The ext_ldap_group_acl helper keeps crashing in Squid
-
Hello!
For a week now I have been struggling with setting up Squid 3.3.10 pkg 2.2.8 and beta 3.1.20 pkg 2.1.2 with AD group authorization on pfSense 2.1.5.
I configured everything and it even works as intended!!!
But the problem is that roughly every 2.5-3 hours, and sometimes right after squid starts, the ext_ldap_group_acl helper dies.
Google did not help me, although I spent a long time on it.
What I have tried:
- moving the helper lines to the beginning of the config
- running ext_ldap_group_acl with the -P parameter and without it
- increasing the number of helper processes started to 15
Cache.log when the helper crashes:
2015/02/05 10:09:05.305 kid1| UserRequest.cc(300) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
2015/02/05 10:10:10.947 kid1| UserRequest.cc(300) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
2015/02/05 10:11:21.328 kid1| UserRequest.cc(121) ~UserRequest: freeing request 0x299fb2e0
2015/02/05 10:17:41 kid1| Logfile: opening log /var/squid/logs/netdb.state
2015/02/05 10:17:41 kid1| WARNING: log parameters now start with a module name. Use 'stdio:/var/squid/logs/netdb.state'
2015/02/05 10:17:41 kid1| Logfile: closing log stdio:/var/squid/logs/netdb.state
2015/02/05 10:17:41 kid1| NETDB state saved; 45 entries, 1 msec
2015/02/05 10:27:43 kid1| WARNING: ldapauth #3 exited
2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
2015/02/05 10:27:43 kid1| Starting new helpers
2015/02/05 10:27:43 kid1| helperOpenServers: Starting 1/15 'ext_ldap_group_acl' processes
2015/02/05 10:27:43 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:43 kid1| WARNING: ldapauth #4 exited
2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
2015/02/05 10:27:43 kid1| Closing HTTP port 192.168.0.17:8080
2015/02/05 10:27:43 kid1| storeDirWriteCleanLogs: Starting...
2015/02/05 10:27:43 kid1| Finished. Wrote 0 entries.
2015/02/05 10:27:43 kid1| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: The ldapauth helpers are crashing too rapidly, need help!
Squid Cache (Version 3.3.10): Terminated abnormally.
CPU Usage: 3.573 seconds = 1.340 user + 2.233 sys
Maximum Resident Size: 74752 KB
Page faults with physical i/o: 0
2015/02/05 10:27:43 kid1| Closing Pinger socket on FD 35
2015/02/05 10:27:46 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
2015/02/05 10:27:46 kid1| Process ID 67605
2015/02/05 10:27:46 kid1| Process Roles: worker
2015/02/05 10:27:46 kid1| With 11095 file descriptors available
2015/02/05 10:27:46 kid1| Initializing IP Cache...
2015/02/05 10:27:46 kid1| DNS Socket created at [::], FD 11
2015/02/05 10:27:46 kid1| DNS Socket created at 0.0.0.0, FD 12
2015/02/05 10:27:46 kid1| Adding domain renault-nn.ru from /etc/resolv.conf
2015/02/05 10:27:46 kid1| Adding nameserver 192.168.0.3 from /etc/resolv.conf
2015/02/05 10:27:46 kid1| Adding nameserver 192.168.0.18 from /etc/resolv.conf
2015/02/05 10:27:46 kid1| helperOpenServers: Starting 0/5 'basic_ldap_auth' processes
2015/02/05 10:27:46 kid1| helperOpenServers: No 'basic_ldap_auth' processes needed.
2015/02/05 10:27:46 kid1| helperOpenServers: Starting 7/15 'ext_ldap_group_acl' processes
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
2015/02/05 10:27:46 kid1| parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/ru/error-details.txt
2015/02/05 10:27:46 kid1| Unable to load default error language files. Reset to backups.
2015/02/05 10:27:46 kid1| WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
2015/02/05 10:27:46 kid1| Logfile: opening log /var/squid/logs/access.log
2015/02/05 10:27:46 kid1| WARNING: log parameters now start with a module name. Use 'stdio:/var/squid/logs/access.log'
2015/02/05 10:27:46 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2015/02/05 10:27:46 kid1| Store logging disabled
2015/02/05 10:27:46 kid1| Swap maxSize 0 + 8192 KB, estimated 630 objects
2015/02/05 10:27:46 kid1| Target number of buckets: 31
2015/02/05 10:27:46 kid1| Using 8192 Store buckets
2015/02/05 10:27:46 kid1| Max Mem size: 8192 KB
2015/02/05 10:27:46 kid1| Max Swap size: 0 KB
2015/02/05 10:27:46 kid1| Using Least Load store dir selection
2015/02/05 10:27:46 kid1| Current Directory is /usr/local/www
2015/02/05 10:27:46 kid1| Loaded Icons.
2015/02/05 10:27:46 kid1| HTCP Disabled.
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| Pinger socket opened on FD 34
2015/02/05 10:27:46 kid1| NETDB state reloaded; 45 entries, 0 msec
2015/02/05 10:27:46 kid1| Squid plugin modules loaded: 0
2015/02/05 10:27:46 kid1| Adaptation support is off.
2015/02/05 10:27:46 kid1| Accepting HTTP Socket connections at local=192.168.0.17:8080 remote=[::] FD 32 flags=9
2015/02/05 10:27:46| pinger: Initialising ICMP pinger ...
2015/02/05 10:27:46| pinger: ICMP socket opened.
2015/02/05 10:27:46| pinger: ICMPv6 socket opened
2015/02/05 10:27:47 kid1| storeLateRelease: released 0 obje
Squid config:
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.0.17:3128
icp_port 0
dns_v4_first off
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language ru
icon_directory /usr/pbi/squid-i386/etc/squid/icons
visible_hostname localhost
cache_mgr admin@firma.ru
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-i386/libexec/squid/pinger
logfile_rotate 1
debug_options rotate=1
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.0.0/24
httpd_suppress_version_string on
uri_whitespace strip
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 10 KB
offline_mode off
cache allow all
# No redirector configured
#Remote proxies
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
acl sslports port 443 563
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.0.0/24
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
# Package Integration
#Integrations
# Custom options before auth
#Custom ACLS (Before_Auth)
auth_param basic program /usr/pbi/squid-i386/libexec/squid/basic_ldap_auth -R -v 3 -b dc=firma,dc=ru -D squid@firma.ru -w 2015 -f "sAMAccountName=%s" -u uid -h 192.168.0.3 -p 389
auth_param basic children 5
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 60 minutes
acl password proxy_auth REQUIRED
# Custom options after auth
external_acl_type ldapauth ttl=60 %LOGIN /usr/pbi/squid-i386/libexec/squid/ext_ldap_group_acl \
  -R -d -v 3 -b "dc=firma,dc=ru" -D squid@firma.ru -w 2015 -f \
  "(&(objectclass=user)(sAMAccountName=%v)(memberOf=CN=%a,OU=Internet,DC=firma,DC=ru))" -P 192.168.0.3:389
acl u_full external ldapauth inet_access_full
acl u_common external ldapauth inet_access_common
acl u_site_definition external ldapauth inet_access_site_definition
acl deny_sites url_regex -i "/var/squid/acl/deny_all.txt"
acl allow_sites url_regex -i "/var/squid/acl/allow_sites.txt"
acl banned_users proxy_auth_regex -i "/var/squid/acl/counter_deny.acl"
acl password proxy_auth REQUIRED
deny_info ERR_ACL_TRAFFIC_QUOTA_EXCEEDED banned_users
http_access deny banned_users
http_access deny u_common deny_sites
http_access allow u_full
http_access allow u_common
http_access allow u_site_definition allow_sites
# Default block all to be sure
http_access deny allsrc
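The cache.log above mixes three different things: the per-helper "WARNING: ldapauth #N exited" / "Too few ldapauth processes" lines that describe the actual failure, the FATAL line Squid emits once a helper has died too often in a short time, and the unrelated "no_suid: setuid(0)" warnings printed whenever a helper is spawned. The following script is an added example (not code from the thread or from the Squid project) that separates those event types, counts exits per external_acl_type name, and reports the worst burst of exits inside a time window, so a recurring crash can be spotted in a long log without reading it by hand. The sample lines are constructed from the excerpt in the post; the 60-second window is an assumed reporting threshold, not Squid's internal one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the cache.log excerpt in the post (not the full log).
SAMPLE_LOG = """\
2015/02/05 10:17:41 kid1| NETDB state saved; 45 entries, 1 msec
2015/02/05 10:27:43 kid1| WARNING: ldapauth #3 exited
2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
2015/02/05 10:27:43 kid1| Starting new helpers
2015/02/05 10:27:43 kid1| helperOpenServers: Starting 1/15 'ext_ldap_group_acl' processes
2015/02/05 10:27:43 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:43 kid1| WARNING: ldapauth #4 exited
2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
FATAL: The ldapauth helpers are crashing too rapidly, need help!
2015/02/05 10:27:46 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
"""

TS_FMT = "%Y/%m/%d %H:%M:%S"
# Timestamped worker lines; the optional fraction covers the ".305"-style debug timestamps.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? kid\d+\| (.*)$")
EXIT_RE = re.compile(r"^WARNING: (\S+) #(\d+) exited$")
TOO_FEW_RE = re.compile(r"^Too few (\S+) processes are running \(need (\d+)/(\d+)\)$")
FATAL_RE = re.compile(r"^FATAL: The (\S+) helpers are crashing too rapidly")
NOSUID_RE = re.compile(r"^WARNING: no_suid: setuid\(0\)")


def parse_events(text):
    """Return a list of (timestamp or None, kind, helper name, detail) from cache.log text."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts, msg = datetime.strptime(m.group(1), TS_FMT), m.group(2)
        else:
            ts, msg = None, raw  # FATAL and the post-mortem summary lines carry no timestamp
        e = EXIT_RE.match(msg)
        if e:
            events.append((ts, "exit", e.group(1), int(e.group(2))))
            continue
        e = TOO_FEW_RE.match(msg)
        if e:
            events.append((ts, "too_few", e.group(1), (int(e.group(2)), int(e.group(3)))))
            continue
        e = FATAL_RE.match(msg)
        if e:
            events.append((ts, "fatal", e.group(1), None))
            continue
        if NOSUID_RE.match(msg):
            events.append((ts, "no_suid", None, None))  # benign spawn-time noise, kept separate
    return events


def summarize(text, window=timedelta(seconds=60)):
    """Per helper: total exits, largest number of exits inside `window`, lowest running/need, FATAL seen.

    Also returns the count of no_suid warnings so they are not mistaken for helper failures.
    """
    events = parse_events(text)
    report = defaultdict(lambda: {"exits": 0, "burst": 0, "min_running": None, "need": None, "fatal": False})
    exit_times = defaultdict(list)
    for ts, kind, helper, detail in events:
        if kind == "exit":
            report[helper]["exits"] += 1
            if ts is not None:
                exit_times[helper].append(ts)
        elif kind == "too_few":
            running, need = detail
            r = report[helper]
            r["need"] = need
            r["min_running"] = running if r["min_running"] is None else min(r["min_running"], running)
        elif kind == "fatal":
            report[helper]["fatal"] = True
    # Sliding window over sorted exit times: the largest count of exits within `window`.
    for helper, times in exit_times.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        report[helper]["burst"] = best
    no_suid = sum(1 for _, kind, _, _ in events if kind == "no_suid")
    return dict(report), no_suid


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report, no_suid = summarize(text)
    for helper, r in report.items():
        print(f"{helper}: exits={r['exits']} burst={r['burst']} "
              f"min_running={r['min_running']}/{r['need']} fatal={r['fatal']}")
    print(f"no_suid warnings (spawn noise, not helper failures): {no_suid}")
```

Run it as `python3 helper_exits.py /var/squid/logs/cache.log`; with no argument it analyses the constructed sample. Two points worth keeping in mind when reading the output: the "no_suid" count is reported separately precisely because it grows with every helper spawn and says nothing about why the helper exited, and a burst of exits within seconds with "need 1/15" is what precedes Squid's FATAL exit, so that is the pattern to alert on. Separately, the config above passes the LDAP bind password on the helper command line (-w 2015), where it is visible to anyone who can list processes; both basic_ldap_auth and ext_ldap_group_acl accept -W to read the bind password from a file instead.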
-
Don't you see any errors / warnings in the logs?
-
If you mean:
2015/02/05 10:27:43 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
then that is a Squid bug which, as they write there, does not affect operation.
And besides, when using beta 3.1.20 pkg 2.1.2 there are no warnings like that one or like this one:
WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
but the helper still crashes.
-
Out of curiosity I tried bringing up Squid 3.4 on freebsd 8.4 and pfSense 2.2; it has been running for two days now with no problems at all, but on pfSense 2.1.5 the helper of this Squid crashes just like it does with 3.1 and 3.3. :-[ :-[
I don't want to move to pfSense 2.2 yet.