On Fri, 2015-07-24 at 19:15 -0500, Stanford Prescott wrote:
> Thanks for that. Any ideas why I am experiencing that?
>
> Stan
>
> On Fri, Jul 24, 2015 at 7:07 PM, James Lay <j...@slave-tothe-box.net> wrote:
> > On Fri, 2015-07-24 at 17:25 -0500, Stanford Prescott wrote:
> > > I have a working implementation of Squid 3.5.5 with ssl-bump. When 3.5.5 is
> > > started with ssl-bump enabled all the squid and ssl_crtd processes start and
> > > Squid functions as intended when bumping ssl sites. However, when I bump Squid
> > > to 3.5.6 squid seems to start but ssl_crtd does not and Squid 3.5.6 cannot
> > > successfully bump ssl.
> > >
> > > These are the config options I use for both 3.5.5 and 3.5.6.
> > >
> > > --enable-storeio="diskd,ufs,aufs" --enable-linux-netfilter \
> > > --enable-removal-policies="heap,lru" --enable-delay-pools --libdir=/usr/lib/ \
> > > --localstatedir=/var --with-dl --with-openssl --enable-http-violations \
> > > --with-large-files --with-libcap --disable-ipv6 --with-swapdir=/var/spool/squid \
> > > --enable-ssl-crtd --enable-follow-x-forwarded-for
> > >
> > > This is the squid.conf file used for both versions.
> > >
> > > visible_hostname smoothwallu3
> > >
> > > # Uncomment the following to send debug info to /var/log/squid/cache.log
> > > debug_options ALL,1 33,2 28,9
> > >
> > > # ACCESS CONTROLS
> > > # ----------------------------------------------------------------
> > > acl localhostgreen src 10.20.20.1
> > > acl localnetgreen src 10.20.20.0/24
> > >
> > > acl SSL_ports port 445 443 441 563
> > > acl Safe_ports port 80                  # http
> > > acl Safe_ports port 81                  # smoothwall http
> > > acl Safe_ports port 21                  # ftp
> > > acl Safe_ports port 445 443 441 563     # https, snews
> > > acl Safe_ports port 70                  # gopher
> > > acl Safe_ports port 210                 # wais
> > > acl Safe_ports port 1025-65535          # unregistered ports
> > > acl Safe_ports port 280                 # http-mgmt
> > > acl Safe_ports port 488                 # gss-http
> > > acl Safe_ports port 591                 # filemaker
> > > acl Safe_ports port 777                 # multiling http
> > >
> > > acl CONNECT method CONNECT
> > >
> > > # TAG: http_access
> > > # ----------------------------------------------------------------
> > >
> > > http_access allow localhost
> > > http_access deny !Safe_ports
> > > http_access deny CONNECT !SSL_ports
> > >
> > > http_access allow localnetgreen
> > > http_access allow CONNECT localnetgreen
> > >
> > > http_access allow localhostgreen
> > > http_access allow CONNECT localhostgreen
> > >
> > > # http_port and https_port
> > > #----------------------------------------------------------------------------
> > >
> > > # For forward-proxy port. Squid uses this port to serve error pages, ftp icons
> > > # and communication with other proxies.
> > > #----------------------------------------------------------------------------
> > > http_port 3127
> > >
> > > http_port 10.20.20.1:800 intercept
> > > https_port 10.20.20.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
> > >
> > > http_port 127.0.0.1:800 intercept
> > >
> > > sslproxy_cert_error allow all
> > > sslproxy_flags DONT_VERIFY_PEER
> > > sslproxy_session_cache_size 4 MB
> > >
> > > ssl_bump none localhostgreen
> > >
> > > acl step1 at_step SslBump1
> > > acl step2 at_step SslBump2
> > > ssl_bump peek step1
> > > ssl_bump bump all
> > >
> > > sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
> > > sslcrtd_children 5
> > >
> > > http_access deny all
> > >
> > > cache_replacement_policy heap GDSF
> > > memory_replacement_policy heap GDSF
> > >
> > > # CACHE OPTIONS
> > > # ----------------------------------------------------------------------------
> > > cache_effective_user squid
> > > cache_effective_group squid
> > >
> > > cache_swap_high 100
> > > cache_swap_low 80
> > >
> > > cache_access_log stdio:/var/log/squid/access.log
> > > cache_log /var/log/squid/cache.log
> > > cache_mem 64 MB
> > >
> > > cache_dir diskd /var/spool/squid/cache 1024 16 256
> > >
> > > maximum_object_size 33 MB
> > >
> > > minimum_object_size 0 KB
> > >
> > > request_body_max_size 0 KB
> > >
> > > # OTHER OPTIONS
> > > # ----------------------------------------------------------------------------
> > > #via off
> > > forwarded_for off
> > >
> > > pid_filename /var/run/squid.pid
> > >
> > > shutdown_lifetime 30 seconds
> > > icp_port 3130
> > >
> > > half_closed_clients off
> > > icap_enable on
> > > icap_send_client_ip on
> > > icap_send_client_username on
> > > icap_client_username_encode off
> > > icap_client_username_header X-Authenticated-User
> > > icap_preview_enable on
> > > icap_preview_size 1024
> > > icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
> > > adaptation_access service_avi_req allow all
> > > icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
> > > adaptation_access service_avi_resp allow all
> > >
> > > umask 022
> > >
> > > logfile_rotate 0
> > >
> > > strip_query_terms off
> > >
> > > redirect_program /usr/sbin/squidGuard
> > > url_rewrite_children 5
> > >
> > > And the cache.log file when starting 3.5.6 with debug options on in squid.conf:
> > >
> > > 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
> > > 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
> > > 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> > > 2015/07/24 17:15:06 kid1| Current Directory is /
> > > 2015/07/24 17:15:06 kid1| Starting Squid Cache version 3.5.6 for i586-pc-linux-gnu...
> > > 2015/07/24 17:15:06 kid1| Service Name: squid
> > > 2015/07/24 17:15:06 kid1| Process ID 2907
> > > 2015/07/24 17:15:06 kid1| Process Roles: worker
> > > 2015/07/24 17:15:06 kid1| With 1024 file descriptors available
> > > 2015/07/24 17:15:06 kid1| Initializing IP Cache...
> > > 2015/07/24 17:15:06 kid1| DNS Socket created at 0.0.0.0, FD 8
> > > 2015/07/24 17:15:06 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
> > > 2015/07/24 17:15:06 kid1| helperOpenServers: Starting 0/5 'squidGuard' processes
> > > 2015/07/24 17:15:06 kid1| helperOpenServers: No 'squidGuard' processes needed.
> > > 2015/07/24 17:15:06 kid1| Logfile: opening log stdio:/var/log/squid/access.log
> > > 2015/07/24 17:15:06 kid1| Unlinkd pipe opened on FD 15
> > > 2015/07/24 17:15:06 kid1| Store logging disabled
> > > 2015/07/24 17:15:06 kid1| Swap maxSize 1048576 + 65536 KB, estimated 85700 objects
> > > 2015/07/24 17:15:06 kid1| Target number of buckets: 4285
> > > 2015/07/24 17:15:06 kid1| Using 8192 Store buckets
> > > 2015/07/24 17:15:06 kid1| Max Mem size: 65536 KB
> > > 2015/07/24 17:15:06 kid1| Max Swap size: 1048576 KB
> > > 2015/07/24 17:15:06 kid1| Rebuilding storage in /var/spool/squid/cache (dirty log)
> > > 2015/07/24 17:15:06 kid1| Using Least Load store dir selection
> > > 2015/07/24 17:15:06 kid1| Current Directory is /
> > > 2015/07/24 17:15:06 kid1| Finished loading MIME types and icons.
> > > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d218 [call5]
> > > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c) [call5]
> > > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d3a8 [call7]
> > > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc) [call7]
> > > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d510 [call9]
> > > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544) [call9]
> > > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d6b0 [call11]
> > > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4) [call11]
> > > 2015/07/24 17:15:06.578 kid1| HTCP Disabled.
> > > 2015/07/24 17:15:06.578 kid1| Squid plugin modules loaded: 0
> > > 2015/07/24 17:15:06.578 kid1| Adaptation support is on
> > > 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
> > > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call5]
> > > 2015/07/24 17:15:06.578 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3127 remote=[::] FD 20 flags=9
> > > 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
> > > 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
> > > 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call7]
> > > 2015/07/24 17:15:06.578 kid1| Accepting NAT intercepted HTTP Socket connections at local=10.20.20.1:800 remote=[::] FD 21 flags=41
> > > 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
> > > 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
> > > 2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call9]
> > > 2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted HTTP Socket connections at local=127.0.0.1:800 remote=[::] FD 22 flags=41
> > > 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
> > > 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
> > > 2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call11]
> > > 2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=10.20.20.1:808 remote=[::] FD 23 flags=41
> > > 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
> > > 2015/07/24 17:15:06.579 kid1| Accepting ICP messages on 0.0.0.0:3130
> > > 2015/07/24 17:15:06.579 kid1| Sending ICP messages from 0.0.0.0:3130
> > > 2015/07/24 17:15:06.579 kid1| Done reading /var/spool/squid/cache swaplog (12 entries)
> > > 2015/07/24 17:15:06.579 kid1| Finished rebuilding storage from disk.
> > > 2015/07/24 17:15:06.579 kid1| 12 Entries scanned
> > > 2015/07/24 17:15:06.579 kid1| 0 Invalid entries.
> > > 2015/07/24 17:15:06.579 kid1| 0 With invalid flags.
> > > 2015/07/24 17:15:06.579 kid1| 12 Objects loaded.
> > > 2015/07/24 17:15:06.579 kid1| 0 Objects expired.
> > > 2015/07/24 17:15:06.579 kid1| 0 Objects cancelled.
> > > 2015/07/24 17:15:06.579 kid1| 0 Duplicate URLs purged.
> > > 2015/07/24 17:15:06.579 kid1| 0 Swapfile clashes avoided.
> > > 2015/07/24 17:15:06.579 kid1| Took 0.06 seconds (210.47 objects/sec).
> > > 2015/07/24 17:15:06.579 kid1| Beginning Validation Procedure
> > > 2015/07/24 17:15:06.579 kid1| Completed Validation Procedure
> > > 2015/07/24 17:15:06.579 kid1| Validated 12 Entries
> > > 2015/07/24 17:15:06.579 kid1| store_swap_size = 1444.00 KB
> > > 2015/07/24 17:15:07 kid1| storeLateRelease: released 0 objects
> > >
> > > Any help or suggestions greatly appreciated.
> > >
> > > Regards
> > >
> > > Stan
> > >
> > > _______________________________________________
> > > squid-users mailing list
> > > squid-users@lists.squid-cache.org
> > > http://lists.squid-cache.org/listinfo/squid-users
> >
> > I do not experience this issue:
> >
> > [18:04:56 jlay:~/nobackup/build$] ps aux | egrep "ssl|squid"
> > root   3173 0.0 0.0 18840   372 ? Ss Jul23 0:00 /opt/sbin/squid
> > nobody 3175 0.0 1.2 52856 39744 ? S  Jul23 0:47 (squid-1)
> > nobody 3177 0.0 0.0  5916  2040 ? S  Jul23 0:05 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> > nobody 3178 0.0 0.0  5828  1840 ? S  Jul23 0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> > nobody 3179 0.0 0.0  5828  1708 ? S  Jul23 0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> > nobody 3180 0.0 0.0  5648   912 ? S  Jul23 0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> > nobody 3181 0.0 0.0  5648   912 ? S  Jul23 0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> >
> > my config line:
> > ./configure --prefix=/opt --with-openssl --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-forwarded-for --with-large-files --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none
> >
> > Squid Cache: Version 3.5.6
> >
> > James
I recall when just starting out with ssl_crtd I had an issue until I set the user running as squid on my ssl_db dir:

drwxr-xr-x 3 nobody root 4096 May 30 17:22 ssl_db

My ssl_crtd lines:

sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5

Hope it helps.

James
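The ownership check James describes, written up as an added example (not his or the Squid project's code): a POSIX shell script that reads cache_effective_user and the -s directory of sslcrtd_program out of a squid.conf and reports whether the account Squid launches ssl_crtd as actually owns the ssl_db directory. The default account "nobody" and the ssl_crtd -c initialisation hint are Squid's documented behaviour; all file paths in the script are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): verify that the
# ssl_db directory passed to ssl_crtd via "-s" is owned by the account named
# in cache_effective_user. Squid drops to that account before starting the
# helpers, so an unwritable ssl_db leaves squid up with no ssl_crtd children.

# Account the helpers run as; Squid's documented default when the directive
# is absent is "nobody" (the owner shown in James's directory listing).
squid_user() {
    awk '$1 == "cache_effective_user" { u = $2 }
         END { print (u == "" ? "nobody" : u) }' "$1"
}

# The directory that follows "-s" on the sslcrtd_program line.
ssl_db_dir() {
    awk '$1 == "sslcrtd_program" {
             for (i = 2; i < NF; i++) if ($i == "-s") { print $(i + 1); exit }
         }' "$1"
}

# Exit 0 when the directory exists and its owner is cache_effective_user,
# 1 with a reason otherwise, 2 if the config does not configure ssl_crtd.
check_ssl_db() {
    conf=$1
    user=$(squid_user "$conf")
    dir=$(ssl_db_dir "$conf")
    if [ -z "$dir" ]; then
        echo "no 'sslcrtd_program ... -s <dir>' in $conf"; return 2
    fi
    uid=$(id -u "$user" 2>/dev/null) || {
        echo "cache_effective_user '$user' is not a local account"; return 1
    }
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist; create it with: ssl_crtd -c -s $dir"; return 1
    fi
    # ls -n is POSIX and prints the numeric owner in field 3.
    owner=$(ls -ldn "$dir" | awk '{ print $3 }')
    if [ "$owner" != "$uid" ]; then
        echo "$dir is owned by uid $owner, but ssl_crtd runs as $user (uid $uid); fix with: chown -R $user $dir"
        return 1
    fi
    echo "ok: $dir is owned by $user"
}

# Usage: sh check_ssl_db.sh /etc/squid/squid.conf   (path is a placeholder)
if [ $# -gt 0 ]; then
    check_ssl_db "$1"
fi
```

A mismatch here is the condition to look for when squid starts but ps shows no (ssl_crtd) children, as in the listing above.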