[squid-users] Squid on Freebsd
Hello i try to use squid (6.10) with opnsense 24.x on freebsd 13-2-Release-p11. It produces a "segmentation fault" at start and restart but the process runs. The "segmentation fault" occurs even with squid -k parse. A "service squid reload" runs OK, but a "service squid restart" produces this Segmentation fault. The problem did not exist with opnsense 23.x and an older squid. How can I debug this error probably in the parse part? yours Anton Kornexl ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid on Freebsd
On Mon, Jul 22, 2024 at 12:12 PM Anton Kornexl wrote: > Hello > > i try to use squid (6.10) with opnsense 24.x on freebsd 13-2-Release-p11. > > It produces a "segmentation fault" at start and restart but the process > runs. > > The "segmentation fault" occurs even with squid -k parse. > > A "service squid reload" runs OK, but a "service squid restart" produces > this Segmentation fault. > > The problem did not exist with opnsense 23.x and an older squid. > > How can I debug this error probably in the parse part? > Squid used to write info into cache.log, IIRC. I think it still does. It's been long since I last managed a squid install. -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html] ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined
Hello, Jonathan, > curl http://localhost:3128/squid-internal-mgr/info > Where would I place the password? I use the following configuration: http_access allow localhost manager cachemgr_passwd redacted config The command to read the current running config is: curl localhost:3128/squid-internal-mgr/config -u :redacted Kind regards, Ankor. чт, 18 июл. 2024 г. в 17:07, Alex Rousskov : > On 2024-07-18 00:55, Jonathan Lee wrote: > > > curl http://localhost:3128/squid-internal-mgr/info > > > > Where would I place the password? > > See "man curl" or online manual pages for curl. They will point you to > two relevant options: --user and --proxy-user. AFAICT, your particular > cache manager requests are sent _to_ the proxy (as if it were an origin > server) rather than _through_ the proxy. Thus, you should use --user. > > As I keep saying on this thread, due to Squid complications related to > Bug 5283, specifying seemingly correct client parameters may not be > enough to convince Squid to accept the cache manager request. I > recommend the following procedure: > > 1. List the corresponding http_port directive first, before any other > http_port, https_port, and ftp_port directives. Do not use interception > of any kind for this cache manager port. > > 2. Use curl with absolute squid-internal-mgr URLs with http scheme (like > you show above). Do _not_ use "curl --proxy" or similar. Do not use > https scheme. > > 3. In that absolute mgr URL, use the host name that matches > visible_hostname in squid.conf. If you do not have visible_hostname in > squid.conf, add it. This is not required, but, due to Squid bugs, it is > often much easier to get this to work with visible_hostname than without > it. > > 4. Make (passwordless) mgr:info use case working first, before trying to > get password-protected pages working. > > 5. When you do specify a username and a password, remember that you are > sending this request to an (equivalent of) a service running on an > origin server, _not_ a proxy (hence --user rather than --proxy-user). > > > If you cannot figure it out despite carefully going through the above > steps, share (privately if needed) a pointer to compressed ALL,9 > cache.log while reproducing the problem with throw-away credentials on > an idle Squid with a single curl request. Mention which step you got > stuck on. > > > HTH, > > Alex. > > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > https://lists.squid-cache.org/listinfo/squid-users > ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid on Freebsd
Hello, I have tested the two installations further Opnsense 23.x with squid 6.6 on freebsd 13.2-Release-p9 produces the same segmentation fault, but it does not popup as red window in the dashboard. I have set "debug_options ALL,5" in squid.conf: I have found the following lines in cache.log (grep _suid cache.log) 2024/07/22 17:26:52.186 kid1| 21,3| tools.cc(625) enter_suid: enter_suid: PID 29145 taking root privileges 2024/07/22 17:26:52.186 kid1| 21,31 tools.cc(629) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted 2024/07/22 17:26:52.186 kid1| 21,3| tools.cc(561) leave suid: leave suid: PID 29145 called 2024/07/22 17:26:52.187 kid1| 21,31 tools.cc(625) enter_suid: enter_suid: PID 29145 taking root privileges 2024/07/22 17:26:52.187 kid1| 21,3| tools.cc(629) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted 2024/07/22 17:26:52.187 kid1| 21,31 tools.cc(561) leave_suid: leave suid: