Help: squid restarts and squidGuard die

Help: squid restarts and squidGuard die

neok
Dear Ones, I draw on your experience in seeking help to determine whether or not it is possible to achieve the configuration I am looking for, due to a strange error I am having.

Before commenting on the bug I describe my testing environment:
- A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
- My VM is attached to my domain W2012R2 (following this post https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/) to achieve kerberos authentication transparent to the user. SElinux disabled. Owner permissions to user squid in all folders/files involved.
- squid 3.5.20 installed and working great with kerberos, NTLM and basic authentication. All authentication mechanisms tested and working great.
- SquidGuard: 1.4 Berkeley DB 5.3.21 installed and working great with blacklists and acl default.

My problem starts when I try to use source acl using ldapusersearch in squidGuard... 

systemctl status squid:
(squid-1)[12627]: The redirector helpers are crashing too rapidly, need help!

squidGuard.conf

dbhome /etc/squid/db
logdir /var/log/squidGuard
ldapbinddn CN=ldap,OU=SERVICIOS,OU=SISTEMAS,OU=CANAL,OU=MYCOMPANY,DC=mydomain,DC=local
ldapbindpass myULTRAsecretPASS
ldapprotover 3


src WEB_BASIC {
ldapusersearch ldap://dc-1.mydomain.local:3268/dc=mydomain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=WEB_BASIC%2cou=INTERNET%2cou=PERMISOS%2cou=MYCOMPANY%2cdc=mydomain%2cdc=local))
log block.log
}

dest BL_adv {
        domainlist adv/domains
        urllist adv/urls
        log block.log
}

dest BL_aggressive {
        domainlist aggressive/domains
        urllist aggressive/urls
        log block.log
}
dest BL_alcohol {
domainlist alcohol/domains
urllist alcohol/urls
log block.log
}
dest BL_anonvpn {
domainlist anonvpn/domains
urllist anonvpn/urls
log block.log
}
dest BL_chat {
domainlist chat/domains
urllist chat/urls
log block.log
}
dest BL_costtraps {
domainlist costtraps/domains
urllist costtraps/urls
log block.log
}
dest BL_downloads {
domainlist downloads/domains
urllist downloads/urls
log block.log
}
dest BL_drugs {
domainlist drugs/domains
urllist drugs/urls
log block.log
}
dest BL_dynamic {
domainlist dynamic/domains
log block.log
}
dest BL_fortunetelling {
domainlist fortunetelling/domains
urllist fortunetelling/urls
log block.log
}
dest BL_gamble {
domainlist gamble/domains
urllist gamble/urls
log block.log
}
dest BL_government {
domainlist government/domains
urllist government/urls
log block.log
}
dest BL_hacking {
domainlist hacking/domains
urllist hacking/urls
log block.log
}
dest BL_hobby_games-misc {
domainlist hobby/games-misc/domains
urllist hobby/games-misc/urls
log block.log
}
dest BL_hobby_games-online {
domainlist hobby/games-online/domains
urllist hobby/games-online/urls
log block.log
}
dest BL_movies {
domainlist movies/domains
urllist movies/urls
log block.log
}
dest BL_music {
domainlist music/domains
urllist music/urls
log block.log
}
dest BL_porn {
domainlist porn/domains
urllist porn/urls
log block.log
}
dest BL_radiotv {
domainlist radiotv/domains
urllist radiotv/urls
log block.log
}
dest BL_redirector {
domainlist redirector/domains
urllist redirector/urls
log block.log
}
dest BL_remotecontrol {
domainlist remotecontrol/domains
urllist remotecontrol/urls
log block.log
}
dest BL_ringtones {
domainlist ringtones/domains
urllist ringtones/urls
log block.log
}
dest BL_socialnet {
domainlist socialnet/domains
urllist socialnet/urls
log block.log
}
dest BL_spyware {
domainlist spyware/domains
urllist spyware/urls
log block.log
}
dest BL_tracker {
domainlist tracker/domains
urllist tracker/urls
log block.log
}
dest BL_updatesites {
domainlist updatesites/domains
urllist updatesites/urls
log block.log
}
dest BL_violence {
domainlist violence/domains
urllist violence/urls
log block.log
}
dest BL_warez {
domainlist warez/domains
urllist warez/urls
log block.log
}
dest BL_weapons {
domainlist weapons/domains
urllist weapons/urls
log block.log
}
dest BL_webphone {
domainlist webphone/domains
urllist webphone/urls
log block.log
}
dest BL_webradio {
domainlist webradio/domains
urllist webradio/urls
log block.log
}
dest BL_WEBTV {
domainlist webtv/domains
urllist webtv/urls
log block.log
}


dest whitelist {
domainlist whitelist/domains
log block.log
}

dest blacklist {
domainlist blacklist/domains
log block.log
}


acl {

WEB_BASIC {
pass whitelist !BL_porn !blacklist all
redirect http://s-server1.mydomain.local/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
log block.log
}

default {
pass !blacklist all
redirect http://s-server1.mydomain.local/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
log block.log
}

}


squidGuard.log

2018-09-17 11:13:39 [12663] New setting: dbhome: /etc/squid/db
2018-09-17 11:13:39 [12663] New setting: logdir: /var/log/squidGuard
2018-09-17 11:13:39 [12663] New setting: ldapbinddn: CN=ldap,OU=SERVICIOS,OU=SISTEMAS,OU=CANAL,OU=MYCOMPANY,DC=mydomain,DC=local
2018-09-17 11:13:39 [12663] New setting: ldapbindpass: myULTRAsecretPASS
2018-09-17 11:13:39 [12663] New setting: ldapprotover: 3
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/adv/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/adv/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/adv/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/adv/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/aggressive/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/aggressive/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/aggressive/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/aggressive/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/alcohol/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/alcohol/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/alcohol/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/alcohol/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/anonvpn/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/anonvpn/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/anonvpn/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/anonvpn/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/chat/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/chat/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/chat/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/chat/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/costtraps/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/costtraps/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/costtraps/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/costtraps/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/downloads/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/downloads/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/downloads/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/downloads/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/drugs/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/drugs/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/drugs/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/drugs/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/dynamic/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/dynamic/domains.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/fortunetelling/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/fortunetelling/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/fortunetelling/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/fortunetelling/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/gamble/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/gamble/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/gamble/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/gamble/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/government/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/government/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/government/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/government/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/hacking/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/hacking/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/hacking/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/hacking/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/hobby/games-misc/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/hobby/games-misc/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/hobby/games-misc/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/hobby/games-misc/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/hobby/games-online/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/hobby/games-online/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/hobby/games-online/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/hobby/games-online/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/movies/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/movies/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/movies/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/movies/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/music/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/music/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/music/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/music/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/porn/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/porn/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/porn/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/porn/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/radiotv/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/radiotv/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/radiotv/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/radiotv/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/redirector/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/redirector/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/redirector/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/redirector/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/remotecontrol/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/remotecontrol/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/remotecontrol/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/remotecontrol/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/ringtones/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/ringtones/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/ringtones/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/ringtones/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/socialnet/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/socialnet/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/socialnet/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/socialnet/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/spyware/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/spyware/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/spyware/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/spyware/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/tracker/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/tracker/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/tracker/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/tracker/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/updatesites/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/updatesites/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/updatesites/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/updatesites/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/violence/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/violence/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/violence/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/violence/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/warez/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/warez/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/warez/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/warez/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/weapons/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/weapons/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/weapons/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/weapons/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/webphone/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/webphone/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/webphone/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/webphone/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/webradio/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/webradio/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/webradio/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/webradio/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/webtv/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/webtv/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/webtv/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/webtv/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/whitelist/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/whitelist/domains.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/blacklist/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/blacklist/domains.db
2018-09-17 11:13:39 [12663] logfile not allowed in acl other than default
2018-09-17 11:13:39 [12663] squidGuard 1.4 started (1537193619.900)
2018-09-17 11:13:39 [12663] squidGuard ready for requests (1537193619.903)

squid.conf

acl localnet src 10.10.8.0/22   # LAN net
acl dmz src 192.168.20.0/27     # DMZ net

### negotiate kerberos & ntlm authentication
auth_param negotiate program /usr/sbin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME 
auth_param negotiate children 10 
auth_param negotiate keep_alive on

### basic authentication for not kerberos or ntlm authenticated users
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=mydomain,dc=local" -D "[hidden email]" -w " myULTRAsecretPASS  " -f sAMAccountName=%s -h dc-1.mydomain.local 
auth_param basic children 10 
auth_param basic realm Identifiquese 
auth_param basic credentialsttl 4 hours

### standard allowed ports
acl SSL_ports port 443 
acl Safe_ports port 80 # http 
acl Safe_ports port 21 # ftp 
acl Safe_ports port 443 # https 
acl Safe_ports port 70 # gopher 
acl Safe_ports port 210 # wais 
acl Safe_ports port 1025-65535 # unregistered ports 
acl Safe_ports port 280 # http-mgmt 
acl Safe_ports port 488 # gss-http 
acl Safe_ports port 591 # filemaker 
acl Safe_ports port 777 # multiling http 
acl CONNECT method CONNECT

### acl for proxy authentication (kerberos or ntlm) and ldap authorizations
acl auth proxy_auth REQUIRED

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS

### enforce authentication
http_access allow auth 
http_access deny !auth

### standard access rules
http_access deny !Safe_ports 
http_access deny CONNECT !SSL_ports 
http_access allow localhost manager 
http_access deny manager 
http_access allow localnet
http_access allow dmz
http_access allow localhost 
http_access deny all

### MISCELLANEOUS OPTIONS ###
http_port 8080 
coredump_dir /var/spool/squid 
refresh_pattern ^ftp: 1440 20% 10080 
refresh_pattern ^gopher: 1440 0% 1440 
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 
refresh_pattern .  0 20% 4320 
quick_abort_min 0 KB 
quick_abort_max 0 KB 
read_timeout 5 minutes 
request_timeout 3 minutes 
half_closed_clients off 
shutdown_lifetime 15 seconds 
log_icp_queries off 
dns_v4_first on 
ipcache_size 2048 
ipcache_low 90 
fqdncache_size 4096 
forwarded_for off 
cache_mgr [hidden email] 
visible_hostname eren 
httpd_suppress_version_string on 
uri_whitespace strip


## squidGuard ##
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 10 startup=5 idle=1 concurrency=0
url_rewrite_bypass off


cache.log

Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.070 seconds = 0.055 user + 0.015 sys
Maximum Resident Size: 68768 KB
Page faults with physical i/o: 0
2018/09/17 11:13:36 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu...
2018/09/17 11:13:36 kid1| Service Name: squid
2018/09/17 11:13:36 kid1| Starting new negotiateauthenticator helpers...
2018/09/17 11:13:36 kid1| Starting new negotiateauthenticator helpers...
2018/09/17 11:13:36| negotiate_kerberos_auth: INFO: User my.name authenticated
2018/09/17 11:13:36 kid1| WARNING: redirector #Hlpr1 exited
FATAL: The redirector helpers are crashing too rapidly, need help!

Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.086 seconds = 0.057 user + 0.029 sys
Maximum Resident Size: 68752 KB
Page faults with physical i/o: 0
2018/09/17 11:13:36| negotiate_kerberos_auth: INFO: User my.name authenticated
2018/09/17 11:13:39 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu...
2018/09/17 11:13:39 kid1| Service Name: squid

access.log

1537193586.999      0 10.10.11.154 TCP_DENIED/407 4137 CONNECT www.google.com.ar:443 - HIER_NONE/- text/html
1537193587.242      0 10.10.11.154 TCP_DENIED/407 4185 CONNECT clientservices.googleapis.com:443 - HIER_NONE/- text/html
1537193587.269      0 10.10.11.154 TCP_DENIED/407 4145 CONNECT accounts.google.com:443 - HIER_NONE/- text/html
1537193587.269      0 10.10.11.154 TCP_DENIED/407 4137 CONNECT www.google.com.ar:443 - HIER_NONE/- text/html
1537193613.322      0 10.10.11.154 TCP_DENIED/407 4185 CONNECT clientservices.googleapis.com:443 - HIER_NONE/- text/html
1537193616.653      1 10.10.11.154 TCP_DENIED/407 4125 CONNECT www.clarin.com:443 - HIER_NONE/- text/html
1537193616.732      0 10.10.11.154 TCP_DENIED/407 4145 CONNECT accounts.google.com:443 - HIER_NONE/- text/html
1537193616.749      1 10.10.11.154 TCP_DENIED/407 4137 CONNECT www.google.com.ar:443 - HIER_NONE/- text/html

messages

Sep 17 11:13:07 proxy kernel: squidGuard[12552]: segfault at ffffffffd7706bb0 ip 00007fdbf2052e70 sp 00007fffd1b73c70 error 5 in libldap-2.4.so.2.10.7[7fdbf2027000+52000]
Sep 17 11:13:07 proxy kernel: squidGuard[12553]: segfault at ffffffffa3d27bb0 ip 00007fd79b787e70 sp 00007ffe47e9b880 error 5 in libldap-2.4.so.2.10.7[7fd79b75c000+52000]
Sep 17 11:13:07 proxy (squid-1): The redirector helpers are crashing too rapidly, need help!
Sep 17 11:13:07 proxy squid[12549]: Squid Parent: (squid-1) process 12551 exited with status 1
Sep 17 11:13:10 proxy squid[12549]: Squid Parent: (squid-1) process 12627 started
Sep 17 11:13:33 proxy kernel: squidGuard[12628]: segfault at 1fbd2bb0 ip 00007f452b305e70 sp 00007ffda8c714b0 error 4 in libldap-2.4.so.2.10.7[7f452b2da000+52000]
Sep 17 11:13:33 proxy (squid-1): The redirector helpers are crashing too rapidly, need help!
Sep 17 11:13:33 proxy squid[12549]: Squid Parent: (squid-1) process 12627 exited with status 1
Sep 17 11:13:36 proxy squid[12549]: Squid Parent: (squid-1) process 12643 started
Sep 17 11:13:36 proxy kernel: squidGuard[12644]: segfault at 540fdbb0 ip 00007fab84f2de70 sp 00007ffc1aa8d2a0 error 4 in libldap-2.4.so.2.10.7[7fab84f02000+52000]
Sep 17 11:13:36 proxy (squid-1): The redirector helpers are crashing too rapidly, need help!
Sep 17 11:13:36 proxy squid[12549]: Squid Parent: (squid-1) process 12643 exited with status 1
Sep 17 11:13:39 proxy squid[12549]: Squid Parent: (squid-1) process 12658 started


If I disable src and acl WEB_BASIC I have no problem. The default acl does its thing without problems.
But when I enable src and acl WEB_BASIC, squidGuard explodes and squid restarts, which is how I notice.
I see an error in a libldap library... Could it be a library error? Or am I misconfiguring my squid?

Just in case, I've checked the URLs of the LDAP queries more than ten times (commas, %2c, etc.).

Thank you very much for any help you can give me.
Best regards

Gabriel



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
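The /var/log/messages excerpt above carries more information than "squidGuard segfaults": each kernel line gives the faulting instruction pointer, the library it sits in and that library's load base, plus the x86 page-fault error code. The script below is an added example (not part of this thread, not squidGuard or Squid code) that parses those lines, decodes the error code bits, and rebases the instruction pointer against the library mapping. Run over the lines from the post it shows that every crash happens at the same offset inside libldap-2.4.so.2.10.7, i.e. a deterministic crash at one code location rather than random corruption, and that the faulting addresses lie outside the library mapping, which is what a wild pointer dereference looks like. The sample log text is copied from the post's own excerpt; the regexes and the field names are this example's own choices.

```python
import re
from collections import Counter

# Sample input: the segfault and Squid-parent lines from the post's
# /var/log/messages excerpt, reproduced verbatim for an offline run.
SAMPLE_MESSAGES = """\
Sep 17 11:13:07 proxy kernel: squidGuard[12552]: segfault at ffffffffd7706bb0 ip 00007fdbf2052e70 sp 00007fffd1b73c70 error 5 in libldap-2.4.so.2.10.7[7fdbf2027000+52000]
Sep 17 11:13:07 proxy kernel: squidGuard[12553]: segfault at ffffffffa3d27bb0 ip 00007fd79b787e70 sp 00007ffe47e9b880 error 5 in libldap-2.4.so.2.10.7[7fd79b75c000+52000]
Sep 17 11:13:07 proxy (squid-1): The redirector helpers are crashing too rapidly, need help!
Sep 17 11:13:07 proxy squid[12549]: Squid Parent: (squid-1) process 12551 exited with status 1
Sep 17 11:13:10 proxy squid[12549]: Squid Parent: (squid-1) process 12627 started
Sep 17 11:13:33 proxy kernel: squidGuard[12628]: segfault at 1fbd2bb0 ip 00007f452b305e70 sp 00007ffda8c714b0 error 4 in libldap-2.4.so.2.10.7[7f452b2da000+52000]
Sep 17 11:13:33 proxy (squid-1): The redirector helpers are crashing too rapidly, need help!
Sep 17 11:13:33 proxy squid[12549]: Squid Parent: (squid-1) process 12627 exited with status 1
"""

# Kernel segfault report: "<prog>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <lib>[<base>+<size>]"
SEGFAULT_RE = re.compile(
    r"kernel: (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<lib>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)
# Squid parent noticing a kid process (squid-1) give up.
EXIT_RE = re.compile(
    r"Squid Parent: \(squid-\d+\) process (?P<pid>\d+) exited with status (?P<status>\d+)"
)


def decode_fault_error(err):
    """Decode the x86 page-fault error code the kernel prints after 'error'."""
    return {
        "protection_violation": bool(err & 1),  # 0: page not present, 1: protection violation
        "write": bool(err & 2),                 # 0: read access, 1: write access
        "user_mode": bool(err & 4),             # fault raised while executing in user mode
        "instruction_fetch": bool(err & 16),    # fault on an instruction fetch (NX)
    }


def parse_segfault(line):
    """Return a dict for a kernel segfault line, or None for any other line."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    base, size = int(m["base"], 16), int(m["size"], 16)
    return {
        "prog": m["prog"],
        "pid": int(m["pid"]),
        "lib": m["lib"],
        "ip_offset": ip - base,                     # faulting instruction relative to the library base
        "addr_in_lib": base <= addr < base + size,  # did the bad access touch the library's own mapping?
        "error": decode_fault_error(int(m["err"])),
    }


def summarize(log_text):
    """Group helper crashes by library and instruction offset and list Squid kid exits."""
    lines = log_text.splitlines()
    crashes = [c for c in map(parse_segfault, lines) if c]
    exits = [m for m in map(EXIT_RE.search, lines) if m]
    return {
        "crashes": crashes,
        "by_lib": Counter(c["lib"] for c in crashes),
        "ip_offsets": sorted({c["ip_offset"] for c in crashes}),
        "kid_exits": [(int(m["pid"]), int(m["status"])) for m in exits],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_MESSAGES)
    for c in s["crashes"]:
        kind = "protection violation" if c["error"]["protection_violation"] else "unmapped page"
        access = "write" if c["error"]["write"] else "read"
        print(f"{c['prog']}[{c['pid']}] faulted in {c['lib']} at +{c['ip_offset']:#x} "
              f"(user-mode {access}, {kind}, address inside library: {c['addr_in_lib']})")
    print("distinct faulting offsets:", [hex(o) for o in s["ip_offsets"]])
    print("Squid kid exits (pid, status):", s["kid_exits"])
```

A single repeated offset is the value to carry into a bug report or a gdb session against the helper: run `squidGuard -c /etc/squid/squidGuard.conf` by hand under gdb with a request on stdin and the crash will land at that same library offset. The error-code decoding is generic x86 page-fault semantics and works on any kernel segfault line, not only squidGuard's.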
Re: Help: squid restarts and squidGuard die

Amos Jeffries
Administrator
On 18/09/18 3:37 AM, Service MV wrote:
> Dear Ones, I draw on your experience in seeking help to determine
> whether or not it is possible to achieve the configuration I am looking
> for, due to a strange error I am having.

FYI: SquidGuard has not been maintained for many years now.

I recommend you convert as many of your filtering rules as you can into
normal Squid ACLs. Traffic which is being blocked for simple reasons can
be done much more efficiently by Squid than a helper.

You can use the more up-to-date ufdbguard helper as a drop-in
replacement for squidguard during the conversion.



>
> Before commenting on the bug I describe my testing environment:
> - A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
> - My VM is attached to my domain W2012R2 (following this post
> https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/)
> to achieve kerberos authentication transparent to the user. SElinux
> disabled. Owner permissions to user squid in all folders/files involved.
> - squid 3.5.20 installed and working great with kerberos, NTLM and basic
> authentication. All authentication mechanisms tested and working great.
> - SquidGuard: 1.4 Berkeley DB 5.3.21 installed and working great with
> blacklists and acl default.
>
> My problem starts when I try to use source acl using ldapusersearch in
> squidGuard... 
>
> systemctl status squid:
> (squid-1)[12627]: The redirector helpers are crashing too rapidly, need
> help!
>
> *squidGuard.conf*
>
> dbhome /etc/squid/db
> logdir /var/log/squidGuard
> ldapbinddn
> CN=ldap,OU=SERVICIOS,OU=SISTEMAS,OU=CANAL,OU=MYCOMPANY,DC=mydomain,DC=local
> ldapbindpass myULTRAsecretPASS
> ldapprotover 3
>
>
> src WEB_BASIC {
> ldapusersearch
> ldap://dc-1.mydomain.local:3268/dc=mydomain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=WEB_BASIC%2cou=INTERNET%2cou=PERMISOS%2cou=MYCOMPANY%2cdc=mydomain%2cdc=local))
> log block.log
> }
>
...

>
> acl {
>
> WEB_BASIC{
> pass whitelist !BL_porn !blacklist all
> redirect
> http://s-server1.mydomain.local/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
> log block.log
> }
>
...


> *squid.conf*
>
> acl localnet src 10.10.8.0/22 # LAN net
> acl dmz src 192.168.20.0/27   # DMZ net

These ACLs are never used due to what you are doing with the "auth" ACL.

...
>
> ### acl for proxy authentication (kerberos or ntlm) and ldap authorizations
> acl auth proxy_auth REQUIRED
>
> # Define protocols used for redirects
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS

These have nothing to do with redirects and are never used.

>
> ### enforce authentication
> http_access allow auth 
> http_access deny !auth
>

All possible traffic will match either "auth" or "!auth" above.

That means no http_access rules following this point do anything.


> ### standard access rules
> http_access deny !Safe_ports 
> http_access deny CONNECT !SSL_ports 
> http_access allow localhost manager 
> http_access deny manager

Your custom http_access rules (e.g. the auth checks) should be down here
so the basic security rules above have a chance to protect your proxy
against DoS, traffic smuggling attacks etc. before more complicated and
resource consuming things happen.


> http_access allow localnet
> http_access allow dmz
> http_access allow localhost 
> http_access deny all
>

...
> visible_hostname eren

The hostname needs to be a FQDN. It is delivered to clients in URLs
generated by Squid so they can fetch objects directly from the proxy.

FYI: Squid-3 should be able to automatically locate the hostname of the
machine it is running on. If that is not working then you need to fix
your machine, other software will be using the same mechanism and
likewise be encountering problems.


> httpd_suppress_version_string on 
> uri_whitespace strip
>
>
> ## squidGuard ##
> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
> url_rewrite_children 10 startup=5 idle=1 concurrency=0
> url_rewrite_bypass off
>
>

Your traffic in your access.log is all CONNECT requests. Those messages
cannot be re-written by SquidGuard. So at the very least you require
this config line:

 url_rewrite_access deny CONNECT


.. at this point you may notice your SG rules have no effect. This is
one of many reasons why you should do access control in the proxy
config, not externally in a complicated and slow helper.

>
> *messages*
>
> Sep 17 11:13:07 proxy kernel: squidGuard[12552]: segfault at
> ffffffffd7706bb0 ip 00007fdbf2052e70 sp 00007fffd1b73c70 error 5 in
> libldap-2.4.so.2.10.7[7fdbf2027000+52000]
> Sep 17 11:13:07 proxy kernel: squidGuard[12553]: segfault at
> ffffffffa3d27bb0 ip 00007fd79b787e70 sp 00007ffe47e9b880 error 5 in
> libldap-2.4.so.2.10.7[7fd79b75c000+52000]

...

>
> If I disable src and acl WEB_BASIC I have no problem. The default acl
> does its thing without problems.
> But when I enable src and acl WEB_BASIC squidGuard explodes and squid
> restarts so I get to notice.
> I see an error in a libldap library... Will it be a library error? Or am
> I misconfiguring my squid ?
>

It is not a Squid error. It is something in SquidGuard and/or the library.

Amos
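Amos's point about rule order ("all possible traffic will match either auth or !auth", so nothing after it runs) is easy to check mechanically. The script below is an added example, not code from the thread or from Squid: a small model of `http_access` first-match evaluation, run over the posted rule order and over the order Amos describes (standard port and manager rules first, the auth rules after them). It uses the ACL definitions from the posted squid.conf; the `Request` fields `authenticated` and `manager` are this example's stand-ins for a successful `proxy_auth REQUIRED` check and for Squid's built-in `manager` ACL, `localhost` is modelled as 127.0.0.1 only, and the sample requests are constructed, not taken from the access.log in the post.

```python
import ipaddress
from dataclasses import dataclass

# The http_access block as posted.
POSTED_ORDER = """
http_access allow auth
http_access deny !auth
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow dmz
http_access allow localhost
http_access deny all
"""

# The same rules with the auth checks moved below the standard security rules.
REORDERED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow auth
http_access deny !auth
http_access allow localnet
http_access allow dmz
http_access allow localhost
http_access deny all
"""

# Port ranges from the posted 'acl Safe_ports port ...' lines.
SAFE_PORTS = [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
              (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]


@dataclass
class Request:
    method: str
    dst_port: int
    src_ip: str
    authenticated: bool = False   # stand-in for 'proxy_auth REQUIRED' having succeeded
    manager: bool = False         # stand-in for Squid's built-in 'manager' ACL


# ACL names from the posted squid.conf mapped to predicates on a Request.
ACLS = {
    "Safe_ports": lambda r: any(lo <= r.dst_port <= hi for lo, hi in SAFE_PORTS),
    "SSL_ports": lambda r: r.dst_port == 443,
    "CONNECT": lambda r: r.method == "CONNECT",
    "auth": lambda r: r.authenticated,
    "localnet": lambda r: ipaddress.ip_address(r.src_ip) in ipaddress.ip_network("10.10.8.0/22"),
    "dmz": lambda r: ipaddress.ip_address(r.src_ip) in ipaddress.ip_network("192.168.20.0/27"),
    "localhost": lambda r: r.src_ip == "127.0.0.1",
    "manager": lambda r: r.manager,
    "all": lambda r: True,
}


def parse_rules(text):
    """Turn 'http_access <allow|deny> term...' lines into (action, [terms]) pairs."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return rules


def term_matches(term, req):
    """A term is an ACL name, optionally prefixed with '!' for negation."""
    negated = term.startswith("!")
    return ACLS[term.lstrip("!")](req) != negated


def http_access(rules, req):
    """Squid semantics: the first rule whose terms all match decides. If no rule
    matches, the result is the opposite of the last rule's action. (Real Squid
    turns a deny on a proxy_auth ACL into a 407 challenge; not modelled here.)"""
    for idx, (action, terms) in enumerate(rules):
        if all(term_matches(t, req) for t in terms):
            return action, idx
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def rules_that_decided(rules, requests):
    """Indices of the rules that ever decided one of the given requests."""
    return {http_access(rules, r)[1] for r in requests}


SAMPLE_TRAFFIC = [  # constructed requests, not from the post's access.log
    Request("CONNECT", 25, "10.10.9.10", authenticated=True),    # tunnel to a non-safe port
    Request("CONNECT", 8080, "10.10.9.10", authenticated=True),  # tunnel to a safe, non-SSL port
    Request("GET", 80, "192.168.20.5"),                          # unauthenticated DMZ host
]

if __name__ == "__main__":
    for name, text in (("posted order", POSTED_ORDER), ("reordered", REORDERED)):
        rules = parse_rules(text)
        print(name)
        for r in SAMPLE_TRAFFIC:
            action, idx = http_access(rules, r)
            print(f"  {r.method} :{r.dst_port} from {r.src_ip} auth={r.authenticated} -> {action} (rule {idx})")
        print("  rules that ever decided:", sorted(rules_that_decided(rules, SAMPLE_TRAFFIC)))
```

In the posted order an authenticated client can CONNECT to port 25 or 8080 because rule 0 allows it before `deny !Safe_ports` and `deny CONNECT !SSL_ports` are ever consulted; only rules 0 and 1 ever decide anything. In the reordered list the same two requests are denied by the port rules, and the auth check still applies to everything that gets past them. The `url_rewrite_access deny CONNECT` line Amos mentions is a separate directive and is not part of this model.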
Re: Help: squid restarts and squidGuard die

Enrico Heine
Just want to add, I use SquidGuard in two high-load setups and never ran into issues. I didn't integrate it as a url rewrite helper but as an external acl helper, and it works great with 800 users.

On 17 September 2018 at 20:38:06 MESZ, Amos Jeffries <[hidden email]> wrote:
On 18/09/18 3:37 AM, Service MV wrote:
Dear Ones, I draw on your experience in seeking help to determine
whether or not it is possible to achieve the configuration I am looking
for, due to a strange error I am having.

FYI: SquidGuard has not been maintained for many years now.

I recommend you convert as many of your filtering rules as you can into
normal Squid ACLs. Traffic which is being blocked for simple reasons can
be done much more efficiently by Squid than a helper.

You can use the more up-to-date ufdbguard helper as a drop-in
replacement for squidguard during the conversion.




Before commenting on the bug I describe my testing environment:
- A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
- My VM is attached to my domain W2012R2 (following this post
https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/)
to achieve kerberos authentication transparent to the user. SElinux
disabled. Owner permissions to user squid in all folders/files involved.
- squid 3.5.20 installed and working great with kerberos, NTLM and basic
authentication. All authentication mechanisms tested and working great.
- SquidGuard: 1.4 Berkeley DB 5.3.21 installed and working great with
blacklists and acl default.

My problem starts when I try to use source acl using ldapusersearch in
squidGuard... 

systemctl status squid:
(squid-1)[12627]: The redirector helpers are crashing too rapidly, need
help!

*squidGuard.conf*

dbhome /etc/squid/db
logdir /var/log/squidGuard
ldapbinddn
CN=ldap,OU=SERVICIOS,OU=SISTEMAS,OU=CANAL,OU=MYCOMPANY,DC=mydomain,DC=local
ldapbindpass myULTRAsecretPASS
ldapprotover 3


src WEB_BASIC {
ldapusersearch
ldap://dc-1.mydomain.local:3268/dc=mydomain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=WEB_BASIC%2cou=INTERNET%2cou=PERMISOS%2cou=MYCOMPANY%2cdc=mydomain%2cdc=local))
log block.log
}

...

acl {

WEB_BASIC{
pass whitelist !BL_porn !blacklist all
redirect
> http://s-server1.mydomain.local/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
> log block.log
> }

...

> *squid.conf*
>
> acl localnet src 10.10.8.0/22 # LAN net
> acl dmz src 192.168.20.0/27 # DMZ net

These ACLs are never used due to what you are doing with the "auth" ACL.

...

> ### acl for proxy authentication (kerberos or ntlm) and ldap authorizations
> acl auth proxy_auth REQUIRED
>
> # Define protocols used for redirects
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS

These have nothing to do with redirects and are never used.

> ### enforce authentication
> http_access allow auth
> http_access deny !auth

All possible traffic will match either "auth" or "!auth" above.

That means no http_access rules following this point do anything.

> ### standard access rules
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager

Your custom http_access rules (e.g. the auth checks) should be down here
so the basic security rules above have a chance to protect your proxy
against DoS, traffic smuggling attacks etc. before more complicated and
resource consuming things happen.

> http_access allow localnet
> http_access allow dmz
> http_access allow localhost
> http_access deny all

...

> visible_hostname eren

The hostname needs to be a FQDN. It is delivered to clients in URLs
generated by Squid so they can fetch objects directly from the proxy.

FYI: Squid-3 should be able to automatically locate the hostname of the
machine it is running on. If that is not working then you need to fix
your machine, other software will be using the same mechanism and
likewise be encountering problems.

> httpd_suppress_version_string on
> uri_whitespace strip
>
> ## squidGuard ##
> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
> url_rewrite_children 10 startup=5 idle=1 concurrency=0
> url_rewrite_bypass off

Your traffic in your access.log is all CONNECT requests. Those messages
cannot be re-written by SquidGuard. So at the very least you require
this config line:

url_rewrite_access deny CONNECT

.. at this point you may notice your SG rules have no effect. This is
one of many reasons why you should do access control in the proxy
config, not externally in a complicated and slow helper.

> *messages*
>
> Sep 17 11:13:07 proxy kernel: squidGuard[12552]: segfault at
> ffffffffd7706bb0 ip 00007fdbf2052e70 sp 00007fffd1b73c70 error 5 in
> libldap-2.4.so.2.10.7[7fdbf2027000+52000]
> Sep 17 11:13:07 proxy kernel: squidGuard[12553]: segfault at
> ffffffffa3d27bb0 ip 00007fd79b787e70 sp 00007ffe47e9b880 error 5 in
> libldap-2.4.so.2.10.7[7fd79b75c000+52000]

...

> If I disable src and acl WEB_BASIC I have no problem. The default acl
> does its thing without problems.
> But when I enable src and acl WEB_BASIC squidGuard explodes and squid
> restarts so I get to notice.
> I see an error in a libldap library... Will it be a library error? Or am
> I misconfiguring my squid ?

It is not a Squid error. It is something in SquidGuard and/or the library.

Amos


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
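The point Amos makes about rule order is easy to verify mechanically. The following Python model of Squid's first-match http_access evaluation is an added example (mine, not code from the thread or from the Squid project): it runs the ordering from the quoted squid.conf and one reordering in the spirit of the advice above against a handful of constructed requests, and reports which http_access lines ever decide anything. ACL matching is simplified to flags on the request (the `manager` ACL is a plain boolean, the `auth` ACL is a boolean rather than a 407 challenge), the Safe_ports/SSL_ports sets are the stock defaults, and the reordered rule set is my assumption, not a config posted in the thread.

```python
"""Model of Squid's first-match http_access evaluation (added example, not
Squid code). ACL matching is simplified to flags on a constructed request;
the ACL and rule names are the ones from the squid.conf quoted above."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str             # client IP address
    method: str          # HTTP method, e.g. "GET" or "CONNECT"
    port: int            # destination port from the URL / CONNECT target
    authenticated: bool  # would the `proxy_auth REQUIRED` acl match?
    is_manager: bool = False  # cache manager request (assumed flag)


# Stock squid.conf port sets; the networks are the ones from the quoted config
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}
LOCALNET = ipaddress.ip_network("10.10.8.0/22")
DMZ = ipaddress.ip_network("192.168.20.0/27")


def acl_matches(name: str, req: Request) -> bool:
    """Evaluate one named ACL against the request (simplified semantics)."""
    ip = ipaddress.ip_address(req.src)

    def in_net(net):
        return ip.version == net.version and ip in net

    table = {
        "all": True,
        "auth": req.authenticated,
        "Safe_ports": req.port in SAFE_PORTS,
        "SSL_ports": req.port in SSL_PORTS,
        "CONNECT": req.method == "CONNECT",
        "manager": req.is_manager,
        "localhost": ip.is_loopback,
        "localnet": in_net(LOCALNET),
        "dmz": in_net(DMZ),
    }
    return table[name]


def evaluate(rules, req: Request):
    """Return (action, index) of the first http_access line whose ACLs all
    match; with no match Squid applies the opposite of the last line."""
    for idx, (action, terms) in enumerate(rules):
        # a "!name" term matches when the ACL does not
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, idx
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


# The ordering from the quoted squid.conf: the auth pair comes first.
AS_POSTED = [
    ("allow", ["auth"]),
    ("deny", ["!auth"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["dmz"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# One reordering following the advice above (my assumption, not from the
# thread): cheap safety rules first, then require auth, then restrict
# authenticated clients to the known source networks.
REORDERED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("deny", ["!auth"]),
    ("allow", ["localnet"]),
    ("allow", ["dmz"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# Constructed sample traffic (not taken from the thread's logs).
SAMPLE_REQUESTS = [
    Request("10.10.8.5", "CONNECT", 8080, True),    # authenticated CONNECT to a non-SSL port
    Request("10.10.8.5", "GET", 22, True),          # authenticated request to an unsafe port
    Request("10.10.8.5", "GET", 80, True),          # normal authenticated browsing
    Request("10.10.8.5", "GET", 80, False),         # not (yet) authenticated
    Request("203.0.113.9", "GET", 80, True),        # authenticated, but from outside localnet/dmz
    Request("127.0.0.1", "GET", 3128, False, True), # cache manager from localhost
]


def reached_rules(rules, requests=SAMPLE_REQUESTS):
    """Indices of rules that ever decide a request: shows which lines are dead."""
    return {evaluate(rules, r)[1] for r in requests} - {None}


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(f"--- {label}: rules reached {sorted(reached_rules(rules))}")
        for r in SAMPLE_REQUESTS:
            action, idx = evaluate(rules, r)
            print(f"{r.method:7} {r.src:>12}:{r.port:<5} auth={r.authenticated!s:5} -> {action} (rule {idx})")
```

With the posted ordering only rules 0 and 1 are ever reached, so an authenticated user can CONNECT to any port and a client outside localnet/dmz is allowed as long as it can authenticate; the reordering makes the Safe_ports, CONNECT and manager lines decide first and lets the localnet/dmz ACLs do their job.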

Re: Help: squid restarts and squidGuard die

neok
In reply to this post by Amos Jeffries
Thank you very much Amos for putting me in the right direction.
I successfully carried out the modifications you indicated to me.
Regarding ufdbGuard, if I understood correctly, what you recommend is to use
the ufdbConvertDB tool to convert my blacklists in plain text to the
ufdbGuard database format? And then use that/those databases in normal squid
ACL's?




Re: Help: squid restarts and squidGuard die

Amos Jeffries
Administrator
On 19/09/18 1:54 AM, neok wrote:
> Thank you very much Amos for putting me in the right direction.
> I successfully carried out the modifications you indicated to me.
> Regarding ufdbGuard, if I understood correctly, what you recommend is to use
> the ufdbConvertDB tool to convert my blacklists in plain text to the
> ufdbGuard database format? And then use that/those databases in normal squid
> ACL's?

No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
replacement which works better while you improve your config.

You should work towards less complexity. Squid / squid.conf is where
HTTP access control takes place. The helper is about re-writing the URL
(only) - which is a complex and destructive process.

Amos

Re: Help: squid restarts and squidGuard die

Enrico Heine
Thank you for this information Amos! :) I had ufdbguard as a possible replacement in my list; your info about it being a fork is the reason that I will switch to it soon. Thanks :)

Am 19. September 2018 04:03:39 MESZ schrieb Amos Jeffries <[hidden email]>:
On 19/09/18 1:54 AM, neok wrote:
Thank you very much Amos for putting me in the right direction.
I successfully carried out the modifications you indicated to me.
Regarding ufdbGuard, if I understood correctly, what you recommend is to use
the ufdbConvertDB tool to convert my blacklists in plain text to the
ufdbGuard database format? And then use that/those databases in normal squid
ACL's?

No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
replacement which works better while you improve your config.

You should work towards less complexity. Squid / squid.conf is where
HTTP access control takes place. The helper is about re-writing the URL
(only) - which is a complex and destructive process.

Amos



--
This message was sent from my Android device with K-9 Mail.

Re: Help: squid restarts and squidGuard die

Marcus Kool
In reply to this post by Amos Jeffries


On 18/09/18 23:03, Amos Jeffries wrote:

> On 19/09/18 1:54 AM, neok wrote:
>> Thank you very much Amos for putting me in the right direction.
>> I successfully carried out the modifications you indicated to me.
>> Regarding ufdbGuard, if I understood correctly, what you recommend is to use
>> the ufdbConvertDB tool to convert my blacklists in plain text to the
>> ufdbGuard database format? And then use that/those databases in normal squid
>> ACL's?
>
> No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
> replacement which works better while you improve your config.
>
> You should work towards less complexity. Squid / squid.conf is where
> HTTP access control takes place. The helper is about re-writing the URL
> (only) - which is a complex and destructive process.

ufdbGuard is a simple tool that has the same syntax in its configuration file as squidGuard has.
It is far from complex, has a great Reference Manual, example config file and a responsive support desk.
Amos, I have never seen you call a URL writer a complex and destructive process.  What do you mean?

URL rewriters have been used for decades for HTTP access control but you state "squid.conf is where HTTP access control takes place".
Are you saying that you want it to be the _only_ place for HTTP access control?

Marcus


> Amos

Re: Help: squid restarts and squidGuard die

Donald Muller
In reply to this post by Amos Jeffries
Amos,

So instead of using squidguard are you saying  you should use something like the following?

acl ads dstdomain -i "/etc/squid/squid-ads.acl"
acl adult dstdomain -i "/etc/squid/squid-adult.acl"

http_access deny ads
http_access deny adult

Do the lists need to be sorted in alphabetical order?

Don

> -----Original Message-----
> From: squid-users <[hidden email]> On Behalf
> Of Amos Jeffries
> Sent: Tuesday, September 18, 2018 10:04 PM
> To: [hidden email]
> Subject: Re: [squid-users] Help: squid restarts and squidGuard die
>
> On 19/09/18 1:54 AM, neok wrote:
> > Thank you very much Amos for putting me in the right direction.
> > I successfully carried out the modifications you indicated to me.
> > Regarding ufdbGuard, if I understood correctly, what you recommend is
> > to use the ufdbConvertDB tool to convert my blacklists in plain text
> > to the ufdbGuard database format? And then use that/those databases in
> > normal squid ACL's?
>
> No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
> replacement which works better while you improve your config.
>
> You should work towards less complexity. Squid / squid.conf is where HTTP
> access control takes place. The helper is about re-writing the URL
> (only) - which is a complex and destructive process.
>
> Amos

Re: Help: squid restarts and squidGuard die

Matus UHLAR - fantomas
On 19.09.18 20:47, Donald Muller wrote:
>So instead of using squidguard are you saying  you should use something like the following?
>
>acl ads dstdomain -i "/etc/squid/squid-ads.acl"
>acl adult dstdomain -i "/etc/squid/squid-adult.acl"
>
>http_access deny ads
>http_access deny adult
>
>Do the lists need to be sorted in alphabetical order?

I don't think so - the lists are parsed into an in-memory format for faster
processing.

The case where sw like ufdbguard is important is where you use regular
expressions like url_regex (but srcdom_regex and dstdom_regex may need it
too).

Processing of those is very inefficient inside of squid.


>> -----Original Message-----
>> From: squid-users <[hidden email]> On Behalf
>> Of Amos Jeffries
>> Sent: Tuesday, September 18, 2018 10:04 PM
>> To: [hidden email]
>> Subject: Re: [squid-users] Help: squid restarts and squidGuard die
>>
>> On 19/09/18 1:54 AM, neok wrote:
>> > Thank you very much Amos for putting me in the right direction.
>> > I successfully carried out the modifications you indicated to me.
>> > Regarding ufdbGuard, if I understood correctly, what you recommend is
>> > to use the ufdbConvertDB tool to convert my blacklists in plain text
>> > to the ufdbGuard database format? And then use that/those databases in
>> > normal squid ACL's?
>>
>> No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
>> replacement which works better while you improve your config.
>>
>> You should work towards less complexity. Squid / squid.conf is where HTTP
>> access control takes place. The helper is about re-writing the URL
>> (only) - which is a complex and destructive process.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...

Re: Help: squid restarts and squidGuard die

Amos Jeffries
Administrator
In reply to this post by Marcus Kool
On 19/09/18 11:49 PM, Marcus Kool wrote:

>
> On 18/09/18 23:03, Amos Jeffries wrote:
>> On 19/09/18 1:54 AM, neok wrote:
>>> Thank you very much Amos for putting me in the right direction.
>>> I successfully carried out the modifications you indicated to me.
>>> Regarding ufdbGuard, if I understood correctly, what you recommend is
>>> to use
>>> the ufdbConvertDB tool to convert my blacklists in plain text to the
>>> ufdbGuard database format? And then use that/those databases in
>>> normal squid
>>> ACL's?
>>
>> No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
>> replacement which works better while you improve your config.
>>
>> You should work towards less complexity. Squid / squid.conf is where
>> HTTP access control takes place. The helper is about re-writing the URL
>> (only) - which is a complex and destructive process.
>
> ufdbGuard is a simple tool that has the same syntax in its configuration
> file as squidGuard has.
> It is far from complex, has a great Reference Manual, exmaple config
> file and a responsive support desk.
> Amos, I have never seen you calling a URL writer being a complex and
> destructive process.  What do you mean?

Re-writing requires Squid to:
 * fork external helpers, and
 * maintain queues of lookups to those helpers, and
 * maintain cache of helper responses, and
 * maintain a whole extra copy of HTTP-request state, and
 * copy some (not all) of that state info between the two "client" requests.

 ... lots of complexity, memory, CPU time, traffic latency, etc.

Also when used for access control (re-write to an "error" URL) the
re-write helper needs extra complexity in itself to act as the altered
origin server for error pages, or have some fourth-party web server.


>
> URL rewriters have been used for decades for HTTP access control but you
> state "squid.conf is where HTTP access control takes place".

Once upon a time, back at the dawn of the WWW (before the 1990s) Squid
lacked external_acl_type and modular ACLs.

That persisted for the first decade or so of Squid's life, with only the
re-write API for admin to use for complicated permissions.

Then one day about 2 decades or so ago, external ACL was added and the
ACLs were also made much easier to implement and plug in new checks.
Today we have hundreds of native ACLs and even a selection of custom ACL
helpers. Making the need for these abuses of the poor re-writers.

Old habits and online tutorials however are hard to get rid of.


> Are you saying that you want it is the _only_ place for HTTP access
> control?


I'm saying the purpose of the url_rewrite_* API in Squid is to tell
Squid whether the URL (only) needs some mangling in order for the
server/origin to understand it.
 It can re-write transparently with all the problems that causes to
security scopes and URL sync between the endpoints. Or redirect the
client to the "correct" URL.


The Squid http_access and similar *access controls* are the place for
access control - hint is in the naming. With external ACL type for
anything Squid does not support natively or well. As Flashdown mentioned
even calls to SquidGuard etc. can be wrapped and used as external ACLs.


Amos

Re: Help: squid restarts and squidGuard die

Enrico Heine
> I'm saying the purpose of the url_rewrite_* API in Squid is to tell
> Squid whether the URL (only) needs some mangling in order for the
> server/origin to understand it.
>  It can re-write transparently with all the problems that causes to
> security scopes and URL sync between the endpoints. Or redirect the
> client to the "correct" URL.
>
>
> The Squid http_access and similar *access controls* are the place for
> access control - hint is in the naming. With external ACL type for
> anything Squid does not support natively or well. As Flashdown
> mentioned
> even calls to SquidGuard etc. can be wrapped and used as external ACLs.
>

Just want to add, in the beginning I thought about using a wrapper or
writing one but as I found out during testing during this time,
SquidGuard gives back the right responses to Squid, so a wrapper was not
needed, and the rewrite added in such a response is simply ignored by
Squid and it works like a charm, hope ufdbguard can be used as external
acl helper natively as well. My config line:

external_acl_type squidguard ipv4 concurrency=0 children-max=XXX children-startup=XX ttl=60 %URI %SRC %{-} %un %METHOD /usr/bin/squidGuard

Taken out from my internal documentation:

"Manual testing:

echo "website.com 10.0.0.1/ - - GET" | squidGuard

Explanation of responses:

     ERR tells us: the access was not denied by SquidGuard, so either it is
not part of the blacklists or it is listed in the whitelist
     BH message="squidGuard error parsing squid line" tells us: there was
an error when checking your input, maybe you had a syntax error or there
is an issue in SquidGuard, the message param gives more insight.
     OK rewrite-url="https://127.0.0.1/" tells us: the item was found on
the blacklists and is blocked. BTW Squid only sees the OK and ignores
the rewrite command, since we didn't integrate it as a URL-rewrite
program which would have many disadvantages.

PS: This is just how an external ACL helper for Squid must work/respond.
So Squid only takes ERR and BH including the message and OK. That's why I
was able to implement it this way without writing a wrapper for it."

Hope it helps and hope I can do the same with ufdbguard, the SquidGuard
Version I use is the latest one from the official Debian Repositories.



---
Best regards,
Flashdown
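To make the helper protocol Flashdown describes concrete, here is a minimal external ACL helper in Python. It is an added example (mine, not SquidGuard, ufdbGuard or Squid code) that speaks the same line format as his config, `%URI %SRC %{-} %un %METHOD` with `concurrency=0`, so no channel-id field: it reads one request per line, extracts the host from the URI (CONNECT requests arrive as bare `host:port`), checks it against dstdomain-style block lists that are constructed inline for the example (reserved `.test` names, not real lists), and answers `OK`, `ERR` or `BH message="..."`. The `tag=` key is one Squid understands; the `rewrite-url=` key is emitted only to mirror what SquidGuard returns and, as Flashdown observed, Squid does not act on it from this interface. The category names and the `blocked-` tag prefix are my assumptions.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper (added example, not SquidGuard/ufdbGuard
code). Input line format assumed: "%URI %SRC %{-} %un %METHOD", one request
per line, concurrency=0 (no channel-id field). Replies are one line each:
OK / ERR / BH, optionally followed by key=value pairs."""
import sys
from urllib.parse import urlsplit

# Constructed dstdomain-style block lists (reserved .test names, not real data).
# A leading dot matches the domain itself and every subdomain; a bare name
# matches exactly, which is how Squid's own dstdomain acl reads such lists.
BLOCKLISTS = {
    "ads": [".doubleclick.test", "ads.example.test"],
    "adult": [".adult.example.test"],
}


def host_of(uri: str) -> str:
    """Lowercase hostname of the request: CONNECT gives bare host:port,
    other methods a full URL; port, userinfo and IPv6 brackets are dropped."""
    if "://" not in uri:
        uri = "//" + uri                 # let urlsplit treat it as an authority
    return (urlsplit(uri).hostname or "").lower()


def dstdomain_match(host: str, entry: str) -> bool:
    """dstdomain semantics: ".x.test" matches x.test and *.x.test; "x.test" only x.test."""
    entry = entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def classify(host: str):
    """First block-list category the host falls into, else None."""
    for category, entries in BLOCKLISTS.items():
        if any(dstdomain_match(host, e) for e in entries):
            return category
    return None


def handle_line(line: str) -> str:
    """Build the helper's one-line reply for one request line from Squid."""
    fields = line.strip().split()
    if len(fields) != 5:
        # BH = helper could not evaluate; Squid treats the acl as a failure
        return 'BH message="malformed request line, expected 5 fields"'
    uri, _src, _ident, _user, _method = fields
    host = host_of(uri)
    if not host:
        return 'BH message="no host in URI"'
    category = classify(host)
    if category is None:
        return "ERR"                     # acl does not match: not on any list
    # OK means "acl matches"; paired with `http_access deny <acl>` that is a block.
    # rewrite-url= is only here to mirror SquidGuard's output; Squid does not
    # act on it when the helper is used as an external acl (assumed harmless).
    return f"OK tag=blocked-{category} rewrite-url=https://127.0.0.1/"


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()               # Squid blocks waiting for each answer


if __name__ == "__main__":
    main()
```

On the Squid side the helper is referenced the same way as Flashdown's `external_acl_type` line (with the script path in place of `/usr/bin/squidGuard`), followed by `acl blocked external squidguard` and `http_access deny blocked`, placed after the standard Safe_ports/CONNECT rules. If you later raise `concurrency` above 0, Squid prefixes every line with a channel id that must be echoed back in front of the reply; this helper does not handle that.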

Re: Help: squid restarts and squidGuard die

Donald Muller
In reply to this post by Matus UHLAR - fantomas


> -----Original Message-----
> From: squid-users <[hidden email]> On Behalf
> Of Matus UHLAR - fantomas
> Sent: Thursday, September 20, 2018 7:16 AM
> To: [hidden email]
> Subject: Re: [squid-users] Help: squid restarts and squidGuard die
>
> On 19.09.18 20:47, Donald Muller wrote:
> >So instead of using squidguard are you saying  you should use something
> like the following?
> >
> >acl ads dstdomain -i "/etc/squid/squid-ads.acl"
> >acl adult dstdomain -i "/etc/squid/squid-adult.acl"
> >
> >http_access deny ads
> >http_access deny adult
> >
> >Do the lists need to be sorted in alphabetical order?
>
> I don't think so - the lists are parsed to in -memory format for faster
> processing.
>

Does Squid monitor dstdomain files for changes and reload them or does a '-k reconfigure' need to be issued?

> The case where sw like ufdbguard is important is where you use regular
> expressions like url_regex (but srcdom_regex and dstdom_regex may neet it
> too).
>
> Processing of those is very inefficient inside of squid.
>
>
> >> -----Original Message-----
> >> From: squid-users <[hidden email]> On
> >> Behalf Of Amos Jeffries
> >> Sent: Tuesday, September 18, 2018 10:04 PM
> >> To: [hidden email]
> >> Subject: Re: [squid-users] Help: squid restarts and squidGuard die
> >>
> >> On 19/09/18 1:54 AM, neok wrote:
> >> > Thank you very much Amos for putting me in the right direction.
> >> > I successfully carried out the modifications you indicated to me.
> >> > Regarding ufdbGuard, if I understood correctly, what you recommend
> >> > is to use the ufdbConvertDB tool to convert my blacklists in plain
> >> > text to the ufdbGuard database format? And then use that/those
> >> > databases in normal squid ACL's?
> >>
> >> No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
> >> replacement which works better while you improve your config.
> >>
> >> You should work towards less complexity. Squid / squid.conf is where
> >> HTTP access control takes place. The helper is about re-writing the
> >> URL
> >> (only) - which is a complex and destructive process.
>

Re: Help: squid restarts and squidGuard die

Marcus Kool
In reply to this post by Amos Jeffries


On 20/09/18 08:46, Amos Jeffries wrote:

> On 19/09/18 11:49 PM, Marcus Kool wrote:
>>
>> On 18/09/18 23:03, Amos Jeffries wrote:
>>> On 19/09/18 1:54 AM, neok wrote:
>>>> Thank you very much Amos for putting me in the right direction.
>>>> I successfully carried out the modifications you indicated to me.
>>>> Regarding ufdbGuard, if I understood correctly, what you recommend is
>>>> to use
>>>> the ufdbConvertDB tool to convert my blacklists in plain text to the
>>>> ufdbGuard database format? And then use that/those databases in
>>>> normal squid
>>>> ACL's?
>>>
>>> No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
>>> replacement which works better while you improve your config.
>>>
>>> You should work towards less complexity. Squid / squid.conf is where
>>> HTTP access control takes place. The helper is about re-writing the URL
>>> (only) - which is a complex and destructive process.
>>
>> ufdbGuard is a simple tool that has the same syntax in its configuration
>> file as squidGuard has.
>> It is far from complex, has a great Reference Manual, exmaple config
>> file and a responsive support desk.
>> Amos, I have never seen you calling a URL writer being a complex and
>> destructive process.  What do you mean?
>
> Re-writing requires Squid to:
>   * fork external helpers, and
>   * maintain queues of lookups to those helpers, and
>   * maintain cache of helper responses, and
>   * maintain a whole extra copy of HTTP-request state, and
>   * copy some (not all) of that state info between the two "client" requests.
>
>   ... lots of complexity, memory, CPU time, traffic latency, etc.

Squid itself is complex and for any feature of Squid one can make a list like above to say that it is complex.
The fact that one can make such a list does not mean much to me.
One can make the same or a similar list for external acl helpers and even native acls.

> Also when used for access control (re-write to an "error" URL) the
> re-write helper needs extra complexity in itself to act as the altered
> origin server for error pages, or have some fourth-party web server.

Squid cannot do everything that a URL writer, and specifically ufdbGuard, can.
For example, Squid must restart and break all open connections when a tiny detail of the configuration changes.  With ufdbGuard this does not happen.
ufdbGuard supports dynamic lists of users, domains and source ip addresses which are updated every X minutes without any service interruption.
When other parameters change, ufdbGuard resets itself with zero service interruption for Squid and its users.
ufdbGuard can decide to probe a site to make a decision, and hence detect Skype, Teamviewer and other types of sites that an admin might want to block.  Squid cannot.
ufdbGuard can decide to do a reverse IP lookup to make a decision.  Squid cannot.
ufdbGuard supports complex time restrictions for access. Squid supports simple time restrictions.
ufdbGuard supports flat file domain/url lists and a commercial URL database.  Squid does not.
And the list goes on.

So when you state on the mailing list that users should unconditionally stop using a URL writer in favor of using Squid acls, you may be causing trouble for admins who do not know the implications of your advice.


>> URL rewriters have been used for decades for HTTP access control but you
>> state "squid.conf is where HTTP access control takes place".
>
> Once upon a time, back at the dawn of the WWW (before the 1990s) Squid
> lacked external_acl_type and modular ACLs.
>
> That persisted for the first decade or so of Squid's life, with only the
> re-write API for admin to use for complicated permissions.
>
> Then one day about 2 decades or so ago, external ACL was added and the
> ACLs were also made much easier to implement and plug in new checks.
> Today we have hundreds of native ACLs and even a selection of custom ACL
> helpers. Making the need for these abuses of the poor re-writers.
>
> Old habits and online tutorials however are hard to get rid of.

If you want to get rid of habits that in your view are old/obsolete, then why not start a discussion?
And in the event that at the end of the discussion, the decision is made that a particular interface should be removed, why not phase it out ?

>> Are you saying that you want it is the _only_ place for HTTP access
>> control?
>
>
> I'm saying the purpose of the url_rewrite_* API in Squid is to tell
> Squid whether the URL (only) needs some mangling in order for the
> server/origin to understand it.
>   It can re-write transparently with all the problems that causes to
> security scopes and URL sync between the endpoints. Or redirect the
> client to the "correct" URL.
>
>
> The Squid http_access and similar *access controls* are the place for
> access control - hint is in the naming. With external ACL type for
> anything Squid does not support natively or well. As Flashdown mentioned
> even calls to SquidGuard etc. can be wrapped and used as external ACLs.

Wrapping and external ACLs add the same complexity, memory, CPU time, traffic latency, etc. that you use as an argument against a URL writer.
Is it only because of the name, 'external acl helper' vs 'url rewriter helper', that you dislike the url rewriter?

Marcus

>
> Amos

Re: Help: squid restarts and squidGuard die

Amos Jeffries
Administrator
In reply to this post by Donald Muller
On 21/09/18 3:46 AM, Donald Muller wrote:

>
>> -----Original Message-----
>> From: Matus UHLAR - fantomas
>> Sent: Thursday, September 20, 2018 7:16 AM
>>
>> On 19.09.18 20:47, Donald Muller wrote:
>>> So instead of using squidguard are you saying  you should use something
>> like the following?
>>>
>>> acl ads dstdomain -i "/etc/squid/squid-ads.acl"
>>> acl adult dstdomain -i "/etc/squid/squid-adult.acl"
>>>
>>> http_access deny ads
>>> http_access deny adult
>>>
>>> Do the lists need to be sorted in alphabetical order?
>>
>> I don't think so - the lists are parsed to in -memory format for faster
>> processing.
>>
>
> Does Squid monitor dstdomain files for changes and reload them or does a '-k reconfigure' need to be issued?
>

Not currently. I'm looking for a nice portable way to do file watching.

The Linux inotify system can apparently be used to send the -k
reconfigure command on FS changes in the config directory. Though I've
yet to see any working example and have not had the time myself to
experiment on it.

Patches and/or info welcome. This might be a good starter project if
anyone wants to dip their fingers into the Squid code.

Amos
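Amos mentions that nobody has shown him a working "watch the config directory and send -k reconfigure" example. The script below is an added example (mine, not Squid code and not a Squid patch) of the outside-of-Squid variant: it polls the directory with os.stat rather than inotify, so it needs no extra library and is portable, detects added, removed or rewritten `*.conf` / `*.acl` files, waits briefly for a multi-file update to settle, and then runs `squid -k reconfigure` once. The poll interval, the settle delay and the file patterns are assumptions; the reconfigure invocation itself is the standard Squid command and must run as a user allowed to signal the running Squid. `demo()` exercises the change detection on a temporary directory so the logic can be checked without a proxy.

```python
"""Poll a Squid config directory and run `squid -k reconfigure` when an ACL
list or config file changes (added example, not Squid code or a Squid patch).
os.stat polling is used instead of inotify so it needs no extra library and
works on non-Linux hosts; interval, settle delay and patterns are assumptions."""
import fnmatch
import os
import subprocess
import sys
import tempfile
import time

PATTERNS = ("*.conf", "*.acl")                   # assumed naming of list files
RECONFIGURE = ["squid", "-k", "reconfigure"]      # standard Squid CLI invocation


def snapshot(directory: str, patterns=PATTERNS) -> dict:
    """Map each matching regular file to (mtime_ns, size); a rewrite changes at least one."""
    state = {}
    for name in os.listdir(directory):
        if not any(fnmatch.fnmatch(name, p) for p in patterns):
            continue
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            st = os.stat(path)
            state[path] = (st.st_mtime_ns, st.st_size)
    return state


def changed_files(old: dict, new: dict) -> set:
    """Paths added, removed or rewritten between two snapshots."""
    return {p for p in old.keys() | new.keys() if old.get(p) != new.get(p)}


def run_reconfigure() -> int:
    """Ask the running Squid to reload its configuration; returns the exit status."""
    return subprocess.call(RECONFIGURE)


def watch(directory: str, on_change=run_reconfigure, interval: float = 2.0, settle: float = 1.0):
    """Loop forever; after a change, wait `settle` seconds for the writer
    (e.g. a list download unpacking several files) to finish, re-snapshot so
    those late writes are not reported again, then reconfigure once."""
    state = snapshot(directory)
    while True:
        time.sleep(interval)
        current = snapshot(directory)
        if changed_files(state, current):
            time.sleep(settle)
            current = snapshot(directory)
            on_change()
            state = current


def demo() -> list:
    """Self-check on a temporary directory: basenames reported as changed after
    adding one list file, appending to another and touching a non-matching file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "ads.acl"), "w") as f:
            f.write(".doubleclick.test\n")
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("does not match PATTERNS, so never reported\n")
        before = snapshot(d)
        with open(os.path.join(d, "adult.acl"), "w") as f:   # new file
            f.write(".adult.example.test\n")
        with open(os.path.join(d, "ads.acl"), "a") as f:     # size changes
            f.write("ads.example.test\n")
        with open(os.path.join(d, "notes.txt"), "a") as f:   # ignored
            f.write("still ignored\n")
        return sorted(os.path.basename(p) for p in changed_files(before, snapshot(d)))


if __name__ == "__main__":
    watch(sys.argv[1] if len(sys.argv) > 1 else "/etc/squid")
```

Run it as `python3 watch_squid.py /etc/squid` under a service manager; the file name is an assumption. Comparing size as well as mtime covers filesystems with coarse timestamp resolution, and the settle delay avoids firing a reconfigure in the middle of a blacklist update that replaces several files in a row.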

Re: Help: squid restarts and squidGuard die

Amos Jeffries
Administrator
In reply to this post by Marcus Kool
On 21/09/18 3:46 AM, Marcus Kool wrote:

>
> On 20/09/18 08:46, Amos Jeffries wrote:
>> On 19/09/18 11:49 PM, Marcus Kool wrote:
>>>
>>> On 18/09/18 23:03, Amos Jeffries wrote:
>>>> On 19/09/18 1:54 AM, neok wrote:
>>>>> Thank you very much Amos for putting me in the right direction.
>>>>> I successfully carried out the modifications you indicated to me.
>>>>> Regarding ufdbGuard, if I understood correctly, what you recommend is
>>>>> to use
>>>>> the ufdbConvertDB tool to convert my blacklists in plain text to the
>>>>> ufdbGuard database format? And then use that/those databases in
>>>>> normal squid
>>>>> ACL's?
>>>>
>>>> No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
>>>> replacement which works better while you improve your config.
>>>>
>>>> You should work towards less complexity. Squid / squid.conf is where
>>>> HTTP access control takes place. The helper is about re-writing the URL
>>>> (only) - which is a complex and destructive process.
>>>
>>> ufdbGuard is a simple tool that has the same syntax in its configuration
>>> file as squidGuard has.
>>> It is far from complex, has a great Reference Manual, exmaple config
>>> file and a responsive support desk.
>>> Amos, I have never seen you calling a URL writer being a complex and
>>> destructive process.  What do you mean?
>>
>> Re-writing requires Squid to:
>>   * fork external helpers, and
>>   * maintain queues of lookups to those helpers, and
>>   * maintain cache of helper responses, and
>>   * maintain a whole extra copy of HTTP-request state, and
>>   * copy some (not all) of that state info between the two "client"
>> requests.
>>
>>   ... lots of complexity, memory, CPU time, traffic latency, etc.
>
> Squid itself is complex and for any feature of Squid one can make a list
> like above to say that it is complex.
> The fact that one can make such a list does not mean much to me.
> One can make the same or a similar list for external acl helpers and
> even native acls.
>
>> Also when used for access control (re-write to an "error" URL) the
>> re-write helper needs extra complexity in itself to act as the altered
>> origin server for error pages, or have some fourth-party web server.
>
> Squid cannot do everything that a URL writer, and specifically
> ufdbGuard, can.
> For example, Squid must restart and break all open connections when a
> tiny detail of the configuration changes.  With ufdbGuard this does not
> happen.


Squid does not close or break any client connections when reconfigured.
Squid pauses active transactions, reconfigures then continues with the
new config.

Are you perhaps mistaking the fact that Squid shuts down the
*rewriters* on reconfigure for a full Squid shutdown?

(hmm, there is another downside to placing all the access control in a
helper - waiting for the helpers to restart on config changes. Though as
you say ufdbguard does it efficiently, others do not).



> ufdbGuard supports dynamic lists of users, domains and source ip
> addresses which are updated every X minutes without any service
> interruption.

So does Squid, via external ACL and/or authentication.


> When other parameters change, ufdbGuard resets itself with zero service
> interruption for Squid and its users.

This is not always true. If the helper pauses even for some milliseconds
it is holding up Squid and clients. Particularly if it is a bottleneck
process like URL-rewrite interface where the helper lookup queue limits
total traffic capacity of the entire proxy.

I think you mean that the helper has threading to do a load in the
background and swap in the config. Correct?

Squid is working (very slowly) towards that model and the SMP features
already reconfigure one worker at a time sequentially so effectively
there should always be a helper with either old or new config answering
incoming traffic while one "resets itself".


> ufdbGuard can decide to probe a site to make a decision, and hence
> detect Skype, Teamviewer and other types of sites that an admin might
> want to block.  Squid cannot.

Squid can, via external ACL. IIRC, Eliezer wrote an ICAP system that did
that too.

Also, the URL-rewrite helper cannot do anything if Squid cannot pass it
a URL. By nature of what the interface is designed to do.


> ufdbGuard can decide to do a lookup of a reverse IP lookup to make a
> decision.  Squid cannot.

Squid can via external ACL.

We have not had much (any?) requests for an ACL doing that. Patches welcome.


> ufdbGuard supports complex time restrictions for access. Squid support
> simple time restrictions.

Such as?

Squid supports complex time points and/or ranges. The time ACL is a
bitmap extending at 1 second intervals across an entire week. Further
extension is done with external ACL, note ACL and/or allof ACL.


> ufdbGuard supports flat file domain/url lists and a commercial URL
> database.  Squid does not.
> And the list goes on.

I am still looking for a feature Squid does not actually support in one
way or another.

As you can see from Flashdown posts "external ACL" can mean SquidGuard /
ufdbguard running on that other interface. So really *anything* they can
do so can Squid external ACL - if not one of the other mechanisms.
At no point is the URL-rewrite API _necessary_ for access control in a
modern Squid.


>
> So when you state on the mailing list that users should unconditionally
> stop using a URL writer in favor of using Squid acls, you may be causing
> troubles for admins who do not know the implications of your advice.


Understood. I shall try harder to remember the disclaimers usually
added. Thank you for pointing out the omission.


>
>>> URL rewriters have been used for decades for HTTP access control but you
>>> state "squid.conf is where HTTP access control takes place".
>>
>> Once upon a time, back at the dawn of the WWW (before the 1990s) Squid
>> lacked external_acl_type and modular ACLs.
>>
>> That persisted for the first decade or so of Squid's life, with only the
>> re-write API for admin to use for complicated permissions.
>>
>> Then one day about 2 decades or so ago, external ACL was added and the
>> ACLs were also made much easier to implement and plug in new checks.
>> Today we have hundreds of native ACLs and even a selection of custom ACL
>> helpers. Making the need for these abuses of the poor re-writers.
>>
>> Old habits and online tutorials however are hard to get rid of.
>
> If you want to get rid of habits that in your view are old/obsolete,
> then why not start a discussion?

I have. This appears to be the latest one.


> And in the event that at the end of the discussion, the decision is made
> that a particular interface should be removed, why not phase it out ?

It still has uses as a URL-rewrite/redirect interface for actions not
related directly to access control.

>
>>> Are you saying that you want it is the _only_ place for HTTP access
>>> control?
>>
>>
>> I'm saying the purpose of the url_rewrite_* API in Squid is to tell
>> Squid whether the URL (only) needs some mangling in order for the
>> server/origin to understand it.
>>   It can re-write transparently with all the problems that causes to
>> security scopes and URL sync between the endpoints. Or redirect the
>> client to the "correct" URL.
>>
>>
>> The Squid http_access and similar *access controls* are the place for
>> access control - hint is in the naming. With external ACL type for
>> anything Squid does not support natively or well. As Flashdown mentioned
>> even calls to SquidGuard etc. can be wrapped and used as external ACLs.
>
> Wrapping and external ACLs adds the same complexity, memory, CPU time,
> traffic latency, etc that you use as an argument against a URL writer.
> Is it only because of the name, 'external acl helper' vs 'url rewriter
> helper', that you dislike the url rewriter?


The external ACL usage is better because it is run at times when Squid
is making decisions about access to the proxy and/or features supplied
by the proxy. The admin can decide exactly when in Squid processing it
is tested - limiting the delays and reducing the lookups to only when
necessary.
 e.g. you cannot decide whether a transaction is allowed to be sent to
ICAP or not with a re-writer, or decide whether ssl_bump is going to
splice vs bump with a URL re-writer.


URL-rewrite API requires access control to *prevent* it being used, and
runs *after* access control - so Squid has to actively allow the traffic
through its own access controls first in order to use the URL-rewrite
API. This leads to a lot of the "http_access allow all" type config issues.


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
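For the reverse-IP-lookup point above ("Squid can via external ACL"), this is what such a helper looks like in practice. It is an added example, not code from Squid, ufdbGuard or anyone in this thread; the ACL and helper names in the squid.conf fragment, the blocked domains and the PTR table are constructed for illustration.

```python
#!/usr/bin/env python3
"""Reverse-DNS decision as a Squid external_acl_type helper.

Added example, not Squid's or ufdbGuard's own code. The squid.conf wiring it
assumes (ACL and helper names are this example's, not from the thread):

  external_acl_type rdns_block ttl=300 negative_ttl=60 concurrency=16 \\
      %DST /usr/local/bin/rdns_helper.py
  acl blocked_by_rdns external rdns_block
  http_access deny blocked_by_rdns

With concurrency=N Squid writes one request per line, "<channel-id> <%DST>",
and reads back "<channel-id> OK" (ACL matches), "<channel-id> ERR" (no match)
or "<channel-id> BH" (helper failure). The lookup therefore only runs at the
point in http_access where the ACL is tested, and ttl= caches the answer.
"""
import ipaddress
import socket
import sys

# Constructed policy: block when the effective name is one of these domains
# or a subdomain of one.
BLOCKED_SUFFIXES = ("adserver.example", "tracker.example")

# Constructed PTR table so the helper can be exercised offline.
CONSTRUCTED_PTR = {"198.51.100.7": "cdn7.adserver.example"}


def make_table_resolver(table):
    """Build a socket.gethostbyaddr-style resolver from a dict (tests/demo)."""
    def resolver(ip):
        if ip not in table:
            raise OSError("no PTR record")
        return table[ip], [], [ip]
    return resolver


def effective_name(dst, resolver=socket.gethostbyaddr):
    """Name the policy is evaluated on: %DST itself, or its PTR name for an IP literal."""
    dst = dst.strip("[]").lower().rstrip(".")
    try:
        ipaddress.ip_address(dst)
    except ValueError:
        return dst                          # already a host name
    try:
        return resolver(dst)[0].lower().rstrip(".")
    except OSError:                         # socket.herror/gaierror are OSError subclasses
        return None


def is_blocked(dst, resolver=socket.gethostbyaddr):
    """True when the effective name falls under a blocked suffix."""
    name = effective_name(dst, resolver)
    if name is None:
        return False                        # no PTR: nothing to match on
    return any(name == s or name.endswith("." + s) for s in BLOCKED_SUFFIXES)


def handle_line(line, resolver=socket.gethostbyaddr):
    """Reply line for one request line; never raises, so the helper stays up."""
    parts = line.split()
    if len(parts) != 2:
        return (parts[0] + " BH") if parts else "BH"
    channel, dst = parts
    try:
        verdict = "OK" if is_blocked(dst, resolver) else "ERR"
    except Exception:
        verdict = "BH"
    return f"{channel} {verdict}"


def main():
    # One reply per request line, flushed immediately: Squid waits on it.
    for line in sys.stdin:
        if line.strip():
            sys.stdout.write(handle_line(line) + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run stand-alone it speaks the helper protocol on stdin/stdout; `echo "1 198.51.100.7" | python3 rdns_helper.py` answers `1 OK` only if the real PTR name falls under a blocked suffix. Because the helper is reached through http_access rather than the rewrite API, the admin decides exactly which requests pay for the DNS round trip, which is the latency point made above.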

Re: About SSL peek-n-splice/bump configurations

Amos Jeffries
Administrator
In reply to this post by Donald Muller
On 20/09/18 9:35 AM, Donald Muller wrote:
> Amos,
>
> So instead of using squidguard are you saying  you should use something like the following?
>
> acl ads dstdomain -i "/etc/squid/squid-ads.acl"
> acl adult dstdomain -i "/etc/squid/squid-adult.acl"
>

*If* those lists contain dstdomain format names. Otherwise no, some
other ACL may be better (dstdom_regex?).

NP: The -i should not be necessary on dstdomain since domain comparisons
are case insensitive and regex are not correct syntax for dstdomain.

Also, as Matus reminded me. I should have said up front this is
something to consider doing - you may decide not to, for reasons. One of
which is if those lists are very large the helper can be faster.


> http_access deny ads
> http_access deny adult
>
> Do the lists need to be sorted in alphabetical order?
>
> Don

No. Squid does that. For dstdomain they do need to be reduced so you are
not adding a subdomain like "www.example.com" which overlaps a wildcard
domain like ".example.com" elsewhere in the list.

Amos
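The "reduced" list Amos describes (no "www.example.com" alongside a ".example.com" wildcard) is easy to produce mechanically before handing a downloaded blacklist to dstdomain. The script below is an added example, not Squid's code or anything from the thread; it assumes the dstdomain semantics stated on the page (a bare name matches only itself, a leading dot matches the domain and all subdomains) and the sample list inside it is constructed.

```python
#!/usr/bin/env python3
"""Reduce a dstdomain list so no entry overlaps a wildcard entry.

Added example; not Squid's own code. Assumed dstdomain semantics:
"example.com" matches only that host, ".example.com" matches example.com
and every subdomain. An entry shadowed by a wildcard already in the list is
redundant, and duplicates (after case/trailing-dot normalisation) are noise.
"""
import sys

# Constructed blacklist fragment with the overlaps this script removes.
SAMPLE_LIST = """\
# constructed blacklist fragment
.example.com
www.example.com        # shadowed by .example.com
ads.example.com
.cdn.example.com       # shadowed by .example.com
Example.NET.
example.net
tracker.example.org
.example.org
"""


def _normalize(raw):
    """Return (is_wildcard, bare_name) for one entry, or None if it is empty."""
    entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
    if not entry:
        return None
    return entry.startswith("."), entry.lstrip(".")


def _covering_suffix(name, wild_set, proper=False):
    """Wildcard in wild_set covering name, found by walking its label suffixes."""
    labels = name.split(".")
    for i in range(1 if proper else 0, len(labels)):
        cand = ".".join(labels[i:])
        if cand in wild_set:
            return cand
    return None


def reduce_dstdomain(lines):
    """Return (kept, dropped): the minimal sorted list and what was removed, with reasons."""
    entries = [n for n in (_normalize(raw) for raw in lines) if n]

    # A wildcard covered by a shorter wildcard is itself redundant.
    all_wild = {name for is_wild, name in entries if is_wild}
    kept_wild = {w for w in all_wild if _covering_suffix(w, all_wild, proper=True) is None}

    kept, dropped, seen = [], [], set()
    for is_wild, name in entries:
        key = ("." if is_wild else "") + name
        if key in seen:
            dropped.append((key, "duplicate of " + key))
            continue
        seen.add(key)
        cover = _covering_suffix(name, kept_wild, proper=is_wild)
        if cover is not None:
            dropped.append((key, "shadowed by ." + cover))
            continue
        kept.append(key)
    return sorted(kept), dropped


def main(argv):
    # Reduced list on stdout, audit trail of removals on stderr.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            kept, dropped = reduce_dstdomain(fh)
    else:
        kept, dropped = reduce_dstdomain(SAMPLE_LIST.splitlines())
    print("\n".join(kept))
    for entry, why in dropped:
        print(f"dropped {entry}: {why}", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Typical use is `python3 reduce_dstdomain.py squid-ads.acl > squid-ads.reduced.acl`, then pointing the `acl ... dstdomain` line at the reduced file; the stderr audit trail shows exactly which downloaded entries were folded into a wildcard, which is worth keeping when a list later needs a whitelist exception.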

Re: Help: squid restarts and squidGuard die

Alex Rousskov
In reply to this post by Amos Jeffries
On 09/20/2018 01:50 PM, Amos Jeffries wrote:
> On 21/09/18 3:46 AM, Donald Muller wrote:


>> Does Squid monitor dstdomain files for changes and reload them or does a '-k reconfigure' need to be issued?


> Not currently. I'm looking for a nice portable way to do file watching.

> Patches and/or info welcome. This might be a good starter project if
> anyone wants to dip their fingers into the Squid code.

... but please start with an RFC on squid-dev before writing any Squid
code. Implementing correct file watching support in Squid is not
trivial, and the feature itself may not be such a good idea. Please
discuss your plans before spending time on modifying Squid.


Thank you,

Alex.

Re: Help: squid restarts and squidGuard die

Alex Rousskov
In reply to this post by Amos Jeffries
On 09/20/2018 02:41 PM, Amos Jeffries wrote:

> Squid does not close or break any client connections when reconfigured.

IIRC, this statement is inaccurate (unfortunately): Reconfiguring Squid
may break client connections that Squid has not started processing yet.
The connections already being processed by Squid are not closed, but the
new/arriving ones may be rejected for a short time period. Such
rejections may affect clients in some environments. This is a bug, so I
hope it will get fixed.

This correction does not affect the rewriter-vs-ACLs comparison, but I
wanted to make it in case that statement is used outside its context.


Cheers,

Alex.

Re: Help: squid restarts and squidGuard die

Donald Muller
In reply to this post by Amos Jeffries


> -----Original Message-----
> From: squid-users <[hidden email]> On Behalf
> Of Amos Jeffries
> Sent: Thursday, September 20, 2018 3:50 PM
> To: [hidden email]
> Subject: Re: [squid-users] Help: squid restarts and squidGuard die
>
> On 21/09/18 3:46 AM, Donald Muller wrote:
> >
> >> -----Original Message-----
> >> From: Matus UHLAR - fantomas
> >> Sent: Thursday, September 20, 2018 7:16 AM
> >>
> >> On 19.09.18 20:47, Donald Muller wrote:
> >>> So instead of using squidguard are you saying  you should use
> >>> something
> >> like the following?
> >>>
> >>> acl ads dstdomain -i "/etc/squid/squid-ads.acl"
> >>> acl adult dstdomain -i "/etc/squid/squid-adult.acl"
> >>>
> >>> http_access deny ads
> >>> http_access deny adult
> >>>
> >>> Do the lists need to be sorted in alphabetical order?
> >>
> >> I don't think so - the lists are parsed into in-memory format for
> >> faster processing.
> >>
> >
> > Does Squid monitor dstdomain files for changes and reload them or does a
> '-k reconfigure' need to be issued?
> >
>
> Not currently. I'm looking for a nice portable way to do file watching.
>
> The Linux inotify system can apparently be used to send the -k reconfigure
> command on FS changes in the config directory. Though I've yet to see any
> working example and have not had the time myself to experiment on it.
>
> Patches and/or info welcome. This might be a good starter project if anyone
> wants to dip their fingers into the Squid code.
>

I will be downloading the blacklists from the internet and I'm sure that there will be sites that I want to whitelist via

acl whitelist dstdomain "/some folder path/whitelist.acl"
http_access allow whitelist

What logging do I need to enable to capture when a domain is blacklisted?


> Amos

Re: Help: squid restarts and squidGuard die

Donald Muller
I will be downloading the blacklists from the internet and I'm sure that there
will be sites that I want to whitelist via

acl whitelist dstdomain "/some folder path/whitelist.acl"
http_access allow whitelist

What logging do I need to enable to capture when a site I am trying to access is blacklisted so I can add it to the whitelist?

Thanks

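On the logging question: a request refused by http_access is already recorded in Squid's access.log with the status TCP_DENIED (HTTP code 403 for an access denial; 407 is an authentication challenge, not a blacklist hit), so no extra logging is needed to see which hosts were blocked. The log does not say which ACL matched, so reviewing the denied hosts is the step before adding one to the whitelist. The script below is an added example, not from the thread or from Squid; it assumes the default native "squid" logformat, and the log lines inside it are constructed.

```python
#!/usr/bin/env python3
"""List the hosts Squid has denied, from access.log (added example, not
Squid's code).

Assumes the default native "squid" logformat, whose whitespace-separated
fields are:
  timestamp elapsed client status/code bytes method url user hier/peer type
"""
import sys
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: three blacklist denials and one allowed request.
SAMPLE_LOG = """\
1537543210.123      0 192.0.2.10 TCP_DENIED/403 3928 GET http://ads.example.com/banner.gif - HIER_NONE/- text/html
1537543211.456    120 192.0.2.10 TCP_MISS/200 5120 GET http://www.example.net/ - HIER_DIRECT/203.0.113.5 text/html
1537543212.789      0 192.0.2.11 TCP_DENIED/403 3900 CONNECT adult.example.org:443 - HIER_NONE/- text/html
1537543213.001      0 192.0.2.12 TCP_DENIED/403 3928 GET http://ads.example.com/x.js - HIER_NONE/- text/html
1537543214.002      0 192.0.2.13 TCP_DENIED/407 3500 GET http://www.example.net/ - HIER_NONE/- text/html
"""


def parse_line(line):
    """Split one native-format line into a dict, or None if it is not one."""
    f = line.split()
    if len(f) < 10:
        return None
    status, _, code = f[3].partition("/")
    return {"ts": f[0], "client": f[2], "status": status, "code": code,
            "method": f[5], "url": f[6], "user": f[7]}


def request_host(method, url):
    """Host of the request: CONNECT logs host:port, other methods a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].strip("[]").lower()
    return (urlsplit(url).hostname or "").lower()


def denied_hosts(lines, codes=("403",)):
    """Counter of denied requests per host, restricted to the given HTTP codes.

    407 (proxy authentication required) is also logged as TCP_DENIED but is
    a credential challenge, so it is excluded by default.
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "TCP_DENIED" and rec["code"] in codes:
            host = request_host(rec["method"], rec["url"])
            if host:
                hits[host] += 1
    return hits


def main(argv):
    # Read the given log file (or the constructed sample) and print a table
    # of denied hosts, most frequent first, ready to review for whitelisting.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            hits = denied_hosts(fh)
    else:
        hits = denied_hosts(SAMPLE_LOG.splitlines())
    for host, n in hits.most_common():
        print(f"{n:6d}  {host}")


if __name__ == "__main__":
    main(sys.argv)
```

Run as `python3 denied_hosts.py /var/log/squid/access.log`; the output is a review list, and only hosts the admin actually decides to trust go into the whitelist.acl file read by the `acl whitelist dstdomain` line above.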