Peace,

As part of self developing, we decided that turning on sslbump + splice is a good idea, so how to install squid with ssl support on tumbleweed?

answer: it is already compiled with ssl support

but now i followed:
https://medium.com/@steensply/installing-and-configuring-squid-proxy-for-ssl-bumping-or-peek-n-splice-34afd3f69522
to enable ssl bumping.

specifically those commands:

/usr/share/ssl/misc/CA.pl -newca
/usr/share/ssl/misc/CA.pl -newreq
/usr/share/ssl/misc/CA.pl -sign
openssl x509 -in newcert.pem -outform DER -out squidTrusted.der

copied the 3 files to /etc/squid/certs
sudo chown squid:squid -R /etc/squid/certs
sudo /usr/libexec/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sudo chown squid:squid -R /var/lib/squid
sudo chmod 700 /etc/squid/certs/... (newcrt.pem newkey.pem squidTrusted.der)
sudo squid -z

asks for certificate password
then

2021/04/01 13:16:57| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03| Created PID file (/run/squid.pid)
zouhairy@proxy:~> 2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.047 seconds = 0.031 user + 0.016 sys
Maximum Resident Size: 62352 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.040 seconds = 0.032 user + 0.008 sys
Maximum Resident Size: 62272 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.042 seconds = 0.008 user + 0.034 sys
Maximum Resident Size: 63360 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.047 seconds = 0.032 user + 0.016 sys
Maximum Resident Size: 62992 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.045 seconds = 0.030 user + 0.015 sys
Maximum Resident Size: 62640 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03| Removing PID file (/run/squid.pid)

squid conf:

acl localnet (network/24)
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl blockfiles urlpath_regex -i "/etc/squid/blocks.files.acl"
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
visible_hostname proxy.example.vx
dns_v4_first on
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
#http_port 8080
#sslproxy_capath /home/zouhairy/demoCA
http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/newcert.pem key=/etc/squid/certs/newkey.pem capath=/home/zouhairy/demoCA
#acl step1 at_step SslBump1
#ssl_bump peek step1
#ssl_bump bump all
#sslcrtd_program /usr/libexec/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
#sslcrtd_children 5
ssl_bump peek all
ssl_bump splice all
#ssl_bump server-first all
sslproxy_cert_error allow all
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1
cache_dir ufs /var/cache/squid 3000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
cache_mem 1024 MB
netdb_filename none
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4
#debug_options ALL,1 33,2 28,9

what to change?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Hey,
First try to use the next example:
https://github.com/elico/yt-classification-service-example/blob/master/redwood/init-local-rootca.sh
to create a rootCA key and certificate, which doesn't require you to use a password.

And I have also seen this article you have used and it has two ways to create the rootca. One with the CA.pl script and the other one is with the openssl tool.
As long as you don't need the CA.pl specifically I would recommend using openssl.
It's plain simple to just create a rootCA certificate.

All The Bests,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon

-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Majed Zouhairy
Sent: Thursday, April 1, 2021 1:42 PM
To: [hidden email]
Subject: [squid-users] compile squid with tumbleweed
In reply to this post by Majed Zouhairy
On 1/04/21 11:41 pm, Majed Zouhairy wrote:
>
> to enable ssl bumping.
>
> specifically those commands:
>
> /usr/share/ssl/misc/CA.pl -newca
> /usr/share/ssl/misc/CA.pl -newreq
> /usr/share/ssl/misc/CA.pl -sign
> openssl x509 -in newcert.pem -outform DER -out squidTrusted.der

> sudo squid -z
>
> asks for certificate password
> then
>
> Enter PEM pass phrase:
> 2021/04/01 13:17:03| Created PID file (/run/squid.pid)
> zouhairy@proxy:~> 2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
> Enter PEM pass phrase:
> 2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080

That says there is no CA certificate found in the file configured for that port's tls-cert= option. Squid requires a signing (CA) certificate and its private key in order to perform SSL-Bump.

With "squid -k parse" Squid should tell you what it is loading from that file.

>
> squid conf:
...
>
> http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/newcert.pem key=/etc/squid/certs/newkey.pem capath=/home/zouhairy/demoCA
>
> ssl_bump peek all
> ssl_bump splice all
>
> sslproxy_cert_error allow all

Amos
hmm, thank you both.. i regenerated new certificates using Eliezer's method and now squid restarted but it is refusing connections..

i normally configure port 8080 as the proxy port in the browser, and i am thinking there needs to be another port for ssl bumping?

now the configuration is like this:

....
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
#http_port 8080
##sslproxy_capath /home/zouhairy/demoCA
http_port 8080 ssl-bump cert=/etc/squid/certs/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump peek all
ssl_bump splice all
#tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
# Uncomment and adjust the following to add a disk cache directory.
# Updates: chrome and acrobat
#refresh_pattern -i gvt1.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 80% 129600 reload-into-ims
#refresh_pattern -i adobe.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 80% 129600 reload-into-ims
range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1
cache_dir ufs /var/cache/squid 3000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
cache_mem 1024 MB
netdb_filename none
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4
#debug_options ALL,1 33,2 28,9
On 3/04/21 4:13 pm, Majed Zouhairy wrote:
> hmm, thank you both.. i regenerated new certificates using Eliazer's
> method and now squid restarted but it is refusing connections..

What is the error happening now?

> i normally configure port 8080 as the proxy port in the browser, and i
> am thinking there needs to be another port for ssl bumping?
>

No. SSL-Bump as you have it configured intercepts the CONNECT traffic the browser sends to the normal proxy port.

> now the configuration is like this:
>
> ....
>
> http_port 8080 ssl-bump cert=/etc/squid/certs/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> ssl_bump peek all
> ssl_bump splice all
>
> # Uncomment and adjust the following to add a disk cache directory.
> # Updates: chrome and acrobat

NP: the comment above is about the cache_dir line. You can remove it.

Amos
the error is:
Прокси-сервер отказывается принимать соединения

translation: the proxy-server is refusing to accept connections..

might it be some setting in ufdbguard now?
On 4/04/21 5:09 pm, Majed Zouhairy wrote:
> the error is:
>
> Прокси-сервер отказывается принимать соединения
>
> translation: the proxy-server is refusing to accept connections..
>

That seems like the meaningless text modern Browsers like replacing the real error with.

Can you check the Squid logs to see what is actually going on?

> might it be some setting in ufdbguard now?
>

If that text is from the Browser it could be anything.

Amos
In reply to this post by Majed Zouhairy
On 2021/04/03 22:09, Majed Zouhairy wrote:
> the error is:
>
> Прокси-сервер отказывается принимать соединения
>
> translation: the proxy-server is refusing to accept connections..
>

That most commonly is what I see when squid didn't start (so it refuses to accept connections).

Are you sure it started? Look in the logs for any errors?

I've had problems there where the cert-gen process needed to have its database zeroed (among other non-starting issues), so at boot, squid looked like it ran, but immediately exited when one of its helpers kept dying...
In reply to this post by Amos Jeffries
yes, from the browser..
squid cache last showed:

2021/04/02 15:52:47 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2021/04/02 15:52:47 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2021/04/02 15:52:47 kid1| Unlinkd pipe opened on FD 40
2021/04/02 15:52:47 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2021/04/02 15:52:47 kid1| Store logging disabled
2021/04/02 15:52:47 kid1| Swap maxSize 3072000 + 1048576 KB, estimated 316967 objects
2021/04/02 15:52:47 kid1| Target number of buckets: 15848
2021/04/02 15:52:47 kid1| Using 16384 Store buckets
2021/04/02 15:52:47 kid1| Max Mem size: 1048576 KB
2021/04/02 15:52:47 kid1| Max Swap size: 3072000 KB
2021/04/02 15:52:47 kid1| Rebuilding storage in /var/cache/squid (clean log)
2021/04/02 15:52:47 kid1| Using Least Load store dir selection
2021/04/02 15:52:47 kid1| Set Current Directory to /var/cache/squid
2021/04/02 15:52:47 kid1| Finished loading MIME types and icons.
2021/04/02 15:52:47 kid1| HTCP Disabled.
2021/04/02 15:52:47 kid1| Pinger socket opened on FD 45
2021/04/02 15:52:47 kid1| Squid plugin modules loaded: 0
2021/04/02 15:52:47 kid1| Adaptation support is off.
2021/04/02 15:52:47 kid1| Accepting SSL bumped HTTP Socket connections at local=0.0.0.0:8080 remote=[::] FD 43 flags=9
2021/04/02 15:52:47| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
2021/04/02 15:52:47| pinger: Initialising ICMP pinger ...
2021/04/02 15:52:47| pinger: ICMP socket opened.
2021/04/02 15:52:47| pinger: ICMPv6 socket opened
2021/04/02 15:52:47 kid1| Store rebuilding is 19.99% complete
2021/04/02 15:52:47 kid1| Done reading /var/cache/squid swaplog (20010 entries)
2021/04/02 15:52:47 kid1| Finished rebuilding storage from disk.
2021/04/02 15:52:47 kid1| 20010 Entries scanned
2021/04/02 15:52:47 kid1| 0 Invalid entries.
2021/04/02 15:52:47 kid1| 0 With invalid flags.
2021/04/02 15:52:47 kid1| 20010 Objects loaded.
2021/04/02 15:52:47 kid1| 0 Objects expired.
2021/04/02 15:52:47 kid1| 0 Objects cancelled.
2021/04/02 15:52:47 kid1| 0 Duplicate URLs purged.
2021/04/02 15:52:47 kid1| 0 Swapfile clashes avoided.
2021/04/02 15:52:47 kid1| Took 0.26 seconds (76538.52 objects/sec).
2021/04/02 15:52:47 kid1| Beginning Validation Procedure
2021/04/02 15:52:47 kid1| Completed Validation Procedure
2021/04/02 15:52:47 kid1| Validated 20010 Entries
2021/04/02 15:52:47 kid1| store_swap_size = 1355568.00 KB
2021/04/02 15:52:47 kid1| WARNING: /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB #Hlpr1 exited
2021/04/02 15:52:47 kid1| Too few /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB processes are running (need 1/32)
2021/04/02 15:52:47 kid1| Closing HTTP(S) port 0.0.0.0:8080
2021/04/02 15:52:47 kid1| storeDirWriteCleanLogs: Starting...
2021/04/02 15:52:47 kid1| Finished. Wrote 20010 entries.
2021/04/02 15:52:47 kid1| Took 0.01 seconds (3978131.21 entries/sec).
2021/04/02 15:52:47 kid1| FATAL: The /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB helpers are crashing too rapidly, need help!

squid log last showed:

1617367631.100 868 10.0.28.26 TCP_REFRESH_MODIFIED_ABORTED/200 13935 GET http://spastv.ru/ - HIER_DIRECT/84.201.153.140 text/html
1617367725.880 0 10.0.28.26 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1617367845.916 0 10.0.28.26 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -

which is an every minute check

sudo systemctl status squid
● squid.service - Squid caching proxy
     Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Sun 2021-04-04 21:58:13 +03; 5s ago
       Docs: man:squid(8)
    Process: 28198 ExecStartPre=/usr/libexec/squid/initialize_cache_if_needed.sh (code=exited, status=0/SUCCESS)
    Process: 28202 ExecStart=/usr/sbin/squid -FC (code=exited, status=0/SUCCESS)
   Main PID: 28203 (code=exited, status=1/FAILURE)

Apr 04 21:58:12 proxy squid[28203]: Squid Parent: (squid-1) process 28355 started
Apr 04 21:58:12 proxy (squid-1)[28355]: FATAL: The /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4>
Apr 04 21:58:12 proxy squid[28203]: Squid Parent: squid-1 process 28355 exited with status 1
Apr 04 21:58:12 proxy squid[28203]: Squid Parent: (squid-1) process 28405 started
Apr 04 21:58:13 proxy (squid-1)[28405]: FATAL: The /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4>
Apr 04 21:58:13 proxy squid[28203]: Squid Parent: squid-1 process 28405 exited with status 1
Apr 04 21:58:13 proxy squid[28203]: Squid Parent: squid-1 process 28405 will not be restarted for 3600 seconds due to repea>
Apr 04 21:58:13 proxy squid[28203]: Exiting due to repeated, frequent failures
Apr 04 21:58:13 proxy systemd[1]: squid.service: Main process exited, code=exited, status=1/FAILURE
Apr 04 21:58:13 proxy systemd[1]: squid.service: Failed with result 'exit-code'.
In reply to this post by L A Walsh
On 2021/04/04 20:07, Majed Zouhairy wrote:
> you are right, it's not running..
>
> > cert-gen process needed to have it's database zeroed
>
> how to do that?
---
Well that was *my* issue of why it wasn't running -- I had to explore the logs and try to run the daemon interactively to direct its error messages to the console -- I had to look up how to do that in the man pages, and the product's "--help" switch among other things.

At this point you just know it isn't running, but you don't know it's the same problem as I had -- if it is, the error message that tells you that such is the problem also tells you "how to do that" (i.e. how to fix it). But first you need to look into why it is failing.

BTW, please 'Cc' the list so someone else who might better know about a problem like yours can chime in. I only related a similar failure case causing a symptom like that -- but there are lots of ways to not have squid launch right.

Try building squid from the suse rpm, if you haven't already -- then you can try adding in a specific squid-tar-version that can better suit you than the suse version, if that's your intent...

Squid is of moderate difficulty to build -- be sure you can do so from suse's source rpm's, as they'll work for your system, then change things starting from there...
In reply to this post by Amos Jeffries
i solved the problem..
since this was in the squid status:

FATAL: The /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB helpers

and i was creating a directory in /var/lib/squid/ssl_db

so instead, i ran:

sudo /usr/libexec/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 8MB

restarted squid and now it works!
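The two startup failures this thread walks through, the "No valid signing certificate" port that Amos diagnoses and the security_file_certgen helper dying because ssl_db had been initialised at /var/lib/squid/ssl_db while the helper ran with /var/cache/squid/ssl_db, can both be caught before squid is started. The Python pre-flight checker below is an added example, not code from the thread or from the Squid project; it assumes DEFAULT_SSL_DB is the build default seen in the poster's cache.log, that security_file_certgen -c writes an index.txt marker, and it inspects PEM structure only, so whether the certificate really is a CA (basicConstraints CA:TRUE) still has to be confirmed with openssl x509 -noout -text.

```python
"""Pre-flight checks for a Squid SSL-Bump port (added example for this thread)."""
import os
import re
import tempfile
from pathlib import Path

# Path Squid fell back to on the poster's system while sslcrtd_program was
# commented out (seen in the thread's cache.log); it is a build-time default.
DEFAULT_SSL_DB = "/var/cache/squid/ssl_db"
PEM_HEADER = re.compile(r"-----BEGIN ([A-Z ]+)-----")


def parse_squid_conf(text):
    """Pick cert=/key= off the ssl-bump http_port and -s off sslcrtd_program."""
    found = {"cert": None, "key": None, "ssl_db": DEFAULT_SSL_DB}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if words and words[0] == "http_port" and "ssl-bump" in words:
            opts = dict(w.split("=", 1) for w in words if "=" in w)
            found["cert"], found["key"] = opts.get("cert"), opts.get("key")
        elif words and words[0] == "sslcrtd_program" and "-s" in words:
            found["ssl_db"] = words[words.index("-s") + 1]
    return found


def _pem_kinds(path):
    """PEM block types in a file, plus whether the key is pass-phrase protected."""
    data = Path(path).read_text(errors="replace")
    kinds = PEM_HEADER.findall(data)
    return kinds, "ENCRYPTED PRIVATE KEY" in kinds or "Proc-Type: 4,ENCRYPTED" in data


def check_signing_material(cert, key):
    """Squid needs the signing certificate and its private key (in cert=, or cert=
    plus key=); a pass-phrase protected key makes squid prompt at every start."""
    if cert is None:
        return ["http_port: ssl-bump is set but no cert= option is given"]
    problems = [f"{label}: {path} does not exist" for label, path in (("cert", cert), ("key", key))
                if path is not None and not os.path.isfile(path)]
    if problems:
        return problems
    kinds, encrypted = _pem_kinds(cert)
    if key is not None:
        key_kinds, key_encrypted = _pem_kinds(key)
        kinds, encrypted = kinds + key_kinds, encrypted or key_encrypted
    if "CERTIFICATE" not in kinds:
        problems.append(f"cert: {cert} holds no CERTIFICATE block")
    if not any(k.endswith("PRIVATE KEY") for k in kinds):
        problems.append("cert/key: no PRIVATE KEY block, so squid cannot sign host certificates")
    if encrypted:
        problems.append("key: private key is pass-phrase protected; regenerate it without one")
    return problems


def check_ssl_db(path):
    """The helper's -s directory must have been created by 'security_file_certgen -c'."""
    if not os.path.isdir(path):
        return [f"ssl_db: {path} is missing; run: security_file_certgen -c -s {path} -M 4MB"]
    if not os.path.isfile(os.path.join(path, "index.txt")):  # marker -c writes (assumed)
        return [f"ssl_db: {path} exists but was never initialised with -c"]
    return []


def preflight(conf_text):
    """All findings for one squid.conf text; an empty list means the port can start."""
    cfg = parse_squid_conf(conf_text)
    return check_signing_material(cfg["cert"], cfg["key"]) + check_ssl_db(cfg["ssl_db"])


def demo(fixed):
    """Rebuild the poster's first attempt (fixed=False) or the final working
    layout (fixed=True) in a temp dir with constructed PEM stubs, then check it."""
    root = Path(tempfile.mkdtemp())
    certs = root / "etc/squid/certs"
    certs.mkdir(parents=True)
    cert_blk = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
    key_blk = "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n"
    enc_key = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               "DEK-Info: AES-256-CBC,00\n\nconstructed\n-----END RSA PRIVATE KEY-----\n")
    db = root / "var/cache/squid/ssl_db"  # the path the helper is actually started with
    if fixed:
        (certs / "myCA.pem").write_text(cert_blk + key_blk)  # CA cert and plain key together
        db.mkdir(parents=True)
        (db / "index.txt").touch()
        port = f"http_port 8080 ssl-bump cert={certs}/myCA.pem generate-host-certificates=on"
    else:
        (certs / "newcert.pem").write_text(cert_blk)
        (certs / "newkey.pem").write_text(enc_key)  # CA.pl asked for a pass phrase: encrypted key
        (root / "var/lib/squid/ssl_db").mkdir(parents=True)  # initialised at the wrong path
        port = f"http_port 8080 ssl-bump cert={certs}/newcert.pem key={certs}/newkey.pem"
    conf = (f"{port}\nsslcrtd_program /usr/libexec/squid/security_file_certgen "
            f"-s {db} -M 4MB\nssl_bump peek all\nssl_bump splice all\n")
    return preflight(conf)
```

demo(False) returns the two findings for the first attempt and demo(True) an empty list for the final layout; pass the text of a real squid.conf to preflight() to check a live setup.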