PID 29145 called 2024/07/22 17:26:52.187 kid1| 21,31 tools.cc(625) enter_suid: enter_suid: PID 29145 taking root privileges 2024/07/22 17:26:52.187 kid1l 21,31 tools.cc(629) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted 2024/07/22 17:26:52.187 kid1| 21,31 tools.cc(561) leave_suid: leave suid: PID 29145 called 2024/07/22 17:26:52.187 kid1l 21,31 tools.cc(561) leave_suid: leave_suid: PID 29648 called 2024/07/22 17:26:52.187 kid1l 21,31 tools.cc(651) no_suid: no_suid: PID 29648 giving up root privileges forever maybe this is the cause of the "segmentation fault". The difference between the installations 23.x and 24.x is the alerting of this segmentaion fault in the dashboard of opnsense. But what ist the cause of this "Operation not permitted" yours Anton Kornexl Am 22.07.2024 um 11:03 schrieb Anton Kornexl: Hello i try to use squid (6.10) with opnsense 24.x on freebsd 13-2-Release-p11. It produces a "segmentation fault" at start and restart but the process runs. The "segmentation fault" occurs even with squid -k parse. A "service squid reload" runs OK, but a "service squid restart" produces this Segmentation fault. The problem did not exist with opnsense 23.x and an older squid. How can I debug this error probably in the parse part? yours Anton Kornexl ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined
Thanks for the info I tried it and this also failed. Dang Shell Output - curl localhost:3128/squid-internal-mgr/info -u :redacted % Total% Received % Xferd Average Speed TimeTime Time Current Dload Upload Total SpentLeft Speed 0 00 00 0 0 0 --:--:-- --:--:-- --:--:-- 0 100 3773 100 37730 0 90756 0 --:--:-- --:--:-- --:--:-- 94325 http://www.w3.org/TR/html4/strict.dtd";> ERROR: The requested URL could not be retrieved
Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined
Also I have tested curl 127.0.0.1:3128/squid-internal-mgr -u :redacted curl localhost:3128/squid-internal-mgr -u :redacted curl hostname_here:3128/squid-internal-mgr -u :redacted (per bug notes use hostname in place of localhost) and testing with no password same commands lock up the system with no response and if I do them outside of the host with a web browser I get the errors below seen they are new.. > HTTP/1.1 Expect: feature is being asked from an HTTP/1.0 software. > > On Jul 22, 2024, at 09:01, Jonathan Lee wrote: > > Thanks for the info > > I tried it and this also failed. Dang > > Shell Output - curl localhost:3128/squid-internal-mgr/info -u :redacted > % Total% Received % Xferd Average Speed TimeTime Time > Current > Dload Upload Total SpentLeft Speed > > 0 00 00 0 0 0 --:--:-- --:--:-- --:--:-- 0 > 100 3773 100 37730 0 90756 0 --:--:-- --:--:-- --:--:-- 94325 > "http://www.w3.org/TR/html4/strict.dtd";> > > > > ERROR: The requested URL could not be retrieved >
Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined
Can you try supplying a username to curl? It's also common practice to
put flags ('-u user:redacted') before arguments (the URL)
On Mon, Jul 22, 2024 at 5:12 PM Jonathan Lee wrote:
>
> Thanks for the info
>
> I tried it and this also failed. Dang
>
> Shell Output - curl localhost:3128/squid-internal-mgr/info -u :redacted
>
> % Total% Received % Xferd Average Speed TimeTime Time
> Current
> Dload Upload Total SpentLeft Speed
>
> 0 00 00 0 0 0 --:--:-- --:--:-- --:--:-- 0
> 100 3773 100 37730 0 90756 0 --:--:-- --:--:-- --:--:-- 94325
> "http://www.w3.org/TR/html4/strict.dtd";>
>
>
>
> ERROR: The requested URL could not be retrieved
>
Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined
That would require a username for the cachemgr_password account right? I have
no usernames set up for this.
How does one add a username for this directive ?
> On Jul 22, 2024, at 11:13, Francesco Chemolli wrote:
>
> Can you try supplying a username to curl? It's also common practice to
> put flags ('-u user:redacted') before arguments (the URL)
>
> On Mon, Jul 22, 2024 at 5:12 PM Jonathan Lee wrote:
>>
>> Thanks for the info
>>
>> I tried it and this also failed. Dang
>>
>> Shell Output - curl localhost:3128/squid-internal-mgr/info -u :redacted
>>
>> % Total% Received % Xferd Average Speed TimeTime Time
>> Current
>> Dload Upload Total SpentLeft Speed
>>
>> 0 00 00 0 0 0 --:--:-- --:--:-- --:--:-- 0
>> 100 3773 100 37730 0 90756 0 --:--:-- --:--:-- --:--:--
>> 94325
>> > "http://www.w3.org/TR/html4/strict.dtd";>
>>
>>
>>
>> ERROR: The requested URL could not be retrieved
>>
Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined
Not really, no. Username is not considered, it's just to make sure
that curl sends all the data
On Mon, Jul 22, 2024 at 7:21 PM Jonathan Lee wrote:
>
> That would require a username for the cachemgr_password account right? I have
> no usernames set up for this.
