compile squid with tumbleweed

compile squid with tumbleweed

Majed Zouhairy
Peace,
As part of self-development, we decided that turning on SSL-Bump + splice
is a good idea, so how do I install Squid with SSL support on Tumbleweed?

Answer: it is already compiled with SSL support.

But now I followed:

https://medium.com/@steensply/installing-and-configuring-squid-proxy-for-ssl-bumping-or-peek-n-splice-34afd3f69522

to enable ssl bumping.

specifically those commands:

/usr/share/ssl/misc/CA.pl -newca
/usr/share/ssl/misc/CA.pl -newreq
/usr/share/ssl/misc/CA.pl -sign
openssl x509 -in newcert.pem -outform DER -out squidTrusted.der
copied the 3 files to /etc/squid/certs
sudo chown squid:squid -R /etc/squid/certs
sudo /usr/libexec/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sudo chown squid:squid -R /var/lib/squid
sudo chmod 700 /etc/squid/certs/... (newcrt.pem newkey.pem squidTrusted.der)

sudo squid -z

It asks for the certificate password, then:


2021/04/01 13:16:57| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03| Created PID file (/run/squid.pid)
zouhairy@proxy:~> 2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.047 seconds = 0.031 user + 0.016 sys
Maximum Resident Size: 62352 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.040 seconds = 0.032 user + 0.008 sys
Maximum Resident Size: 62272 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.042 seconds = 0.008 user + 0.034 sys
Maximum Resident Size: 63360 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.047 seconds = 0.032 user + 0.016 sys
Maximum Resident Size: 62992 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.045 seconds = 0.030 user + 0.015 sys
Maximum Resident Size: 62640 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03| Removing PID file (/run/squid.pid)


squid conf:

acl localnet (network/24)

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl blockfiles urlpath_regex -i "/etc/squid/blocks.files.acl"

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
visible_hostname proxy.example.vx

dns_v4_first on

http_access allow localnet
http_access allow localhost



# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 8080

#sslproxy_capath /home/zouhairy/demoCA

http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/newcert.pem key=/etc/squid/certs/newkey.pem capath=/home/zouhairy/demoCA




#acl step1 at_step SslBump1
#ssl_bump peek step1
#ssl_bump bump all

#sslcrtd_program /usr/libexec/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
#sslcrtd_children 5

ssl_bump peek all
ssl_bump splice all

#ssl_bump server-first all

sslproxy_cert_error allow all


tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS



range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1


cache_dir ufs /var/cache/squid 3000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 1024 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4
#debug_options ALL,1 33,2 28,9

What should I change?
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: compile squid with tumbleweed

Eliezer Croitoru-3
Hey,

First, try the following example:
https://github.com/elico/yt-classification-service-example/blob/master/redwood/init-local-rootca.sh

It creates a root CA key and certificate, which doesn't require you to use a password.
I have also seen the article you used, and it has two ways to create the root CA:
one with the CA.pl script, and the other with the openssl tool.
As long as you don't need CA.pl specifically, I would recommend using openssl.
It's plain simple to just create a root CA certificate.

All The Bests,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon



Re: compile squid with tumbleweed

Amos Jeffries
Administrator
In reply to this post by Majed Zouhairy
On 1/04/21 11:41 pm, Majed Zouhairy wrote:
>
> to enable ssl bumping.
>
> specifically those commands:
>
> /usr/share/ssl/misc/CA.pl -newca
> /usr/share/ssl/misc/CA.pl -newreq
> /usr/share/ssl/misc/CA.pl -sign
> openssl x509 -in newcert.pem -outform DER -out squidTrusted.der


> sudo squid -z
>
> asks for certificate password
> then
>
> Enter PEM pass phrase:
> 2021/04/01 13:17:03| Created PID file (/run/squid.pid)
> zouhairy@proxy:~> 2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation.
> Detected non-functional IPv6 loopback.
> Enter PEM pass phrase:
> 2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured
> for HTTP_port 0.0.0.0:8080

That says there is no CA certificate found in the file configured for
that port's tls-cert= option. Squid requires a signing (CA) certificate
and its private key in order to perform SSL-Bump.

With "squid -k parse" Squid should tell you what it is loading from that
file.


>
> squid conf:
>
...
>
> http_port 8080 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/newcert.pem
> key=/etc/squid/certs/newkey.pem capath=/home/zouhairy/demoCA
>

>
> ssl_bump peek all
> ssl_bump splice all
>
> sslproxy_cert_error allow all
>



Amos
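Amos's two requirements (a CA certificate and its private key in the file the port loads, and no pass phrase prompt at start-up) can be met and checked with plain openssl. The script below is an added example, not code from the thread, from Amos, or from the Squid project. It assumes the directory /etc/squid/certs, the file names squidCA.*, the subject and the five-year lifetime; `tls-cert=` is the Squid 4 spelling of the `cert=` option the posted config uses.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts or from Squid:
# build a pass-phrase-free signing CA for SSL-Bump and verify the file
# before handing it to "http_port ... tls-cert=". Paths, file names, subject
# and lifetime are assumptions.
set -eu

# make_bump_ca DIR: writes DIR/squidCA.key (unencrypted), DIR/squidCA.crt,
# DIR/squidCA.pem (certificate + key, the file for tls-cert=) and
# DIR/squidCA.der (for importing into browser/OS trust stores).
make_bump_ca() {
    dir=$1
    mkdir -p "$dir"
    # A private req config, so the system openssl.cnf cannot add conflicting
    # extensions. basicConstraints CA:TRUE is what makes this a *signing* cert.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Squid Bump CA (example)
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # -nodes: do NOT encrypt the key. Squid has no terminal to answer the
    # "Enter PEM pass phrase:" prompt that the CA.pl-generated key produced.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -config "$dir/req.cnf" \
        -keyout "$dir/squidCA.key" -out "$dir/squidCA.crt" 2>/dev/null
    cat "$dir/squidCA.crt" "$dir/squidCA.key" > "$dir/squidCA.pem"
    openssl x509 -in "$dir/squidCA.crt" -outform DER -out "$dir/squidCA.der"
    chmod 600 "$dir/squidCA.key" "$dir/squidCA.pem"
    rm -f "$dir/req.cnf"
}

# check_bump_ca PEM: succeeds only if PEM holds an unencrypted private key
# and a CA certificate that belong together; prints the first failing check.
check_bump_ca() {
    pem=$1
    if grep -q ENCRYPTED "$pem"; then
        echo "FAIL: $pem: private key is pass-phrase protected" >&2
        return 1
    fi
    cert=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pem")
    if ! printf '%s\n' "$cert" | openssl x509 -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "FAIL: $pem: certificate is not a CA (no basicConstraints CA:TRUE)" >&2
        return 1
    fi
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$pem" \
              | openssl pkey -pubout 2>/dev/null) || key_pub=
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $pem: no private key, or the key does not match the certificate" >&2
        return 1
    fi
    echo "OK: $pem is usable for http_port ... tls-cert="
}

# Usage on the proxy (as root), then point the http_port line at the .pem:
#   make_bump_ca /etc/squid/certs
#   check_bump_ca /etc/squid/certs/squidCA.pem
#   chown -R squid:squid /etc/squid/certs
#   squid -k parse        # Squid reports what it loads from the file
```

`check_bump_ca` catches both failure modes in the thread: a key that prompts for a pass phrase (every worker dies on the prompt) and a file that holds an end-entity certificate rather than a CA. One unrelated line in the posted config deserves a look as well: `sslproxy_cert_error allow all` tells Squid to accept every upstream certificate error. With peek/splice the browser still validates the origin certificate itself, but once a connection is bumped the browser only ever sees Squid's generated certificate, so Squid's own validation is the only one left.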

Re: compile squid with tumbleweed

Majed Zouhairy
Hmm, thank you both. I regenerated new certificates using Eliezer's
method and now Squid restarted, but it is refusing connections.
I normally configure port 8080 as the proxy port in the browser, and I
am thinking there needs to be another port for SSL bumping?

Now the configuration is like this:

....


# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 8080

##sslproxy_capath /home/zouhairy/demoCA

http_port 8080 ssl-bump cert=/etc/squid/certs/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB



ssl_bump peek all
ssl_bump splice all



#tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

# Uncomment and adjust the following to add a disk cache directory.
# Updates: chrome and acrobat
#refresh_pattern -i gvt1.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 80% 129600 reload-into-ims
#refresh_pattern -i adobe.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 80% 129600 reload-into-ims



range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1



cache_dir ufs /var/cache/squid 3000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 1024 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:                1440    20%    10080
refresh_pattern ^gopher:            1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0        0%    0
refresh_pattern .                    0        20%    4320

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4
#debug_options ALL,1 33,2 28,9


Re: compile squid with tumbleweed

Amos Jeffries
Administrator
On 3/04/21 4:13 pm, Majed Zouhairy wrote:
> hmm, thank you both.. i regenerated new certificates using Eliazer's
> method and now squid restarted but it is refusing connections..

What is the error happening now?


> i normally configure port 8080 as the proxy port in the browser, and i
> am thinking there needs to be another port for ssl bumping?
>

No. SSL-Bump as you have it configured intercepts the CONNECT traffic
the browser sends to the normal proxy port.


> now the configuration is like this:
>
> ....
 >
> http_port 8080 ssl-bump  cert=/etc/squid/certs/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
>
>
> ssl_bump peek all
> ssl_bump splice all
>



>
> # Uncomment and adjust the following to add a disk cache directory.
> # Updates: chrome and acrobat

NP: the comment above is about the cache_dir line. You can remove it.


Amos

Re: compile squid with tumbleweed

Majed Zouhairy
The error is:

Прокси-сервер отказывается принимать соединения

Translation: the proxy server is refusing to accept connections.

Might it be some setting in ufdbGuard now?


Re: compile squid with tumbleweed

Amos Jeffries
Administrator
On 4/04/21 5:09 pm, Majed Zouhairy wrote:
> the error is:
>
> Прокси-сервер отказывается принимать соединения
>
> translation: the proxy-server is refusing to accept connections..
>

That seems like the meaningless text modern browsers like to replace the
real error with.

Can you check the Squid logs to see what is actually going on?


> might it be some setting in ufdbguard now?
>

If that text is from the Browser it could be anything.

Amos

Re: compile squid with tumbleweed

L A Walsh
In reply to this post by Majed Zouhairy
On 2021/04/03 22:09, Majed Zouhairy wrote:
> the error is:
>
> Прокси-сервер отказывается принимать соединения
>
> translation: the proxy-server is refusing to accept connections..
>  
That most commonly is what I see when squid didn't start (so it
refuses to accept connections).

Are you sure it started?  Look in the logs for any errors?

I've had problems there where the cert-gen process needed to have
its database zeroed (among other non-starting issues), so
at boot, squid looked like it ran, but immediately exited when
one of its helpers kept dying...



Re: compile squid with tumbleweed

Majed Zouhairy
In reply to this post by Amos Jeffries
Yes, from the browser.

The Squid cache log last showed:

2021/04/02 15:52:47 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2021/04/02 15:52:47 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2021/04/02 15:52:47 kid1| Unlinkd pipe opened on FD 40
2021/04/02 15:52:47 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2021/04/02 15:52:47 kid1| Store logging disabled
2021/04/02 15:52:47 kid1| Swap maxSize 3072000 + 1048576 KB, estimated 316967 objects
2021/04/02 15:52:47 kid1| Target number of buckets: 15848
2021/04/02 15:52:47 kid1| Using 16384 Store buckets
2021/04/02 15:52:47 kid1| Max Mem  size: 1048576 KB
2021/04/02 15:52:47 kid1| Max Swap size: 3072000 KB
2021/04/02 15:52:47 kid1| Rebuilding storage in /var/cache/squid (clean log)
2021/04/02 15:52:47 kid1| Using Least Load store dir selection
2021/04/02 15:52:47 kid1| Set Current Directory to /var/cache/squid
2021/04/02 15:52:47 kid1| Finished loading MIME types and icons.
2021/04/02 15:52:47 kid1| HTCP Disabled.
2021/04/02 15:52:47 kid1| Pinger socket opened on FD 45
2021/04/02 15:52:47 kid1| Squid plugin modules loaded: 0
2021/04/02 15:52:47 kid1| Adaptation support is off.
2021/04/02 15:52:47 kid1| Accepting SSL bumped HTTP Socket connections at local=0.0.0.0:8080 remote=[::] FD 43 flags=9
2021/04/02 15:52:47| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
2021/04/02 15:52:47| pinger: Initialising ICMP pinger ...
2021/04/02 15:52:47| pinger: ICMP socket opened.
2021/04/02 15:52:47| pinger: ICMPv6 socket opened
2021/04/02 15:52:47 kid1| Store rebuilding is 19.99% complete
2021/04/02 15:52:47 kid1| Done reading /var/cache/squid swaplog (20010 entries)
2021/04/02 15:52:47 kid1| Finished rebuilding storage from disk.
2021/04/02 15:52:47 kid1|     20010 Entries scanned
2021/04/02 15:52:47 kid1|         0 Invalid entries.
2021/04/02 15:52:47 kid1|         0 With invalid flags.
2021/04/02 15:52:47 kid1|     20010 Objects loaded.
2021/04/02 15:52:47 kid1|         0 Objects expired.
2021/04/02 15:52:47 kid1|         0 Objects cancelled.
2021/04/02 15:52:47 kid1|         0 Duplicate URLs purged.
2021/04/02 15:52:47 kid1|         0 Swapfile clashes avoided.
2021/04/02 15:52:47 kid1|   Took 0.26 seconds (76538.52 objects/sec).
2021/04/02 15:52:47 kid1| Beginning Validation Procedure
2021/04/02 15:52:47 kid1|   Completed Validation Procedure
2021/04/02 15:52:47 kid1|   Validated 20010 Entries
2021/04/02 15:52:47 kid1|   store_swap_size = 1355568.00 KB
2021/04/02 15:52:47 kid1| WARNING: /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB #Hlpr1 exited
2021/04/02 15:52:47 kid1| Too few /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB processes are running (need 1/32)
2021/04/02 15:52:47 kid1| Closing HTTP(S) port 0.0.0.0:8080
2021/04/02 15:52:47 kid1| storeDirWriteCleanLogs: Starting...
2021/04/02 15:52:47 kid1|   Finished.  Wrote 20010 entries.
2021/04/02 15:52:47 kid1|   Took 0.01 seconds (3978131.21 entries/sec).
2021/04/02 15:52:47 kid1| FATAL: The /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB helpers are crashing too rapidly, need help!

The Squid log last showed:


1617367631.100    868 10.0.28.26 TCP_REFRESH_MODIFIED_ABORTED/200 13935 GET http://spastv.ru/ - HIER_DIRECT/84.201.153.140 text/html
1617367725.880      0 10.0.28.26 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1617367845.916      0 10.0.28.26 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -

which is an every-minute check.


sudo systemctl status squid
● squid.service - Squid caching proxy
     Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Sun 2021-04-04 21:58:13 +03; 5s ago
       Docs: man:squid(8)
    Process: 28198 ExecStartPre=/usr/libexec/squid/initialize_cache_if_needed.sh (code=exited, status=0/SUCCESS)
    Process: 28202 ExecStart=/usr/sbin/squid -FC (code=exited, status=0/SUCCESS)
   Main PID: 28203 (code=exited, status=1/FAILURE)

Apr 04 21:58:12 proxy squid[28203]: Squid Parent: (squid-1) process 28355 started
Apr 04 21:58:12 proxy (squid-1)[28355]: FATAL: The /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4>
Apr 04 21:58:12 proxy squid[28203]: Squid Parent: squid-1 process 28355 exited with status 1
Apr 04 21:58:12 proxy squid[28203]: Squid Parent: (squid-1) process 28405 started
Apr 04 21:58:13 proxy (squid-1)[28405]: FATAL: The /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4>
Apr 04 21:58:13 proxy squid[28203]: Squid Parent: squid-1 process 28405 exited with status 1
Apr 04 21:58:13 proxy squid[28203]: Squid Parent: squid-1 process 28405 will not be restarted for 3600 seconds due to repea>
Apr 04 21:58:13 proxy squid[28203]: Exiting due to repeated, frequent failures
Apr 04 21:58:13 proxy systemd[1]: squid.service: Main process exited, code=exited, status=1/FAILURE
Apr 04 21:58:13 proxy systemd[1]: squid.service: Failed with result 'exit-code'.


Re: compile squid with tumbleweed

L A Walsh
In reply to this post by L A Walsh
On 2021/04/04 20:07, Majed Zouhairy wrote:
> you are right, it's not running..
>
>  >cert-gen process needed to have
> it's database zeroed
>
>
> how to do that?
---
        Well, that was *my* issue of why it wasn't running -- I
had to explore the logs and try to run the daemon interactively
to direct its error messages to the console -- I had to look up
how to do that in the man pages, and the product's "--help" switch,
among other things.

At this point you just know it isn't running, but you don't know
it's the same problem as I had -- if it is, the error message
that tells you that such is the problem also tells you "how to do that"
(i.e. how to fix it).  But first you need to look into why it is
failing.

BTW, please 'Cc' the list so someone else who might better know
about a problem like yours can chime in.  I only related a similar
failure case causing a symptom like that -- but there are lots
of ways to not have squid launch right.

Try building squid from the SUSE rpm, if you haven't already -- then
you can try adding in a specific squid-tar-version that can better
suit you than the SUSE version, if that's your intent...

Squid is of moderate difficulty to build -- be sure you can do so from
SUSE's source rpms, as they'll work for your system, then change things
starting from there...


Re: compile squid with tumbleweed

Majed Zouhairy
In reply to this post by Amos Jeffries
I solved the problem.

Since this was in the Squid status:
FATAL: The /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB helpers

and I was creating the directory at /var/lib/squid/ssl_db,

so instead I ran:

sudo /usr/libexec/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 8MB

Restarted Squid, and now it works!

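The final fix in the thread was a path mismatch: the certificate database was initialised at /var/lib/squid/ssl_db, while the helper command line in cache.log used /var/cache/squid/ssl_db, because the `sslcrtd_program` line in squid.conf was commented out and the build default applied. The script below is an added example, not code from the thread or from the Squid project. It assumes the helper path /usr/libexec/squid/security_file_certgen shown in the thread's log, the `squid` service user, and that `security_file_certgen -c` leaves an index.txt in the database directory (Squid's certgen database layout).

```shell
#!/bin/sh
# Added example for this thread, not code from the posts or from Squid:
# make sure the database you initialise is the one the certgen helper is
# actually started on, and that the helper can write to it. Helper path,
# service user and the index.txt marker are assumptions (see lead-in).
set -eu

# effective_ssl_db CONF DEFAULT: the -s argument of an *active* (uncommented)
# sslcrtd_program line in CONF, otherwise DEFAULT. DEFAULT is the compiled-in
# helper command line; take it from cache.log or `squid -k parse`, not a guess.
effective_ssl_db() {
    conf=$1 default=$2
    p=$(sed -n 's/^[[:space:]]*sslcrtd_program[[:space:]].*[[:space:]]-s[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    printf '%s\n' "${p:-$default}"
}

# ssl_db_ready DIR USER: 0 if DIR was initialised (index.txt present) and
# every entry inside it is owned by USER, the account the Squid worker and
# therefore the helper run as. Any other state makes the helper exit at once,
# which is what the "helpers are crashing too rapidly" FATAL reports.
ssl_db_ready() {
    dir=$1 user=$2
    [ -f "$dir/index.txt" ] || { echo "not initialised: $dir" >&2; return 1; }
    if [ -n "$(find "$dir" ! -user "$user" -print | head -n 1)" ]; then
        echo "wrong owner inside $dir (expected $user)" >&2
        return 1
    fi
    return 0
}

# init_ssl_db DIR USER [SIZE]: the thread's fix, parameterised. Run as root.
init_ssl_db() {
    dir=$1 user=$2 size=${3:-4MB}
    /usr/libexec/squid/security_file_certgen -c -s "$dir" -M "$size"
    chown -R "$user:$user" "$dir"
}

# Usage, matching the build in the thread:
#   db=$(effective_ssl_db /etc/squid/squid.conf /var/cache/squid/ssl_db)
#   ssl_db_ready "$db" squid || init_ssl_db "$db" squid 4MB
#   systemctl restart squid
```

Because `effective_ssl_db` ignores commented lines, it reports /var/cache/squid/ssl_db for the config posted in this thread, which is the path the helper was really using; the -M value on the `sslcrtd_program` line and the one passed to `-c` are independent, so a later change to the cache size does not require re-initialising the database.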