I'm running Debian Jessie.
Squid 3.5.16 compiled from source with the following:

./configure --build=x86_64-linux-gnu \
--prefix=/usr \
--includedir=${prefix}/include \
--mandir=${prefix}/share/man \
--infodir=${prefix}/share/info \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=${prefix}/lib/squid3 \
--srcdir=. \
--disable-maintainer-mode \
--disable-dependency-tracking \
--disable-silent-rules \
--datadir=/usr/share/squid3 \
--sysconfdir=/etc/squid3 \
--mandir=/usr/share/man \
--enable-inline \
--enable-gnuregex \
--enable-xmalloc-statistics \
--enable-useragent-log \
--enable-kill-parent-hack \
--enable-htpc \
--enable-forw-via-db \
--enable-dl-malloc \
--enable-time-hack \
--enable-err-language=English \
--disable-arch-native \
--enable-async-io=8 \
--enable-storeio=ufs,aufs,diskd,rock \
--enable-removal-policies=lru,heap \
--enable-delay-pools \
--enable-cache-digests \
--enable-icap-client \
--enable-follow-x-forwarded-for \
--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB \
--enable-auth-digest=file,LDAP \
--enable-auth-negotiate=kerberos,wrapper \
--enable-auth-ntlm=fake,smb_lm \
--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group \
--enable-url-rewrite-helpers=fake \
--enable-eui \
--enable-esi \
--enable-icmp \
--enable-zph-qos \
--enable-ecap \
--disable-translation \
--with-swapdir=/var/spool/squid3 \
--with-logdir=/var/log/squid3 \
--with-pidfile=/var/run/squid3.pid \
--with-filedescriptors=65536 \
--with-large-files \
--with-default-user=proxy \
--enable-ssl \
--enable-ssl-crtd \
--enable-wccpv2 \
--with-openssl \
--enable-linux-netfilter \
'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' \
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' \
'CPPFLAGS=-D_FORTIFY_SOURCE=2' \
'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

Here is my squid.conf

#Access Lists
acl internal src 192.168.200.0/21
acl wireless src 192.168.100.0/23

#Ports allowed through Squid
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT

#allow/deny
http_access allow internal
http_access allow wireless
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

#Bumping
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek all
ssl_bump splice all

sslproxy_capath /etc/ssl/certs

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /etc/squid3/ssl_db -M 4MB
sslcrtd_children 5


logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh

#access_log syslog:daemon.info mine
access_log daemon:/var/log/squid3/access.log mine

#intercept
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid3/certs/squid.pem cafile=/etc/squid3/certs/squid.pem key=/etc/squid3/certs/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

#nameservers
dns_nameservers 192.168.201.1 8.8.8.8

#WCCPv2 items
wccp_version 2
wccp2_router 192.168.200.73
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=LNP1
wccp2_service dynamic 70 password=LNP1
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443

-I did initialize the ssl_db
-I did create certs

I'm simply trying to start via: sudo squid. It throws no errors, nothing.
The pid lives for a sec then dies. This is the only log message I get.

Apr  7 11:51:19 LNP-Proxy (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!

I tried deleting and recreating the ssl_db as I saw from a few other posts, did 
not work.

Other info:

Tunnel is up:

gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
wccp0: gre/ip  remote 192.168.200.73  local 192.168.201.248  dev eth3  ttl inherit

Iptables:

bruce@LNP-Proxy:/var/log$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:192.168.201.248:3128
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:192.168.201.248:3129

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

I'm not sure what to even check next.  I can't do a sudo squid -k debug since 
the process doesn't last long enough.

Thanks


Bruce Markey | Network Security Analyst
STEINMAN COMMUNICATIONS
717.291.8758 (o) | bmar...@steinmancommunications.com
8 West King St | PO Box 1328, Lancaster, PA 17608-1328

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
