Netgate Discussion Forum

    Squid's ext_ldap_group_acl helper keeps crashing

    • fak1r

      Good afternoon!

      For a week now I have been struggling to set up Squid 3.3.10 pkg 2.2.8 and beta 3.1.20 pkg 2.1.2 with AD group authorization on pfSense 2.1.5.
      I configured everything, and it all even works as intended!!!
      But the problem is that roughly every 2.5-3 hours, and sometimes right after squid starts, the ext_ldap_group_acl helper dies.
      Google did not help me, although I tormented it for a long time.
      What I have tried:

      • moving the helper lines to the beginning of the config
      • running ext_ldap_group_acl with the -P parameter and without it
      • increasing the number of helper processes started to 15

      cache.log when the helper crashes:

      
      2015/02/05 10:09:05.305 kid1| UserRequest.cc(300) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
      2015/02/05 10:10:10.947 kid1| UserRequest.cc(300) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
      2015/02/05 10:11:21.328 kid1| UserRequest.cc(121) ~UserRequest: freeing request 0x299fb2e0
      2015/02/05 10:17:41 kid1| Logfile: opening log /var/squid/logs/netdb.state
      2015/02/05 10:17:41 kid1| WARNING: log parameters now start with a module name. Use 'stdio:/var/squid/logs/netdb.state'
      2015/02/05 10:17:41 kid1| Logfile: closing log stdio:/var/squid/logs/netdb.state
      2015/02/05 10:17:41 kid1| NETDB state saved; 45 entries, 1 msec
      2015/02/05 10:27:43 kid1| WARNING: ldapauth #3 exited
      2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
      2015/02/05 10:27:43 kid1| Starting new helpers
      2015/02/05 10:27:43 kid1| helperOpenServers: Starting 1/15 'ext_ldap_group_acl' processes
      2015/02/05 10:27:43 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
      2015/02/05 10:27:43 kid1| WARNING: ldapauth #4 exited
      2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
      2015/02/05 10:27:43 kid1| Closing HTTP port 192.168.0.17:8080
      2015/02/05 10:27:43 kid1| storeDirWriteCleanLogs: Starting...
      2015/02/05 10:27:43 kid1|   Finished.  Wrote 0 entries.
      2015/02/05 10:27:43 kid1|   Took 0.00 seconds (  0.00 entries/sec).
      FATAL: The ldapauth helpers are crashing too rapidly, need help!
      
      Squid Cache (Version 3.3.10): Terminated abnormally.
      CPU Usage: 3.573 seconds = 1.340 user + 2.233 sys
      Maximum Resident Size: 74752 KB
      Page faults with physical i/o: 0
      2015/02/05 10:27:43 kid1| Closing Pinger socket on FD 35
      2015/02/05 10:27:46 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
      2015/02/05 10:27:46 kid1| Process ID 67605
      2015/02/05 10:27:46 kid1| Process Roles: worker
      2015/02/05 10:27:46 kid1| With 11095 file descriptors available
      2015/02/05 10:27:46 kid1| Initializing IP Cache...
      2015/02/05 10:27:46 kid1| DNS Socket created at [::], FD 11
      2015/02/05 10:27:46 kid1| DNS Socket created at 0.0.0.0, FD 12
      2015/02/05 10:27:46 kid1| Adding domain renault-nn.ru from /etc/resolv.conf
      2015/02/05 10:27:46 kid1| Adding nameserver 192.168.0.3 from /etc/resolv.conf
      2015/02/05 10:27:46 kid1| Adding nameserver 192.168.0.18 from /etc/resolv.conf
      2015/02/05 10:27:46 kid1| helperOpenServers: Starting 0/5 'basic_ldap_auth' processes
      2015/02/05 10:27:46 kid1| helperOpenServers: No 'basic_ldap_auth' processes needed.
      2015/02/05 10:27:46 kid1| helperOpenServers: Starting 7/15 'ext_ldap_group_acl' processes
      2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
      2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
      2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
      2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
      2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
      2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
      2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
      2015/02/05 10:27:46 kid1| WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
      2015/02/05 10:27:46 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/ru/error-details.txt
      2015/02/05 10:27:46 kid1| Unable to load default error language files. Reset to backups.
      2015/02/05 10:27:46 kid1| WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
      2015/02/05 10:27:46 kid1| Logfile: opening log /var/squid/logs/access.log
      2015/02/05 10:27:46 kid1| WARNING: log parameters now start with a module name. Use 'stdio:/var/squid/logs/access.log'
      2015/02/05 10:27:46 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
      2015/02/05 10:27:46 kid1| Store logging disabled
      2015/02/05 10:27:46 kid1| Swap maxSize 0 + 8192 KB, estimated 630 objects
      2015/02/05 10:27:46 kid1| Target number of buckets: 31
      2015/02/05 10:27:46 kid1| Using 8192 Store buckets
      2015/02/05 10:27:46 kid1| Max Mem  size: 8192 KB
      2015/02/05 10:27:46 kid1| Max Swap size: 0 KB
      2015/02/05 10:27:46 kid1| Using Least Load store dir selection
      2015/02/05 10:27:46 kid1| Current Directory is /usr/local/www
      2015/02/05 10:27:46 kid1| Loaded Icons.
      2015/02/05 10:27:46 kid1| HTCP Disabled.
      2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
      2015/02/05 10:27:46 kid1| Pinger socket opened on FD 34
      2015/02/05 10:27:46 kid1| NETDB state reloaded; 45 entries, 0 msec
      2015/02/05 10:27:46 kid1| Squid plugin modules loaded: 0
      2015/02/05 10:27:46 kid1| Adaptation support is off.
      2015/02/05 10:27:46 kid1| Accepting HTTP Socket connections at local=192.168.0.17:8080 remote=[::] FD 32 flags=9
      2015/02/05 10:27:46| pinger: Initialising ICMP pinger ...
      2015/02/05 10:27:46| pinger: ICMP socket opened.
      2015/02/05 10:27:46| pinger: ICMPv6 socket opened
      2015/02/05 10:27:47 kid1| storeLateRelease: released 0 obje
      
      

      Squid config:

      
      # This file is automatically generated by pfSense
      # Do not edit manually !
      
      http_port 192.168.0.17:3128
      icp_port 0
      dns_v4_first off
      pid_filename /var/run/squid.pid
      cache_effective_user proxy
      cache_effective_group proxy
      error_default_language ru
      icon_directory /usr/pbi/squid-i386/etc/squid/icons
      visible_hostname localhost
      cache_mgr admin@firma.ru
      access_log /var/squid/logs/access.log
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      netdb_filename /var/squid/logs/netdb.state
      pinger_enable on
      pinger_program /usr/pbi/squid-i386/libexec/squid/pinger
      
      logfile_rotate 1
      debug_options rotate=1
      shutdown_lifetime 3 seconds
      # Allow local network(s) on interface(s)
      acl localnet src  192.168.0.0/24
      httpd_suppress_version_string on
      uri_whitespace strip
      
      acl dynamic urlpath_regex cgi-bin \?
      cache deny dynamic
      
      cache_mem 8 MB
      maximum_object_size_in_memory 32 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      
      minimum_object_size 0 KB
      maximum_object_size 10 KB
      offline_mode off
      cache allow all
      
      # No redirector configured
      
      #Remote proxies
      
      # Setup some default acls
      # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
      # acl localhost src 127.0.0.1/32
      acl allsrc src all
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535 
      acl sslports port 443 563  
      
      # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
      #acl manager proto cache_object
      
      acl purge method PURGE
      acl connect method CONNECT
      
      # Define protocols used for redirects
      acl HTTP proto HTTP
      acl HTTPS proto HTTPS
      acl allowed_subnets src 192.168.0.0/24
      http_access allow manager localhost
      
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports
      
      # Always allow localhost connections
      # From 3.2 further configuration cleanups have been done to make things easier and safer. 
      # The manager, localhost, and to_localhost ACL definitions are now built-in.
      # http_access allow localhost
      
      request_body_max_size 0 KB
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100
      delay_access 1 allow allsrc
      
      # Reverse Proxy settings
      
      # Package Integration
      #Integrations
      
      # Custom options before auth
      #Custom ACLS (Before_Auth)
      
      auth_param basic program /usr/pbi/squid-i386/libexec/squid/basic_ldap_auth -R -v 3 -b dc=firma,dc=ru -D squid@firma.ru -w 2015 -f "sAMAccountName=%s" -u uid -h 192.168.0.3 -p 389
      auth_param basic children 5
      auth_param basic realm Please enter your credentials to access the proxy
      auth_param basic credentialsttl 60 minutes
      acl password proxy_auth REQUIRED
      
      # Custom options after auth
      external_acl_type ldapauth ttl=60 %LOGIN /usr/pbi/squid-i386/libexec/squid/ext_ldap_group_acl \
      	-R -d -v 3 -b "dc=firma,dc=ru" -D squid@firma.ru -w 2015 -f \
      	"(&(objectclass=user)(sAMAccountName=%v)(memberOf=CN=%a,OU=Internet,DC=firma,DC=ru))" -P 192.168.0.3:389
      acl u_full external ldapauth inet_access_full
      acl u_common external ldapauth inet_access_common
      acl u_site_definition external ldapauth inet_access_site_definition
      acl deny_sites url_regex -i "/var/squid/acl/deny_all.txt"
      acl allow_sites url_regex -i "/var/squid/acl/allow_sites.txt"
      acl banned_users proxy_auth_regex -i "/var/squid/acl/counter_deny.acl"
      acl password proxy_auth REQUIRED
      deny_info ERR_ACL_TRAFFIC_QUOTA_EXCEEDED banned_users
      http_access deny banned_users
      http_access deny u_common deny_sites
      http_access allow u_full
      http_access allow u_common
      http_access allow u_site_definition allow_sites
      
      # Default block all to be sure
      http_access deny allsrc
      
      
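      Two things in the pasted configuration deserve attention from a hardening standpoint, independently of the crash: the LDAP bind password is handed to both helpers inline with -w, which leaves it readable in squid.conf and in the argv of every helper child (visible in a process listing), and neither helper is told to use TLS (-Z, or an ldaps:// URI), so the simple bind crosses the network in clear. Since pfSense generates this file, the change belongs in the package settings rather than in squid.conf itself. The script below is an added example, not from the thread and not pfSense or Squid code; it joins squid.conf continuation lines, extracts the helper command lines from auth_param ... program and external_acl_type directives, and reports those findings. The -W <path> and -Z options it recommends are real options of basic_ldap_auth and ext_ldap_group_acl; the sample fragment is modelled on the config above with the password replaced by a placeholder, and the function names and finding codes are this example's own.

```python
import shlex
import sys
from pathlib import Path

# Constructed squid.conf fragment modelled on the configuration posted in the
# thread. The bind password is a placeholder, not the value from the page.
SAMPLE_CONF = """\
auth_param basic program /usr/pbi/squid-i386/libexec/squid/basic_ldap_auth -R -v 3 -b dc=firma,dc=ru -D squid@firma.ru -w PLACEHOLDER_PASSWORD -f "sAMAccountName=%s" -u uid -h 192.168.0.3 -p 389
auth_param basic children 5
external_acl_type ldapauth ttl=60 %LOGIN /usr/pbi/squid-i386/libexec/squid/ext_ldap_group_acl \\
\t-R -d -v 3 -b "dc=firma,dc=ru" -D squid@firma.ru -w PLACEHOLDER_PASSWORD -f \\
\t"(&(objectclass=user)(sAMAccountName=%v)(memberOf=CN=%a,OU=Internet,DC=firma,DC=ru))" -P 192.168.0.3:389
"""


def logical_lines(text):
    """Join squid.conf continuation lines (trailing backslash) into single
    logical lines, dropping blanks and comments."""
    out, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return [l for l in out if l and not l.startswith("#")]


def helper_commands(text):
    """Return the argv of every helper Squid will spawn: the program of each
    'auth_param <scheme> program ...' line and, for external_acl_type lines,
    everything from the first token that looks like a path ('/...')."""
    cmds = []
    for line in logical_lines(text):
        tokens = shlex.split(line)
        if tokens[0] == "auth_param" and len(tokens) > 3 and tokens[2] == "program":
            cmds.append(tokens[3:])
        elif tokens[0] == "external_acl_type":
            for i, tok in enumerate(tokens):
                if tok.startswith("/"):
                    cmds.append(tokens[i:])
                    break
    return cmds


def audit_helper(argv):
    """Findings for one helper command line (finding codes are this example's own)."""
    findings = []
    if "-w" in argv:
        # -w puts the bind password in squid.conf and in the helper's argv;
        # both helpers accept -W <file> to read it from a root-only file instead.
        findings.append("inline-password")
    if "-Z" not in argv and not any(t.startswith("ldaps://") for t in argv):
        # no STARTTLS (-Z) and no ldaps:// URI: the simple bind is sent in clear.
        findings.append("no-tls")
    if "-d" in argv:
        # -d makes the helper write its LDAP search details to cache.log.
        findings.append("debug-output")
    return findings


def audit_config(text):
    """Audit every helper found in a squid.conf text; one record per helper."""
    return [{"helper": Path(argv[0]).name, "findings": audit_helper(argv)}
            for argv in helper_commands(text)]


if __name__ == "__main__":
    conf = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONF
    for item in audit_config(conf):
        print(item["helper"], ", ".join(item["findings"]) or "ok")
```

      Run it against the live file (python3 audit.py /usr/pbi/squid-i386/etc/squid/squid.conf) after each pfSense regeneration; a clean result for both helpers is the goal, with the password in a file readable only by root and the helpers bound over TLS.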
      • dvserg

        Don't you see any errors or warnings in the logs?

        SquidGuardDoc EN  RU Tutorial
        Localization ru_PFSense

        • fak1r

          If you mean this:

          2015/02/05 10:27:43 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
          

          then that is a Squid bug which, as they write there, does not affect operation.

          And besides, with beta 3.1.20 pkg 2.1.2 there are no warnings like that, nor like this:

          WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
          

          yet the helper still crashes.

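          The triage done by hand in this thread, separating the setuid warning from the helper exits that actually take Squid down, is easy to automate. The script below is an added example (mine, not from the thread, pfSense or Squid); it scans cache.log lines for the "WARNING: <helper> #N exited", "Too few ... processes are running" and "FATAL: ... crashing too rapidly" messages, counts the no_suid warnings separately, records Squid restarts, and raises an alert when one helper exits more than a threshold number of times inside a time window. The sample lines are a constructed excerpt modelled on the log in the first post; the window of 600 seconds and the threshold of 2 exits are assumptions to tune for your site.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the cache.log excerpt in the first post.
SAMPLE_LOG = """\
2015/02/05 10:09:05.305 kid1| UserRequest.cc(300) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
2015/02/05 10:17:41 kid1| NETDB state saved; 45 entries, 1 msec
2015/02/05 10:27:43 kid1| WARNING: ldapauth #3 exited
2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
2015/02/05 10:27:43 kid1| Starting new helpers
2015/02/05 10:27:43 kid1| helperOpenServers: Starting 1/15 'ext_ldap_group_acl' processes
2015/02/05 10:27:43 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:43 kid1| WARNING: ldapauth #4 exited
2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
FATAL: The ldapauth helpers are crashing too rapidly, need help!
2015/02/05 10:27:46 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
2015/02/05 10:27:46| pinger: ICMP socket opened.
"""

# "YYYY/MM/DD HH:MM:SS[.frac] [kidN]| message"; the FATAL banner has no prefix.
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?(?: kid\d+)?\| (.*)$")
EXIT_RE = re.compile(r"WARNING: (\S+) #(\d+) exited")
TOO_FEW_RE = re.compile(r"Too few (\S+) processes are running \(need (\d+)/(\d+)\)")
FATAL_RE = re.compile(r"FATAL: The (\S+) helpers are crashing too rapidly")
NO_SUID_RE = re.compile(r"WARNING: no_suid: setuid\(0\)")
START_RE = re.compile(r"Starting Squid Cache version")


def parse_line(raw):
    """Split a cache.log line into (timestamp or None, message)."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None, raw.strip()
    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2)


def max_in_window(times, window_s):
    """Largest number of events inside any window of window_s seconds."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(lines, window_s=600, threshold=2):
    """Summarise helper health from cache.log lines and produce alerts."""
    helpers = defaultdict(lambda: {"exits": [], "fatal": False, "need": None})
    benign = restarts = 0
    for raw in lines:
        ts, msg = parse_line(raw)
        if m := EXIT_RE.search(msg):
            helpers[m.group(1)]["exits"].append(ts)
        elif m := TOO_FEW_RE.search(msg):
            # the two figures Squid prints after "need" (here 1/15), kept as logged
            helpers[m.group(1)]["need"] = (int(m.group(2)), int(m.group(3)))
        elif m := FATAL_RE.search(msg):
            helpers[m.group(1)]["fatal"] = True
        elif NO_SUID_RE.search(msg):
            # the setuid warning the thread treats as harmless: counted, not alerted
            benign += 1
        elif START_RE.search(msg):
            restarts += 1
    alerts, report = [], {}
    for name, info in helpers.items():
        stamped = [t for t in info["exits"] if t is not None]
        burst = max_in_window(stamped, window_s)
        if burst >= threshold:
            alerts.append(f"{name}: {burst} helper exits within {window_s}s (threshold {threshold})")
        if info["fatal"]:
            alerts.append(f"{name}: Squid aborted because helpers crashed too rapidly")
        report[name] = {"exits": len(info["exits"]), "fatal": info["fatal"], "need": info["need"]}
    return {"helpers": report, "benign_warnings": benign, "restarts": restarts, "alerts": alerts}


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    result = analyze(src)
    for line in result["alerts"] or ["no helper alerts"]:
        print(line)
    print("restarts:", result["restarts"], "benign warnings:", result["benign_warnings"])
```

          Pointed at the real file (python3 helpercheck.py /var/squid/logs/cache.log), the first alert line fires on the exit burst before Squid gives up, which is the moment to capture the helper's own stderr (ext_ldap_group_acl -d writes there) rather than after the restart has wiped the state.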
          • fak1r

            Out of curiosity I tried bringing up Squid 3.4 on FreeBSD 8.4 and pfSense 2.2; it has been running for two days now without any problems, but on pfSense 2.1.5 this Squid's helper crashes just like the 3.1 and 3.3 ones. :-[ :-[

            I don't want to move to pfSense 2.2 yet.
