squid -k parse Requiring client certificates. Segmentation fault (core dumped)

Started by bcookatpcsd, February 07, 2024, 07:18:50 PM

OPNsense 24.1.1-amd64

no updates.. available.. squid migrated to package

# pkg info | grep squid
os-squid-1.0                   Squid is a caching proxy for the web
squid-6.6                      HTTP Caching Proxy
squid-langpack-7.0.0.20230225  Language-specific error documents for Squid web cache

machine up 6 days..

6 days 16:03:55

tried to enable logging to work through a problem with someone..

squid won't restart..

here's another machine with the same issue..

2024/02/07 13:12:46| Processing: error_directory /usr/local/etc/squid/errors/local
2024/02/07 13:12:46| Requiring client certificates.
Segmentation fault (core dumped)
root@OPNsense:~ # uptime
1:15PM  up 6 days,  8:11, 1 user, load averages: 0.36, 0.54, 0.56
root@OPNsense:~ # ps auxwww | grep squid
squid   19995   1.9 11.9 2310112 1974192  -  S    Thu05     245:03.09 (squid-1) --kid squid-1 -f /usr/local/etc/squid/squid.conf (squid)
squid   18901   0.0  0.1  148980   18124  -  Is   Thu05       0:00.00 /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf
root    78055   0.0  0.0   12720    2388  0  S+   13:15       0:00.00 grep squid

anyone else?

can you run a 'squid -k parse'?

Thanks in advance..

I pulled down gost from github.. there is no rust-shadowsocks freebsd port ..

./gost-freebsd-amd64-2.11.5 -L=10.20.245.10:3128

I changed squid to run on 3129 for the time being..

for anyone else interested..

netstat -an | grep 3128 | wc -l
    12706

things are at least moving again..

root@OPNsense:/var/log/squid # ps auxwww | grep squid
squid           56643   0.0  0.1  149112  19228  -  Is   13:28       0:00.00 /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf
squid           57516   0.0  0.3  292964  52924  -  S    13:28       0:00.17 (squid-1) --kid squid-1 -f /usr/local/etc/squid/squid.conf (squid)
root            69827   0.0  0.0   12720   2392  1  S+   13:35       0:00.00 grep squid
root@OPNsense:/var/log/squid # grep pid /usr/local/etc/squid/squid.conf
root@OPNsense:/var/log/squid # grep pid /usr/local/etc/squid/squid.conf.
squid.conf.documented  squid.conf.sample
root@OPNsense:/var/log/squid # grep pid /usr/local/etc/squid/squid.conf.documented
#       <pid>'.
#  TAG: pid_filename
#       Note: If you change this setting, you need to set squid_pidfile
# pid_filename /var/run/squid/squid.pid
root@OPNsense:/var/log/squid # cat /var/run/squid/squid.pid
56643
root@OPNsense:/var/log/squid # kill -9 56643 57516
root@OPNsense:/var/log/squid # ps auxwww | grep squid
root            80421   0.0  0.0   12720   2388  1  S+   13:36       0:00.00 grep squid
root@OPNsense:/var/log/squid # rm /var/run/squid/squid.pid


root@OPNsense:/var/log/squid # /usr/local/etc/rc.d/squid start
Segmentation fault
Starting squid.
Segmentation fault (core dumped)
/usr/local/etc/rc.d/squid: WARNING: failed to start squid
root@OPNsense:/var/log/squid # ps auxwww | grep squid
squid           67739   1.4  0.3  292964  52868  -  S    13:36       0:00.14 (squid-1) --kid squid-1 -f /usr/local/etc/squid/squid.conf (squid)
squid           66736   0.6  0.1  149112  19228  -  Ss   13:36       0:00.00 /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf
root            93375   0.0  0.0   12720   2384  1  S+   13:36       0:00.00 grep squid
root@OPNsense:/var/log/squid # cat /var/run/squid/squid.pid
66736
root@OPNsense:/var/log/squid #


:o

I have the same problem with 24.1.1.
On 23.7.10 all works fine.


