Squid 6.5 keeps crashing when Parent Proxy is on

Started by Kreee, November 21, 2023, 04:21:59 AM

November 21, 2023, 04:21:59 AM Last Edit: November 21, 2023, 06:16:00 AM by Kreee
Hi all,

I recently updated OPNsense to 23.7.8_1 and found that Squid kept crashing when Parent Proxy is on. After I turned off the Parent Proxy, Squid stopped crashing.

I have set up Transparent proxy, SSL inspection, Log SNI information only, Access Control List/Allowed Subnets, and Parent Proxy (pointing to a local HTTP proxy server). This config was working on the old version of Squid (5.9).

Here are the logs (Cache Log) from when Parent Proxy is on, before the crash:

2023-11-21T11:04:44 squid | Removing PID file (/var/run/squid/squid.pid)
2023-11-21T11:04:44 squid kid1| FATAL: assertion failed: peer_digest.cc:399: "fetch->pd && receivedData.data"
2023-11-21T11:04:43 squid pinger| ICMPv6 socket opened
2023-11-21T11:04:43 squid pinger| ICMP socket opened.
2023-11-21T11:04:43 squid pinger| Initialising ICMP pinger ...
listening port: 192.168.3.1:3128
2023-11-21T11:04:43 squid kid1| Accepting SSL bumped HTTP Socket connections at conn21 local=192.168.3.1:3128 remote=[::] FD 26 flags=9
listening port: [::1]:3129
2023-11-21T11:04:43 squid kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at conn19 local=[::1]:3129 remote=[::] FD 25 flags=41
listening port: 127.0.0.1:3129
2023-11-21T11:04:43 squid kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at conn17 local=127.0.0.1:3129 remote=[::] FD 24 flags=41
listening port: [::1]:3128
2023-11-21T11:04:43 squid kid1| Accepting NAT intercepted SSL bumped HTTP Socket connections at conn15 local=[::1]:3128 remote=[::] FD 23 flags=41
listening port: 127.0.0.1:3128
2023-11-21T11:04:43 squid kid1| Accepting NAT intercepted SSL bumped HTTP Socket connections at conn13 local=127.0.0.1:3128 remote=[::] FD 22 flags=41
2023-11-21T11:04:43 squid kid1| Adaptation support is off.
2023-11-21T11:04:43 squid kid1| Squid plugin modules loaded: 0
2023-11-21T11:04:43 squid kid1| Configuring Parent 192.168.3.10
2023-11-21T11:04:43 squid kid1| Pinger socket opened on FD 28
2023-11-21T11:04:43 squid kid1| HTCP Disabled.
2023-11-21T11:04:43 squid kid1| HTCP Disabled.
2023-11-21T11:04:43 squid kid1| Finished loading MIME types and icons.
2023-11-21T11:04:43 squid kid1| Set Current Directory to /var/squid/cache
2023-11-21T11:04:43 squid kid1| Using Least Load store dir selection
2023-11-21T11:04:43 squid kid1| Max Swap size: 0 KB
2023-11-21T11:04:43 squid kid1| Max Mem size: 262144 KB
2023-11-21T11:04:43 squid kid1| Using 8192 Store buckets
2023-11-21T11:04:43 squid kid1| Target number of buckets: 1008
2023-11-21T11:04:43 squid kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2023-11-21T11:04:43 squid kid1| Logfile: opening log stdio:/var/log/squid/store.log
2023-11-21T11:04:43 squid kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2023-11-21T11:04:43 squid kid1| Logfile: opening log stdio:/var/log/squid/access.log
2023-11-21T11:04:43 squid kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/error-details.txt': (2) No such file or directory
2023-11-21T11:04:43 squid kid1| helperOpenServers: Starting 5/5 'security_file_certgen' processes
2023-11-21T11:04:43 squid kid1| Adding domain gate.example.com from /etc/resolv.conf
2023-11-21T11:04:43 squid kid1| Adding nameserver 192.168.3.1 from /etc/resolv.conf
2023-11-21T11:04:43 squid kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2023-11-21T11:04:43 squid kid1| Adding domain gate.example.com from /etc/resolv.conf
2023-11-21T11:04:43 squid kid1| DNS IPv4 socket created at 0.0.0.0, FD 9
2023-11-21T11:04:43 squid kid1| DNS IPv6 socket created at [::], FD 8
2023-11-21T11:04:43 squid kid1| Initializing IP Cache...
2023-11-21T11:04:43 squid kid1| With 116883 file descriptors available
2023-11-21T11:04:43 squid kid1| Process Roles: worker
2023-11-21T11:04:43 squid kid1| Process ID 22219
2023-11-21T11:04:43 squid kid1| Service Name: squid
2023-11-21T11:04:43 squid kid1| Starting Squid Cache version 6.5 for amd64-portbld-freebsd13.2...
2023-11-21T11:04:43 squid kid1| Set Current Directory to /var/squid/cache
2023-11-21T11:04:43 squid kid1| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2023-11-21T11:04:43 squid kid1| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2023-11-21T11:04:43 squid kid1| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2023-11-21T11:04:43 squid kid1| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2023-11-21T11:04:43 squid kid1| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2023-11-21T11:04:43 squid kid1| WARNING: empty ACL: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
2023-11-21T11:04:43 squid kid1| Disabling Authentication on port [::1]:3129 (interception enabled)
2023-11-21T11:04:43 squid kid1| Starting Authentication on port [::1]:3129
2023-11-21T11:04:43 squid kid1| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2023-11-21T11:04:43 squid kid1| Starting Authentication on port 127.0.0.1:3129
2023-11-21T11:04:43 squid kid1| Disabling Authentication on port [::1]:3128 (interception enabled)
2023-11-21T11:04:43 squid kid1| Starting Authentication on port [::1]:3128
2023-11-21T11:04:43 squid kid1| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2023-11-21T11:04:43 squid kid1| Starting Authentication on port 127.0.0.1:3128
2023-11-21T11:04:43 squid kid1| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)


Thanks in advance.
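
As an added example (not part of the original post, and not OPNsense or Squid code), the following Python scans cache-log lines in the format shown above for repeated FATAL assertion failures at the same source location, which is how a crash loop like this one appears in the log. The sample lines other than the assertion text and the 11:04:43/11:04:44 entries are constructed, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Line shape taken from the cache log in the post:
#   <timestamp> squid kid<N>| FATAL: assertion failed: <file>:<line>: "<expr>"
ASSERT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+squid\s+\S+?\|\s+'
    r'FATAL: assertion failed: (?P<file>[^:\s]+):(?P<line>\d+): "(?P<expr>.*)"\s*$'
)
START_RE = re.compile(
    r'^(?P<ts>\S+)\s+squid\s+\S+?\|\s+Starting Squid Cache version (?P<ver>\S+)'
)

def summarize(lines):
    """Return (assertions, starts): a Counter keyed by (file, line, expr)
    and a list of (timestamp, version) for every worker start seen."""
    assertions, starts = Counter(), []
    for raw in lines:
        line = raw.strip()
        m = ASSERT_RE.match(line)
        if m:
            assertions[(m["file"], int(m["line"]), m["expr"])] += 1
            continue
        m = START_RE.match(line)
        if m:
            starts.append((m["ts"], m["ver"]))
    return assertions, starts

def crash_loop(lines, threshold=3):
    """Assertion sites hit at least `threshold` times (assumed cut-off),
    i.e. a worker that keeps dying at the same spot after each restart."""
    assertions, _ = summarize(lines)
    return [site for site, n in assertions.items() if n >= threshold]

# Constructed sample, newest entry first like the log in the post.
# Only the 11:04:43 / 11:04:44 entries are copied from it.
A = 'FATAL: assertion failed: peer_digest.cc:399: "fetch->pd && receivedData.data"'
S = "Starting Squid Cache version 6.5 for amd64-portbld-freebsd13.2..."
SAMPLE = [
    f"2023-11-21T11:04:56 squid kid1| {A}",
    f"2023-11-21T11:04:55 squid kid1| {S}",
    f"2023-11-21T11:04:50 squid kid1| {A}",
    f"2023-11-21T11:04:49 squid kid1| {S}",
    f"2023-11-21T11:04:44 squid kid1| {A}",
    "2023-11-21T11:04:43 squid kid1| Configuring Parent 192.168.3.10",
    f"2023-11-21T11:04:43 squid kid1| {S}",
]

if __name__ == "__main__":
    for site in crash_loop(SAMPLE):
        print("crash loop at %s:%d (%s)" % site)
```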

This bug is already handled / fixed by squid developers.

https://bugs.squid-cache.org/show_bug.cgi?id=5318

I have the same problem here.

Thanks for the report. Can you try this version?

https://github.com/opnsense/ports/commit/a38608380

# opnsense-revert -z squid


Cheers,
Franco

Thx Franco, it seems to run now as it should. The service has been running for 30 minutes now, whereas it crashed after a few seconds over the last few days. I'll keep an eye on it.

Ok, good start. If I get another confirm I can hotfix this for 23.7.9.


Cheers,
Franco