Squid unreachable, daemon ports in CLOSED state, suid errors on cache.log
hey everyone,
I am unable to use Squid (apparently after the upgrade OPNsense 20.7). I do only use the Squid Proxy as a simple caching proxy for some development systems, two days ago I've noticed it was not working.
I also have explicit firewall rules to allow all clients on network 10.1.0.0/24 to access the proxy ports (3128/tcp and 2121/tcp) on OPNsense. ACLs are also present on squid configuration to allow 10.1.0.0/24 to access the proxy.
Upon checking its service status on OPNsense console, I have (something new to me, never seen before!): both the http port 3128 and ftp proxy port 2121 have its state listed as 'CLOSED'
On OPNsense GUI the squid service can be started and stopped normally.
----
[root@OPNsense ~]# netstat -la4n -ptcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.1.0.1.443 10.1.0.149.59862 ESTABLISHED
tcp4 0 0 10.1.0.1.2121 *.* CLOSED
tcp4 0 0 10.1.0.1.3128 *.* CLOSED
----
Restarting the daemon works (apparently fine, config is ok)
Manually setting the 'debug_options ALL,3' directly in the file '/usr/local/etc/squid/squid.conf' also produces debug output that hints on problems with suid (setuid ?):
----
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(577) enter_suid: enter_suid: PID 32115 taking root privileges
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(581) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted
----
Are there maybe any kind of rights problems, with the user squid not being allowed to setuid or maybe being unable a necessary folder/path as squid?
The squid.conf is attached.
Many thanks for any pointers on how to solve this!
Regards
J.
--
Additional Info:
fstat produces the following output
----
[root@OPNsense ~]# fstat|grep squid
squid unlinkd 90178 text / 5062157 -r-xr-xr-x 106376 r
squid unlinkd 90178 wd / 3934321 drwxr-x--- 1024 r
squid unlinkd 90178 root / 2 drwxr-xr-x 512 r
squid unlinkd 90178 0* pipe fffff80003bf7be0 <-> fffff80003bf7d48 0 rw
squid unlinkd 90178 1* pipe fffff80003bf7460 <-> fffff80003bf72f8 0 rw
squid unlinkd 90178 2 /dev 43 crw-rw-rw- null rw
squid squid 32115 text / 4976135 -r-xr-xr-x 7576448 r
squid squid 32115 wd / 3934321 drwxr-x--- 1024 r
squid squid 32115 root / 2 drwxr-xr-x 512 r
squid squid 32115 0 /dev 43 crw-rw-rw- null rw
squid squid 32115 1 /dev 43 crw-rw-rw- null rw
squid squid 32115 2 /dev 43 crw-rw-rw- null rw
squid squid 32115 3 / 3772252 -rw-r--r-- 2458600 rw
squid squid 32115 4 /dev 43 crw-rw-rw- null rw
squid squid 32115 5* internet6 dgram udp fffff800a5301b70
squid squid 32115 6
squid squid 32115 7 / 3772252 -rw-r--r-- 2458600 rw
squid squid 32115 8* internet dgram udp fffff800a53015b8
squid squid 32115 9 - 3772219 -rw-r--r-- 0 w
squid squid 32115 10* pipe fffff80003bf72f8 <-> fffff80003bf7460 0 rw
squid squid 32115 11* pipe fffff80003bf7460 <-> fffff80003bf72f8 0 rw
squid squid 32115 12* pipe fffff80003bf7be0 <-> fffff80003bf7d48 0 rw
squid squid 32115 13* pipe fffff80003bf7d48 <-> fffff80003bf7be0 0 rw
squid squid 32115 14 - 3772275 -rw-r--r-- 0 w
squid squid 32115 15 - 3934065 -rwxr-x--- 72 w
squid squid 32115 16* internet stream tcp fffff800a874e000
squid squid 32115 17* internet stream tcp fffff800139df7a0
squid squid 32115 18* internet6 dgram udp fffff80013924d58
squid squid 32115 19* internet6 dgram udp fffff80013922b70
squid squid 3466 text / 4976135 -r-xr-xr-x 7576448 r
squid squid 3466 wd / 3772526 drwxrwx--- 512 r
squid squid 3466 root / 2 drwxr-xr-x 512 r
squid squid 3466 0 /dev 43 crw-rw-rw- null rw
squid squid 3466 1 /dev 43 crw-rw-rw- null rw
squid squid 3466 2 /dev 43 crw-rw-rw- null rw
squid squid 3466 3 / 3772252 -rw-r--r-- 2458600 rw
squid squid 3466 4 /dev 43 crw-rw-rw- null rw
squid squid 3466 5 /var/run/squid/cf__metadata.shm -rw------- 8 rw
squid squid 3466 6 /var/run/squid/cf__queues.shm -rw------- 8216 rw
squid squid 3466 7 /var/run/squid/cf__readers.shm -rw------- 36 rw
----
sockstat produces the following output
----
[root@OPNsense ~]# sockstat -l4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
squid squid 32115 5 udp46 *:50331 *:*
squid squid 32115 8 udp4 *:52387 *:*
squid squid 32115 16 tcp4 10.1.0.1:3128 *:*
squid squid 32115 17 tcp4 10.1.0.1:2121 *:*
[..]
