[squid-users] Help: squid restarts and squidGuard die
Service MV
2018-09-17 15:37:51 UTC
Dear Ones, I draw on your experience in seeking help to determine whether
or not it is possible to achieve the configuration I am looking for, due to
a strange error I am having.

Before commenting on the bug I describe my testing environment:
- A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
- My VM is attached to my domain W2012R2 (following this post
https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/)
to achieve kerberos authentication transparent to the user. SElinux
disabled. Owner permissions to user squid in all folders/files involved.
- squid 3.5.20 installed and working great with kerberos, NTLM and basic
authentication. All authentication mechanisms tested and working great.
- SquidGuard: 1.4 Berkeley DB 5.3.21 installed and working great with
blacklists and acl default.

My problem starts when I try to use source acl using ldapusersearch in
squidGuard...

systemctl status squid:
(squid-1)[12627]: The redirector helpers are crashing too rapidly, need
help!

*squidGuard.conf*

dbhome /etc/squid/db
logdir /var/log/squidGuard
ldapbinddn CN=ldap,OU=SERVICIOS,OU=SISTEMAS,OU=CANAL,OU=MYCOMPANY,DC=mydomain,DC=local
ldapbindpass myULTRAsecretPASS
ldapprotover 3


src WEB_BASIC {
ldapusersearch ldap://dc-1.mydomain.local:3268/dc=mydomain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=WEB_BASIC%2cou=INTERNET%2cou=PERMISOS%2cou=MYCOMPANY%2cdc=mydomain%2cdc=local))
log block.log
}

dest BL_adv {
domainlist adv/domains
urllist adv/urls
log block.log
}

dest BL_aggressive {
domainlist aggressive/domains
urllist aggressive/urls
log block.log
}
#
dest BL_alcohol {
domainlist alcohol/domains
urllist alcohol/urls
log block.log
}
#
dest BL_anonvpn {
domainlist anonvpn/domains
urllist anonvpn/urls
log block.log
}
#
dest BL_chat {
domainlist chat/domains
urllist chat/urls
log block.log
}
#
dest BL_costtraps {
domainlist costtraps/domains
urllist costtraps/urls
log block.log
}
#
dest BL_downloads {
domainlist downloads/domains
urllist downloads/urls
log block.log
}
#
dest BL_drugs {
domainlist drugs/domains
urllist drugs/urls
log block.log
}
#
dest BL_dynamic {
domainlist dynamic/domains
log block.log
}
#
dest BL_fortunetelling {
domainlist fortunetelling/domains
urllist fortunetelling/urls
log block.log
}
#
dest BL_gamble {
domainlist gamble/domains
urllist gamble/urls
log block.log
}
#
dest BL_government {
domainlist government/domains
urllist government/urls
log block.log
}
#
dest BL_hacking {
domainlist hacking/domains
urllist hacking/urls
log block.log
}
#
dest BL_hobby_games-misc {
domainlist hobby/games-misc/domains
urllist hobby/games-misc/urls
log block.log
}
#
dest BL_hobby_games-online {
domainlist hobby/games-online/domains
urllist hobby/games-online/urls
log block.log
}
#
dest BL_movies {
domainlist movies/domains
urllist movies/urls
log block.log
}
#
dest BL_music {
domainlist music/domains
urllist music/urls
log block.log
}
#
dest BL_porn {
domainlist porn/domains
urllist porn/urls
log block.log
}
#
dest BL_radiotv {
domainlist radiotv/domains
urllist radiotv/urls
log block.log
}
#
dest BL_redirector {
domainlist redirector/domains
urllist redirector/urls
log block.log
}
#
dest BL_remotecontrol {
domainlist remotecontrol/domains
urllist remotecontrol/urls
log block.log
}
#
dest BL_ringtones {
domainlist ringtones/domains
urllist ringtones/urls
log block.log
}
#
dest BL_socialnet {
domainlist socialnet/domains
urllist socialnet/urls
log block.log
}
#
dest BL_spyware {
domainlist spyware/domains
urllist spyware/urls
log block.log
}
#
dest BL_tracker {
domainlist tracker/domains
urllist tracker/urls
log block.log
}
#
dest BL_updatesites {
domainlist updatesites/domains
urllist updatesites/urls
log block.log
}
#
dest BL_violence {
domainlist violence/domains
urllist violence/urls
log block.log
}
#
dest BL_warez {
domainlist warez/domains
urllist warez/urls
log block.log
}
#
dest BL_weapons {
domainlist weapons/domains
urllist weapons/urls
log block.log
}
#
dest BL_webphone {
domainlist webphone/domains
urllist webphone/urls
log block.log
}
#
dest BL_webradio {
domainlist webradio/domains
urllist webradio/urls
log block.log
}
#
dest BL_WEBTV {
domainlist webtv/domains
urllist webtv/urls
log block.log
}


dest whitelist {
domainlist whitelist/domains
log block.log
}

dest blacklist {
domainlist blacklist/domains
log block.log
}


acl {

WEB_BASIC {
pass whitelist !BL_porn !blacklist all
redirect http://s-server1.mydomain.local/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
log block.log
}

default {
pass !blacklist all
redirect http://s-server1.mydomain.local/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
log block.log
}

}


*squidGuard.log*

2018-09-17 11:13:39 [12663] New setting: dbhome: /etc/squid/db
2018-09-17 11:13:39 [12663] New setting: logdir: /var/log/squidGuard
2018-09-17 11:13:39 [12663] New setting: ldapbinddn:
CN=ldap,OU=SERVICIOS,OU=SISTEMAS,OU=CANAL,OU=MYCOMPANY,DC=mydomain,DC=local
2018-09-17 11:13:39 [12663] New setting: ldapbindpass: myULTRAsecretPASS
2018-09-17 11:13:39 [12663] New setting: ldapprotover: 3
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/adv/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/adv/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/adv/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/adv/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/aggressive/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/aggressive/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/aggressive/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/aggressive/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/alcohol/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/alcohol/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/alcohol/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/alcohol/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/anonvpn/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/anonvpn/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/anonvpn/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/anonvpn/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/chat/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/chat/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/chat/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/chat/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/costtraps/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/costtraps/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/costtraps/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/costtraps/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/downloads/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/downloads/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/downloads/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/downloads/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/drugs/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/drugs/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/drugs/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/drugs/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/dynamic/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/dynamic/domains.db
2018-09-17 11:13:39 [12663] init domainlist
/etc/squid/db/fortunetelling/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/fortunetelling/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/fortunetelling/urls
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/fortunetelling/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/gamble/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/gamble/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/gamble/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/gamble/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/government/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/government/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/government/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/government/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/hacking/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/hacking/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/hacking/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/hacking/urls.db
2018-09-17 11:13:39 [12663] init domainlist
/etc/squid/db/hobby/games-misc/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/hobby/games-misc/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/hobby/games-misc/urls
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/hobby/games-misc/urls.db
2018-09-17 11:13:39 [12663] init domainlist
/etc/squid/db/hobby/games-online/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/hobby/games-online/domains.db
2018-09-17 11:13:39 [12663] init urllist
/etc/squid/db/hobby/games-online/urls
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/hobby/games-online/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/movies/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/movies/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/movies/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/movies/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/music/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/music/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/music/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/music/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/porn/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/porn/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/porn/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/porn/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/radiotv/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/radiotv/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/radiotv/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/radiotv/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/redirector/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/redirector/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/redirector/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/redirector/urls.db
2018-09-17 11:13:39 [12663] init domainlist
/etc/squid/db/remotecontrol/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/remotecontrol/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/remotecontrol/urls
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/remotecontrol/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/ringtones/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/ringtones/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/ringtones/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/ringtones/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/socialnet/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/socialnet/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/socialnet/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/socialnet/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/spyware/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/spyware/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/spyware/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/spyware/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/tracker/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/tracker/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/tracker/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/tracker/urls.db
2018-09-17 11:13:39 [12663] init domainlist
/etc/squid/db/updatesites/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/updatesites/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/updatesites/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/updatesites/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/violence/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/violence/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/violence/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/violence/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/warez/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/warez/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/warez/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/warez/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/weapons/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/weapons/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/weapons/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/weapons/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/webphone/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/webphone/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/webphone/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/webphone/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/webradio/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/webradio/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/webradio/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/webradio/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/webtv/domains
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/webtv/domains.db
2018-09-17 11:13:39 [12663] init urllist /etc/squid/db/webtv/urls
2018-09-17 11:13:39 [12663] loading dbfile /etc/squid/db/webtv/urls.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/whitelist/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/whitelist/domains.db
2018-09-17 11:13:39 [12663] init domainlist /etc/squid/db/blacklist/domains
2018-09-17 11:13:39 [12663] loading dbfile
/etc/squid/db/blacklist/domains.db
2018-09-17 11:13:39 [12663] logfile not allowed in acl other than default
2018-09-17 11:13:39 [12663] squidGuard 1.4 started (1537193619.900)
2018-09-17 11:13:39 [12663] squidGuard ready for requests (1537193619.903)

*squid.conf*

acl localnet src 10.10.8.0/22 # LAN net
acl dmz src 192.168.20.0/27 # DMZ net

### negotiate kerberos & ntlm authentication
auth_param negotiate program /usr/sbin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on

### basic authentication for not kerberos or ntlm authenticated users
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=mydomain,dc=local" -D "***@mydomain.local" -w " myULTRAsecretPASS " -f sAMAccountName=%s -h dc-1.mydomain.local
auth_param basic children 10
auth_param basic realm Identifiquese
auth_param basic credentialsttl 4 hours

### standard allowed ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

### acl for proxy authentication (kerberos or ntlm) and ldap authorizations
acl auth proxy_auth REQUIRED

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS

### enforce authentication
http_access allow auth
http_access deny !auth

### standard access rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow dmz
http_access allow localhost
http_access deny all

### OPCIONES VARIAS ###
http_port 8080
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
read_timeout 5 minutes
request_timeout 3 minutes
half_closed_clients off
shutdown_lifetime 15 seconds
log_icp_queries off
dns_v4_first on
ipcache_size 2048
ipcache_low 90
fqdncache_size 4096
forwarded_for off
cache_mgr ***@mydomain.com
visible_hostname eren
httpd_suppress_version_string on
uri_whitespace strip


## squidGuard ##
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 10 startup=5 idle=1 concurrency=0
url_rewrite_bypass off


*cache.log*

Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.070 seconds = 0.055 user + 0.015 sys
Maximum Resident Size: 68768 KB
Page faults with physical i/o: 0
2018/09/17 11:13:36 kid1| Starting Squid Cache version 3.5.20 for
x86_64-redhat-linux-gnu...
2018/09/17 11:13:36 kid1| Service Name: squid
2018/09/17 11:13:36 kid1| Starting new negotiateauthenticator helpers...
2018/09/17 11:13:36 kid1| Starting new negotiateauthenticator helpers...
2018/09/17 11:13:36| negotiate_kerberos_auth: INFO: User my.name
authenticated
2018/09/17 11:13:36 kid1| WARNING: redirector #Hlpr1 exited
FATAL: The redirector helpers are crashing too rapidly, need help!

Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.086 seconds = 0.057 user + 0.029 sys
Maximum Resident Size: 68752 KB
Page faults with physical i/o: 0
2018/09/17 11:13:36| negotiate_kerberos_auth: INFO: User my.name
authenticated
2018/09/17 11:13:39 kid1| Starting Squid Cache version 3.5.20 for
x86_64-redhat-linux-gnu...
2018/09/17 11:13:39 kid1| Service Name: squid

*access.log*

1537193586.999 0 10.10.11.154 TCP_DENIED/407 4137 CONNECT www.google.com.ar:443 - HIER_NONE/- text/html
1537193587.242 0 10.10.11.154 TCP_DENIED/407 4185 CONNECT clientservices.googleapis.com:443 - HIER_NONE/- text/html
1537193587.269 0 10.10.11.154 TCP_DENIED/407 4145 CONNECT accounts.google.com:443 - HIER_NONE/- text/html
1537193587.269 0 10.10.11.154 TCP_DENIED/407 4137 CONNECT www.google.com.ar:443 - HIER_NONE/- text/html
1537193613.322 0 10.10.11.154 TCP_DENIED/407 4185 CONNECT clientservices.googleapis.com:443 - HIER_NONE/- text/html
1537193616.653 1 10.10.11.154 TCP_DENIED/407 4125 CONNECT www.clarin.com:443 - HIER_NONE/- text/html
1537193616.732 0 10.10.11.154 TCP_DENIED/407 4145 CONNECT accounts.google.com:443 - HIER_NONE/- text/html
1537193616.749 1 10.10.11.154 TCP_DENIED/407 4137 CONNECT www.google.com.ar:443 - HIER_NONE/- text/html

*messages*

Sep 17 11:13:07 proxy kernel: squidGuard[12552]: segfault at
ffffffffd7706bb0 ip 00007fdbf2052e70 sp 00007fffd1b73c70 error 5 in
libldap-2.4.so.2.10.7[7fdbf2027000+52000]
Sep 17 11:13:07 proxy kernel: squidGuard[12553]: segfault at
ffffffffa3d27bb0 ip 00007fd79b787e70 sp 00007ffe47e9b880 error 5 in
libldap-2.4.so.2.10.7[7fd79b75c000+52000]
Sep 17 11:13:07 proxy (squid-1): The redirector helpers are crashing too
rapidly, need help!
Sep 17 11:13:07 proxy squid[12549]: Squid Parent: (squid-1) process 12551
exited with status 1
Sep 17 11:13:10 proxy squid[12549]: Squid Parent: (squid-1) process 12627
started
Sep 17 11:13:33 proxy kernel: squidGuard[12628]: segfault at 1fbd2bb0 ip
00007f452b305e70 sp 00007ffda8c714b0 error 4 in
libldap-2.4.so.2.10.7[7f452b2da000+52000]
Sep 17 11:13:33 proxy (squid-1): The redirector helpers are crashing too
rapidly, need help!
Sep 17 11:13:33 proxy squid[12549]: Squid Parent: (squid-1) process 12627
exited with status 1
Sep 17 11:13:36 proxy squid[12549]: Squid Parent: (squid-1) process 12643
started
Sep 17 11:13:36 proxy kernel: squidGuard[12644]: segfault at 540fdbb0 ip
00007fab84f2de70 sp 00007ffc1aa8d2a0 error 4 in
libldap-2.4.so.2.10.7[7fab84f02000+52000]
Sep 17 11:13:36 proxy (squid-1): The redirector helpers are crashing too
rapidly, need help!
Sep 17 11:13:36 proxy squid[12549]: Squid Parent: (squid-1) process 12643
exited with status 1
Sep 17 11:13:39 proxy squid[12549]: Squid Parent: (squid-1) process 12658
started


If I disable src and acl WEB_BASIC I have no problem. The default acl does
its thing without problems.
But when I enable src and acl WEB_BASIC squidGuard explodes and squid
restarts so I get to notice.
I see an error in a libldap library... Will it be a library error? Or am I
misconfiguring my squid ?

Just in case, I've checked the URLs of the LDAP queries more than ten times
(, %2c, etc.)

Thank you very much for any help you can give me.
Best regards

Gabriel
Amos Jeffries
2018-09-17 18:38:06 UTC
Post by Service MV
Dear Ones, I draw on your experience in seeking help to determine
whether or not it is possible to achieve the configuration I am looking
for, due to a strange error I am having.
FYI: SquidGuard has not been maintained for many years now.

I recommend you convert as many of your filtering rules as you can into
normal Squid ACLs. Traffic which is being blocked for simple reasons can
be done much more efficiently by Squid than a helper.

You can use the more up-to-date ufdbguard helper as a drop-in
replacement for squidguard during the conversion.
Post by Service MV
- A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
- My VM is attached to my domain W2012R2 (following this post
https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/)
to achieve kerberos authentication transparent to the user. SElinux
disabled. Owner permissions to user squid in all folders/files involved.
- squid 3.5.20 installed and working great with kerberos, NTLM and basic
authentication. All authentication mechanisms tested and working great.
- SquidGuard: 1.4 Berkeley DB 5.3.21 installed and working great with
blacklists and acl default.
My problem starts when I try to use source acl using ldapusersearch in
squidGuard... 
(squid-1)[12627]: The redirector helpers are crashing too rapidly, need
help!
*squidGuard.conf*
dbhome /etc/squid/db
logdir /var/log/squidGuard
ldapbinddn CN=ldap,OU=SERVICIOS,OU=SISTEMAS,OU=CANAL,OU=MYCOMPANY,DC=mydomain,DC=local
ldapbindpass myULTRAsecretPASS
ldapprotover 3
src WEB_BASIC {
ldapusersearch ldap://dc-1.mydomain.local:3268/dc=mydomain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=WEB_BASIC%2cou=INTERNET%2cou=PERMISOS%2cou=MYCOMPANY%2cdc=mydomain%2cdc=local))
log block.log
}
...
Post by Service MV
acl {
WEB_BASIC{
pass whitelist !BL_porn !blacklist all
redirect http://s-server1.mydomain.local/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
log block.log
}
...
Post by Service MV
*squid.conf*
acl localnet src 10.10.8.0/22 # LAN net
acl dmz src 192.168.20.0/27 # DMZ net
These ACLs are never used due to what you are doing with the "auth" ACL.

...
Post by Service MV
### acl for proxy authentication (kerberos or ntlm) and ldap authorizations
acl auth proxy_auth REQUIRED
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
These have nothing to do with redirects and are never used.
Post by Service MV
### enforce authentication
http_access allow auth 
http_access deny !auth
All possible traffic will match either "auth" or "!auth" above.

That means no http_access rules following this point do anything.
Post by Service MV
### standard access rules
http_access deny !Safe_ports 
http_access deny CONNECT !SSL_ports 
http_access allow localhost manager 
http_access deny manager
Your custom http_access rules (eg the auth checks) should be down here
so the basic security rules above have a chance to protect your proxy
against DoS, traffic smuggling attacks etc. before more complicated and
resource consuming things happen.
Post by Service MV
http_access allow localnet
http_access allow dmz
http_access allow localhost 
http_access deny all
...
Post by Service MV
visible_hostname eren
The hostname needs to be a FQDN. It is delivered to clients in URLs
generated by Squid so they can fetch objects directly from the proxy.

FYI: Squid-3 should be able to automatically locate the hostname of the
machine it is running on. If that is not working then you need to fix
your machine, other software will be using the same mechanism and
likewise be encountering problems.
Post by Service MV
httpd_suppress_version_string on 
uri_whitespace strip
## squidGuard ##
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 10 startup=5 idle=1 concurrency=0
url_rewrite_bypass off
Your traffic in your access.log is all CONNECT requests. Those messages
cannot be re-written by SquidGuard. So at the very least you require
this config line:

url_rewrite_access deny CONNECT


.. at this point you may notice your SG rules have no effect. This is
one of many reasons why you should do access control in the proxy
config, not externally in a complicated and slow helper.
Post by Service MV
*messages*
Sep 17 11:13:07 proxy kernel: squidGuard[12552]: segfault at
ffffffffd7706bb0 ip 00007fdbf2052e70 sp 00007fffd1b73c70 error 5 in
libldap-2.4.so.2.10.7[7fdbf2027000+52000]
Sep 17 11:13:07 proxy kernel: squidGuard[12553]: segfault at
ffffffffa3d27bb0 ip 00007fd79b787e70 sp 00007ffe47e9b880 error 5 in
libldap-2.4.so.2.10.7[7fd79b75c000+52000]
...
Post by Service MV
If I disable src and acl WEB_BASIC I have no problem. The default acl
does its thing without problems.
But when I enable src and acl WEB_BASIC squidGuard explodes and squid
restarts so I get to notice.
I see an error in a libldap library... Will it be a library error? Or am
I misconfiguring my squid ?
It is not a Squid error. It is something in SquidGuard and/or the library.

Amos
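The rule-order point above, as an added example that is not part of the thread and not Squid project code: a small Python model of how Squid walks an access list (first line whose ACLs all match decides; if no line matches, the opposite of the last line's action applies), run over constructed requests against the http_access lines exactly as posted and against a reordered list. The reordered list is one reading of the advice given above (the cheap protective denies first, then "deny !auth", then the network allows, with the redundant "allow auth" dropped) and is an assumption, not something the thread spells out. The ACL predicates are simplified stand-ins for Squid's real ACL types, and the same evaluator is applied to "url_rewrite_access deny CONNECT" to show that CONNECT requests never reach the helper while everything else still does.

```python
"""Added example: first-match evaluation of Squid access lists.

Models how Squid walks http_access / url_rewrite_access lines: the first
line whose ACLs all match decides; when no line matches, the opposite of
the last line's action applies. The ACL predicates below are simplified
stand-ins for Squid's real ACL types (assumption, not Squid code).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str            # HTTP method, e.g. "GET" or "CONNECT"
    port: int              # destination port of the request URL
    src: str               # client IP address
    authenticated: bool    # proxy_auth REQUIRED succeeded
    manager: bool = False  # cache-manager request (Squid's "manager" ACL)


def _in_net(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


# ACL names and definitions as in the posted squid.conf.
ACLS = {
    "localnet": lambda r: _in_net(r.src, "10.10.8.0/22"),
    "dmz": lambda r: _in_net(r.src, "192.168.20.0/27"),
    "localhost": lambda r: _in_net(r.src, "127.0.0.0/8"),
    "SSL_ports": lambda r: r.port == 443,
    "Safe_ports": lambda r: r.port in {80, 21, 443, 70, 210, 280, 488, 591, 777}
    or 1025 <= r.port <= 65535,
    "CONNECT": lambda r: r.method == "CONNECT",
    "auth": lambda r: r.authenticated,
    "manager": lambda r: r.manager,
    "all": lambda r: True,
}


def _acl_matches(name: str, req: Request) -> bool:
    negated = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negated


def decide(rules, req: Request) -> str:
    """Return "allow" or "deny" for req under a list of (action, [acl, ...]) lines."""
    for action, acl_names in rules:
        if all(_acl_matches(n, req) for n in acl_names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# http_access lines exactly as posted: the auth pair comes first, so every
# request is decided there and the protective lines below it never run.
ORIGINAL = [
    ("allow", ["auth"]),
    ("deny", ["!auth"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["dmz"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# Reordered along the lines of the advice in the thread (assumed concrete
# form): cheap denies first, then the authentication requirement, then the
# network allows. "allow auth" is dropped so localnet/dmz actually restrict
# where authenticated clients may come from.
REORDERED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("deny", ["!auth"]),
    ("allow", ["localnet"]),
    ("allow", ["dmz"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# url_rewrite_access deny CONNECT: CONNECT never reaches the helper; any
# other request falls off the end and gets the opposite of "deny".
URL_REWRITE = [("deny", ["CONNECT"])]


if __name__ == "__main__":
    # Constructed sample requests; 10.10.11.154 is the client seen in the posted access.log.
    samples = [
        Request("CONNECT", 25, "10.10.11.154", True),           # tunnel to a non-SSL port
        Request("GET", 80, "172.16.0.5", True),                  # authenticated, but off-LAN
        Request("GET", 8080, "10.10.11.154", True, manager=True),  # cache manager from the LAN
        Request("GET", 80, "10.10.11.154", False),               # no credentials
        Request("GET", 80, "10.10.11.154", True),                # the normal case
    ]
    for r in samples:
        print(f"{r.method:7} :{r.port:<5} {r.src:14} auth={r.authenticated!s:5} "
              f"manager={r.manager!s:5} original={decide(ORIGINAL, r):5} "
              f"reordered={decide(REORDERED, r):5} "
              f"rewriter={decide(URL_REWRITE, r)}")
```

With the posted order an authenticated client can CONNECT to port 25 and can reach the cache manager from any address, because "allow auth" decides before the protective lines are consulted; with the reordered list both are denied and the localnet/dmz allows finally do something. The rewriter list shows the effect of "url_rewrite_access deny CONNECT": CONNECT is kept away from the helper, plain GET requests still go to it.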
Flashdown
2018-09-17 23:10:54 UTC
Just want to add, I use SquidGuard in two high-load setups and never ran into issues. I didn't integrate it as a URL rewrite helper but as an external ACL helper, and it works great with 800 users.
neok
2018-09-18 13:54:15 UTC
Permalink
Thank you very much Amos for putting me in the right direction.
I successfully carried out the modifications you indicated to me.
Regarding ufdbGuard, if I understood correctly, what you recommend is to use
the ufdbConvertDB tool to convert my blacklists in plain text to the
ufdbGuard database format? And then use that/those databases in normal squid
ACL's?



Amos Jeffries
2018-09-19 02:03:39 UTC
Permalink
Post by neok
Thank you very much Amos for putting me in the right direction.
I successfully carried out the modifications you indicated to me.
Regarding ufdbGuard, if I understood correctly, what you recommend is to use
the ufdbConvertDB tool to convert my blacklists in plain text to the
ufdbGuard database format? And then use that/those databases in normal squid
ACL's?
No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
replacement which works better while you improve your config.

You should work towards less complexity. Squid / squid.conf is where
HTTP access control takes place. The helper is about re-writing the URL
(only) - which is a complex and destructive process.

Amos
Enrico Heine
2018-09-19 08:08:40 UTC
Permalink
Thank you for this information Amos! :) I had ufdbguard as possible replacement in my list, your info about it being a fork, is the reason that I will switch to it soon. Thanks :)
--
This message was sent from my Android device with K-9 Mail.
Marcus Kool
2018-09-19 11:49:37 UTC
Permalink
Post by Amos Jeffries
Post by neok
Thank you very much Amos for putting me in the right direction.
I successfully carried out the modifications you indicated to me.
Regarding ufdbGuard, if I understood correctly, what you recommend is to use
the ufdbConvertDB tool to convert my blacklists in plain text to the
ufdbGuard database format? And then use that/those databases in normal squid
ACL's?
No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
replacement which works better while you improve your config.
You should work towards less complexity. Squid / squid.conf is where
HTTP access control takes place. The helper is about re-writing the URL
(only) - which is a complex and destructive process.
ufdbGuard is a simple tool that has the same syntax in its configuration file as squidGuard has.
It is far from complex, has a great Reference Manual, example config file and a responsive support desk.
Amos, I have never seen you call a URL writer a complex and destructive process. What do you mean?

URL rewriters have been used for decades for HTTP access control but you state "squid.conf is where HTTP access control takes place".
Are you saying that you want it to be the _only_ place for HTTP access control?

Marcus
Post by Amos Jeffries
Amos
Amos Jeffries
2018-09-20 11:46:14 UTC
Permalink
Post by Marcus Kool
Post by Amos Jeffries
Post by neok
Thank you very much Amos for putting me in the right direction.
I successfully carried out the modifications you indicated to me.
Regarding ufdbGuard, if I understood correctly, what you recommend is to use
the ufdbConvertDB tool to convert my blacklists in plain text to the
ufdbGuard database format? And then use that/those databases in normal squid
ACL's?
No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
replacement which works better while you improve your config.
You should work towards less complexity. Squid / squid.conf is where
HTTP access control takes place. The helper is about re-writing the URL
(only) - which is a complex and destructive process.
ufdbGuard is a simple tool that has the same syntax in its configuration
file as squidGuard has.
It is far from complex, has a great Reference Manual, example config
file and a responsive support desk.
Amos, I have never seen you call a URL writer a complex and
destructive process.  What do you mean?
Re-writing requires Squid to:
* fork external helpers, and
* maintain queues of lookups to those helpers, and
* maintain cache of helper responses, and
* maintain a whole extra copy of HTTP-request state, and
* copy some (not all) of that state info between the two "client" requests.

... lots of complexity, memory, CPU time, traffic latency, etc.

Also when used for access control (re-write to an "error" URL) the
re-write helper needs extra complexity in itself to act as the altered
origin server for error pages, or have some fourth-party web server.
Post by Marcus Kool
URL rewriters have been used for decades for HTTP access control but you
state "squid.conf is where HTTP access control takes place".
Once upon a time, back at the dawn of the WWW (before the 1990s) Squid
lacked external_acl_type and modular ACLs.

That persisted for the first decade or so of Squid's life, with only the
re-write API for admin to use for complicated permissions.

Then one day about 2 decades or so ago, external ACL was added and the
ACLs were also made much easier to implement and plug in new checks.
Today we have hundreds of native ACLs and even a selection of custom ACL
helpers. Making the need for these abuses of the poor re-writers.

Old habits and online tutorials however are hard to get rid of.
Post by Marcus Kool
Are you saying that you want it to be the _only_ place for HTTP access control?
I'm saying the purpose of the url_rewrite_* API in Squid is to tell
Squid whether the URL (only) needs some mangling in order for the
server/origin to understand it.
It can re-write transparently with all the problems that causes to
security scopes and URL sync between the endpoints. Or redirect the
client to the "correct" URL.


The Squid http_access and similar *access controls* are the place for
access control - hint is in the naming. With external ACL type for
anything Squid does not support natively or well. As Flashdown mentioned
even calls to SquidGuard etc. can be wrapped and used as external ACLs.


Amos
Flashdown
2018-09-20 12:40:28 UTC
Permalink
Post by Amos Jeffries
I'm saying the purpose of the url_rewrite_* API in Squid is to tell
Squid whether the URL (only) needs some mangling in order for the
server/origin to understand it.
It can re-write transparently with all the problems that causes to
security scopes and URL sync between the endpoints. Or redirect the
client to the "correct" URL.
The Squid http_access and similar *access controls* are the place for
access control - hint is in the naming. With external ACL type for
anything Squid does not support natively or well. As Flashdown
mentioned
even calls to SquidGuard etc. can be wrapped and used as external ACLs.
Just want to add, in the beginning I thought about using a wrapper or
writing one but as I found out during testing during this time,
SquidGuard gives back the right responses to Squid, so a wrapper was not
needed, and the rewrite added in such a response is simply ignored by
Squid and it works like a charm, hope ufdbguard can be used as external
acl helper natively as well. My config line:
external_acl_type squidguard ipv4 concurrency=0 children-max=XXX
children-startup=XX ttl=60 %URI %SRC %{-} %un %METHOD
/usr/bin/squidGuard

Taken out from my internal documentation:

"Manual testing:

echo "website.com 10.0.0.1/ - - GET" | squidGuard

Explanation of Responses:

ERR tells us: The access was not denied by SquidGuard, so whether it's
not part of the blacklists or it is listed in the whitelist
BH message=“squidGuard error parsing squid line” tells us: there was
an error when checking your input, maybe you had a syntax error or there
is an issue in SquidGuard, the message param gives more insight.
OK rewrite-url=“https://127.0.0.1/” tells us: the item was found on
the blacklists and is blocked. BTW Squid only sees the OK and ignores
the rewrite command, since we didn't integrate it as an URL-rewrite
program which would have many disadvantages.

PS: This is just how an external ACL Helper for Squid must work/respond.
So Squid only takes ERR and BH including the message and OK. That's why I
was able to implement it this way without writing a wrapper for it. "

Hope it helps and hope I can do the same with ufdbguard, the SquidGuard
Version I use is the latest one from the official Debian Repositories.



---
Best regards,
Flashdown
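The helper protocol Flashdown describes can be seen end to end in a small helper of our own. What follows is an added example written for this page, not SquidGuard's or Squid's code. It accepts the five-field line shape of the manual test above (URI, source address, ident, username, method; the third field is assumed to be the `-` ident placeholder), answers `ERR`, `OK` or `BH` the way an external ACL helper must, and also makes Amos's earlier `url_rewrite_access deny CONNECT` point concrete: for CONNECT, `%URI` carries only `host:port`, so there is no URL for a rewriter to mangle, but a host check is still possible on the external ACL interface. The block list, the block page URL and all `.example` hosts are constructed.

```python
"""Minimal Squid external_acl_type helper in the response dialect described
above (ERR / OK / BH).  Added example, not SquidGuard's or Squid's code."""
import sys
from urllib.parse import urlsplit

# Constructed block list in Squid dstdomain style: a leading dot matches the
# domain and every subdomain, a bare name matches that host only.
BLOCKED = (".ads.example", ".tracker.example", "exact.example")

# Where SquidGuard would redirect to.  On an external ACL Squid only looks at
# OK/ERR/BH; rewrite-url is kept purely for parity with SquidGuard's output.
BLOCK_PAGE = "https://127.0.0.1/"   # assumption: local block page


def host_of(uri, method):
    """Host from what Squid passed as %URI.  For CONNECT there is no URL,
    only an authority (host:port), which is why a URL rewriter cannot act
    on it while a host check still can."""
    if method.upper() == "CONNECT" or "://" not in uri:
        authority = uri.rsplit(":", 1)[0] if ":" in uri else uri
        return authority.strip("[]").lower()
    return (urlsplit(uri).hostname or "").lower()


def is_blocked(host):
    """dstdomain semantics: '.x' matches x and *.x, 'x' matches x only."""
    for entry in BLOCKED:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def decide(line):
    """One request line in, one protocol answer out.  Field order follows the
    external_acl_type format in the post above: %URI %SRC ident %un %METHOD."""
    fields = line.split()
    if len(fields) != 5:
        # BH = helper broke, not a verdict; Squid treats it as an error, not as ERR
        return 'BH message="helper: expected 5 fields, got %d"' % len(fields)
    uri, src, ident, user, method = fields
    host = host_of(uri, method)
    if not host:
        # do not echo the URI back: a '"' in it would corrupt the reply framing
        return 'BH message="helper: could not parse host from URI"'
    if is_blocked(host):
        return 'OK rewrite-url="%s"' % BLOCK_PAGE   # OK = matched, so use it in a deny rule
    return "ERR"


def main():
    # concurrency=0 as in the config above: no channel-id prefix, one answer per line.
    for line in sys.stdin:
        sys.stdout.write(decide(line.strip()) + "\n")
        sys.stdout.flush()   # Squid blocks on each answer; never leave it buffered


if __name__ == "__main__":
    main()
```

Wired into squid.conf it takes the place of `/usr/bin/squidGuard` in an `external_acl_type` line like Flashdown's, followed by an `acl` of type `external` and an `http_access deny` on that acl placed before the allow rules (acl and file names are the reader's choice). Because `OK` means "matched the list", the acl only makes sense in a deny rule; putting it in an allow rule would invert the policy.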
Marcus Kool
2018-09-20 15:46:56 UTC
Permalink
Post by Amos Jeffries
Post by Marcus Kool
Post by Amos Jeffries
Post by neok
Thank you very much Amos for putting me in the right direction.
I successfully carried out the modifications you indicated to me.
Regarding ufdbGuard, if I understood correctly, what you recommend is to use
the ufdbConvertDB tool to convert my blacklists in plain text to the
ufdbGuard database format? And then use that/those databases in normal squid
ACL's?
No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
replacement which works better while you improve your config.
You should work towards less complexity. Squid / squid.conf is where
HTTP access control takes place. The helper is about re-writing the URL
(only) - which is a complex and destructive process.
ufdbGuard is a simple tool that has the same syntax in its configuration
file as squidGuard has.
It is far from complex, has a great Reference Manual, example config
file and a responsive support desk.
Amos, I have never seen you call a URL writer a complex and
destructive process.  What do you mean?
* fork external helpers, and
* maintain queues of lookups to those helpers, and
* maintain cache of helper responses, and
* maintain a whole extra copy of HTTP-request state, and
* copy some (not all) of that state info between the two "client" requests.
... lots of complexity, memory, CPU time, traffic latency, etc.
Squid itself is complex and for any feature of Squid one can make a list like above to say that it is complex.
The fact that one can make such a list does not mean much to me.
One can make the same or a similar list for external acl helpers and even native acls.
Post by Amos Jeffries
Also when used for access control (re-write to an "error" URL) the
re-write helper needs extra complexity in itself to act as the altered
origin server for error pages, or have some fourth-party web server.
Squid cannot do everything that a URL writer, and specifically ufdbGuard, can.
For example, Squid must restart and break all open connections when a tiny detail of the configuration changes. With ufdbGuard this does not happen.
ufdbGuard supports dynamic lists of users, domains and source ip addresses which are updated every X minutes without any service interruption.
When other parameters change, ufdbGuard resets itself with zero service interruption for Squid and its users.
ufdbGuard can decide to probe a site to make a decision, and hence detect Skype, Teamviewer and other types of sites that an admin might want to block. Squid cannot.
ufdbGuard can decide to do a lookup of a reverse IP lookup to make a decision. Squid cannot.
ufdbGuard supports complex time restrictions for access. Squid supports simple time restrictions.
ufdbGuard supports flat file domain/url lists and a commercial URL database. Squid does not.
And the list goes on.

So when you state on the mailing list that users should unconditionally stop using a URL writer in favor of using Squid acls, you may be causing troubles for admins who do not know the implications of
your advice.
Post by Amos Jeffries
Post by Marcus Kool
URL rewriters have been used for decades for HTTP access control but you
state "squid.conf is where HTTP access control takes place".
Once upon a time, back at the dawn of the WWW (before the 1990s) Squid
lacked external_acl_type and modular ACLs.
That persisted for the first decade or so of Squid's life, with only the
re-write API for admin to use for complicated permissions.
Then one day about 2 decades or so ago, external ACL was added and the
ACLs were also made much easier to implement and plug in new checks.
Today we have hundreds of native ACLs and even a selection of custom ACL
helpers. Making the need for these abuses of the poor re-writers.
Old habits and online tutorials however are hard to get rid of.
If you want to get rid of habits that in your view are old/obsolete, then why not start a discussion?
And in the event that at the end of the discussion, the decision is made that a particular interface should be removed, why not phase it out ?
Post by Amos Jeffries
Post by Marcus Kool
Are you saying that you want it to be the _only_ place for HTTP access control?
I'm saying the purpose of the url_rewrite_* API in Squid is to tell
Squid whether the URL (only) needs some mangling in order for the
server/origin to understand it.
It can re-write transparently with all the problems that causes to
security scopes and URL sync between the endpoints. Or redirect the
client to the "correct" URL.
The Squid http_access and similar *access controls* are the place for
access control - hint is in the naming. With external ACL type for
anything Squid does not support natively or well. As Flashdown mentioned
even calls to SquidGuard etc. can be wrapped and used as external ACLs.
Wrapping and external ACLs add the same complexity, memory, CPU time, traffic latency, etc that you use as an argument against a URL writer.
Is it only because of the name, 'external acl helper' vs 'url rewriter helper', that you dislike the url rewriter?

Marcus
Post by Amos Jeffries
Amos
Amos Jeffries
2018-09-20 20:41:48 UTC
Permalink
Post by Marcus Kool
Post by Marcus Kool
Post by Amos Jeffries
Post by neok
Thank you very much Amos for putting me in the right direction.
I successfully carried out the modifications you indicated to me.
Regarding ufdbGuard, if I understood correctly, what you recommend is to use
the ufdbConvertDB tool to convert my blacklists in plain text to the
ufdbGuard database format? And then use that/those databases in normal squid
ACL's?
No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
replacement which works better while you improve your config.
You should work towards less complexity. Squid / squid.conf is where
HTTP access control takes place. The helper is about re-writing the URL
(only) - which is a complex and destructive process.
ufdbGuard is a simple tool that has the same syntax in its configuration
file as squidGuard has.
It is far from complex, has a great Reference Manual, example config
file and a responsive support desk.
Amos, I have never seen you call a URL writer a complex and
destructive process.  What do you mean?
  * fork external helpers, and
  * maintain queues of lookups to those helpers, and
  * maintain cache of helper responses, and
  * maintain a whole extra copy of HTTP-request state, and
  * copy some (not all) of that state info between the two "client"
requests.
  ... lots of complexity, memory, CPU time, traffic latency, etc.
Squid itself is complex and for any feature of Squid one can make a list
like above to say that it is complex.
The fact that one can make such a list does not mean much to me.
One can make the same or a similar list for external acl helpers and even native acls.
Also when used for access control (re-write to an "error" URL) the
re-write helper needs extra complexity in itself to act as the altered
origin server for error pages, or have some fourth-party web server.
Squid cannot do everything that a URL writer, and specifically
ufdbGuard, can.
For example, Squid must restart and break all open connections when a
tiny detail of the configuration changes.  With ufdbGuard this does not
happen.
Squid does not close or break any client connections when reconfigured.
Squid pauses active transactions, reconfigures then continues with the
new config.

Are you perhaps mistaking the fact that Squid shuts down the
*rewriters* on reconfigure for a full Squid shutdown?

(hmm, there is another downside to placing all the access control in a
helper - waiting for the helpers to restart on config changes. Though as
you say ufdbguard does it efficiently, others do not).
Post by Marcus Kool
ufdbGuard supports dynamic lists of users, domains and source ip
addresses which are updated every X minutes without any service
interruption.
So does Squid, via external ACL and/or authentication.
Post by Marcus Kool
When other parameters change, ufdbGuard resets itself with zero service
interruption for Squid and its users.
This is not always true. If the helper pauses even for some milliseconds
it is holding up Squid and clients. Particularly if it is a bottleneck
process like URL-rewrite interface where the helper lookup queue limits
total traffic capacity of the entire proxy.

I think you mean that the helper has threading to do a load in the
background and swap in the config. Correct?

Squid is working (very slowly) towards that model and the SMP features
already reconfigure one worker at a time sequentially so effectively
there should always be a helper with either old or new config answering
incoming traffic while one "resets itself".
Post by Marcus Kool
ufdbGuard can decide to probe a site to make a decision, and hence
detect Skype, Teamviewer and other types of sites that an admin might
want to block.  Squid cannot.
Squid can, via external ACL. IIRC, Eliezer wrote an ICAP system that did
that too.

Also, the URL-rewrite helper cannot do anything if Squid cannot pass it
a URL. By nature of what the interface is designed to do.
Post by Marcus Kool
ufdbGuard can decide to do a lookup of a reverse IP lookup to make a
decision.  Squid cannot.
Squid can via external ACL.

We have not had much (any?) requests for an ACL doing that. Patches welcome.
Post by Marcus Kool
ufdbGuard supports complex time restrictions for access. Squid supports
simple time restrictions.
Such as?

Squid supports complex time points and/or ranges. The time ACL is a
bitmap extending at 1 second intervals across an entire week. Further
extension is done with external ACL, note ACL and/or allof ACL.
Post by Marcus Kool
ufdbGuard supports flat file domain/url lists and a commercial URL
database.  Squid does not.
And the list goes on.
I am still looking for a feature Squid does not actually support in one
way or another.

As you can see from Flashdown posts "external ACL" can mean SquidGuard /
ufdbguard running on that other interface. So really *anything* they can
do so can Squid external ACL - if not one of the other mechanisms.
At no point is the URL-rewrite API _necessary_ for access control in a
modern Squid.
Post by Marcus Kool
So when you state on the mailing list that users should unconditionally
stop using a URL writer in favor of using Squid acls, you may be causing
troubles for admins who do not know the implications of your advice.
Understood. I shall try harder to remember the disclaimers usually
added. Thank you for pointing out the omission.
Post by Marcus Kool
Post by Marcus Kool
URL rewriters have been used for decades for HTTP access control but you
state "squid.conf is where HTTP access control takes place".
Once upon a time, back at the dawn of the WWW (before the 1990s) Squid
lacked external_acl_type and modular ACLs.
That persisted for the first decade or so of Squid's life, with only the
re-write API for admin to use for complicated permissions.
Then one day about 2 decades or so ago, external ACL was added and the
ACLs were also made much easier to implement and plug in new checks.
Today we have hundreds of native ACLs and even a selection of custom ACL
helpers. Making the need for these abuses of the poor re-writers.
Old habits and online tutorials however are hard to get rid of.
If you want to get rid of habits that in your view are old/obsolete,
then why not start a discussion?
I have. This appears to be the latest one.
Post by Marcus Kool
And in the event that at the end of the discussion, the decision is made
that a particular interface should be removed, why not phase it out ?
It still has uses as a URL-rewrite/redirect interface for actions not
related directly to access control.
Post by Marcus Kool
Post by Marcus Kool
Are you saying that you want it to be the _only_ place for HTTP access control?
I'm saying the purpose of the url_rewrite_* API in Squid is to tell
Squid whether the URL (only) needs some mangling in order for the
server/origin to understand it.
  It can re-write transparently with all the problems that causes to
security scopes and URL sync between the endpoints. Or redirect the
client to the "correct" URL.
The Squid http_access and similar *access controls* are the place for
access control - hint is in the naming. With external ACL type for
anything Squid does not support natively or well. As Flashdown mentioned
even calls to SquidGuard etc. can be wrapped and used as external ACLs.
Wrapping and external ACLs add the same complexity, memory, CPU time,
traffic latency, etc that you use as an argument against a URL writer.
Is it only because of the name, 'external acl helper' vs 'url rewriter
helper', that you dislike the url rewriter?
The external ACL usage is better because it is run at times when Squid
is making decisions about access to the proxy and/or features supplied
by the proxy. The admin can decide exactly when in Squid processing it
is tested - limiting the delays and reducing the lookups to only when
necessary.
eg. you cannot decide whether a transaction is allowed to be sent to
ICAP or not with a re-writer. Or decide whether ssl_bump is going to
splice vs bump with a URL re-writer.


URL-rewrite API requires access control to *prevent* it being used, and
runs *after* access control - so Squid has to actively allow the traffic
through its own access controls first in order to use the URL-rewrite
API. This leads to a lot of the "http_access allow all" type config issues.


Amos
Alex Rousskov
2018-09-21 00:02:43 UTC
Permalink
Post by Amos Jeffries
Squid does not close or break any client connections when reconfigured.
IIRC, this statement is inaccurate (unfortunately): Reconfiguring Squid
may break client connections that Squid has not started processing yet.
The connections already being processed by Squid are not closed, but the
new/arriving ones may be rejected for a short time period. Such
rejections may affect clients in some environments. This is a bug, so I
hope it will get fixed.

This correction does not affect the rewriter-vs-ACLs comparison, but I
wanted to make it in case that statement is used outside its context.


Cheers,

Alex.
Marcus Kool
2018-09-24 19:07:56 UTC
Permalink
The sub-thread starts with "do not use the url rewriter helper because of complexity"
and ends with that the (not less complex) external acl helpers are fine to use.
And in between there is an attempt to kill the URL rewriter interface.

It would be a lot less confusing if you started with something like
   I do not like the URL rewriter interface, use the external acl one
Post by Amos Jeffries
Post by Marcus Kool
ufdbGuard supports dynamic lists of users, domains and source ip
addresses which are updated every X minutes without any service
interruption.
So does Squid, via external ACL and/or authentication.
Aren't you confusing what Squid itself and what Squid+helpers can do?

Marcus
Amos Jeffries
2018-09-25 00:48:02 UTC
Permalink
Post by Marcus Kool
The sub-thread starts with "do not use the url rewriter helper because of complexity"
The thread started earlier than that, with essentially "move simple
rules to squid.conf"
Post by Marcus Kool
I recommend you convert as many of your filtering rules as you can into
normal Squid ACLs. Traffic which is being blocked for simple reasons can
be done much more efficiently by Squid than a helper.
The statement about the helper being complex came later after a
misunderstanding by the OP about what the tools were used for.

You are paraphrasing in a way which changes the meaning of my actual
statement. I was clearly and explicitly advising the OP to work towards
"less complexity" and pointing out that the helper (any helper) is
complex and to be avoided when a simpler solution is also available.
Post by Marcus Kool
and ends with that the (not less complex) external acl helpers are fine to use.
They are ... when needed. Having them do everything from src-IP check to
re-authenticating a login Squid already authenticated passed it is
needless extra complexity as a long-term solution.
Post by Marcus Kool
And in between there is an attempt to kill the URL rewriter interface.
No, just the use of the rewriters for access control. In the context of
an OP who is using a rewriter for a fairly simple set of blacklist and
whitelist of traffic - which got diverted into a debate of Squid vs
re-writer feature comparisons.

You brought up the topic of removing the interface. As I responded then,
there are still use-cases for it. Just, access control is not one of
those cases.
Post by Marcus Kool
It would be a lot less confusing if you started with something like
   I do not like the URL rewriter interface, use the external acl one
That would be only a small amount better (improvement in principle, no
longer destructive for the state lost when re-writing - still complex in
practice). I am pointing the OP at something that should work a bit
better than even that semi-theoretical improvement. They may or may not
end up with a helper still being used, but either way re-assessing this
1980's style config will improve their situation for modern traffic.
Post by Marcus Kool
Post by Amos Jeffries
Post by Marcus Kool
ufdbGuard supports dynamic lists of users, domains and source ip
addresses which are updated every X minutes without any service
interruption.
So does Squid, via external ACL and/or authentication.
Aren't you confusing what Squid itself and what Squid+helpers can do?
There is crossover. Though we are delving into realms of principle here.
The data available to the helper running on the URL-rewrite interface is
quite limited - the other interfaces (external ACL in particular) have
wider scope and much more flexibility in what Squid can do with them.

For example SG and ufdbguard may be able to load dynamic lists of users,
but cannot make Squid generate authentication challenge with the correct
parameters to authenticate those users. They can only re-check an
already authenticated username (without access to the password details)
or rewrite/redirect to a third-party server that does so.
Whereas looking up users in some "dynamic list" without needing a
reconfigure of Squid is pretty much the essence of what auth user/group
helpers do. It is rare to find a never-changing list of users.

Amos
Donald Muller
2018-09-19 20:47:16 UTC
Permalink
Amos,

So instead of using squidguard are you saying you should use something like the following?

acl ads dstdomain -i "/etc/squid/squid-ads.acl"
acl adult dstdomain -i "/etc/squid/squid-adult.acl"

http_access deny ads
http_access deny adult

Do the lists need to be sorted in alphabetical order?

Don
Matus UHLAR - fantomas
2018-09-20 11:16:12 UTC
Permalink
Post by Donald Muller
So instead of using squidguard are you saying you should use something like the following?
acl ads dstdomain -i "/etc/squid/squid-ads.acl"
acl adult dstdomain -i "/etc/squid/squid-adult.acl"
http_access deny ads
http_access deny adult
Do the lists need to be sorted in alphabetical order?
I don't think so - the lists are parsed into an in-memory format for faster
processing.

The case where software like ufdbguard is important is where you use regular
expressions like url_regex (but srcdom_regex and dstdom_regex may need it
too).

Processing of those is very inefficient inside of squid.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...
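To make Matus's answer concrete, here is an added example, written for this page and not taken from Squid's source, that models how a `dstdomain` list file is consumed: entries go into an in-memory index keyed by domain labels, so the order of the file is irrelevant and a lookup costs one set probe per label of the requested host instead of a pass over the whole list, which is what a `url_regex` list forces. The list content is constructed. Two Squid semantics are relied on: a leading dot matches the domain itself and every subdomain, a bare name matches exactly. The matcher splits on labels rather than using a string suffix test, so `notdoubleclick.example` does not match `.doubleclick.example`; it also reports entries a broader dotted entry already covers (Squid warns about those at parse time), which is the one clean-up worth doing on a list converted from a SquidGuard blacklist.

```python
"""Model of how Squid consumes a dstdomain list file.  Added example, not
Squid's own implementation."""

# Constructed list in the shape `acl ads dstdomain -i "/etc/squid/squid-ads.acl"`
# reads: one entry per line, '#' comments, deliberately not sorted.
SAMPLE_LIST = """
# ad networks (constructed example data)
.doubleclick.example
adserver.example          # bare name: this host only
ads.doubleclick.example   # already covered by .doubleclick.example
.Ads.Example
tracker.example
"""


def parse_dstdomain(text):
    """Return (exact, suffix) sets of lowercase names.
    '.foo.example' -> suffix: foo.example and any subdomain of it
    'foo.example'  -> exact:  that host only"""
    exact, suffix = set(), set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        if entry.startswith("."):
            suffix.add(entry.lstrip("."))
        else:
            exact.add(entry)
    return exact, suffix


def matches(host, exact, suffix):
    """One set probe per label of the host, independent of list length."""
    host = host.lower().rstrip(".")
    if host in exact:
        return True
    labels = host.split(".")
    # walk from the full name to the TLD: a.b.c, b.c, c
    return any(".".join(labels[i:]) in suffix for i in range(len(labels)))


def shadowed_entries(exact, suffix):
    """Entries that a broader dotted entry already covers; safe to drop."""
    out = []
    for name in sorted(exact | suffix):
        labels = name.split(".")
        if any(".".join(labels[i:]) in suffix for i in range(1, len(labels))):
            out.append(name)
    return out


def check_hosts(hosts, text=SAMPLE_LIST):
    """Batch verdicts {host: blocked?} against a list file's content."""
    exact, suffix = parse_dstdomain(text)
    return {h: matches(h, exact, suffix) for h in hosts}


if __name__ == "__main__":
    ex, su = parse_dstdomain(SAMPLE_LIST)
    print("shadowed:", shadowed_entries(ex, su))
    print(check_hosts(["ads.doubleclick.example", "www.adserver.example",
                       "notdoubleclick.example", "x.ads.example"]))
```

The label walk is the reason sorting does not matter and the reason a dotted entry never bleeds into a longer name that merely ends with the same characters; the same walk is what a regex list cannot give you, since every pattern has to be tried in turn.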
Donald Muller
2018-09-20 15:46:15 UTC
Permalink
-----Original Message-----
Of Matus UHLAR - fantomas
Sent: Thursday, September 20, 2018 7:16 AM
Subject: Re: [squid-users] Help: squid restarts and squidGuard die
Post by Donald Muller
So instead of using squidguard are you saying you should use something
like the following?
Post by Donald Muller
acl ads dstdomain -i "/etc/squid/squid-ads.acl"
acl adult dstdomain -i "/etc/squid/squid-adult.acl"
http_access deny ads
http_access deny adult
Do the lists need to be sorted in alphabetical order?
I don't think so - the lists are parsed into an in-memory format for faster
processing.
Does Squid monitor dstdomain files for changes and reload them or does a '-k reconfigure' need to be issued?
The case where software like ufdbguard is important is where you use regular
expressions like url_regex (but srcdom_regex and dstdom_regex may need it
too).
Processing of those is very inefficient inside of squid.
Amos Jeffries
2018-09-20 19:50:05 UTC
Permalink
Post by Donald Muller
-----Original Message-----
From: Matus UHLAR - fantomas
Sent: Thursday, September 20, 2018 7:16 AM
Post by Donald Muller
So instead of using squidguard are you saying you should use something
like the following?
Post by Donald Muller
acl ads dstdomain -i "/etc/squid/squid-ads.acl"
acl adult dstdomain -i "/etc/squid/squid-adult.acl"
http_access deny ads
http_access deny adult
Do the lists need to be sorted in alphabetical order?
I don't think so - the lists are parsed to in-memory format for faster
processing.
Does Squid monitor dstdomain files for changes and reload them or does a '-k reconfigure' need to be issued?
Not currently. I'm looking for a nice portable way to do file watching.

The Linux inotify system can apparently be used to send the -k
reconfigure command on FS changes in the config directory. Though I've
yet to see any working example and have not had the time myself to
experiment on it.

Patches and/or info welcome. This might be a good starter project if
anyone wants to dip their fingers into the Squid code.

Amos
Alex Rousskov
2018-09-20 23:52:47 UTC
Permalink
Post by Amos Jeffries
Post by Donald Muller
Does Squid monitor dstdomain files for changes and reload them or does a '-k reconfigure' need to be issued?
Not currently. I'm looking for a nice portable way to do file watching.
Patches and/or info welcome. This might be a good starter project if
anyone wants to dip their fingers into the Squid code.
... but please start with an RFC on squid-dev before writing any Squid
code. Implementing correct file watching support in Squid is not
trivial, and the feature itself may not be such a good idea. Please
discuss your plans before spending time on modifying Squid.


Thank you,

Alex.
Donald Muller
2018-09-21 17:18:12 UTC
Permalink
-----Original Message-----
Of Amos Jeffries
Sent: Thursday, September 20, 2018 3:50 PM
Subject: Re: [squid-users] Help: squid restarts and squidGuard die
Post by Donald Muller
-----Original Message-----
From: Matus UHLAR - fantomas
Sent: Thursday, September 20, 2018 7:16 AM
Post by Donald Muller
So instead of using squidguard are you saying you should use something
like the following?
Post by Donald Muller
acl ads dstdomain -i "/etc/squid/squid-ads.acl"
acl adult dstdomain -i "/etc/squid/squid-adult.acl"
http_access deny ads
http_access deny adult
Do the lists need to be sorted in alphabetical order?
I don't think so - the lists are parsed to in-memory format for
faster processing.
Does Squid monitor dstdomain files for changes and reload them or does a
'-k reconfigure' need to be issued?
Not currently. I'm looking for a nice portable way to do file watching.
The Linux inotify system can apparently be used to send the -k reconfigure
command on FS changes in the config directory. Though I've yet to see any
working example and have not had the time myself to experiment on it.
Patches and/or info welcome. This might be a good starter project if anyone
wants to dip their fingers into the Squid code.
I will be downloading the blacklists from the internet and I'm sure that there will be sites that I want to whitelist via

acl whitelist dstdomain "/some folder path/whitelist.acl"
http_access allow whitelist

What logging do I need to enable to capture when a domain is blacklisted?
Amos
Donald Muller
2018-09-24 15:46:00 UTC
Permalink
I will be downloading the blacklists from the internet and I'm sure that there
will be sites that I want to whitelist via

acl whitelist dstdomain "/some folder path/whitelist.acl"
http_access allow whitelist

What logging do I need to enable to capture when a site I am trying to access is blacklisted so I can add it to the whitelist?

Thanks
-----Original Message-----
Of Donald Muller
Sent: Friday, September 21, 2018 1:18 PM
cache.org
Subject: Re: [squid-users] Help: squid restarts and squidGuard die
-----Original Message-----
Behalf Of Amos Jeffries
Sent: Thursday, September 20, 2018 3:50 PM
Subject: Re: [squid-users] Help: squid restarts and squidGuard die
Post by Donald Muller
-----Original Message-----
From: Matus UHLAR - fantomas
Sent: Thursday, September 20, 2018 7:16 AM
Post by Donald Muller
So instead of using squidguard are you saying you should use something
like the following?
Post by Donald Muller
acl ads dstdomain -i "/etc/squid/squid-ads.acl"
acl adult dstdomain -i "/etc/squid/squid-adult.acl"
http_access deny ads
http_access deny adult
Do the lists need to be sorted in alphabetical order?
I don't think so - the lists are parsed to in-memory format for
faster processing.
Does Squid monitor dstdomain files for changes and reload them or does a
'-k reconfigure' need to be issued?
Not currently. I'm looking for a nice portable way to do file watching.
The Linux inotify system can apparently be used to send the -k
reconfigure command on FS changes in the config directory. Though I've
yet to see any working example and have not had the time myself to
experiment on it.
Patches and/or info welcome. This might be a good starter project if
anyone wants to dip their fingers into the Squid code.
I will be downloading the blacklists from the internet and I'm sure that there
will be sites that I want to whitelist via
acl whitelist dstdomain "/some folder path/whitelist.acl"
http_access allow whitelist
What logging do I need to enable to capture when a domain is blacklisted?
Amos
Amos Jeffries
2018-09-24 23:16:40 UTC
Permalink
Post by Donald Muller
I will be downloading the blacklists from the internet and I'm sure that there
will be sites that I want to whitelist via
acl whitelist dstdomain "/some folder path/whitelist.acl"
http_access allow whitelist
What logging do I need to enable to capture when a site I am trying to access is blacklisted so I can add it to the whitelist?
When your access.log contains DENIED/403 as the transaction status and
no server details it was denied by your policy.

NP: If all you are doing is adding blocked sites to a whitelist, then
it's pointless doing the block at all. The best solution there is to
remove the blacklist entirely.

Amos
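One way to pull exactly those policy denials out of access.log, as an added example that is not code from the thread or from Squid itself: it reads Squid's default native log format, keeps only DENIED/403 lines where no server was contacted (HIER_NONE/-), and counts them per destination host so the admin can see what a whitelist entry would need to cover. The log lines are constructed samples.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default native access.log format:
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1537800001.123      0 192.0.2.10 TCP_DENIED/403 3892 GET http://ads.example.com/banner.gif - HIER_NONE/- text/html
1537800002.456    210 192.0.2.10 TCP_MISS/200 15230 GET http://www.example.org/ jdoe HIER_DIRECT/203.0.113.5 text/html
1537800003.789      0 192.0.2.11 TCP_DENIED/403 3880 CONNECT adult.example.net:443 - HIER_NONE/- text/html
1537800004.012    150 192.0.2.11 TCP_MISS/403 620 GET http://www.example.org/private jdoe HIER_DIRECT/203.0.113.5 text/html
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)/(\S+)"
)

def policy_denials(lines: Iterable[str]) -> Dict[str, int]:
    """Count per destination host the requests Squid's own http_access rules
    refused: status DENIED/403 with no server contacted (HIER_NONE/-).
    A 403 relayed from an origin server carries a hierarchy entry and is
    left out, since that was not the proxy's decision."""
    hits: Counter = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or a different logformat; skip it
        action, code, url, hier, peer = m.group(4, 5, 8, 10, 11)
        if "DENIED" not in action or code != "403":
            continue
        if hier != "HIER_NONE" or peer != "-":
            continue
        # CONNECT requests are logged as host:port rather than as a URL
        host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
        if host:
            hits[host.lower()] += 1
    return dict(hits)

def whitelist_candidates(lines: Iterable[str]) -> List[str]:
    """Denied hosts in the exact-match form a dstdomain file accepts,
    one per line, most frequently blocked first."""
    counts = policy_denials(lines)
    return [h for h, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]

if __name__ == "__main__":
    print("\n".join(whitelist_candidates(SAMPLE_LOG.splitlines())))
```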
Amos Jeffries
2018-09-20 20:47:55 UTC
Permalink
Post by Donald Muller
Amos,
So instead of using squidguard are you saying you should use something like the following?
acl ads dstdomain -i "/etc/squid/squid-ads.acl"
acl adult dstdomain -i "/etc/squid/squid-adult.acl"
*If* those lists contain dstdomain format names. Otherwise, no, some
other ACL may be better (dstdom_regex?).

NP: The -i should not be necessary on dstdomain since domain comparisons
are case insensitive and regex are not correct syntax for dstdomain.

Also, as Matus reminded me. I should have said up front this is
something to consider doing - you may decide not to for reasons. One of
which is if those lists are very large the helper can be faster.
Post by Donald Muller
http_access deny ads
http_access deny adult
Do the lists need to be sorted in alphabetical order?
Don
No. Squid does that. For dstdomain they do need to be reduced so you are
not adding a subdomain like "www.example.com" which overlaps a wildcard
domain like ".example.com" elsewhere in the list.

Amos
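One way to do that reduction before handing the file to Squid, as an added example and not code from the thread or from Squid: it lower-cases and deduplicates the entries (so -i is not needed) and drops any name that a wildcard entry elsewhere in the same list already matches. The sample list is constructed.

```python
from typing import Iterable, List, Set

# Constructed sample list (not from the thread): plain names, wildcard
# entries, mixed case, comments and entries made redundant by a wildcard.
SAMPLE_LIST = """\
# ad and tracker hosts
www.example.com
.example.com
Ads.Example.net
.example.net
.cdn.example.net
tracker.example.org
example.org
www.example.org   # trailing comment
"""

def _covered(name: str, wildcards: Set[str]) -> bool:
    """True if some other wildcard entry already matches this name.
    ".example.com" matches example.com itself and every subdomain, so
    "example.com", "www.example.com" and ".cdn.example.com" are all
    redundant next to it."""
    for w in wildcards:
        if name != w and (name == w[1:] or name.endswith(w)):
            return True
    return False

def reduce_dstdomain(lines: Iterable[str]) -> List[str]:
    """Normalise a dstdomain list: strip comments, lower-case (dstdomain
    compares case-insensitively), drop duplicates and drop names that a
    wildcard entry elsewhere in the list overlaps."""
    entries = set()
    for raw in lines:
        name = raw.split("#", 1)[0].strip().lower()
        if name:
            entries.add(name)
    wildcards = {e for e in entries if e.startswith(".")}
    return sorted(e for e in entries if not _covered(e, wildcards))

if __name__ == "__main__":
    for entry in reduce_dstdomain(SAMPLE_LIST.splitlines()):
        print(entry)
```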
Eliezer Croitoru
2018-09-29 06:18:01 UTC
Permalink
Hey Gabriel,

The thread seems to me as a milestone in this mailing list and in Squid-Cache history.
From what I understood there is an issue when SquidGuard receives a specific line from Squid.
In this whole long thread I have not seen any debug logs of what SquidGuard receives from Squid.
It’s crucial to understand what the issue is and why it happens regardless of whether SquidGuard is old or not.
Also it’s not related to an ICAP service or URL rewrite or external acl.

I do not remember by heart what debug log section is relevant but Amos and Alex should be able to direct us towards these.
When you have the exact line that the url_rewrite helper receives we would be able to know and maybe understand some details.
For some admins this kind of setup is easy but.. any LDAP\NTLM\Kerberos related setup needs to be tested and I believe this is where you are at.
There is a possibility that SquidGuard as a url_rewrite helper doesn’t receive the relevant details it expects such as username or group.
The above can cause this issue.

If you can share with us the relevant line that SquidGuard receives and crashes it would help other admins who have yet to encounter it.

Eliezer

· I have a setup of above 800 users but the cache features are turned off and it’s only working for ACL checking.

----
<http://ngtech.co.il/lmgtfy/> Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: ***@ngtech.co.il

From: squid-users [mailto:squid-users-***@lists.squid-cache.org] On Behalf Of Service MV
Sent: Monday, September 17, 2018 18:38
To: squid-***@lists.squid-cache.org
Subject: [squid-users] Help: squid restarts and squidGuard die

Dear Ones, I draw on your experience in seeking help to determine whether or not it is possible to achieve the configuration I am looking for, due to a strange error I am having.

Before commenting on the bug I describe my testing environment:
- A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
- My VM is attached to my domain W2012R2 (following this post https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/) to achieve kerberos authentication transparent to the user. SElinux disabled. Owner permissions to user squid in all folders/files involved.
- squid 3.5.20 installed and working great with kerberos, NTLM and basic authentication. All authentication mechanisms tested and working great.
- SquidGuard: 1.4 Berkeley DB 5.3.21 installed and working great with blacklists and acl default.

My problem starts when I try to use source acl using ldapusersearch in squidGuard...

systemctl status squid:
(squid-1)[12627]: The redirector helpers are crashing too rapidly, need help!
<SNIP>
neok
2018-10-01 20:52:23 UTC
Permalink
Hi Eliezer, I apologize! I don't know why I stopped receiving emails from the
squid users list.
Only today I see the thread in nabble.com and I see that it has 23 posts!

Regarding your question, I didn't investigate the error of squidGuard... I
started to migrate my lists to native squid lists as Amos recommended. I
really thought it was the best option. Of course it took work, but the
configuration is cleaner and faster in my opinion.
There are other posts in which I share my configuration if you want to see
it.

Best regards...

Gabriel




--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html