LINUX.ORG.RU
Solved · Forum: Admin

SQUID FATAL: The ssl_crtd helpers are crashing too rapidly, need help!


Basically what the subject says. I'm trying to set up an HTTPS proxy.

uname -a

FreeBSD bsdfsqd 11.1-RELEASE-p1 FreeBSD 11.1-RELEASE-p1 #0: Wed Aug  9 11:55:48 UTC 2017     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

squid -v

Squid Cache: Version 3.5.27
Service Name: squid

This binary uses OpenSSL 1.0.1s-freebsd  1 Mar 2016. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth' '--enable-zph-qos' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--with-openssl=/usr' 'LIBOPENSSL_CFLAGS=-I/usr/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd' '--disable-stacktraces' '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--with-heimdal-krb5=/usr' 'CFLAGS=-I/usr/include -O2 -pipe  -fstack-protector -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib  -pthread  -fstack-protector' 'LIBS=-lkrb5 -lgssapi -lgssapi_krb5 ' 'KRB5CONFIG=/usr/bin/krb5-config' '--disable-ipf-transparent' '--enable-ipfw-transparent' '--disable-pf-transparent' '--without-nat-devpf' '--enable-auth-basic=DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs diskd rock ufs' '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local' '--mandir=/usr/local/man' 
'--disable-silent-rules' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.3' 'build_alias=amd64-portbld-freebsd10.3' 'CC=cc' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector -fno-strict-aliasing  -Wno-unknown-warning-option -Wno-undefined-bool-conversion -Wno-tautological-undefined-compare -Wno-dynamic-class-memaccess' 'CPP=cpp' --enable-ltdl-convenience

What I do:

# mkdir /usr/local/etc/squid/ssl_cert
# chown -R squid:squid /usr/local/etc/squid/ssl_cert
# cd /usr/local/etc/squid/ssl_cert
# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout proxyCA.pem  -out proxyCA.pem
# openssl x509 -in proxyCA.pem -outform DER -out proxyCA.der
# mkdir -p /usr/local/var/squid/lib/ssl_db
# chown -R squid:squid /usr/local/var/squid/lib/ssl_db
# /usr/local/libexec/squid/ssl_crtd -c -s /usr/local/var/squid/lib/ssl_db

What I get:

2017/11/14 08:41:41 kid1| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2017/11/14 08:41:41 kid1| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2017/11/14 08:41:41 kid1| WARNING: You should probably remove '::/0' from the ACL named 'all'
2017/11/14 08:41:41 kid1| Current Directory is /usr/home/user
2017/11/14 08:41:41 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd10.3...
2017/11/14 08:41:41 kid1| Service Name: squid
2017/11/14 08:41:41 kid1| Process ID 1757
2017/11/14 08:41:41 kid1| Process Roles: worker
2017/11/14 08:41:41 kid1| With 28467 file descriptors available
2017/11/14 08:41:41 kid1| Initializing IP Cache...
2017/11/14 08:41:41 kid1| ipcacheAddEntryFromHosts: Bad IP address 'AD'
2017/11/14 08:41:41 kid1| DNS Socket created at [::], FD 6
2017/11/14 08:41:41 kid1| DNS Socket created at 0.0.0.0, FD 7
2017/11/14 08:41:41 kid1| Adding nameserver 62.149.128.4 from /etc/resolv.conf
2017/11/14 08:41:41 kid1| Adding nameserver 62.149.132.4 from /etc/resolv.conf
2017/11/14 08:41:41 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
2017/11/14 08:41:41 kid1| helperOpenServers: Starting 0/3 'squidGuard' processes
2017/11/14 08:41:41 kid1| helperOpenServers: No 'squidGuard' processes needed.
2017/11/14 08:41:41 kid1| helperOpenServers: Starting 0/1 'basic_ncsa_auth' processes
2017/11/14 08:41:41 kid1| helperOpenServers: No 'basic_ncsa_auth' processes needed.
2017/11/14 08:41:41 kid1| Unlinkd pipe opened on FD 23
2017/11/14 08:41:41 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/11/14 08:41:41 kid1| Store logging disabled
2017/11/14 08:41:41 kid1| Swap maxSize 14794752 + 262144 KB, estimated 1158222 objects
2017/11/14 08:41:41 kid1| Target number of buckets: 57911
2017/11/14 08:41:41 kid1| Using 65536 Store buckets
2017/11/14 08:41:41 kid1| Max Mem  size: 262144 KB
2017/11/14 08:41:41 kid1| Max Swap size: 14794752 KB
2017/11/14 08:41:41 kid1| Rebuilding storage in /usr/local/var/squid/cache (clean log)
2017/11/14 08:41:41 kid1| Using Least Load store dir selection
2017/11/14 08:41:41 kid1| Current Directory is /usr/home/user
2017/11/14 08:41:41 kid1| Finished loading MIME types and icons.
2017/11/14 08:41:41 kid1| HTCP Disabled.
2017/11/14 08:41:41 kid1| Pinger socket opened on FD 29
2017/11/14 08:41:41 kid1| Squid plugin modules loaded: 0
2017/11/14 08:41:41 kid1| Adaptation support is off.
2017/11/14 08:41:41 kid1| Accepting HTTP Socket connections at local=[::]:2002 remote=[::] FD 26 flags=9
2017/11/14 08:41:41 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:2003 remote=[::] FD 27 flags=41
2017/11/14 08:41:41 kid1| Done reading /usr/local/var/squid/cache swaplog (561 entries)
2017/11/14 08:41:41 kid1| Finished rebuilding storage from disk.
2017/11/14 08:41:41 kid1|       561 Entries scanned
2017/11/14 08:41:41 kid1|         0 Invalid entries.
2017/11/14 08:41:41 kid1|         0 With invalid flags.
2017/11/14 08:41:41 kid1|       561 Objects loaded.
2017/11/14 08:41:41 kid1|         0 Objects expired.
2017/11/14 08:41:41 kid1|         0 Objects cancelled.
2017/11/14 08:41:41 kid1|         0 Duplicate URLs purged.
2017/11/14 08:41:41 kid1|         0 Swapfile clashes avoided.
2017/11/14 08:41:41 kid1|   Took 0.04 seconds (15756.66 objects/sec).
2017/11/14 08:41:41 kid1| Beginning Validation Procedure
2017/11/14 08:41:41 kid1|   Completed Validation Procedure
2017/11/14 08:41:41 kid1|   Validated 561 Entries
2017/11/14 08:41:41 kid1|   store_swap_size = 7011.00 KB
2017/11/14 08:41:41 kid1| WARNING: ssl_crtd #Hlpr1 exited
2017/11/14 08:41:41 kid1| Too few ssl_crtd processes are running (need 1/32)
2017/11/14 08:41:41 kid1| Closing HTTP port [::]:2002
2017/11/14 08:41:41 kid1| Closing HTTPS port [::]:2003
2017/11/14 08:41:41 kid1| storeDirWriteCleanLogs: Starting...
2017/11/14 08:41:41 kid1|   Finished.  Wrote 561 entries.
2017/11/14 08:41:41 kid1|   Took 0.00 seconds (1575842.70 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

2017/11/14 08:41:41 kid1| Closing Pinger socket on FD 29

squid.conf

http_port 2002
https_port 2003 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl_cert/proxyCA.pem key=/usr/locar/local/etc/squid/ssl_cert/proxyCA.pem

auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/passwd
auth_param basic children 1
auth_param basic realm Welcome to mfhunruh's proxy server!
auth_param basic credentialsttl 2 hours

always_direct allow all
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/var/squid/lib/ssl_db -M 16MB

acl all src all
acl users proxy_auth REQUIRED

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 19055 # torrent
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT

acl purge method PURGE
acl CONNECT method CONNECT
                                                                      
http_access allow users

http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access deny all

forwarded_for off
request_header_access From deny all
request_header_access Server deny all
request_header_access User-Agent deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all

cache_mem 256 MB
cache_dir ufs /usr/local/var/squid/cache 14448 16 256
shutdown_lifetime 5 seconds

access_log none all
cache_store_log none

visible_hostname bsdfsqd.mfhunruh.com

redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf
redirect_children 3

Please help!

chown -R had to be done after

/usr/local/libexec/squid/ssl_crtd -c -s /usr/local/var/squid/lib/ssl_db

and not before

aidaho ★★★★★

Solved it: I named the folder wrong in the config, I must be going blind.

mfhunruh
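Both causes raised in this thread (the ssl_db created by a root shell before the `chown`, per aidaho's reply, and a mistyped cert/key path on `https_port`, per the original poster's own resolution) can be caught before Squid is started. The script below is an added example, not code from the thread or from the Squid project. It assumes the ssl_crtd helper runs as user `squid`; every path it touches is a constructed sample inside a scratch directory, and the two squid.conf fragments it writes are constructed too (one correct, one carrying the `/usr/locar/local` typo from the posted config).

```shell
#!/bin/sh
# Pre-flight checks for a Squid 3.5 ssl-bump setup. Added example for this thread,
# not code from the thread or from the Squid project.
# Assumptions (hypothetical): the ssl_crtd helper runs as user "squid"; every path
# used below is a constructed sample inside a scratch directory, not the live system.

# Print every cert=/key= path on https_port lines of $1 that is not a readable file.
# Returns 0 when all of them resolve, 1 otherwise (this is the typo the OP hit).
check_bump_paths() {
    conf=$1
    rc=0
    # Split each https_port line into tokens and keep only cert=... and key=...
    for kv in $(grep -E '^[[:space:]]*https_port' "$conf" | tr ' \t' '\n\n' \
                | grep -E '^(cert|key)=' || true); do
        path=${kv#*=}
        if [ ! -r "$path" ]; then
            echo "https_port: $kv is not a readable file" >&2
            rc=1
        fi
    done
    return $rc
}

# "ssl_crtd -c" leaves the database owned by whoever ran it (root, from a root shell).
# Squid's worker forks ssl_crtd as the squid user, which then cannot write the
# index/serial files under ssl_db and exits immediately, which Squid reports as
# "The ssl_crtd helpers are crashing too rapidly". Returns 0 when $1 and everything
# under it are owned by user $2, 1 otherwise.
check_ssl_db_owner() {
    db=$1
    want=$2
    # ls -ld rather than stat(1): stat's flags differ between FreeBSD and Linux.
    bad=$(find "$db" -exec ls -ld {} \; | awk -v u="$want" '$3 != u { print $NF }')
    if [ -n "$bad" ]; then
        echo "ssl_db entries not owned by $want:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# The order from aidaho's reply: create the database first, hand it over second.
# $1 = path to ssl_crtd, $2 = database directory, $3 = squid user. Needs root.
init_ssl_db() {
    crtd=$1; db=$2; user=$3
    mkdir -p "$(dirname "$db")"
    "$crtd" -c -s "$db"              # creates and populates $db, owned by root
    chown -R "$user:$user" "$db"     # now, not before
    check_ssl_db_owner "$db" "$user"
}

# Constructed fixture: scratch dir with an (empty) proxyCA.pem, a fake ssl_db and two
# squid.conf fragments, one correct and one with the "/usr/locar/local" key= typo from
# the thread. Prints the fixture directory.
make_fixture() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/sslbump.XXXXXX")
    mkdir -p "$d/ssl_cert" "$d/ssl_db/certs"
    : > "$d/ssl_cert/proxyCA.pem"
    : > "$d/ssl_db/index.txt"
    opts="intercept ssl-bump generate-host-certificates=on cert=$d/ssl_cert/proxyCA.pem"
    printf 'http_port 2002\nhttps_port 2003 %s key=%s\n' \
        "$opts" "$d/ssl_cert/proxyCA.pem" > "$d/good.conf"
    printf 'http_port 2002\nhttps_port 2003 %s key=%s\n' \
        "$opts" "$d/usr/locar/local/etc/squid/ssl_cert/proxyCA.pem" > "$d/bad.conf"
    echo "$d"
}

# Stand-alone demonstration against the fixture (the same two checks are what you
# would run against /usr/local/etc/squid/squid.conf and /usr/local/var/squid/lib/ssl_db).
FIX=$(make_fixture)
ME=$(ls -ld "$FIX" | awk '{ print $3 }')   # whoever is running this script
check_bump_paths "$FIX/good.conf" && echo "good.conf: cert/key paths OK"
check_bump_paths "$FIX/bad.conf"  || echo "bad.conf: rejected, as expected"
check_ssl_db_owner "$FIX/ssl_db" "$ME" && echo "ssl_db owned by $ME: helpers can write"
check_ssl_db_owner "$FIX/ssl_db" squid || echo "ssl_db not owned by squid: helpers would crash"
rm -rf "$FIX"
```

On the real box, run `check_bump_paths /usr/local/etc/squid/squid.conf` and `check_ssl_db_owner /usr/local/var/squid/lib/ssl_db squid` before `squid -k reconfigure`; if the second one fails, re-run the `-c` initialisation from scratch and `chown -R` afterwards, as aidaho said. Two caveats that the thread's config leaves open: the proxyCA.pem written by the posted `openssl req` command holds the CA private key as well as the certificate, so it should be readable by the `squid` user only; and `sslproxy_flags DONT_VERIFY_PEER` together with `sslproxy_cert_error allow all` makes the proxy accept any upstream certificate, so clients behind it lose their protection against a forged server once bumping works.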