OPNsense Forum
English Forums => Web Proxy Filtering and Caching => Topic started by: echo_123 on August 11, 2020, 05:00:39 pm
-
Squid unreachable, daemon ports in CLOSED state, suid errors on cache.log
hey everyone,
I am unable to use Squid (apparently after the upgrade OPNsense 20.7). I do only use the Squid Proxy as a simple caching proxy for some development systems, two days ago I've noticed it was not working.
I also have explicit firewall rules to allow all clients on network 10.1.0.0/24 to access the proxy ports (3128/tcp and 2121/tcp) on OPNsense. ACLs are also present on squid configuration to allow 10.1.0.0/24 to access the proxy.
Upon checking its service status on OPNsense console, I have (something new to me, never seen before!): both the http port 3128 and ftp proxy port 2121 have its state listed as 'CLOSED'
On OPNsense GUI the squid service can be started and stopped normally.
----
[root@OPNsense ~]# netstat -la4n -ptcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.1.0.1.443 10.1.0.149.59862 ESTABLISHED
tcp4 0 0 10.1.0.1.2121 *.* CLOSED
tcp4 0 0 10.1.0.1.3128 *.* CLOSED
----
Restarting the daemon works (apparently fine, config is ok)
Manually setting the 'debug_options ALL,3' directly in the file '/usr/local/etc/squid/squid.conf' also produces debug output that hints on problems with suid (setuid ?):
----
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(577) enter_suid: enter_suid: PID 32115 taking root privileges
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(581) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted
----
Are there maybe any kind of rights problems, with the user squid not being allowed to setuid or maybe being unable a necessary folder/path as squid?
The squid.conf is attached.
Many thanks for any pointers on how to solve this!
Regards
J.
--
Additional Info:
fstat produces the following output
----
[root@OPNsense ~]# fstat|grep squid
squid unlinkd 90178 text / 5062157 -r-xr-xr-x 106376 r
squid unlinkd 90178 wd / 3934321 drwxr-x--- 1024 r
squid unlinkd 90178 root / 2 drwxr-xr-x 512 r
squid unlinkd 90178 0* pipe fffff80003bf7be0 <-> fffff80003bf7d48 0 rw
squid unlinkd 90178 1* pipe fffff80003bf7460 <-> fffff80003bf72f8 0 rw
squid unlinkd 90178 2 /dev 43 crw-rw-rw- null rw
squid squid 32115 text / 4976135 -r-xr-xr-x 7576448 r
squid squid 32115 wd / 3934321 drwxr-x--- 1024 r
squid squid 32115 root / 2 drwxr-xr-x 512 r
squid squid 32115 0 /dev 43 crw-rw-rw- null rw
squid squid 32115 1 /dev 43 crw-rw-rw- null rw
squid squid 32115 2 /dev 43 crw-rw-rw- null rw
squid squid 32115 3 / 3772252 -rw-r--r-- 2458600 rw
squid squid 32115 4 /dev 43 crw-rw-rw- null rw
squid squid 32115 5* internet6 dgram udp fffff800a5301b70
squid squid 32115 6
squid squid 32115 7 / 3772252 -rw-r--r-- 2458600 rw
squid squid 32115 8* internet dgram udp fffff800a53015b8
squid squid 32115 9 - 3772219 -rw-r--r-- 0 w
squid squid 32115 10* pipe fffff80003bf72f8 <-> fffff80003bf7460 0 rw
squid squid 32115 11* pipe fffff80003bf7460 <-> fffff80003bf72f8 0 rw
squid squid 32115 12* pipe fffff80003bf7be0 <-> fffff80003bf7d48 0 rw
squid squid 32115 13* pipe fffff80003bf7d48 <-> fffff80003bf7be0 0 rw
squid squid 32115 14 - 3772275 -rw-r--r-- 0 w
squid squid 32115 15 - 3934065 -rwxr-x--- 72 w
squid squid 32115 16* internet stream tcp fffff800a874e000
squid squid 32115 17* internet stream tcp fffff800139df7a0
squid squid 32115 18* internet6 dgram udp fffff80013924d58
squid squid 32115 19* internet6 dgram udp fffff80013922b70
squid squid 3466 text / 4976135 -r-xr-xr-x 7576448 r
squid squid 3466 wd / 3772526 drwxrwx--- 512 r
squid squid 3466 root / 2 drwxr-xr-x 512 r
squid squid 3466 0 /dev 43 crw-rw-rw- null rw
squid squid 3466 1 /dev 43 crw-rw-rw- null rw
squid squid 3466 2 /dev 43 crw-rw-rw- null rw
squid squid 3466 3 / 3772252 -rw-r--r-- 2458600 rw
squid squid 3466 4 /dev 43 crw-rw-rw- null rw
squid squid 3466 5 /var/run/squid/cf__metadata.shm -rw------- 8 rw
squid squid 3466 6 /var/run/squid/cf__queues.shm -rw------- 8216 rw
squid squid 3466 7 /var/run/squid/cf__readers.shm -rw------- 36 rw
----
sockstat produces the following output
----
[root@OPNsense ~]# sockstat -l4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
squid squid 32115 5 udp46 *:50331 *:*
squid squid 32115 8 udp4 *:52387 *:*
squid squid 32115 16 tcp4 10.1.0.1:3128 *:*
squid squid 32115 17 tcp4 10.1.0.1:2121 *:*
[..]
