[SOLVED] squid not happy about the update

Started by interfaSys, January 28, 2016, 10:53:22 PM

January 28, 2016, 10:53:22 PM Last Edit: January 29, 2016, 07:06:30 AM by franco
Squid can't shut up and is hammering /tmp/PHP_errors.log

Fatal error: Class 'Phalcon\DI\FactoryDefault' not found in /usr/local/opnsense/mvc/script/load_phalcon.php on line 32
2016/01/28 22:50:03 kid1| helperHandleRead: unexpected read from basicauthenticator #Hlpr39932, 120 bytes '
2016/01/28 22:50:03 kid1| helperOpenServers: Starting 1/5 'squid.auth-user.php' processes
2016/01/28 22:50:03 kid1| Starting new helpers
2016/01/28 22:50:03 kid1| Too few basicauthenticator processes are running (need 1/5)
2016/01/28 22:50:03 kid1| WARNING: basicauthenticator #Hlpr39931 exited


I've tried killing it, restarting it, nothing works. Is the code broken or is this a known problem with a workaround?

OK, so I had to disable the proxy client on my machine, stop squid and kill old PHP processes (just to be sure). At the next start, things appeared normal.

NOTICE: Authentication not applicable on intercepted requests.

Nope, it's back... Seems like squid has to be turned off for now.

Do you have any substantial evidence as to how to reproduce this? This includes squid configuration, I'm guessing you're using authentication....

I haven't made any changes to the authentication part. I've just added a user.
The config is pretty standard

#
# Automatic generated configuration for Squid.
# Do not edit this file manually.

# setup listen configuration
# transparent mode, listen on localhost
http_port 127.0.0.1:3128 intercept

http_port 1.2.3.1:3128

http_port 1.2.4.1:3128

http_port 1.2.5.1:3128


# Setup ftp proxy

# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
acl localnet src 1.2.3.1/24 # Possible internal network
acl localnet src 1.2.4.1/25 # Possible internal network
acl localnet src 1.2.5.1/26 # Possible internal network
# Default allow for local-link and private networks
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

# Default localhost and to_localhost acl's
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# ACL lists
# ACL - Whitelist - User defined (whiteList)
acl whiteList url_regex some\.site\.com


# ACL - Blacklist - User defined (blackList)
acl blackList url_regex (^|\.)101com\.com$
acl blackList url_regex (^|\.)101order\.com$
acl blackList url_regex (^|\.)123found\.com$

# ACL - Remote fetched Blacklist (remoteblacklist)

# ACL - Block browser/user-agent - User defined (browser)

# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
acl SSL_ports port 443 # https

# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
# ACL - Safe_ports
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Authentication Settings
# Configure Local User Authentication helper
auth_param basic program /usr/local/etc/inc/squid.auth-user.php
auth_param basic realm OPNsense proxy authentication
auth_param basic credentialsttl 2 hours
auth_param basic children 5
# ACL - Local Authorized Users - local_auth
acl local_auth proxy_auth REQUIRED


# ACL list (Allow) whitelist
http_access allow whiteList


#
# ACL list (Deny) blacklist
http_access deny blackList





# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# Access Permission configuration:
#
# Deny request from unauthorized clients
http_access allow local_auth

#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
http_access allow localnet

# ACL - localhost
http_access allow localhost

# Deny all other access to this proxy
http_access deny all

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache 30000 16 256

cache_mem 2048 MB

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Squid Options
# dns_v4_first reverses the order of preference to make Squid contact dual-stack websites over IPv4 first
dns_v4_first on


cache_store_log /var/log/squid/store.log
# URI handling with whitespaces (default=strip)
uri_whitespace strip
# X-Forwarded header handling (default=on)
forwarded_for on
# Disable squid logfile rotate to use system defaults
logfile_rotate 0

Ok, yes, you're using authentication, which calls Phalcon, which throws the error... auth_param basic program /usr/local/etc/inc/squid.auth-user.php

The error is pretty fundamental when something is completely wrong. Does a reboot settle this?

Worst case, try to force reinstall of all packages using

# pkg upgrade -f

While the error is genuine, we've never seen this linger in a production environment. Clients have always been able to work around these things, albeit not disrupting their services away from the GUI.

A reboot doesn't help.
I'll try to investigate why Phalcon isn't loaded when squid.auth-user.php is launched from squid.

# /usr/local/bin/php /usr/local/etc/inc/squid.auth-user.php

No problem, but

# sudo -usquid /usr/local/bin/php /usr/local/etc/inc/squid.auth-user.php

Fatal error: Class 'Phalcon\DI\FactoryDefault' not found in /usr/local/opnsense/mvc/script/load_phalcon.php on line 32


So that user doesn't seem to have access to phalcon.


# sudo -usquid /usr/local/bin/php -i | grep phalcon
#


Empty. Whereas with root
# /usr/local/bin/php -i | grep phalcon
phalcon
phalcon => enabled
phalcon.db.escape_identifiers => On => On
phalcon.db.force_casting => Off => Off
phalcon.orm.cast_on_hydrate => Off => Off
phalcon.orm.column_renaming => On => On
phalcon.orm.enable_implicit_joins => On => On
phalcon.orm.enable_literals => On => On
phalcon.orm.events => On => On
phalcon.orm.exception_on_failed_save => Off => Off
phalcon.orm.ignore_unknown_columns => Off => Off
phalcon.orm.late_state_binding => Off => Off
phalcon.orm.not_null_validations => On => On
phalcon.orm.virtual_foreign_keys => On => On


For root:
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/etc
Loaded Configuration File => /usr/local/etc/php.ini
Scan this dir for additional .ini files => /usr/local/etc/php
Additional .ini files parsed => /usr/local/etc/php/extensions.ini


But for squid:
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/etc
Loaded Configuration File => /usr/local/etc/php.ini
Scan this dir for additional .ini files => /usr/local/etc/php
Additional .ini files parsed => (none)


Permissions for "/usr/local/etc/php/extensions.ini"
4 -rw-------  1 root  wheel  487 Jan 29 00:10 /usr/local/etc/php/extensions.ini

It's impossible for squid to read that file...

So is it really my system which somehow has created the wrong permissions?




Nope this is a regression that's fixable. Thanks for debugging. :)

My bad actually, although unexpected: copying the file from /usr/local to /tmp changes the permissions from 644 to 600.

https://github.com/opnsense/core/commit/0086548dc42d4ec69e36162dd87463092667946b
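The failure above is a plain Unix permission problem: PHP, started by Squid as the unprivileged squid user, silently skips an extensions.ini it cannot read, so the phalcon extension is never loaded and the helper dies. The following is an added example, not OPNsense code and not part of this thread. It reproduces the kernel's owner/group/other read check so that the `ls -l` line posted above can be evaluated offline, and can also sweep a live PHP scan directory for files a given service account cannot read. The user name "squid" and its group set are assumptions for the demonstration; the sample `ls` line is copied from the post.

```python
"""Check whether an unprivileged service account can read PHP's extra .ini files.

Added example, not OPNsense code. Two modes:
  - offline: parse an `ls -l` line and apply the owner/group/other read check;
  - live:    walk a scan directory and report files `username` cannot read.
"""
import os
import stat

# Constructed input: the permissions line posted in the thread (mode 600, root:wheel).
SAMPLE_LS_LINE = "4 -rw-------  1 root  wheel  487 Jan 29 00:10 /usr/local/etc/php/extensions.ini"


def parse_ls_line(line):
    """Return (mode_string, owner, group, path) from an `ls -l` / `ls -ls` line.

    A leading block count (the "4" in the sample) is optional; the path is the last field.
    """
    fields = line.split()
    if fields and fields[0].isdigit():
        fields = fields[1:]
    mode_str, owner, group = fields[0], fields[2], fields[3]
    return mode_str, owner, group, fields[-1]


def mode_bits(mode_str):
    """Convert 'rwxr-x---' (with or without the leading type char) to an int like 0o750.

    's' and 't' in an execute slot still mean the bit is set; 'S' and 'T' mean it is not.
    """
    bits = 0
    for ch in mode_str[-9:]:
        bits = (bits << 1) | (1 if ch in "rwxst" else 0)
    return bits


def can_read(mode, owner, group, user, user_groups):
    """Unix DAC read check as the kernel applies it.

    Only one class applies: owner bits if the user owns the file (even if group/other
    would allow more), else group bits if the user is in the file's group, else other bits.
    root bypasses DAC entirely.
    """
    if user == "root":
        return True
    if user == owner:
        return bool(mode & stat.S_IRUSR)
    if group in user_groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_ls_line(line, user, user_groups):
    """Offline check: (path, readable?) for one `ls -l` line and one account."""
    mode_str, owner, group, path = parse_ls_line(line)
    return path, can_read(mode_bits(mode_str), owner, group, user, user_groups)


def unreadable_ini_files(scan_dir, username):
    """Live check: .ini files in scan_dir that `username` cannot read.

    Resolves the account's primary and supplementary groups from the local
    passwd/group database, so run it on the box whose PHP setup you are checking.
    """
    import grp
    import pwd

    pw = pwd.getpwnam(username)
    groups = {g.gr_name for g in grp.getgrall() if username in g.gr_mem}
    groups.add(grp.getgrgid(pw.pw_gid).gr_name)
    bad = []
    for name in sorted(os.listdir(scan_dir)):
        if not name.endswith(".ini"):
            continue
        path = os.path.join(scan_dir, name)
        st = os.stat(path)
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:  # unknown uid/gid: treat as not ours, only 'other' bits count
            owner, group = "", ""
        if not can_read(stat.S_IMODE(st.st_mode), owner, group, username, groups):
            bad.append(path)
    return bad


if __name__ == "__main__":
    # The broken state from the thread, then the state after the fix (0644).
    path, ok = check_ls_line(SAMPLE_LS_LINE, "squid", {"squid"})
    print(f"{path}: readable by squid = {ok}")
    fixed = SAMPLE_LS_LINE.replace("-rw-------", "-rw-r--r--")
    print(f"{path} after chmod 644: readable by squid = {check_ls_line(fixed, 'squid', {'squid'})[1]}")
    # On a real OPNsense box: python3 thisfile.py -> then
    # print(unreadable_ini_files("/usr/local/etc/php", "squid"))
```

The offline mode is enough to confirm the diagnosis from the thread: a 0600 root:wheel file is unreadable by squid but, as the `php -i` output shows, readable by root, which is exactly why the helper works from a root shell and fails under Squid. The live mode is the check to run after any package upgrade that rewrites files under the PHP scan directory, since PHP reports an unreadable extra .ini only as "Additional .ini files parsed => (none)" rather than as an error.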