>
> How does one add a username for this directive ?
>
> > On Jul 22, 2024, at 11:13, Francesco Chemolli wrote:
> >
> > Can you try supplying a username to curl? It's also common practice to
> > put flags ('-u user:redacted') before arguments (the URL)
> >
> > On Mon, Jul 22, 2024 at 5:12 PM Jonathan Lee
> > wrote:
> >>
> >> Thanks for the info
> >>
> >> I tried it and this also failed. Dang
> >>
> >> Shell Output - curl localhost:3128/squid-internal-mgr/info -u :redacted
> >>
> >> % Total% Received % Xferd Average Speed TimeTime Time
> >> Current
> >> Dload Upload Total SpentLeft
> >> Speed
> >>
> >> 0 00 00 0 0 0 --:--:-- --:--:-- --:--:--
> >> 0
> >> 100 3773 100 37730 0 90756 0 --:--:-- --:--:-- --:--:--
> >> 94325
> >> >> "http://www.w3.org/TR/html4/strict.dtd";>
> >>
> >>
> >>
> >> ERROR: The requested URL could not be retrieved
> >>
Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined
Ok thanks let me boot that environment and test again, my concern is that is
looks like it is attempting it from my WAN side address that is my wan address
and not the loopback
> On Jul 22, 2024, at 11:22, Francesco Chemolli wrote:
>
> Not really, no. Username is not considered, it's just to make sure
> that curl sends all the data
>
> On Mon, Jul 22, 2024 at 7:21 PM Jonathan Lee wrote:
>>
>> That would require a username for the cachemgr_password account right? I
>> have no usernames set up for this.
>>
>> How does one add a username for this directive ?
>>
>>> On Jul 22, 2024, at 11:13, Francesco Chemolli wrote:
>>>
>>> Can you try supplying a username to curl? It's also common practice to
>>> put flags ('-u user:redacted') before arguments (the URL)
>>>
>>> On Mon, Jul 22, 2024 at 5:12 PM Jonathan Lee
>>> wrote:
Thanks for the info
I tried it and this also failed. Dang
Shell Output - curl localhost:3128/squid-internal-mgr/info -u :redacted
% Total% Received % Xferd Average Speed TimeTime Time
Current
Dload Upload Total SpentLeft Speed
0 00 00 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 3773 100 37730 0 90756 0 --:--:-- --:--:-- --:--:--
94325
>>> "http://www.w3.org/TR/html4/strict.dtd";>
ERROR: The requested URL could not be retrieved
Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined
Tested thanks for the reply and idea access denied and tested with a firewall rule to approve everything to port 80 same result with or without mgr_passord configured, it is like the page is missing in Squid 6.6 or something Shell Output - curl localhost:3128/squid-internal-mgr/info -u admin:redacted % Total% Received % Xferd Average Speed TimeTime Time Current Dload Upload Total SpentLeft Speed 0 00 00 0 0 0 --:--:-- --:--:-- --:--:-- 0 100 3783 100 37830 0 111k 0 --:--:-- --:--:-- --:--:-- 115k http://www.w3.org/TR/html4/strict.dtd";> ERROR: The requested URL could not be retrieved
Re: [squid-users] squid "make check" error
On 20/07/24 03:19, Alex Rousskov wrote: On 2024-07-19 09:20, Rafał Stanilewicz wrote: Thank you. It worked. Glad to hear that! Seconded. I incorrectly assumed all dependencies would be captured by aptitude build-dep squid and ./configure. AFAIK that is a correct assumption for Debian based packages. The only additional dependencies needed should be for features *not* enabled in the package. This failure is quite a surprise to me. That said, I test the Debian "squid" package with "apt" not "aptitude" and there are some unexpected algorithm differences at times. Should "squid" package build dependencies accommodate "make check"? The Debian/Ubuntu packages should since the package creation runs "make check". The "apt build-dep squid" should pull in everything necessary to build the relevant squid_*.deb package (except some few essential OS packages which should exist everywhere). libcppunit-dev has been listed as a squid dependency for many years. So I would not be surprised if some ancient Ubuntu (circa 2010 or such) showed this behaviour, but certainly not the one you have. Cheers Amos ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