----
a section of cache.log
----
2020/08/11 14:20:52.610 kid1| 16,3| cache_manager.cc(66) registerProfile: registered profile: events
2020/08/11 14:20:52.610 kid1| 80,2| wccp.cc(113) wccpConnectionOpen: WCCPv1 disabled.
2020/08/11 14:20:52.610 kid1| 80,2| wccp2.cc(961) wccp2ConnectionOpen: WCCPv2 Disabled. No IPv4 Router(s) configured.
2020/08/11 14:20:52.610 kid1| 33,2| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x4a998678a0 [call4]
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(577) enter_suid: enter_suid: PID 32115 taking root privileges
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(581) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: Attempt open socket for: 10.1.0.1:3128
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=10.1.0.1:3128 remote=[::] FD 16 flags=1 : family=2, type=1, protocol=6
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 16 HTTP Socket
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(506) leave_suid: leave_suid: PID 32115 called
2020/08/11 14:20:52.610 kid1| 54,3| StartListening.cc(58) StartListening: opened listen local=10.1.0.1:3128 remote=[::] FD 16 flags=9
2020/08/11 14:20:52.610 kid1| 33,2| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.1.0.1:3128 remote=[::] FD 16 flags=9, err=0, HTTP Socket port=0x4a99867900) [call4]
2020/08/11 14:20:52.610 kid1| 33,2| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x4a99867940 [call6]
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(577) enter_suid: enter_suid: PID 32115 taking root privileges
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(581) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: Attempt open socket for: 10.1.0.1:2121
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=10.1.0.1:2121 remote=[::] FD 17 flags=1 : family=2, type=1, protocol=6
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 17 FTP Socket
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(506) leave_suid: leave_suid: PID 32115 called
2020/08/11 14:20:52.610 kid1| 54,3| StartListening.cc(58) StartListening: opened listen local=10.1.0.1:2121 remote=[::] FD 17 flags=9
2020/08/11 14:20:52.610 kid1| 33,2| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.1.0.1:2121 remote=[::] FD 17 flags=9, err=0, FTP Socket port=0x4a998679a0) [call6]
2020/08/11 14:20:52.610 kid1| HTCP Disabled.
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: Attempt open socket for: [::1]
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=[::1] remote=[::] FD 18 flags=1 : family=28, type=2, protocol=0
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 18 Pinger Socket
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: Attempt open socket for: [::1]
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=[::1] remote=[::] FD 19 flags=1 : family=28, type=2, protocol=0
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 19 Pinger Socket
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(204) ipcCreate: ipcCreate: prfd FD 19
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(205) ipcCreate: ipcCreate: pwfd FD 19
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(206) ipcCreate: ipcCreate: crfd FD 18
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(207) ipcCreate: ipcCreate: cwfd FD 18
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(221) ipcCreate: ipcCreate: FD 19 sockaddr [::1]:60912
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(238) ipcCreate: ipcCreate: FD 18 sockaddr [::1]:40241
2020/08/11 14:20:52.613 kid1| 5,3| comm.cc(859) _comm_close: comm_close: start closing FD 18
2020/08/11 14:20:52.613 kid1| 5,3| comm.cc(546) commUnsetFdTimeout: Remove timeout for FD 18
2020/08/11 14:20:52.613 kid1| 21,3| tools.cc(506) leave_suid: leave_suid: PID 93164 called
2020/08/11 14:20:52.613 kid1| 21,3| tools.cc(606) no_suid: no_suid: PID 93164 giving up root privileges forever
2020/08/11 14:20:52.613 kid1| sendto FD 18: (13) Permission denied
2020/08/11 14:20:52.613 kid1| ipcCreate: CHILD: hello write test failed
----
[/font]
-
Resolved the issue by applying a configuration backup taken from before the upgrade. Restore config for ALL system. Squid is up and running. Cannot tell what caused the issue. Thank you.
-
Same Problem here. On one of my OPN Router squid does not start as it should und sockets stay in closed state.
Version 20.7.
netstat -an | grep 3128
tcp4 0 0 10.40.21.1.3128 *.* CLOSED
tcp4 0 0 192.168.250.251.3128 *.* CLOSED
tcp4 0 0 192.168.250.250.3128 *.* CLOSED
tcp4 0 0 192.168.250.244.3128 *.* CLOSED
tcp4 0 0 192.168.85.2.3128 *.* CLOSED
tcp4 0 0 192.168.2.4.3128 *.* CLOSED
tcp4 0 0 192.168.250.2.3128 *.* CLOSED
tcp6 0 0 ::1.3128 *.* CLOSED
tcp4 0 0 127.0.0.1.3128 *.* CLOSED
2020/08/19 06:59:53 kid1| sendto FD 19: (13) Permission denied
2020/08/19 06:59:53 kid1| ipcCreate: CHILD: hello write test failed
Any ideas ?