OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: interfaSys on January 28, 2016, 10:53:22 pm

Title: [SOLVED] squid not happy about the update
Post by: interfaSys on January 28, 2016, 10:53:22 pm
Squid can't shut up and is hammering
Code:
/tmp/PHP_errors.log
Code:
Fatal error: Class 'Phalcon\DI\FactoryDefault' not found in /usr/local/opnsense/mvc/script/load_phalcon.php on line 32
2016/01/28 22:50:03 kid1| helperHandleRead: unexpected read from basicauthenticator #Hlpr39932, 120 bytes '
2016/01/28 22:50:03 kid1| helperOpenServers: Starting 1/5 'squid.auth-user.php' processes
2016/01/28 22:50:03 kid1| Starting new helpers
2016/01/28 22:50:03 kid1| Too few basicauthenticator processes are running (need 1/5)
2016/01/28 22:50:03 kid1| WARNING: basicauthenticator #Hlpr39931 exited

I've tried killing it, restarting it, nothing works. Is the code broken or is this a known problem with a workaround?
Title: Re: squid not happy about the update
Post by: interfaSys on January 28, 2016, 11:22:29 pm
OK, so I had to disable the proxy client on my machine, stop squid and kill old PHP processes (just to be sure). At the next start, things appeared normal.

Code:
NOTICE: Authentication not applicable on intercepted requests.
Title: Re: squid not happy about the update
Post by: interfaSys on January 28, 2016, 11:46:45 pm
Nope, it's back... Seems like squid has to be turned off for now.
Title: Re: squid not happy about the update
Post by: franco on January 29, 2016, 12:31:03 am
Do you have any substantial evidence as to how to reproduce this? This includes the squid configuration; I'm guessing you're using authentication....
Title: Re: squid not happy about the update
Post by: interfaSys on January 29, 2016, 12:49:01 am
I haven't made any changes to the authentication part. I've just added a user.
The config is pretty standard

Code:
#
# Automatic generated configuration for Squid.
# Do not edit this file manually.

# setup listen configuration
# transparent mode, listen on localhost
http_port 127.0.0.1:3128 intercept

http_port 1.2.3.1:3128

http_port 1.2.4.1:3128

http_port 1.2.5.1:3128


# Setup ftp proxy

# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
acl localnet src 1.2.3.1/24 # Possible internal network
acl localnet src 1.2.4.1/25 # Possible internal network
acl localnet src 1.2.5.1/26 # Possible internal network
# Default allow for local-link and private networks
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

# Default localhost and to_localhost acl's
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# ACL lists
# ACL - Whitelist - User defined (whiteList)
acl whiteList url_regex some\.site\.com


# ACL - Blacklist - User defined (blackList)
acl blackList url_regex (^|\.)101com\.com$
acl blackList url_regex (^|\.)101order\.com$
acl blackList url_regex (^|\.)123found\.com$

# ACL - Remote fetched Blacklist (remoteblacklist)

# ACL - Block browser/user-agent - User defined (browser)

# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
acl SSL_ports port 443 # https

# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
# ACL - Safe_ports
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Authentication Settings
# Configure Local User Authentication helper
auth_param basic program /usr/local/etc/inc/squid.auth-user.php
auth_param basic realm OPNsense proxy authentication
auth_param basic credentialsttl 2 hours
auth_param basic children 5
# ACL - Local Authorized Users - local_auth
acl local_auth proxy_auth REQUIRED


# ACL list (Allow) whitelist
# Evaluated before every source and authentication rule: any client that can
# reach a listener may fetch URLs matching the (unanchored) regex above.
http_access allow whiteList


#
# ACL list (Deny) blacklist
http_access deny blackList





# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# Access Permission configuration:
#
# Allow authenticated users. Note that "http_access allow localnet" follows
# below, so clients on those subnets are admitted even without credentials;
# only sources that no later rule allows are actually forced to authenticate.
http_access allow local_auth

#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
http_access allow localnet

# ACL - localhost
http_access allow localhost

# Deny all other access to this proxy
http_access deny all

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache 30000 16 256

cache_mem 2048 MB

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Squid Options
# dns_v4_first reverses the order of preference to make Squid contact dual-stack websites over IPv4 first
dns_v4_first on


cache_store_log /var/log/squid/store.log
# URI handling with whitespace (default=strip)
uri_whitespace strip
# X-Forwarded header handling (default=on)
forwarded_for on
# Disable squid logfile rotate to use system defaults
logfile_rotate 0
Title: Re: squid not happy about the update
Post by: franco on January 29, 2016, 01:08:20 am
Ok, yes, you're using authentication, which calls Phalcon, which throws the error... auth_param basic program /usr/local/etc/inc/squid.auth-user.php

The error is pretty fundamental when something is completely wrong. Does a reboot settle this?

Worst case, try to force reinstall of all packages using

# pkg upgrade -f

While the error is genuine, we've never seen this linger in a production environment. Clients have always been able to work around these things, albeit not disrupting their services away from the GUI.
Title: Re: squid not happy about the update
Post by: interfaSys on January 29, 2016, 01:16:19 am
A reboot doesn't help.
I'll try to investigate why Phalcon isn't loaded when squid.auth-user.php is launched from squid.
Title: Re: squid not happy about the update
Post by: interfaSys on January 29, 2016, 02:12:14 am
Code:
# /usr/local/bin/php /usr/local/etc/inc/squid.auth-user.php
No problem, but

Code:
# sudo -usquid /usr/local/bin/php /usr/local/etc/inc/squid.auth-user.php

Fatal error: Class 'Phalcon\DI\FactoryDefault' not found in /usr/local/opnsense/mvc/script/load_phalcon.php on line 32

So that user doesn't seem to have access to phalcon.


Code:
# sudo -usquid /usr/local/bin/php -i | grep phalcon
#

Empty. Whereas with root
Code:
# /usr/local/bin/php -i | grep phalcon
phalcon
phalcon => enabled
phalcon.db.escape_identifiers => On => On
phalcon.db.force_casting => Off => Off
phalcon.orm.cast_on_hydrate => Off => Off
phalcon.orm.column_renaming => On => On
phalcon.orm.enable_implicit_joins => On => On
phalcon.orm.enable_literals => On => On
phalcon.orm.events => On => On
phalcon.orm.exception_on_failed_save => Off => Off
phalcon.orm.ignore_unknown_columns => Off => Off
phalcon.orm.late_state_binding => Off => Off
phalcon.orm.not_null_validations => On => On
phalcon.orm.virtual_foreign_keys => On => On

For root:
Code:
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/etc
Loaded Configuration File => /usr/local/etc/php.ini
Scan this dir for additional .ini files => /usr/local/etc/php
Additional .ini files parsed => /usr/local/etc/php/extensions.ini

But for squid:
Code:
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/etc
Loaded Configuration File => /usr/local/etc/php.ini
Scan this dir for additional .ini files => /usr/local/etc/php
Additional .ini files parsed => (none)

Permissions for "/usr/local/etc/php/extensions.ini"
Code:
4 -rw-------  1 root  wheel  487 Jan 29 00:10 /usr/local/etc/php/extensions.ini
It's impossible for squid to read that file...

So is it really my system which somehow has created the wrong permissions?



Title: Re: squid not happy about the update
Post by: franco on January 29, 2016, 06:51:41 am
Nope this is a regression that's fixable. Thanks for debugging. :)
Title: Re: squid not happy about the update
Post by: franco on January 29, 2016, 07:06:19 am
My bad actually, although unexpected: copying the file from /usr/local to /tmp changes the permissions from 644 to 600.

https://github.com/opnsense/core/commit/0086548dc42d4ec69e36162dd87463092667946b
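The failure mode debugged in the two posts above (a PHP ini fragment that root can read but the unprivileged user running the Squid auth helper cannot) and the mechanism franco describes (the file changing from 644 to 600 when copied through /tmp) can be reproduced and checked without PHP or a squid account. The script below is an added example, not code from this thread or from OPNsense. It assumes a throwaway directory standing in for /usr/local/etc/php, and its `regenerate_via_tmp_copy` function is a hypothetical stand-in for the copy step in the regression (a plain `cp` under a restrictive umask), not the actual OPNsense code path.

```shell
#!/bin/sh
# Added example, not from the thread or OPNsense. Reproduces a PHP ini
# fragment that is unreadable by the helper's unprivileged user and shows
# a permission check that catches it. Assumption (hypothetical): a temp
# directory stands in for /usr/local/etc/php; no PHP or squid user needed.

# other_readable FILE
# Returns 0 if the "other" read bit is set, 1 otherwise. Parses the mode
# string on purpose instead of using `test -r`: as root, `test -r` succeeds
# on any file, which is why the root run of `php -i` above looked fine while
# the helper running as squid failed.
other_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_ini_dir DIR
# Walks the directory PHP scans for additional .ini files, prints one line
# per file and returns 1 if any file is unreadable by a non-owner user
# (the situation squid.auth-user.php is in when Squid starts it).
check_ini_dir() {
    rc=0
    for f in "$1"/*.ini; do
        [ -e "$f" ] || continue
        if other_readable "$f"; then
            echo "ok          $f"
        else
            echo "UNREADABLE  $f (helper user cannot read it; its extensions will not load)"
            rc=1
        fi
    done
    return $rc
}

# make_fixture
# Creates a stand-in ini directory holding a package-style 0644 file and
# prints the directory path.
make_fixture() {
    d=$(mktemp -d -t inicheck.XXXXXX)
    printf 'extension=phalcon.so\n' > "$d/extensions.ini"
    chmod 644 "$d/extensions.ini"
    echo "$d"
}

# regenerate_via_tmp_copy DIR
# Hypothetical reproduction of the regression: regenerate the file by copying
# it through a temp name under a restrictive umask. cp without -p creates the
# destination with the source mode masked by umask, so 0644 becomes 0600, and
# the rename carries that mode into place.
regenerate_via_tmp_copy() {
    ( umask 077; cp "$1/extensions.ini" "$1/extensions.ini.tmp" )
    mv "$1/extensions.ini.tmp" "$1/extensions.ini"
}

# fix_ini_dir DIR
# Remedy: restore world-readable mode on the fragments.
fix_ini_dir() {
    chmod 644 "$1"/*.ini
}

# Demo run, only when invoked as `sh inicheck.sh demo`.
if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    echo "after install:";      check_ini_dir "$d" || true
    regenerate_via_tmp_copy "$d"
    echo "after regeneration:"; check_ini_dir "$d" || true
    fix_ini_dir "$d"
    echo "after chmod:";        check_ini_dir "$d"
    rm -rf "$d"
fi
```

On a real box, point `check_ini_dir` at the directory reported by `php -i` under "Scan this dir for additional .ini files", and run it as an unprivileged user or compare its output with `sudo -u squid php -i | grep phalcon` as done above; the mode-string check is what lets the script disagree with a root shell.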
Title: Re: [SOLVED] squid not happy about the update
Post by: interfaSys on January 29, 2016, 10:18:43 am
Thanks!