----
a section of cache.log
----
2020/08/11 14:20:52.610 kid1| 16,3| cache_manager.cc(66) registerProfile: registered profile: events
2020/08/11 14:20:52.610 kid1| 80,2| wccp.cc(113) wccpConnectionOpen: WCCPv1 disabled.
2020/08/11 14:20:52.610 kid1| 80,2| wccp2.cc(961) wccp2ConnectionOpen: WCCPv2 Disabled. No IPv4 Router(s) configured.
2020/08/11 14:20:52.610 kid1| 33,2| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x4a998678a0 [call4]
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(577) enter_suid: enter_suid: PID 32115 taking root privileges
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(581) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: Attempt open socket for: 10.1.0.1:3128
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=10.1.0.1:3128 remote=[::] FD 16 flags=1 : family=2, type=1, protocol=6
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 16 HTTP Socket
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(506) leave_suid: leave_suid: PID 32115 called
2020/08/11 14:20:52.610 kid1| 54,3| StartListening.cc(58) StartListening: opened listen local=10.1.0.1:3128 remote=[::] FD 16 flags=9
2020/08/11 14:20:52.610 kid1| 33,2| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.1.0.1:3128 remote=[::] FD 16 flags=9, err=0, HTTP Socket port=0x4a99867900) [call4]
2020/08/11 14:20:52.610 kid1| 33,2| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x4a99867940 [call6]
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(577) enter_suid: enter_suid: PID 32115 taking root privileges
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(581) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: Attempt open socket for: 10.1.0.1:2121
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=10.1.0.1:2121 remote=[::] FD 17 flags=1 : family=2, type=1, protocol=6
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 17 FTP Socket
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(506) leave_suid: leave_suid: PID 32115 called
2020/08/11 14:20:52.610 kid1| 54,3| StartListening.cc(58) StartListening: opened listen local=10.1.0.1:2121 remote=[::] FD 17 flags=9
2020/08/11 14:20:52.610 kid1| 33,2| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.1.0.1:2121 remote=[::] FD 17 flags=9, err=0, FTP Socket port=0x4a998679a0) [call6]
2020/08/11 14:20:52.610 kid1| HTCP Disabled.
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: Attempt open socket for: [::1]
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=[::1] remote=[::] FD 18 flags=1 : family=28, type=2, protocol=0
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 18 Pinger Socket
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: Attempt open socket for: [::1]
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=[::1] remote=[::] FD 19 flags=1 : family=28, type=2, protocol=0
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 19 Pinger Socket
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(204) ipcCreate: ipcCreate: prfd FD 19
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(205) ipcCreate: ipcCreate: pwfd FD 19
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(206) ipcCreate: ipcCreate: crfd FD 18
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(207) ipcCreate: ipcCreate: cwfd FD 18
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(221) ipcCreate: ipcCreate: FD 19 sockaddr [::1]:60912
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(238) ipcCreate: ipcCreate: FD 18 sockaddr [::1]:40241
2020/08/11 14:20:52.613 kid1| 5,3| comm.cc(859) _comm_close: comm_close: start closing FD 18
2020/08/11 14:20:52.613 kid1| 5,3| comm.cc(546) commUnsetFdTimeout: Remove timeout for FD 18
2020/08/11 14:20:52.613 kid1| 21,3| tools.cc(506) leave_suid: leave_suid: PID 93164 called
2020/08/11 14:20:52.613 kid1| 21,3| tools.cc(606) no_suid: no_suid: PID 93164 giving up root privileges forever
2020/08/11 14:20:52.613 kid1| sendto FD 18: (13) Permission denied
2020/08/11 14:20:52.613 kid1| ipcCreate: CHILD: hello write test failed
----
[/font]
Resolved the issue by applying a configuration backup taken from before the upgrade. Restore config for ALL system. Squid is up and running. Cannot tell what caused the issue. Thank you.
Same Problem here. On one of my OPN Router squid does not start as it should und sockets stay in closed state.
Version 20.7.
netstat -an | grep 3128
tcp4 0 0 10.40.21.1.3128 *.* CLOSED
tcp4 0 0 192.168.250.251.3128 *.* CLOSED
tcp4 0 0 192.168.250.250.3128 *.* CLOSED
tcp4 0 0 192.168.250.244.3128 *.* CLOSED
tcp4 0 0 192.168.85.2.3128 *.* CLOSED
tcp4 0 0 192.168.2.4.3128 *.* CLOSED
tcp4 0 0 192.168.250.2.3128 *.* CLOSED
tcp6 0 0 ::1.3128 *.* CLOSED
tcp4 0 0 127.0.0.1.3128 *.* CLOSED
2020/08/19 06:59:53 kid1| sendto FD 19: (13) Permission denied
2020/08/19 06:59:53 kid1| ipcCreate: CHILD: hello write test failed
Any ideas ?