNING: pflog0: no IPv4 address assigned
>  tcpdump: verbose output suppressed, use -v or -vv for full
>  protocol decode listening on pflog0, link-type PFLOG (OpenBSD
>  pflog file), capture size 65535 bytes capability mode sandbox
>  enabled 00:00:00.00 rule 0..16777216/0(match): pass in on
>  bge0: 10.0.0.106.5678
> > 255.255.255.255.5678: UDP, length 88
>  00:00:08.342860 rule 0..16777216/0(match): pass in on bge0:
>  10.0.0.14.54264
> > 10.0.0.24.22: Flags [S], seq 3823043622, win 8192, options
> > [mss
>  1460,nop,wscale 2,nop,nop,sackOK], length 0
> 
> 
> 
>  On Thu, Mar 5, 2015 at 10:20 AM, Yuri Voinov
>   wrote:
> 
>  Hm. No.
> 
>  We not checked only OS.
> 
>  Does your BSD really loads PF module?
> 
>  05.03.15 21:16, Monah Baki wrote:
> >>> Not sure why the client is running old hard/soft ware,
> >>> could it be cause of the hardware? Is FreeBSD an issue,
> >>> should I switch to linux?
> >>>
> >>> On Thu, Mar 5, 2015 at 10:14 AM, Yuri Voinov
> >>>  wrote:
> >>>
> >>> Wow, 7600!
> >>>
> >>> But why is so antique iOS?! Current is 15.4
> >>>
> >>> 05.03.15 21:09, Monah Baki wrote:
> >> PORT   STATE SERVICE VERSION 23/tcp open  telnet
> >> Cisco IOS telnetd MAC Address: 88:5A:92:63:77:81
> >> (Cisco) Device type: router Running: Cisco IOS
> >> 12.X OS CPE: cpe:/h:cisco:7600_router
> >> cpe:/o:cisco:ios:12.2 OS details: Cisco 7600
> >> router (IOS 12.2) Network Distance: 1 hop TCP
> >> Sequence Prediction: Difficulty=258 (Good luck!)
> >> IP ID Sequence Generation: Randomized Service
> >> Info: OS: IOS; Device: switch; CPE:
> >> cpe:/o:cisco:ios
> >>
> >>
> >> On Thu, Mar 5, 2015 at 9:31 AM, Yuri Voinov
> >>  wrote:
> >>
> >> What is Cisco model and iOS version?
> >>
> >> 05.03.15 20:25, Monah Baki wrote:
> > Yes, correct
> >
> > On Thu, Mar 5, 2015 at 9:23 AM, Yuri
> > Voinov  wrote:
> >
> > 10.0.0.23 is your host? And 10.0.0.24 is
> > proxy box?
> >
> > 05.03.15 20:15, Monah Baki wrote:
>  '--prefix=/cache/squid'
>  '--enable-follow-x-forwarded-for'
>  '--with-large-files' '--enable-ssl'
>  '--disable-ipv6' '--enable-esi'
>  '--enable-kill-parent-hack'
>  '--enable-snmp' '--with-pthreads'
>  '--with-filedescriptors=65535'
> 

Re: [squid-users] Fwd: squid intercept config

2015-03-30 Thread Monah Baki
Windows Client - 10.0.0.23 MAC (9d:3a:96)

root@ISN-PHC-CACHE:/home/support # arp -a
 (10.0.0.9) at 00:00:0c:07:ac:01 on bge0 THIS IS THE PHYSICAL INTERFACE ON
THE ROUTER
 (10.0.0.10) at 88:5a:92:63:77:81 on bge0  THIS IS THE GATEWAY IP ON THE
DESKTOP AND SQUID SERVER
 (10.0.0.24) at a0:d3:c1:06:a5:c4 on bge0 THIS IS THE SQUID SERVER


Frames 8 and 9 are where I get my access denied.

No. TimeSourceDestination   Protocol
Length Info
  7 0.50804168.71.212.158 10.0.0.23 TCP
3902   80→42794 [PSH, ACK] Seq=412 Ack=401 Win=65664 Len=1460

Frame 7: 3902 bytes on wire (31216 bits), 1500 bytes captured (12000 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Mar  6, 2015 09:41:41.453922000 Eastern Standard Time
[Time shift for this packet: 0.0 seconds]
Epoch Time: 1425652901.453922000 seconds
[Time delta from previous captured frame: 0.000118000 seconds]
[Time delta from previous displayed frame: 0.000118000 seconds]
[Time since reference or first frame: 0.508041000 seconds]
Frame Number: 7
Frame Length: 3902 bytes (31216 bits)
Capture Length: 1500 bytes (12000 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:http]
[Coloring Rule Name: HTTP]
[Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4), Dst:
CompalIn_9d:3a:96 (20:89:84:9d:3a:96)
Destination: CompalIn_9d:3a:96 (20:89:84:9d:3a:96)
Source: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 68.71.212.158 (68.71.212.158), Dst:
10.0.0.23 (10.0.0.23)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
Not-ECT (Not ECN-Capable Transport))
Total Length: 1500
Identification: 0x (8738)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0x [validation disabled]
Source: 68.71.212.158 (68.71.212.158)
Destination: 10.0.0.23 (10.0.0.23)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 80 (80), Dst Port: 42794 (42794),
Seq: 412, Ack: 401, Len: 1460

No. TimeSourceDestination   Protocol
Length Info
  8 0.50807368.71.212.158 10.0.0.23 TCP
170[TCP Previous segment not captured] [TCP segment of a reassembled
PDU]

Frame 8: 170 bytes on wire (1360 bits), 170 bytes captured (1360 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Mar  6, 2015 09:41:41.453954000 Eastern Standard Time
[Time shift for this packet: 0.0 seconds]
Epoch Time: 1425652901.453954000 seconds
[Time delta from previous captured frame: 0.32000 seconds]
[Time delta from previous displayed frame: 0.32000 seconds]
[Time since reference or first frame: 0.508073000 seconds]
Frame Number: 8
Frame Length: 170 bytes (1360 bits)
Capture Length: 170 bytes (1360 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags &&
!tcp.analysis.window_update]
Ethernet II, Src: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4), Dst:
CompalIn_9d:3a:96 (20:89:84:9d:3a:96)
Destination: CompalIn_9d:3a:96 (20:89:84:9d:3a:96)
Source: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 68.71.212.158 (68.71.212.158), Dst:
10.0.0.23 (10.0.0.23)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
Not-ECT (Not ECN-Capable Transport))
Total Length: 156
Identification: 0x2223 (8739)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0x [validation disabled]
Source: 68.71.212.158 (68.71.212.158)
Destination: 10.0.0.23 (10.0.0.23)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 80 (80), Dst Port: 42794 (42794),
Seq: 4260, Ack: 401, Len: 116

No. TimeSourceDestination   Protocol
Length Info
  9 0.50883510.0.0.23 68.71.212.158 TCP
60 [TCP ACKed unseen segment] 42794→80 [ACK] Seq=401 Ack=3332 Win=65536
Len=0

Frame 9: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Mar  6, 2015 09:41:41.454716000 Eastern Standard Time
[Time shift for this packet: 0.0 seconds]
Epoch Time: 1425652901.454716000 seconds
[Time delta from previous captured frame: 0.000762000 seconds]
[Time delta from previous displayed frame: 0.000762000 seconds]
[Time since reference or first frame: 0.508835000 seconds]
Frame Number: 9
 

Re: [squid-users] Editing Makefile.am to include static libraries

2015-03-30 Thread Priya Agarwal
Hi,

I am now linking the libraries during ./configure with LDFLAGS, LIBS and
CXXFLAGS options (Makefile.am is same as it was)  Compile is failing
presently.

main.o: In function `of_init':
/media/NewVolume/yocto/build_t4240qds_release/tmp/sysroots/t4240qds/usr/include/usdpaa/of.h:52:
undefined reference to `of_init_path(char const*)'
collect2: error: ld returned 1 exit status
powerpc-fsl_networking-linux-libtool: link: rm -f ".libs/squidS.o"

Does it mean I haven't linked the library that has of_init()? [But I
think I have done that, as ./configure passed and the libraries are even visible
in the log.]
Or do I need to link something else?

Here are the flags passed to ./configure:
EXTRA_OECONF_append = "LDFLAGS="-L=/usr/lib/" \
LIBS="-lusdpaa_dma -lusdpaa_dma_mem -lusdpaa_of -lusdpaa_fman
-lusdpaa_qbman -lusdpaa_syscfg" \
CXXFLAGS="-I=/usr/include/""

Attached the logfile too.



On Fri, Mar 13, 2015 at 5:29 PM, Amos Jeffries  wrote:

> On 14/03/2015 12:28 a.m., Priya Agarwal wrote:
> > I tried what you advised. Getting the same error for both methods
> > (./configure LDFLAGS=-L<../tmp/../lib CXXFLAGS=-I<.../tmp../include or
> > editing Makefile.am appropriately). autoreconf is failing.
>
> I see "<" characters in your paths. That is invalid. As are the -I path
> segments "..." and "tmp..": it looks like you are missing a '/' somewhere.
>
>
> > And also I am getting many such warnings:
> >
> > | src/Common.am:16: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS'
> > (or '*_CPPFLAGS')
> > | compat/Makefile.am:5:   'src/Common.am' included from here
> > | src/Common.am:16: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS'
> > (or '*_CPPFLAGS')
> > | helpers/basic_auth/DB/Makefile.am:1:   'src/Common.am' included from
> here
> > | src/Common.am:16: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS'
> > (or '*_CPPFLAGS')
> > | helpers/basic_auth/LDAP/Makefile.am:1:   'src/Common.am' included from
> > here
> > | src/Common.am:16: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS'
> > (or '*_CPPFLAGS')
> > | helpers/basic_auth/MSNT-multi-domain/Makefile.am:1:   'src/Common.am'
> > included from here
> > | src/Common.am:16: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS'
> > (or '*_CPPFLAGS')
> >
>
> Those are just warnings because you are working with an old Squid
> version and autotools have changed their requirements since. The current
> release doesn't have quite so many warnings (some remain). Those can be
> ignored.
>
> It does mean that what I wrote as AM_CPPFLAGS needs to instead be written
> as INCLUDES in your Squid version's Makefile.am.
>
>
> > Final error:
> > | autoreconf: automake failed with exit status: 1
> > | ERROR: autoreconf execution failed.
> >
> > So is something wrong with the path?
>
> I see "<" characters in what you
>
> >
> > I have attached the logfile as well which shows the detailed output.
> >
>
> Buried in the warnings I see this:
>
> src/Makefile.am:661: error: '#' comment at start of rule is unportable
>
>
> automake syntax has two forms of comment.
>  ## comments are autoreconf comments and ignored
>  # comments are copied through as-is to the final Makefile
>
> If you are using multi-line wrapped lists of things, that can cause
> issues. It's easier to just never use comments inside the wrapped lines.
>
>
> Other things to watch out for auth makefiles:
>
> * indentation for rules needs to be one tab, not spaces. This needs
> checking after each copy-paste you do.
>
> * multi-line rules and lists use '\' character ending to explicitly
> define the wrapping.
>   Be careful that lists of libraries etc use them on each line up to,
> but not on, the final line of the list.
>
>
> Amos


log.do_compile.10426
Description: Binary data
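The three automake pitfalls Amos lists (a `#` comment at the start of a rule, recipe lines indented with spaces, and a trailing `\` on the last line of a wrapped list), checked mechanically. This is an added example, not part of the thread or of Squid's build system; the detection heuristics are the script's own and `SAMPLE` is a constructed fragment, not Squid's src/Makefile.am. A real autoreconf run remains the authority; the script only flags the patterns named in the reply.

```python
#!/usr/bin/env python3
"""Flag the automake pitfalls named in the reply in a Makefile.am fragment.

Added example with its own heuristics; SAMPLE is constructed, not Squid's file.
"""

SAMPLE = """\
## automake-only comment: dropped by autoreconf, safe anywhere
bin_PROGRAMS = squid
squid_LDADD = \\
\t-lusdpaa_of \\
\t-lusdpaa_dma \\
\t-lusdpaa_qbman \\

squid.o: squid.cc
    # copied into the Makefile, and at the start of a rule: unportable
\tg++ -c squid.cc
"""


def lint_makefile_am(text):
    """Return a list of (line number, message) findings for the fragment."""
    findings = []
    lines = text.split("\n")
    in_recipe = False  # True while inside the recipe lines that follow a "target: deps" line
    for num, line in enumerate(lines, 1):
        stripped = line.strip()
        following = lines[num] if num < len(lines) else ""
        if stripped.startswith("##"):
            continue  # automake-only comment: never copied to the Makefile
        # A continuation backslash on the final entry joins the blank line (or the
        # next statement) into the list.
        if line.endswith("\\") and following.strip() == "":
            findings.append((num, "trailing '\\' on the last line of a wrapped list"))
        # Heuristic rule detection: unindented "target: deps" with no assignment.
        if line and line[0] not in " \t" and ":" in line and "=" not in line:
            in_recipe = True
            continue
        if stripped == "":
            in_recipe = False
            continue
        if in_recipe:
            if line[0] == " ":
                findings.append((num, "recipe line indented with spaces; must be one tab"))
            if stripped.startswith("#"):
                findings.append((num, "'#' comment at start of rule is unportable"))
    return findings


if __name__ == "__main__":
    for num, msg in lint_makefile_am(SAMPLE):
        print(f"line {num}: {msg}")
```

Run against `SAMPLE`, the script reports line 6 (the last `-lusdpaa_qbman \` entry) and line 9 twice, once for the space indentation and once for the `#` comment; the same fragment with the final backslash dropped and the comment removed comes back clean.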


Re: [squid-users] Refresh ACL list only

2015-03-30 Thread Samuel Anderson
This is my config file. It takes about 30 seconds to reload when using the
command (sudo squid3 -k reconfigure)



http_port 3128
visible_hostname squid.##.local
error_directory /etc/squid3/errors/en

# Recommended minimum configuration:
#
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/22 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS


#Kerberos and NTLM authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm
/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
--domain=### --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s
GSS_C_NO_NAME
auth_param negotiate children 30
auth_param negotiate keep_alive off

# LDAP authentication
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b
"DC=#,DC=local" -D "CN=SQUID,OU=# Service
Accounts,DC=#,DC=local" -w "#" -f sAMAccountName=%s -h
###
auth_param basic children 150
auth_param basic realm Please enter your Domain credentials to continue
auth_param basic credentialsttl 1 hour

# AD group membership commands
external_acl_type ldap_group ttl=60 children-startup=10 children-max=50
children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
"DC=##,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=#,DC=local" -w
"#" -f "(&(objectclass=person)
(sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL
Groups,DC=#,DC=local))" -h ##


#

acl auth proxy_auth REQUIRED

# Individual Allow Groups LDAP #

acl ALLOW-ABORTION external ldap_group INTERNET-ALLOW-ABORTION
acl ALLOW-ANTISPYWARE external ldap_group INTERNET-ALLOW-ANTISPYWARE
acl ALLOW-AUDIO-VIDEO external ldap_group INTERNET-ALLOW-AUDIO-VIDEO
acl ALLOW-BLOG external ldap_group INTERNET-ALLOW-BLOG
acl ALLOW-CELLPHONES external ldap_group INTERNET-ALLOW-CELLPHONES
acl ALLOW-CHAT external ldap_group INTERNET-ALLOW-CHAT
acl ALLOW-CHILDCARE external ldap_group INTERNET-ALLOW-CHILDCARE
acl ALLOW-CLEANING external ldap_group INTERNET-ALLOW-CLEANING
acl ALLOW-CLOTHING external ldap_group INTERNET-ALLOW-CLOTHING
acl ALLOW-CONTRACEPTION external ldap_group INTERNET-ALLOW-CONTRACEPTION
acl ALLOW-CULINARY external ldap_group INTERNET-ALLOW-CULINARY
acl ALLOW-DATING external ldap_group INTERNET-ALLOW-DATING
acl ALLOW-DRUGS external ldap_group INTERNET-ALLOW-DRUGS
acl ALLOW-ECOMMERCE external ldap_group INTERNET-ALLOW-ECOMMERCE
acl ALLOW-ENTERTAINMENT external ldap_group INTERNET-ALLOW-ENTERTAINMENT
acl ALLOW-FILEHOSTING external ldap_group INTERNET-ALLOW-FILEHOSTING
acl ALLOW-FRENCHEDUCATION external ldap_group INTERNET-ALLOW-FRENCHEDUCATION
acl ALLOW-GAMES external ldap_group INTERNET-ALLOW-GAMES
acl ALLOW-GARDENING external ldap_group INTERNET-ALLOW-GARDENING
acl ALLOW-GUNS external ldap_group INTERNET-ALLOW-GUNS
acl ALLOW-HACKING external ldap_group INTERNET-ALLOW-HACKING
acl ALLOW-HOMEREPAIR external ldap_group INTERNET-ALLOW-HOMEREPAIR
acl ALLOW-HYGIENE external ldap_group INTERNET-ALLOW-HYGIENE
acl ALLOW-INSTANTMESSAGING external ldap_group
INTERNET-ALLOW-INSTANTMESSAGING
acl ALLOW-JEWELRY external ldap_group INTERNET-ALLOW-JEWELRY
acl ALLOW-JOBSEARCH external ldap_group INTERNET-ALLOW-JOBSEARCH
acl ALLOW-MARKETINGWARE external ldap_group INTERNET-ALLOW-MARKETINGWARE
acl ALLOW-MEDICAL external ldap_group INTERNET-ALLOW-MEDICAL
acl ALLOW-MOBILE-PHONE external ldap_group INTERNET-ALLOW-MOBILE-PHONE
acl ALLOW-NEWS external ldap_group INTERNET-ALLOW-NEWS
acl ALLOW-ONLINEAUCTIONS external ldap_group INTERNET-ALLOW-ONLINEAUCTIONS
acl ALLOW-ONLINEGAMES external ldap_group INTERNET-ALLOW-ONLINEGAMES
acl ALLOW-ONLINEPAYMENT external ldap_group INTERNET-ALLOW-ONLINEPAYMENT
acl ALLOW-PERSONA

[squid-users] [squid-announce] OpenSSL Advisory 2015-03-19

2015-03-30 Thread Amos Jeffries
As you may be aware a number of security vulnerabilities have just been
announced regarding OpenSSL.
 

Several of these potentially impact Squid with Denial of Service and
connection failure side effects when using HTTPS or the SSL-Bump feature
set.

All users of Squid HTTPS and SSL features are advised to restart Squid
after upgrading their OpenSSL library to a fixed version.


There will be no direct Squid advisory regarding this since the
vulnerability is in OpenSSL itself, not Squid.


Amos Jeffries
Squid Software Foundation
___
squid-announce mailing list
squid-annou...@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-users] Squid 3.5.2 ssl_crtd kids causing abnormal termination of startup

2015-03-30 Thread Stanford Prescott
I'm still pulling my hair out trying to figure out why Squid 3.5.2 with SSL
caching enabled will only start after the /var/spool/squid/cache is
emptied. This is the debug info I am getting when starting Squid when the
cache is not emptied.

*2015/03/29 10:27:56.896| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.900| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.900| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.900| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.900| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56 kid1| Current Directory is /*
*2015/03/29 10:27:56 kid1| Creating missing swap directories*
*2015/03/29 10:27:56 kid1| /var/spool/squid/cache exists*
*2015/03/29 10:27:56 kid1| /var/spool/squid/cache/00 exists*
*2015/03/29 10:27:56 kid1| Making directories in /var/spool/squid/cache/00*
*2015/03/29 10:27:56 kid1| /var/spool/squid/cache/01 exists*
*2015/03/29 10:27:56 kid1| Making directories in /var/spool/squid/cache/01*
*2015/03/29 10:27:56 kid1| /var/spool/squid/cache/02 exists*
*2015/03/29 10:27:56 kid1| Making directories in /var/spool/squid/cache/02*
*2015/03/29 10:27:56 kid1| /var/spool/squid/cache/03 exists*
*2015/03/29 10:27:56 kid1| Making directories in /var/spool/squid/cache/03*
*2015/03/29 10:27:56 kid1| /var/spool/squid/cache/04 exists*
*2015/03/29 10:27:56 kid1| Making directories in /var/spool/squid/cache/04*
*2015/03/29 10:27:56 kid1| /var/spool/squid/cache/05 exists*
*2015/03/29 10:27:56 kid1| Making directories in /var/spool/squid/cache/05*
*2015/03/29 10:27:56.928| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.928| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56.929| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/29 10:27:56 kid1| /var/spool/squid/cache/06 exists*
*2015/03/29 10:27:56 kid1| Making directories in /var/spool/squid/cache/06*
*2015/03/29 10:27:56 kid1| /var/spool/squid/cache/07 exists*
*2015/03/29 10:27:56 kid1| Making directories in /var/spool/squid/cache/07*
*2015/03/29 10:27:56 kid1| /var/spool/squid/cache/08 exists*
*2015/03/29 10:27:56 kid1| Making directories in /var/spool/squid/cache/08*
*2015/03/29 10:27:56 kid1| /var/spool/squid/cache/09 exists*
*2015/03/29 10:27:56 kid1| Making directories

[squid-users] [squid-announce] Squid 3.5.3 is available

2015-03-30 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.3 release!


This release is a bug fix release resolving several issues found in
the prior Squid releases.


The major changes to be aware of:


* Regression Bug #4206: connection close on Expect:100-continue

It was found that large POST and PUT requests using Expect:100-continue
to a Squid-3.5.1 or 3.5.2 would reset the TCP connection instead of
allowing the upload to proceed. The working Squid-3.4 behaviour has now
been restored.


* Regression Bug #4213: negotiate_kerberos_auth segmentation faults

After Squid-3.5.2 updates to the Kerberos support it was found that this
helper was frequently, but not always, encountering a segmentation
fault. That is now fully resolved.

Also fixed in this release is support for the latest Heimdal libraries
and some unused Kerberos related code is no longer built.


* Bug #2907: high CPU usage on CONNECT when using Delay Pools

When Delay Pools was enabled Squid CONNECT handling tunnel code could
quickly empty the available pool bandwidth and would then also not wait
for it to be replenished, but repeatedly attempt to keep sending. While
this is not quite an "infinite loop" problem it is very similar in
effect, with CPU consumption reaching 100% and service through the proxy
slowing down dramatically.

While this is very old bug, it is starting to make itself felt more as
the quantity of HTTPS CONNECT requests increases.


* Bug #3805: support shared memory on MacOS X

This bug completely prevented using SMP support on MacOS X. As of this
release it should now be possible to use workers, shared memory cache
and rock storage on MacOS X.


* Bug #4204: ./configure abort when required helpers cannot be built

Previously the Squid ./configure script would treat a user-supplied list
of helpers as an optional list to attempt building, ignoring helpers
that were available but not listed. Being an optional list it would also
only warn if some of the list entries could not be built.

It is now treated as a list of required helpers - with a hard failure if
any cannot be built. This prevents automated build systems going through
a long build process only to find missing binaries at the install phase.


* basic_nis_auth and basic_getpwnam_auth updated

Other software has recently been awarded CVE allocation for bad handling
of crypt() system call failures resulting in Denial of Service. These
two Squid helpers were performing very similar operations and might
encounter the same failures. Fortunately these Squid helpers are fairly
isolated and Basic auth in Squid contains mechanisms that make it very
difficult to affect more than one client.

This is a proactive security update to prevent any future issues that
could appear as a result.



 All users of Squid-3.5 with SMP features are urged to upgrade to this
release as soon as possible.

 All users of Delay Pools are urged to upgrade to this release as soon
as possible.

 All users of basic_nis_auth or basic_getpwnam_auth are urged to upgrade
to this release as soon as possible.

 All users of Squid are urged to upgrade to this release as soon as
possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


Re: [squid-users] assertion failed: ../src/ipc/AtomicWord.h:88: "Enabled()"

2015-03-30 Thread Dan Charlesworth
Hey Amos

This error's still happening on the 3.5.3 RPM I just built. I know nothing 
about “atomics”, mind you.  I’m all ears if you have any other suggestions :-)

Squid Cache: Version 3.5.3
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' 
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' 
'--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--exec_prefix=/usr' 
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--with-logdir=$(localstatedir)/log/squid' 
'--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' 
'--enable-follow-x-forwarded-for' '--enable-auth' 
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' 
'--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP' 
'--enable-auth-negotiate=kerberos,wrapper' 
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group' 
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
'--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' 
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' 
'--with-openssl' '--enable-ssl-crtd' '--enable-storeio=aufs,ufs,rock' 
'--with-aio' '--enable-wccpv2' '--enable-esi' '--with-default-user=squid' 
'--with-filedescriptors=16384' '--with-maxfd=65535' '--with-dl' 
'--with-pthreads' '--with-included-ltdl' '--disable-arch-native' 
'--without-nettle' '--disable-optimizations' 
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' 
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig' 
--enable-ltdl-convenience


> On 28 Mar 2015, at 3:11 am, Dan Charlesworth  wrote:
> 
> Roger—thanks for heads up Amos.
> 
>  
> 
> 
> On Fri, Mar 27, 2015 at 9:50 PM, Amos Jeffries  > wrote:
> 
> Hi Dan,
> This appears by a breakage in the 3.5 snapshots' GNU atomics detection.
> Though we are still not sure why the error occurs yet with atomics disabled.
> 
> Snapshots labelled r13783 or later available in a few hrs should be fixed.
> 
> Cheers
> Amos
> 
> 
> On 27/03/2015 11:47 a.m., Dan Charlesworth wrote:
> > Bumping this because I think it might have gone into the black hole the 
> > other night.
> > 
> >> On 23 Mar 2015, at 5:44 pm, Dan Charlesworth  wrote:
> >>
> >> Turns out it’s also shitting the bed whenever I go to an SSL site now that 
> >> I’ve added --enable-storeio=rock:
> >>
> >> 2015/03/23 17:40:13 kid1| assertion failed: ../src/ipc/AtomicWord.h:71: 
> >> "Enabled()"
> >> 2015/03/23 17:42:02 kid1| assertion failed: ../src/ipc/AtomicWord.h:74: 
> >> "Enabled()"
> >>
> >> I feel like I’m definitely missing a dependency or something :-/
> >>
> >>> On 23 Mar 2015, at 5:28 pm, Dan Charlesworth  >>> > wrote:
> >>>
> >>> Hey!
> >>>
> >>> Sorry for all the threads lately, folks -
> >>>
> >>> I just recompiled by 3.5 EL6 (64-bit) RPM (using 
> >>> squid-3.5.2-20150321-r13782).
> >>>
> >>> I decided to add rock to my `—enable-storeio` option, so I could try SMP 
> >>> and stuff, which was fine. But when I went to squid -z it, I got this 
> >>> crash:
> >>> assertion failed: ../src/ipc/AtomicWord.h:88: "Enabled()"
> >>>
> >>> Just using:
> >>> cache_dir rock /var/spool/squid 2
> >>> workers 2
> >>>
> >>> I’m hoping, for a change, this is some obvious thing I’ve missed and not 
> >>> something I need to dig out backtraces for :-)
> >>>
> >>> Thanks, y'all
> >>
> > 
> > 
> > 
> > 
> > 
> 
> 
> 



Re: [squid-users] Squid 3.5.2 ssl_crtd kids causing abnormal termination of startup

2015-03-30 Thread Amos Jeffries
The relevant bits of all patches that might be affecting this are now
included in 3.5.3.

Also, someone pointed out recently that /dev/shm needed to be explicitly
mounted on their OS.

Amos
