Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-19 Thread Indunil Jayasooriya
On Tue, Apr 19, 2011 at 1:05 PM, Indunil Jayasooriya
induni...@gmail.com wrote:

 Now, we have to use

 divert-to instead of rdr-to  in pf.conf


 Pls read below URL where you get the real thing in regard to it. It
 was replied by OpenBSD developer Reyk Floeter.


 http://www.mail-archive.com/misc@openbsd.org/msg101469.html


 Aha! so PF provides getsockname() now. That means it will require the
 ./configure --enable-ipfw-transparent option to Squid.


 Hi, sorry for the delay in replying.


 I changed from http_port 3129 intercept to http_port 127.0.0.1:3129
 intercept in squid.conf file.

 Here's the rule in pf.conf

 pass in log on $int_if proto tcp from $lan_net to any port 80 \
     divert-to 127.0.0.1 port 3129


 here's config option, it is with --enable-ipfw-transparent


 Squid Cache: Version 3.2.0.6
 configure options:  '--datadir=/usr/local/share/squid' '--enable-arp-acl'
 '--enable-basic-auth-helpers=NCSA' '--enable-digest-auth-helpers=password'
 '--enable-delay-pools' '--enable-external-acl-helpers=ip_user'
 '--enable-forw-via-db' '--enable-negotiate-auth-helpers=squid_kerb_auth'
 '--enable-ipfw-transparent' '--enable-removal-policies=lru' '--enable-ssl'
 '--enable-storeio=aufs' '--with-pthreads' '--localstatedir=/var/squid'
 '--prefix=/usr/local' '--sysconfdir=/etc/squid' '--mandir=/usr/local/man'
 '--infodir=/usr/local/info' --enable-ltdl-convenience


 Now, I can access internet. But, I still get this error.

 2011/04/19 17:55:18 kid1| Intercept.cc(305) PfInterception: PF open failed:
 (13) Permission denied


 then, I recompiled without --enable-ipfw-transparent ( Now it is without
 both --enable-pf-transparent and --enable-ipfw-transparent)

 still , I can access internet. But, Still I get below error.

 2011/04/19 18:26:44 kid1| Intercept.cc(305) PfInterception: PF open failed:
 (13) Permission denied




 any comments are welcome from your end.



 thanks a lot.





-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-09 Thread Indunil Jayasooriya
 patch -p0 < /PATH/TO/bug3185_mk2.patch

 Exactly correct.

 Being in the base folder of your squid sources when running it
 (/root/software/squid-3.2.0.6/)

DONE. performed below steps.



first,

did cd to /root/software/squid-3.2.0.6/compat/os

backed up as follows.

cp openbsd.h  openbsd.h.orig


then,

did cd to /root/software/squid-3.2.0.6


patch -p0 < /tmp/bug3185_mk2.patch

Pls see the output.

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--
|=== modified file 'compat/os/openbsd.h'
|--- compat/os/openbsd.h  2010-11-21 04:40:05 +
|+++ compat/os/openbsd.h  2011-04-08 08:10:12 +
--
Patching file compat/os/openbsd.h using Plan A...
Hunk #1 succeeded at 30.
Hmm...  Ignoring the trailing garbage.
done

It worked didn't it? I think yes. your comments are welcome...

then,

# cd /root/software/squid-3.2.0.6/compat/os

# diff openbsd.h openbsd.h.orig

33,40d32
 /* OpenBSD requires netinet/in.h before arpa/inet.h */
 #if HAVE_NETINET_IN_H
 #include netinet/in.h
 #endif
 #if HAVE_ARPA_INET_H
 #include arpa/inet.h
 #endif
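
Review bot: the eight lines at 33-40 only take effect in files that include compat/os/openbsd.h before anything else pulls in arpa/inet.h, and the thread located the failing include in include/util.h, which this diff does not touch; confirm util.h gets the compat header first, otherwise the 'struct in_addr' build error can persist. The `#if HAVE_NETINET_IN_H` and `#if HAVE_ARPA_INET_H` guards also evaluate to false silently when the configure-generated macros are not yet defined at this point, so the comment should say the header must come after the autoconf header. The diff arguments are reversed here (patched file first), which is why the additions appear as a deletion (`33,40d32`).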



anyway , now the full contents of openbsd.h is as follows.

# cat openbsd.h

#ifndef SQUID_OS_OPENBSD_H
#define SQUID_OS_OPENBSD_H

#ifdef _SQUID_OPENBSD_

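/****************************************************************************
 *--------------------------------------------------------------------------*
 * DO *NOT* MAKE ANY CHANGES below here unless you know what you're doing...*
 *--------------------------------------------------------------------------*
 ****************************************************************************/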

/*
 * Don't allow inclusion of malloc.h
 */
#if HAVE_MALLOC_H
#undef HAVE_MALLOC_H
#endif

/*
 *   This OS has at least one version that defines these as private
 *   kernel macros commented as being 'non-standard'.
 *   We need to use them, much nicer than the OS-provided __u*_*[]
 */
//#define s6_addr8  __u6_addr.__u6_addr8
//#define s6_addr16 __u6_addr.__u6_addr16
#define s6_addr32 __u6_addr.__u6_addr32

/* OpenBSD also hide v6only socket option we need for comm layer. :-( */
#if !defined(IPV6_V6ONLY)
#define IPV6_V6ONLY 27 // from OpenBSD 4.3 headers. (NP: does not match non-BSD OS values)
#endif

/* OpenBSD requires netinet/in.h before arpa/inet.h */
#if HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#if HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif

#endif /* _SQUID_OPENBSD_ */
#endif /* SQUID_OS_OPENBSD_H */



That's all for that patch. I think U r ok.



anyway. for the /dev/pf thing, I will come back with an update



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-09 Thread Indunil Jayasooriya
 anyway. for the /dev/pf thing, I will come back with an update


As I said, below two commands NOT good at all.

# chgrp _squid /dev/pf
# chmod g+rw /dev/pf

Now, we have to use

divert-to instead of rdr-to  in pf.conf


Pls read below URL where you get the real thing in regard to it. It
was replied by OpenBSD developer Reyk Floeter.


http://www.mail-archive.com/misc@openbsd.org/msg101469.html


I am home now, I am going to office on monday. then, I will do
accordingly and update you.



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-09 Thread Amos Jeffries

On 09/04/11 21:24, Indunil Jayasooriya wrote:

>> anyway. for the /dev/pf thing, I will come back with an update
>
> As I said, below two commands NOT good at all.
>
> # chgrp _squid /dev/pf
> # chmod g+rw /dev/pf
>
> Now, we have to use
>
> divert-to instead of rdr-to  in pf.conf
>
> Pls read below URL where you get the real thing in regard to it. It
> was replied by OpenBSD developer Reyk Floeter.
>
> http://www.mail-archive.com/misc@openbsd.org/msg101469.html



Aha! so PF provides getsockname() now. That means it will require the 
./configure --enable-ipfw-transparent option to Squid.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.6
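
An added example, not part of the thread and not Squid's code: with a divert-to rule pf leaves the packet unmodified, so getsockname() on the accepted socket reports the address the client originally dialed and the proxy never has to open /dev/pf. The function names are hypothetical, and the self-check uses a constructed loopback connection with no pf involved, where the same call simply returns the listening address.

```c
#include <sys/socket.h>
#include <netinet/in.h>   /* must precede arpa/inet.h on OpenBSD, as in this thread */
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>

/* Fill *dst with the local address of an accepted socket. Assumption:
 * under a pf divert-to rule (pf.conf(5)) this is the destination the
 * client dialed; without diversion it is the listening address. */
int original_dst(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    if (getsockname(fd, (struct sockaddr *)dst, &len) == -1)
        return -1;
    return dst->sin_family == AF_INET ? 0 : -1;
}

/* Constructed self-check: loopback listener on an ephemeral port and one
 * client connection. Returns 0 when original_dst() reports the address
 * and port the client connected to, -1 on any failure. */
int selftest(void)
{
    struct sockaddr_in lst, dst;
    socklen_t len = sizeof(lst);
    int rc = -1, ls, cs = -1, as = -1;

    memset(&lst, 0, sizeof(lst));
    lst.sin_family = AF_INET;
    lst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* port 0: kernel picks one */

    ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls == -1) return -1;
    if (bind(ls, (struct sockaddr *)&lst, sizeof(lst)) == -1 ||
        listen(ls, 1) == -1 ||
        getsockname(ls, (struct sockaddr *)&lst, &len) == -1)
        goto out;
    cs = socket(AF_INET, SOCK_STREAM, 0);
    if (cs == -1 || connect(cs, (struct sockaddr *)&lst, sizeof(lst)) == -1)
        goto out;
    as = accept(ls, NULL, NULL);
    if (as == -1 || original_dst(as, &dst) == -1)
        goto out;
    if (dst.sin_port == lst.sin_port &&
        dst.sin_addr.s_addr == lst.sin_addr.s_addr)
        rc = 0;
out:
    if (as != -1) close(as);
    if (cs != -1) close(cs);
    close(ls);
    return rc;
}

int main(void) { return selftest() == 0 ? 0 : 1; }
```

Because the lookup needs only the socket the proxy already owns, /dev/pf can stay at its default root-only mode instead of being opened to the _squid group.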


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-08 Thread Indunil Jayasooriya

 The problem is that netinet/in.h must be included before arpa/inet.h in
 include/util.h (at least for 3.1.11). Just add
 #include <netinet/in.h> before the #include <arpa/inet.h> line in this
 file. At least that fixed the same problem with Squid 3.1.11 on OpenBSD 4.9.

Thanks for your help. Sorry for the delay in replying.

As said, I added the below 2 lines to include/util.h file

#include <netinet/in.h>
#include <arpa/inet.h>

then. configure with below options


Squid Cache: Version 3.2.0.6

configure options:  '--datadir=/usr/local/share/squid'
'--enable-arp-acl' '--enable-basic-auth-helpers=NCSA'
'--enable-digest-auth-helpers=password' '--enable-delay-pools'
'--enable-external-acl-helpers=ip_user' '--enable-forw-via-db'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-pf-transparent' '--enable-removal-policies=lru'
'--enable-ssl' '--enable-storeio=aufs' '--with-pthreads'
'--localstatedir=/var/squid' '--prefix=/usr/local'
'--sysconfdir=/etc/squid' '--mandir=/usr/local/man'
'--infodir=/usr/local/info' --enable-ltdl-convenience

then, did make and make install. it went fine.

I added below line to squid.conf file


http_port 3129 intercept

cache_mem 256 MB

cache_effective_user    _squid
cache_effective_group   _squid

# Define the access log format
logformat squid  %ts.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %un %Sh/%A %mt

# Log client request activities ('squid' is the name of the log format to use)
access_log   /var/squid/logs/access.log squid

# Log information about the cache's behavior
cache_log    /var/squid/logs/cache.log

# Log the activities of the storage manager
cache_store_log  /var/squid/logs/store.log


We can access with squid. But , I get the below error


# tail -f /var/squid/logs/cache.log
2011/04/08 18:07:26 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 18:07:35 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 18:07:35 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied


any idea?  shall we solve ?

permission of /dev/pf

crw-------  1 root  wheel   73,   0 Apr  1 19:30 /dev/pf







-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-08 Thread Amos Jeffries

On 08/04/11 19:13, Indunil Jayasooriya wrote:


>> The problem is that netinet/in.h must be included before arpa/inet.h in
>> include/util.h (at least for 3.1.11). Just add
>> #include <netinet/in.h> before the #include <arpa/inet.h> line in this
>> file. At least that fixed the same problem with Squid 3.1.11 on OpenBSD 4.9.
>
> Thanks for your help. Sorry for the delay in replying.
>
> As said, I added the below 2 lines to include/util.h file
>
> #include <netinet/in.h>
> #include <arpa/inet.h>

Thank you. This is being tracked in
http://bugs.squid-cache.org/show_bug.cgi?id=3185

Can you test the patch I've added there please?

> I added below line to squid.conf file
>
> http_port 3129 intercept
>
> cache_mem 256 MB
>
> cache_effective_user    _squid

Can be replaced by a configure option:
  --with-default-user=_squid

> cache_effective_group   _squid

Remove cache_effective_group.
Assign user _squid to group _squid instead (must be done anyways).

> # Define the access log format
> logformat squid  %ts.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %un %Sh/%A %mt

3.2 should be complaining about that alteration to the default ... is it?

> # Log client request activities ('squid' is the name of the log format to use)
> access_log   /var/squid/logs/access.log squid
>
> # Log information about the cache's behavior
> cache_log    /var/squid/logs/cache.log
>
> # Log the activities of the storage manager
> cache_store_log  /var/squid/logs/store.log
>
> We can access with squid. But , I get the below error
>
> # tail -f /var/squid/logs/cache.log
> 2011/04/08 18:07:26 kid1| Intercept.cc(305) PfInterception: PF open
> failed: (13) Permission denied
> 2011/04/08 18:07:35 kid1| Intercept.cc(305) PfInterception: PF open
> failed: (13) Permission denied
> 2011/04/08 18:07:35 kid1| Intercept.cc(305) PfInterception: PF open
> failed: (13) Permission denied
>
> any idea?  shall we solve ?
>
> permission of /dev/pf
>
> crw-------  1 root  wheel   73,   0 Apr  1 19:30 /dev/pf



Is wheel the usual group for /dev/pf?
 I would expect some other less privileged group has read access to 
/dev/pf. You then add the _squid user as a member of that low-privilege 
group.


Amos


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-08 Thread Amos Jeffries

On 06/04/11 04:09, Silamael wrote:

> On 04/05/2011 12:05 PM, Indunil Jayasooriya wrote:
>> Hi ALL,
>>
>> I downloaded squid-3.2.0.6 from below URL
>>
>> http://www.squid-cache.org/Versions/v3/3.2/squid-3.2.0.6.tar.gz
>>
>> I ran (this is on OpenBSD 4.8 - 64 bit)
>>
>> ./configure
>>
>> It went fine.
>>
>> Then, ran
>>
>> make
>>
>> stopped at below error
>>
>> /usr/include/arpa/inet.h:74: warning: 'struct in_addr' declared inside
>> parameter list
>> /usr/include/arpa/inet.h:74: warning: its scope is only this
>> definition or declaration, which is probably not what you want
>> /usr/include/arpa/inet.h:75: warning: 'struct in_addr' declared inside
>> parameter list
>> *** Error code 1
>>
>> Stop in /root/software/squid-3.2.0.6/lib (line 589 of Makefile).
>> *** Error code 1
>>
>> Stop in /root/software/squid-3.2.0.6/lib (line 708 of Makefile).
>> *** Error code 1
>>
>> Stop in /root/software/squid-3.2.0.6 (line 433 of Makefile).
>
> Hi Indunil,
>
> The problem is that netinet/in.h must be included before arpa/inet.h in
> include/util.h (at least for 3.1.11). Just add
> #include <netinet/in.h> before the #include <arpa/inet.h> line in this
> file. At least that fixed the same problem with Squid 3.1.11 on OpenBSD 4.9.
>
> -- Matthias


For the record this is now tracked in 
http://bugs.squid-cache.org/show_bug.cgi?id=3185


Amos


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-08 Thread Indunil Jayasooriya

 Thank you. This is being tracked in
 http://bugs.squid-cache.org/show_bug.cgi?id=3185

 Can you test the patch I've added there please?


I downloaded the file. is it bug3185_mk2.patch isn't it?

This is the PATH of the file include/util.h

/root/software/squid-3.2.0.6/include/util.h

May I ask how can I patch it?

is it something like

patch -p0 < /PATH/TO/bug3185_mk2.patch

or another way?  I want to try. Pls help me to go ahead.


 cache_effective_user    _squid

 Can be replaced by a configure option:
  --with-default-user=_squid

ok, I will configure and try again...

 cache_effective_group   _squid

 Remove cache_effective_group.
 Assign user _squid to group _squid instead (must be done anyways).

i have already like this ..

# id _squid
uid=515(_squid) gid=515(_squid) groups=515(_squid)

further, if u need.

my /etc/passwd

_squid:*:515:515:SquidAccount:/nonexistent:/sbin/nologin


my  /etc/group

_squid:*:515:

what else? Welcome your comments.


 # Define the access log format
 logformat squid  %ts.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %un %Sh/%A
 %mt

below was my first log format line

logformat squid  %ts.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %un %Sh/%A %mt

pls see %03Hs ,

then. I got below complain

2011/04/08 16:25:54 kid1| WARNING: The Hs formatting code is
deprecated. Use the >Hs instead.


then, I changed %03Hs to %03>Hs. Then, no complain.

is %03>Hs ok?


 3.2 should be complaining about that alteration to the default ... is it?

yes.

pls see , That's what i mentioned before.

2011/04/08 16:25:54 kid1| WARNING: The Hs formatting code is
deprecated. Use the >Hs instead.



 permission of /dev/pf

 crw-------  1 root  wheel   73,   0 Apr  1 19:30 /dev/pf


 Is wheel the usual group for /dev/pf?

yes. the same on my other OpenBSD box running squid 2.7.9.

Pls see if u need.

# squid -v
Squid Cache: Version 2.7.STABLE9

# ls -al /dev/pf
crw-------  1 root  wheel   73,   0 Dec 17 16:33 /dev/pf

# tail -f /var/squid/logs/cache.log

2011/04/08 14:26:24| 0 Objects expired.
2011/04/08 14:26:24|   351 Objects cancelled.
2011/04/08 14:26:24| 0 Duplicate URLs purged.
2011/04/08 14:26:24| 0 Swapfile clashes avoided.
2011/04/08 14:26:24|   Took 1.2 seconds (5811.2 objects/sec).
2011/04/08 14:26:24| Beginning Validation Procedure
2011/04/08 14:26:24|   Completed Validation Procedure
2011/04/08 14:26:24|   Validated 6608 Entries
2011/04/08 14:26:24|   store_swap_size = 92128k
2011/04/08 14:26:25| storeLateRelease: released 0 objects

no problem at all with squid 2.7.9


   I would expect some other less privileged group has read access to /dev/pf.
 You then add the _squid user as a member of that low-privilege group.

I did below steps. I think I will have to look in to it. I think I
should discuss with OpenBSD mailing list in regard to this as they are
secure by default. I love their Philosophy very much.


# chgrp _squid /dev/pf
# chmod g+rw /dev/pf


after this , pls see cache.log  , no complain in regard to pf as before.


# tail -f /var/squid/logs/cache.log

2011/04/08 20:30:04 kid1| 0 Objects expired.
2011/04/08 20:30:04 kid1| 7 Objects cancelled.
2011/04/08 20:30:04 kid1| 0 Duplicate URLs purged.
2011/04/08 20:30:04 kid1| 0 Swapfile clashes avoided.
2011/04/08 20:30:04 kid1|   Took 0.04 seconds (25798.56 objects/sec).
2011/04/08 20:30:04 kid1| Beginning Validation Procedure
2011/04/08 20:30:04 kid1|   Completed Validation Procedure
2011/04/08 20:30:04 kid1|   Validated 2117 Entries
2011/04/08 20:30:04 kid1|   store_swap_size = 8998
2011/04/08 20:30:05 kid1| storeLateRelease: released 0 objects


That's all I can tell you. sorry for the long mail. I think step by
step info may be very helpful.

anyway, Pls let me know how to patch. I love it, then, for next
releases on OpenBSD, I can try.


hope 2 hear from you.



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-08 Thread Amos Jeffries

On 08/04/11 21:41, Indunil Jayasooriya wrote:


>> Thank you. This is being tracked in
>> http://bugs.squid-cache.org/show_bug.cgi?id=3185
>>
>> Can you test the patch I've added there please?
>
> I downloaded the file. is it bug3185_mk2.patch isn't it?
>
> This is the PATH of the file include/util.h
>
> /root/software/squid-3.2.0.6/include/util.h
>
> May I ask how can I patch it?
>
> is it something like
>
> patch -p0 < /PATH/TO/bug3185_mk2.patch


Exactly correct.

Being in the base folder of your squid sources when running it 
(/root/software/squid-3.2.0.6/)


Amos


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-05 Thread Silamael
On 04/05/2011 12:05 PM, Indunil Jayasooriya wrote:
 Hi ALL,
 
 I downloaded squid-3.2.0.6 from below URL
 
 http://www.squid-cache.org/Versions/v3/3.2/squid-3.2.0.6.tar.gz
 
 
 I ran (this is on OpenBSD 4.8 - 64 bit)
 
 ./configure
 
 It went fine.
 
 Then, ran
 
 make
 
 stopped at below error
 
 
 /usr/include/arpa/inet.h:74: warning: 'struct in_addr' declared inside
 parameter list
 /usr/include/arpa/inet.h:74: warning: its scope is only this
 definition or declaration, which is probably not what you want
 /usr/include/arpa/inet.h:75: warning: 'struct in_addr' declared inside
 parameter list
 *** Error code 1
 
 Stop in /root/software/squid-3.2.0.6/lib (line 589 of Makefile).
 *** Error code 1
 
 Stop in /root/software/squid-3.2.0.6/lib (line 708 of Makefile).
 *** Error code 1
 
 Stop in /root/software/squid-3.2.0.6 (line 433 of Makefile).

Hi Indunil,

The problem is that netinet/in.h must be included before arpa/inet.h in
include/util.h (at least for 3.1.11). Just add
#include <netinet/in.h> before the #include <arpa/inet.h> line in this
file. At least that fixed the same problem with Squid 3.1.11 on OpenBSD 4.9.

-- Matthias