Good day, colleagues. I ran into the following problem in squid 3.5.7 (transparent HTTPS proxying does not work):
less +G /var/log/squid/cache.log
2015/08/04 16:24:08 kid1| /var/lib/ssl-db: (2) No such file or directory
2015/08/04 16:24:08 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
(ssl_crtd): Cannot create /var/lib/ssl-db
(ssl_crtd): Cannot create /var/lib/ssl-db
(ssl_crtd)(ssl_crtd): : Cannot create /var/lib/ssl-dbCannot create /var/lib/ssl-db
2015/08/04 16:24:08 kid1| Logfile: opening log /var/log/squid/access.log
2015/08/04 16:24:08 kid1| WARNING: log name now starts with a module name. Use 'stdio:/var/log/squid/access.log'
(ssl_crtd): Cannot create /var/lib/ssl-db
2015/08/04 16:24:08 kid1| Store logging disabled
2015/08/04 16:24:08 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2015/08/04 16:24:08 kid1| Target number of buckets: 1008
2015/08/04 16:24:08 kid1| Using 8192 Store buckets
2015/08/04 16:24:08 kid1| Max Mem size: 262144 KB
2015/08/04 16:24:08 kid1| Max Swap size: 0 KB
2015/08/04 16:24:08 kid1| Using Least Load store dir selection
2015/08/04 16:24:08 kid1| Set Current Directory to /var/spool/squid
2015/08/04 16:24:08 kid1| Finished loading MIME types and icons.
2015/08/04 16:24:08 kid1| HTCP Disabled.
2015/08/04 16:24:08 kid1| Squid plugin modules loaded: 0
2015/08/04 16:24:08 kid1| Adaptation support is off.
2015/08/04 16:24:08 kid1| Accepting HTTP Socket connections at local=[::]:3129 remote=[::] FD 21 flags=9
2015/08/04 16:24:08 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3130 remote=[::] FD 22 flags=41
2015/08/04 16:24:08 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3131 remote=[::] FD 23 flags=41
2015/08/04 16:24:08 kid1| helperHandleRead: unexpected read from ssl_crtd #Hlpr1, 25 bytes 'Initialization SSL db...
'
2015/08/04 16:24:08 kid1| helperHandleRead: unexpected read from ssl_crtd #Hlpr2, 25 bytes 'Initialization SSL db...
'
2015/08/04 16:24:08 kid1| helperHandleRead: unexpected read from ssl_crtd #Hlpr4, 25 bytes 'Initialization SSL db...
'
2015/08/04 16:24:08 kid1| helperHandleRead: unexpected read from ssl_crtd #Hlpr3, 25 bytes 'Initialization SSL db...
'
2015/08/04 16:24:08 kid1| helperHandleRead: unexpected read from ssl_crtd #Hlpr5, 25 bytes 'Initialization SSL db...
'
2015/08/04 16:24:08 kid1| WARNING: ssl_crtd #Hlpr1 exited
2015/08/04 16:24:08 kid1| Too few ssl_crtd processes are running (need 1/32)
2015/08/04 16:24:08 kid1| Closing HTTP port [::]:3129
2015/08/04 16:24:08 kid1| Closing HTTP port [::]:3130
2015/08/04 16:24:08 kid1| Closing HTTPS port [::]:3131
2015/08/04 16:24:08 kid1| storeDirWriteCleanLogs: Starting...
2015/08/04 16:24:08 kid1| Finished. Wrote 0 entries.
2015/08/04 16:24:08 kid1| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
Squid was built with the following options:
squid -v
Squid Cache: Version 3.5.7-20150801-r13880
Service Name: squid
configure options: '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid3' '--enable-delay-pools' '--enable-ssl' '--enable-ssl-crtd' '--enable-linux-netfilter' '--enable-eui' '--enable-snmp' '--with-openssl' --enable-ltdl-convenience
cat /etc/squid3/squid.conf | grep -v "^#"
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl wan src ip/21
acl wan src ip/21
acl url_filtered src ip/21
acl url_filtered src ip/21
acl url_filtered src 10.0.0.0/8
acl blacklist url_regex -i "/etc/squid3/blacklist_test"
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blacklist url_filtered
http_access allow localnet
http_access allow localhost
http_access allow wan
http_access deny all
http_port 3129
http_port 3130 intercept
https_port 3131 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/squid.pem key=/etc/squid3/ssl/squid.pem
always_direct allow all
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl-db -M 4MB
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log squid
cache_effective_user squid
cache_effective_group squid
Certificate generation:
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout squid.pem -out squid.pem
I ran rm -rf /var/lib/ssl_db && /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db && chown -R squid:squid /var/lib/ssl_db - it did not help.
Permissions seem to be fine:
ls -lsa ssl/
итого 12
4 drwxrwxrwx 2 squid squid 4096 Авг 4 16:08 .
4 drwxr-xr-x 3 squid squid 4096 Авг 4 16:14 ..
4 -rw-r--r-- 1 squid squid 1783 Авг 4 16:08 squid.pem
Maybe someone has run into this problem; thanks in advance for the help.
http://www.opennet.me/openforum/vsluhforumID12/7034.html
> http://www.opennet.me/openforum/vsluhforumID12/7034.html
Thanks, but I have already seen that article.
And I wrote that I had already done
rm -rf /var/lib/ssl_db && /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db && chown -R squid:squid /var/lib/ssl_db
and squid.conf has:
sslcrtd_program /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl-db -M 4MB
but in the logs I still see:
2015/08/05 09:46:28 kid1| Adaptation support is off.
2015/08/05 09:46:28 kid1| Accepting HTTP Socket connections at local=[::]:3129 remote=[::] FD 21 flags=9
2015/08/05 09:46:28 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3130 remote=[::] FD 22 flags=41
2015/08/05 09:46:28 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3131 remote=[::] FD 23 flags=41
2015/08/05 09:46:28 kid1| helperHandleRead: unexpected read from ssl_crtd #Hlpr1, 25 bytes 'Initialization SSL db...
'
2015/08/05 09:46:28 kid1| helperHandleRead: unexpected read from ssl_crtd #Hlpr2, 25 bytes 'Initialization SSL db...
'
2015/08/05 09:46:28 kid1| helperHandleRead: unexpected read from ssl_crtd #Hlpr5, 25 bytes 'Initialization SSL db...
'
2015/08/05 09:46:28 kid1| helperHandleRead: unexpected read from ssl_crtd #Hlpr4, 25 bytes 'Initialization SSL db...
'
2015/08/05 09:46:28 kid1| helperHandleRead: unexpected read from ssl_crtd #Hlpr3, 25 bytes 'Initialization SSL db...
'
2015/08/05 09:46:28 kid1| WARNING: ssl_crtd #Hlpr1 exited
2015/08/05 09:46:28 kid1| Too few ssl_crtd processes are running (need 1/32)
2015/08/05 09:46:28 kid1| Closing HTTP port [::]:3129
2015/08/05 09:46:28 kid1| Closing HTTP port [::]:3130
2015/08/05 09:46:28 kid1| Closing HTTPS port [::]:3131
2015/08/05 09:46:28 kid1| storeDirWriteCleanLogs: Starting...
2015/08/05 09:46:28 kid1| Finished. Wrote 0 entries.
2015/08/05 09:46:28 kid1| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
Any other ideas?
> Any other ideas?
Looks like missing permissions.
su -m squid
cd /
touch /var/lib/ssl_db/test
rm /var/lib/ssl_db/test
exit
No problems?
>> Any other ideas?
> Looks like missing permissions.
> su -m squid
> cd /
> touch /var/lib/ssl_db/test
> rm /var/lib/ssl_db/test
> exit
> No problems?
I was away on a business trip, thanks for the help. The problem was that in squid.conf I had put the line sslcrtd_program /usr/lib/squid/ssl_crtd -с -s /cache/lib/ssl-db -M 16MB; the -с parameter had to be removed.
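An added example, not part of this thread and not a tool from the Squid project: a small POSIX sh linter for the sslcrtd_program line that catches the three things this thread turned on. It flags a `-c` in the helper line (ssl_crtd then only initialises the database and exits, which squid reports as the helpers "crashing too rapidly"), a non-ASCII byte in the arguments (a Cyrillic letter typed in place of a Latin one gives an option the helper does not know), and a `-s` directory that does not exist or is not writable, which also covers the `ssl_db` versus `ssl-db` mismatch between the directory that was initialised and the one in squid.conf, and the permissions test the earlier reply suggested. The function names and the demo config line are the example's own; the writability test is only meaningful when run as the cache_effective_user, for example via `su -s /bin/sh squid`.

```shell
#!/bin/sh
# Added example, not from this thread or from the Squid project: lint the
# sslcrtd_program line of a squid.conf for the failure modes seen above.
# Function names are the example's own.

# Print the argument string of the first active sslcrtd_program directive
# read from stdin; comment lines are skipped. Prints nothing if absent.
sslcrtd_args() {
    grep -v '^[[:space:]]*#' \
        | sed -n 's/^[[:space:]]*sslcrtd_program[[:space:]]*//p' \
        | head -n 1
}

# Print the directory that follows "-s" in an argument string.
sslcrtd_db_dir() {
    set -- $1          # split into words (a DB path without spaces is assumed)
    while [ $# -gt 1 ]; do
        if [ "$1" = "-s" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Check one sslcrtd_program argument string. Prints one finding per line and
# returns 1 if anything was found, 0 otherwise. Run it as the
# cache_effective_user so the writability test is meaningful; as root the
# -w test is always true.
check_sslcrtd_args() {
    args=$1
    rc=0
    # "-c" makes ssl_crtd create the database and exit immediately, which
    # squid reports as "ssl_crtd helpers are crashing too rapidly".
    case " $args " in
        *' -c '*) echo "ERROR: remove '-c'; it initialises the DB and exits"; rc=1 ;;
    esac
    # A non-ASCII byte (for example a Cyrillic letter typed in place of a
    # Latin one) produces an option ssl_crtd does not recognise.
    if printf '%s' "$args" | LC_ALL=C grep -q '[^ -~]'; then
        echo "ERROR: non-ASCII character in sslcrtd_program arguments"; rc=1
    fi
    dir=$(sslcrtd_db_dir "$args")
    if [ -z "$dir" ]; then
        echo "ERROR: no '-s <dir>' argument"; rc=1
    elif [ ! -d "$dir" ]; then
        # Catches a typo between the initialised and the configured path
        # (ssl_db versus ssl-db).
        echo "ERROR: DB directory '$dir' does not exist; create it once with: ssl_crtd -c -s $dir"; rc=1
    elif [ ! -w "$dir" ]; then
        echo "ERROR: '$dir' is not writable by $(id -un)"; rc=1
    fi
    return $rc
}

# Demo on a constructed config line that reproduces the thread's mistake.
DEMO_CONF='sslcrtd_program /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl-db -M 4MB'
check_sslcrtd_args "$(printf '%s\n' "$DEMO_CONF" | sslcrtd_args)" \
    || echo "fix squid.conf before starting squid"
```

To check a real installation, feed the live file instead of the demo line: `check_sslcrtd_args "$(sslcrtd_args < /etc/squid3/squid.conf)"`, run as the squid user. Initialising the database is a one-time step done by hand with `ssl_crtd -c -s <dir>`; the line squid starts at runtime must not carry `-c`.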