root@firewall:/usr/local/etc/squid # squid -k parse
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2024/02/08 10:36:31| Processing: http_port 10.10.2.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: http_port 10.30.2.254:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: http_port 10.10.50.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: http_port 10.10.51.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 4MB
2024/02/08 10:36:31| Processing: sslcrtd_children 5
2024/02/08 10:36:31| Processing: tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
2024/02/08 10:36:31| Processing: acl bump_step1 at_step SslBump1
2024/02/08 10:36:31| Processing: acl bump_step2 at_step SslBump2
2024/02/08 10:36:31| Processing: acl bump_step3 at_step SslBump3
2024/02/08 10:36:31| Processing: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
2024/02/08 10:36:31| WARNING: empty ACL: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
2024/02/08 10:36:31| Processing: ssl_bump peek bump_step1 all
2024/02/08 10:36:31| Processing: ssl_bump splice all
2024/02/08 10:36:31| Processing: ssl_bump peek bump_step2 all
2024/02/08 10:36:31| Processing: ssl_bump splice bump_step3 all
2024/02/08 10:36:31| Processing: ssl_bump bump
2024/02/08 10:36:31| Processing: sslproxy_cert_error deny all
2024/02/08 10:36:31| Processing: acl ftp proto FTP
2024/02/08 10:36:31| Processing: http_access allow ftp
2024/02/08 10:36:31| Processing: acl localnet src 10.10.2.0/24 # Possible internal network (interfaces v4)
2024/02/08 10:36:31| Processing: acl localnet src 10.30.2.254/32 # Possible internal network (aliases)
2024/02/08 10:36:31| Processing: acl localnet src 10.10.50.0/24 # Possible internal network (interfaces v4)
2024/02/08 10:36:31| Processing: acl localnet src 10.10.51.0/24 # Possible internal network (interfaces v4)
2024/02/08 10:36:31| Processing: acl localnet src fc00::/7       # RFC 4193 local private network range
2024/02/08 10:36:31| Processing: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
2024/02/08 10:36:31| Processing: acl whiteList url_regex windowsupdate\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex \.windowsupdate\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex mp\.microsoft\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex \.mp\.microsoft\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex metaservices\.microsoft\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex \.metaservices\.microsoft\.com
2024/02/08 10:36:31| Processing: acl remoteblacklist_UT1 dstdomain "/usr/local/etc/squid/acl/UT1"
2024/02/08 10:36:31| Processing: acl SSL_ports port 443 # https
2024/02/08 10:36:31| Processing: acl Safe_ports port 80 # http
2024/02/08 10:36:31| Processing: acl Safe_ports port 21 # ftp
2024/02/08 10:36:31| Processing: acl Safe_ports port 443 # https
2024/02/08 10:36:31| Processing: acl Safe_ports port 70 # gopher
2024/02/08 10:36:31| Processing: acl Safe_ports port 210 # wais
2024/02/08 10:36:31| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2024/02/08 10:36:31| Processing: acl Safe_ports port 280 # http-mgmt
2024/02/08 10:36:31| Processing: acl Safe_ports port 488 # gss-http
2024/02/08 10:36:31| Processing: acl Safe_ports port 591 # filemaker
2024/02/08 10:36:31| Processing: acl Safe_ports port 777 # multiling http
2024/02/08 10:36:31| Processing: acl CONNECT method CONNECT
2024/02/08 10:36:31| Processing: icap_enable off
2024/02/08 10:36:31| Processing: include /usr/local/etc/squid/pre-auth/*.conf
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2024/02/08 10:36:31| Processing: cache_peer 10.10.253.10 parent 3128 0 no-query default
2024/02/08 10:36:31| Processing: acl ExcludePPDomains dstdomain .lan .wlan .purner.eu
2024/02/08 10:36:31| Processing: acl ExcludePPIPs dst 10.10.2.0/24 10.10.10.0/24 10.10.20.0/24 10.10.30.0/24 10.10.31.0/24 10.10.40.0/24 10.10.50.0/24 10.10.51.0/24 10.10.60.0/24 10.10.61.0/24 10.10.70.0/24 10.10.71.0/24 10.10.200.0/24 10.10.201.0/24 10.10.254.0/24 172.30.30.0/24 10.2.0.1 10.96.0.1 10.98.0.1 172.30.100.0/24 10.10.253.0/24
2024/02/08 10:36:31| Processing: cache_peer_access 10.10.253.10 deny ExcludePPDomains
2024/02/08 10:36:31| Processing: cache_peer_access 10.10.253.10 deny ExcludePPIPs
2024/02/08 10:36:31| Processing: cache_peer_access 10.10.253.10 allow all
2024/02/08 10:36:31| Processing: never_direct deny ExcludePPDomains
2024/02/08 10:36:31| Processing: never_direct deny ExcludePPIPs
2024/02/08 10:36:31| Processing: never_direct allow all
2024/02/08 10:36:31| Processing: http_access allow whiteList
2024/02/08 10:36:31| Processing: http_access deny remoteblacklist_UT1
2024/02/08 10:36:31| Processing: http_access deny !Safe_ports
2024/02/08 10:36:31| Processing: http_access deny CONNECT !SSL_ports
2024/02/08 10:36:31| Processing: http_access allow localhost manager
2024/02/08 10:36:31| Processing: http_access deny manager
2024/02/08 10:36:31| Processing: http_access deny to_localhost
2024/02/08 10:36:31| Processing: include /usr/local/etc/squid/auth/*.conf
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2024/02/08 10:36:31| Processing: http_access allow localnet
2024/02/08 10:36:31| Processing: http_access allow localhost
2024/02/08 10:36:31| Processing: http_access deny all
2024/02/08 10:36:31| Processing: include /usr/local/etc/squid/post-auth/*.conf
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2024/02/08 10:36:31| Processing: cache_mem 256 MB
2024/02/08 10:36:31| Processing: coredump_dir /var/squid/cache
2024/02/08 10:36:31| Processing: refresh_pattern ^ftp:          1440    20%     10080
2024/02/08 10:36:31| Processing: refresh_pattern ^gopher:       1440    0%      1440
2024/02/08 10:36:31| Processing: refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
2024/02/08 10:36:31| Processing: refresh_pattern .              0       20%     4320
2024/02/08 10:36:31| Processing: access_log stdio:/var/log/squid/access.log squid
2024/02/08 10:36:31| Processing: cache_store_log none
2024/02/08 10:36:31| Processing: httpd_suppress_version_string on
2024/02/08 10:36:31| Processing: uri_whitespace strip
2024/02/08 10:36:31| Processing: forwarded_for on
2024/02/08 10:36:31| Processing: logfile_rotate 0
2024/02/08 10:36:31| Processing: cache_mgr proxy@purner.eu
2024/02/08 10:36:31| Processing: error_directory /usr/local/etc/squid/errors/local
2024/02/08 10:36:31| Requiring client certificates.
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
Segmentation fault (core dumped)
root@firewall:/usr/local/etc/squid # netstat -an | grep 3128 | wc -l
       4
root@firewall:/usr/local/etc/squid # pkg info | grep squid
os-squid-1.0                   Squid is a caching proxy for the web
squid-6.6                      HTTP Caching Proxy
squid-langpack-7.0.0.20230225  Language-specific error documents for Squid web cache

