Re: squid-users Digest, Vol 37, Issue 30


Re: squid-users Digest, Vol 37, Issue 30

stylemessiah
Jesus, never seen so many messages that could have been answered by reading the basic squid docs.

Tempted to unsub....sheesh

On 12 Sep. 2017 6:19 am, <[hidden email]> wrote:
Send squid-users mailing list submissions to
        [hidden email]

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
        [hidden email]

You can reach the person managing the list at
        [hidden email]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."


Today's Topics:

   1. Re: Need assistance debugging Squid error: ssl_ctrd helpers
      crashing too quickly (Rohit Sodhia)


----------------------------------------------------------------------

Message: 1
Date: Mon, 11 Sep 2017 16:18:39 -0400
From: Rohit Sodhia <[hidden email]>
To: Yuri <[hidden email]>
Cc: [hidden email]
Subject: Re: [squid-users] Need assistance debugging Squid error:
        ssl_ctrd helpers crashing too quickly
Message-ID:
        <[hidden email]>
Content-Type: text/plain; charset="utf-8"

Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so guess
I'll have to learn how to compile it myself; never compiled a package
before.

On Mon, Sep 11, 2017 at 4:17 PM, Yuri <[hidden email]> wrote:

> Hardly,
>
> most probably something in repo's package. However, upgrade is always
> recommended, especially with modern functionality. It changes fast enough.
>
> 12.09.2017 2:15, Rohit Sodhia wrote:
>
> Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of the
> problem?
>
> On Mon, Sep 11, 2017 at 4:07 PM, Yuri <[hidden email]> wrote:
>
>> Seems latest 4.0.21 is good enough. Most critical SSL-related bugs almost
>> closed or closed.
>>
>> At least latest 3.5.27 is released. AFAIK this is minimum to problem-free
>> running.
>>
>> Repositories software sometimes has strange quirks, or sometimes rancid.
>> 12.09.2017 2:05, Rohit Sodhia wrote:
>>
>> I'll try to find it, but I read a few articles/SO questions that
>> suggested there were bugs in 4 relating to SSL bumping? If they were wrong,
>> I'd be glad to go forward. Should I be removing the yum squid package and
>> compile my own? Is 3.5 problematic besides being old?
>>
>> On Mon, Sep 11, 2017 at 4:02 PM, Yuri <[hidden email]> wrote:
>>
>>> Wait. Squid 3.5.20? So ancient?
>>>
>>> 12.09.2017 1:58, Rohit Sodhia wrote:
>>>
>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>
>>> I used the line from the Stack Overflow question I linked earlier.
>>>
>>> On Mon, Sep 11, 2017 at 3:41 PM, Yuri <[hidden email]> wrote:
>>>
>>>> Well. Let's check more deeply.
>>>>
>>>> Show me parameter sslcrtd_program in your squid.conf
>>>>
>>>> 12.09.2017 1:23, Rohit Sodhia wrote:
>>>>
>>>> Unfortunately, no luck yet. Thank you again for your help before.
>>>>
>>>> I found that the user squid and group squid existed already, so I added
>>>>
>>>> cache_effective_user squid
>>>> cache_effective_group squid
>>>>
>>>> to my config (first two lines), made sure /var/lib/ssl_db and its
>>>> contents were set to squid:squid and restarted the service, but I'm still
>>>> getting the same error :(
>>>>
>>>> On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia <[hidden email]>
>>>> wrote:
>>>>
>>>>> I'll try that immediately, thanks! I appreciate all your advice;
>>>>> hopefully I won't have to reach out again :p
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:39 PM, Yuri <[hidden email]> wrote:
>>>>>
>>>>>> I'm not a Linux fanboy, but modern squid never runs as root. So, most
>>>>>> probably it runs as the nobody user.
>>>>>>
>>>>>> Ah, yes:
>>>>>>
>>>>>> #  TAG: cache_effective_user
>>>>>> #    If you start Squid as root, it will change its effective/real
>>>>>> #    UID/GID to the user specified below.  The default is to change
>>>>>> #    to UID of nobody.
>>>>>> #    see also; cache_effective_group
>>>>>> #Default:
>>>>>> # cache_effective_user nobody
>>>>>>
>>>>>> #  TAG: cache_effective_group
>>>>>> #    Squid sets the GID to the effective user's default group ID
>>>>>> #    (taken from the password file) and supplementary group list
>>>>>> #    from the groups membership.
>>>>>> #
>>>>>> #    If you want Squid to run with a specific GID regardless of
>>>>>> #    the group memberships of the effective user then set this
>>>>>> #    to the group (or GID) you want Squid to run as. When set
>>>>>> #    all other group privileges of the effective user are ignored
>>>>>> #    and only this GID is effective. If Squid is not started as
>>>>>> #    root the user starting Squid MUST be member of the specified
>>>>>> #    group.
>>>>>> #
>>>>>> #    This option is not recommended by the Squid Team.
>>>>>> #    Our preference is for administrators to configure a secure
>>>>>> #    user account for squid with UID/GID matching system policies.
>>>>>> #Default:
>>>>>> # Use system group memberships of the cache_effective_user account
>>>>>>
>>>>>> As documented. :)
>>>>>>
>>>>>> AFAIK the best solution is to create a non-privileged group & user (like
>>>>>> squid/squid) and set both these parameters explicitly.
>>>>>>
>>>>>> Then change owner recursively on SSL cache to this user.
>>>>>>
>>>>>> 12.09.2017 0:36, Rohit Sodhia wrote:
>>>>>>
>>>>>> Neither of those values are set in my config. Even though I'm not
>>>>>> using squid for caching, I need those values? They aren't set in the
>>>>>> default configs either.
>>>>>>
>>>>>> On Mon, Sep 11, 2017 at 2:33 PM, Yuri <[hidden email]> wrote:
>>>>>>
>>>>>>> Most probably your squid runs as another user than squid.
>>>>>>>
>>>>>>> Check your squid.conf for cache_effective_user and
>>>>>>> cache_effective_group values.
>>>>>>>
>>>>>>> Then change SSL cache permissions to these values. Should work.
>>>>>>>
>>>>>>> 12.09.2017 0:30, Rohit Sodhia wrote:
>>>>>>>
>>>>>>> Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it
>>>>>>> set it up like that. I changed the owner and group to squid:squid and tried
>>>>>>> restarting squid, but still get the same errors. I thought to run the
>>>>>>> command again, but this time it says
>>>>>>>
>>>>>>> /usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db
>>>>>>>
>>>>>>> If this folder has incorrect permissions are there possibly other
>>>>>>> permission issues?
>>>>>>>
>>>>>>> On Mon, Sep 11, 2017 at 2:25 PM, Yuri <[hidden email]> wrote:
>>>>>>>
>>>>>>>> Here is your root of the problem.
>>>>>>>>
>>>>>>>> Should be (on my setups):
>>>>>>>>
>>>>>>>> # ls -al /var/lib/ssl_db
>>>>>>>> total 326
>>>>>>>> drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .
>>>>>>>> drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..
>>>>>>>> drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs
>>>>>>>> -rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
>>>>>>>> -rw-r--r-- 1 squid squid      7 Sep 11 23:37 size
>>>>>>>>
>>>>>>>> I.e. Squid has no access to SSL cache dir structures.
>>>>>>>>
>>>>>>>> 12.09.2017 0:23, Rohit Sodhia wrote:
>>>>>>>>
>>>>>>>> total 8
>>>>>>>> drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
>>>>>>>> drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
>>>>>>>> drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
>>>>>>>> -rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
>>>>>>>> -rw-r--r--.  1 root root    1 Sep 11 12:42 size
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Sep 11, 2017 at 2:22 PM, Yuri <[hidden email]> wrote:
>>>>>>>>
>>>>>>>>> Show output of
>>>>>>>>>
>>>>>>>>> ls -al /var/lib/ssl_db
>>>>>>>>>
>>>>>>>>> 12.09.2017 0:21, Rohit Sodhia wrote:
>>>>>>>>>
>>>>>>>>> Yes, but telling me it's crashing unfortunately doesn't help me
>>>>>>>>> figure out why or how to fix it. I've run the command it suggests but it
>>>>>>>>> doesn't help. I'm unfortunately not an ops guy familiar with this kind of
>>>>>>>>> stuff; I don't see anything on how to figure out what to do about it.
>>>>>>>>>
>>>>>>>>> On Mon, Sep 11, 2017 at 2:17 PM, Yuri <[hidden email]> wrote:
>>>>>>>>>
>>>>>>>>>> It tells you what happens.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 11.09.2017 23:50, Rohit Sodhia wrote:
>>>>>>>>>> > (ssl_crtd): Uninitialized SSL certificate database directory:
>>>>>>>>>> > /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> squid-users mailing list
>>>>>>>>>> [hidden email]
>>>>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
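
The ownership check discussed in the quoted thread, as an added example that is not part of any poster's message or of Squid itself: it reads `cache_effective_user` (default `nobody`, per the quoted squid.conf comments) and the `-s` directory from `sslcrtd_program`, then confirms the database has the `certs`/`index.txt`/`size` layout from the listing and that every entry is owned by that account. The function names, the `SQUID_CONF` variable and the sample builder are hypothetical.

```shell
#!/bin/sh
# Added example: check that the ssl_crtd certificate database is initialized
# and owned by the account Squid drops privileges to.

# Print cache_effective_user from a squid.conf; "nobody" is the documented
# default when the directive is absent. Commented-out lines do not match.
squid_effective_user() {
    awk '$1 == "cache_effective_user" { u = $2 }
         END { print (u == "" ? "nobody" : u) }' "$1"
}

# Print the directory given to ssl_crtd with -s on the sslcrtd_program line.
ssl_db_path() {
    awk '$1 == "sslcrtd_program" {
             for (i = 2; i < NF; i++) if ($i == "-s") p = $(i + 1)
         }
         END { if (p != "") print p }' "$1"
}

# Return 0 if the database is initialized and wholly owned by the effective
# user, 1 on an ownership mismatch, 2 if it cannot be checked at all.
check_ssl_db() {
    conf=$1
    user=$(squid_effective_user "$conf")
    db=$(ssl_db_path "$conf")
    if [ -z "$db" ]; then
        echo "no 'sslcrtd_program ... -s <dir>' line in $conf" >&2
        return 2
    fi
    # Layout taken from the 'ls -al' listings in the thread.
    for entry in certs index.txt size; do
        if [ ! -e "$db/$entry" ]; then
            echo "$db/$entry missing; initialize with: ssl_crtd -c -s $db" >&2
            return 2
        fi
    done
    # find fails (non-zero) if the account does not exist on this host.
    bad=$(find "$db" ! -user "$user" -print) || return 2
    if [ -n "$bad" ]; then
        echo "entries not owned by '$user' (helper cannot write them):" >&2
        echo "$bad" >&2
        echo "fix with: chown -R $user $db" >&2
        return 1
    fi
    return 0
}

# Build a constructed sample (not real data): a squid.conf using the
# sslcrtd_program line from the thread, plus an empty database tree.
make_constructed_sample() {
    dir=$1
    owner=$2
    mkdir -p "$dir/ssl_db/certs"
    : > "$dir/ssl_db/index.txt"
    printf '0\n' > "$dir/ssl_db/size"
    {
        echo "cache_effective_user $owner"
        echo "sslcrtd_program /usr/lib64/squid/ssl_crtd -s $dir/ssl_db -M 4MB"
    } > "$dir/squid.conf"
}

# Entry point: SQUID_CONF=/etc/squid/squid.conf sh this_script.sh
if [ -n "${SQUID_CONF:-}" ]; then
    check_ssl_db "$SQUID_CONF"
fi
```

Run it as root or as the Squid account so `find` can read the whole tree; it only reports and never changes ownership itself.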

Re: squid-users Digest, Vol 37, Issue 30

Eliezer Croitoru
I do not care if someone asks even if the docs are answering.
The docs of squid-cache are not something anyone should be able to remember by heart or even browse and just "find" a solution or a direction.
We (at least me) are here to try and help even for the cases which the docs already cover.

All The Bests,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On Behalf Of Adrian Miller
Sent: Monday, September 11, 2017 23:31
To: [hidden email]
Subject: Re: [squid-users] squid-users Digest, Vol 37, Issue 30

Jesus, never seen so many messages that could have been answered by reading the basic squid docs.

Tempted to unsub....sheesh


Re: squid-users Digest, Vol 37, Issue 30

Yuri Voinov
For a change, I agree with Eliezer. And about the documentation of
OpenSource is best mournfully silent.


14.09.2017 0:02, Eliezer Croitoru wrote:

> I do not care if someone asks even if the docs are answering.
> The docs of squid-cache are not something anyone should be able to remember by heart or even browse and just "find" a solution or a direction.
> We (at least me) are here to try and help even for the cases which the docs already cover.
>
> All The Bests,
> Eliezer