Thank you.. greatly appreciate the acknowledgement.

fwiw, I'm not doing ssl-bump

configs for https://meta.wikimedia.org/wiki/Cunningham%27s_Law..


root@OPNsense:/usr/local/etc/squid # cat squid.conf
#
# Automatic generated configuration for Squid.
# Do not edit this file manually.
#



# Setup regular listeners configuration
http_port 10.20.245.10:3129


acl ftp proto FTP
http_access allow ftp


# Setup ftp proxy

# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
# Default allow for local-link and private networks
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

# ACL - Allow localhost for PURGE cache if enabled

# ACL lists

# ACL - Allow Subnets - User defined (subnets)
acl subnets src 10.120.56.0/22
acl subnets src 10.120.60.0/22
acl subnets src 10.20.48.0/20
acl subnets src 10.120.49.0/24
acl subnets src 10.120.50.0/24
acl subnets src 10.120.51.0/24
acl subnets src 10.120.52.0/24
acl subnets src 10.121.48.0/22
acl subnets src 10.20.245.8/29
acl subnets src 10.20.112.200/32
acl subnets src 10.120.48.0/24

# ACL - Remote fetched Blacklist (remoteblacklist)

# ACL - Block browser/user-agent - User defined (browser)

# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
acl SSL_ports port 82 # unknown
acl SSL_ports port 8080 # unknown
acl SSL_ports port 443 # https
acl SSL_ports port 5228-5230 # unknown

# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
# ACL - Safe_ports
acl Safe_ports port 82 # unknown
acl Safe_ports port 8080 # unknown
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 5228-5230 # unknown
acl CONNECT method CONNECT

# ICAP SETTINGS
# disable icap
icap_enable off

# Pre-auth plugins
include /usr/local/etc/squid/pre-auth/*.conf

# Authentication Settings








# Google Suite Filter

# YouTube Filter
request_header_add YouTube-Restrict moderate

# Deny requests to certain unsafe ports

http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost


# Auth plugins
include /usr/local/etc/squid/auth/*.conf

#
# Access Permission configuration:
#
# Deny request from unauthorized clients

#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
http_access allow localnet

# ACL - localhost
http_access allow localhost

# ACL list (Allow) subnets
http_access allow subnets

# Deny all other access to this proxy
http_access deny all
# Post-auth plugins
include /usr/local/etc/squid/post-auth/*.conf

# Caching settings
cache_mem 4096 MB
maximum_object_size 32 MB
cache_replacement_policy heap LFUDA
maximum_object_size_in_memory 2048 KB

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#


refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Squid Options
pinger_enable off
access_log stdio:/var/log/squid/access.log squid
# Disable cache store log
cache_store_log none
dns_nameservers 172.16.48.247
# Suppress http version string (default=off)
httpd_suppress_version_string on
# URI handling with Whitespaces (default=strip)
uri_whitespace strip
# X-Forwarded header handling (default=on)
forwarded_for on
# Disable squid logfile rotate to use system defaults
logfile_rotate 0
# Define visible hostname
visible_hostname proxy.at.bldg.name

# Set error directory language
error_directory /usr/local/etc/squid/errors/local



# cat auth/local.conf
shutdown_lifetime 0 seconds

acl to_ipv6 dst ipv6
acl from_ipv6 src ipv6
http_access deny to_ipv6
http_access deny from_ipv6

positive_dns_ttl 5 minutes

client_db off
memory_pools off

pinger_enable off

read_timeout 5 minute # default 15
write_timeout 5 minutes # default 15

max_filedescriptors 204800
digest_generation off

ipcache_size 4096
workers 1

accept_filter httpready
accept_filter dataready

collapsed_forwarding on
half_closed_clients off
pipeline_prefetch 6 # default 0

## timeouts
forward_timeout 1 minute # default 4
connect_timeout 1 minute # default 1
request_timeout 1 minute # default 5
client_lifetime 2 hours # default 24


# quick_abort_min 0 KB
# quick_abort_max 0 KB
# we recommend first tuning the read_timeout,
#       request_timeout, persistent_request_timeout and quick_abort values.

happy_eyeballs_connect_timeout 30 # default 250
pconn_lifetime 60 seconds  # default 0


# kldstat | grep 'http\|data'
4    1 0xffffffff823ea000     2828 accf_data.ko
6    1 0xffffffff823f2000     2e38 accf_http.ko

cat /boot/loader.conf.local
cc_htcp_load="YES"

accf_http_load="YES"
accf_data_load="YES"
accf_dns_load="YES"

machdep.hyperthreading_intr_allowed=1
# net.inet.tcp.tso=0
kern.ipc.nmbclusters=2048000
kern.ipc.nmbjumbop=524288


it seems to say it core'd but then something does start..

find / -name \*.core | xargs ls -al
-rw-------  1 root   squid   16470016 Feb  7 13:26 /usr/local/etc/squid/squid.core
-rw-------  1 root   wheel     704512 Nov  9 23:04 /usr/local/opnsense/service/php.core
-rw-------  1 root   wheel  176029696 Nov 29 09:01 /usr/local/opnsense/service/python3.9.core
-rw-------  1 root   wheel   11051008 Oct 25 23:12 /usr/local/www/pfctl.core
-rw-------  1 root   wheel   33144832 Jul 31  2023 /var/db/syslog-ng.core
-rwxr-x---  1 squid  squid  639852544 Feb  7 13:25 /var/squid/cache/squid.core
-rwxr-x---  1 squid  squid   16470016 Feb  7 13:36 /var/squid/squid.core

I also have segmentation fault error messages with squid, after upgrade to 24.1.

When I restart or stop and start squid, I get "Segmentation fault (core dumped)" messages similar to @DOM_EUWest's errors, without any change from 23.7.