Squid's ext_ldap_group_acl helper keeps crashing



  • Hello!

    For a week now I have been struggling to set up Squid 3.3.10 pkg 2.2.8 and beta 3.1.20 pkg 2.1.2 with AD group authorization on pfSense 2.1.5.
    I have configured everything and it even works as intended!!!
    The problem is that roughly every 2.5-3 hours, and sometimes right after squid starts, the ext_ldap_group_acl helper dies.
    Google did not help me, although I tortured it for a long time.
    What I have tried:

    • moving the helper lines to the beginning of the config
    • running ext_ldap_group_acl with the -P parameter and without it
    • increasing the number of helper processes started to 15

    Cache.log when the helper crashes:

    
    2015/02/05 10:09:05.305 kid1| UserRequest.cc(300) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
    2015/02/05 10:10:10.947 kid1| UserRequest.cc(300) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
    2015/02/05 10:11:21.328 kid1| UserRequest.cc(121) ~UserRequest: freeing request 0x299fb2e0
    2015/02/05 10:17:41 kid1| Logfile: opening log /var/squid/logs/netdb.state
    2015/02/05 10:17:41 kid1| WARNING: log parameters now start with a module name. Use 'stdio:/var/squid/logs/netdb.state'
    2015/02/05 10:17:41 kid1| Logfile: closing log stdio:/var/squid/logs/netdb.state
    2015/02/05 10:17:41 kid1| NETDB state saved; 45 entries, 1 msec
    2015/02/05 10:27:43 kid1| WARNING: ldapauth #3 exited
    2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
    2015/02/05 10:27:43 kid1| Starting new helpers
    2015/02/05 10:27:43 kid1| helperOpenServers: Starting 1/15 'ext_ldap_group_acl' processes
    2015/02/05 10:27:43 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2015/02/05 10:27:43 kid1| WARNING: ldapauth #4 exited
    2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
    2015/02/05 10:27:43 kid1| Closing HTTP port 192.168.0.17:8080
    2015/02/05 10:27:43 kid1| storeDirWriteCleanLogs: Starting...
    2015/02/05 10:27:43 kid1|   Finished.  Wrote 0 entries.
    2015/02/05 10:27:43 kid1|   Took 0.00 seconds (  0.00 entries/sec).
    FATAL: The ldapauth helpers are crashing too rapidly, need help!
    
    Squid Cache (Version 3.3.10): Terminated abnormally.
    CPU Usage: 3.573 seconds = 1.340 user + 2.233 sys
    Maximum Resident Size: 74752 KB
    Page faults with physical i/o: 0
    2015/02/05 10:27:43 kid1| Closing Pinger socket on FD 35
    2015/02/05 10:27:46 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
    2015/02/05 10:27:46 kid1| Process ID 67605
    2015/02/05 10:27:46 kid1| Process Roles: worker
    2015/02/05 10:27:46 kid1| With 11095 file descriptors available
    2015/02/05 10:27:46 kid1| Initializing IP Cache...
    2015/02/05 10:27:46 kid1| DNS Socket created at [::], FD 11
    2015/02/05 10:27:46 kid1| DNS Socket created at 0.0.0.0, FD 12
    2015/02/05 10:27:46 kid1| Adding domain renault-nn.ru from /etc/resolv.conf
    2015/02/05 10:27:46 kid1| Adding nameserver 192.168.0.3 from /etc/resolv.conf
    2015/02/05 10:27:46 kid1| Adding nameserver 192.168.0.18 from /etc/resolv.conf
    2015/02/05 10:27:46 kid1| helperOpenServers: Starting 0/5 'basic_ldap_auth' processes
    2015/02/05 10:27:46 kid1| helperOpenServers: No 'basic_ldap_auth' processes needed.
    2015/02/05 10:27:46 kid1| helperOpenServers: Starting 7/15 'ext_ldap_group_acl' processes
    2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2015/02/05 10:27:46 kid1| WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
    2015/02/05 10:27:46 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/ru/error-details.txt
    2015/02/05 10:27:46 kid1| Unable to load default error language files. Reset to backups.
    2015/02/05 10:27:46 kid1| WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
    2015/02/05 10:27:46 kid1| Logfile: opening log /var/squid/logs/access.log
    2015/02/05 10:27:46 kid1| WARNING: log parameters now start with a module name. Use 'stdio:/var/squid/logs/access.log'
    2015/02/05 10:27:46 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
    2015/02/05 10:27:46 kid1| Store logging disabled
    2015/02/05 10:27:46 kid1| Swap maxSize 0 + 8192 KB, estimated 630 objects
    2015/02/05 10:27:46 kid1| Target number of buckets: 31
    2015/02/05 10:27:46 kid1| Using 8192 Store buckets
    2015/02/05 10:27:46 kid1| Max Mem  size: 8192 KB
    2015/02/05 10:27:46 kid1| Max Swap size: 0 KB
    2015/02/05 10:27:46 kid1| Using Least Load store dir selection
    2015/02/05 10:27:46 kid1| Current Directory is /usr/local/www
    2015/02/05 10:27:46 kid1| Loaded Icons.
    2015/02/05 10:27:46 kid1| HTCP Disabled.
    2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    2015/02/05 10:27:46 kid1| Pinger socket opened on FD 34
    2015/02/05 10:27:46 kid1| NETDB state reloaded; 45 entries, 0 msec
    2015/02/05 10:27:46 kid1| Squid plugin modules loaded: 0
    2015/02/05 10:27:46 kid1| Adaptation support is off.
    2015/02/05 10:27:46 kid1| Accepting HTTP Socket connections at local=192.168.0.17:8080 remote=[::] FD 32 flags=9
    2015/02/05 10:27:46| pinger: Initialising ICMP pinger ...
    2015/02/05 10:27:46| pinger: ICMP socket opened.
    2015/02/05 10:27:46| pinger: ICMPv6 socket opened
    2015/02/05 10:27:47 kid1| storeLateRelease: released 0 obje
    
    

    Squid config:

    
    # This file is automatically generated by pfSense
    # Do not edit manually !
    
    http_port 192.168.0.17:3128
    icp_port 0
    dns_v4_first off
    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_default_language ru
    icon_directory /usr/pbi/squid-i386/etc/squid/icons
    visible_hostname localhost
    cache_mgr admin@firma.ru
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    netdb_filename /var/squid/logs/netdb.state
    pinger_enable on
    pinger_program /usr/pbi/squid-i386/libexec/squid/pinger
    
    logfile_rotate 1
    debug_options rotate=1
    shutdown_lifetime 3 seconds
    # Allow local network(s) on interface(s)
    acl localnet src  192.168.0.0/24
    httpd_suppress_version_string on
    uri_whitespace strip
    
    acl dynamic urlpath_regex cgi-bin \?
    cache deny dynamic
    
    cache_mem 8 MB
    maximum_object_size_in_memory 32 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    
    minimum_object_size 0 KB
    maximum_object_size 10 KB
    offline_mode off
    cache allow all
    
    # No redirector configured
    
    #Remote proxies
    
    # Setup some default acls
    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    # acl localhost src 127.0.0.1/32
    acl allsrc src all
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535 
    acl sslports port 443 563  
    
    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    #acl manager proto cache_object
    
    acl purge method PURGE
    acl connect method CONNECT
    
    # Define protocols used for redirects
    acl HTTP proto HTTP
    acl HTTPS proto HTTPS
    acl allowed_subnets src 192.168.0.0/24
    http_access allow manager localhost
    
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports
    
    # Always allow localhost connections
    # From 3.2 further configuration cleanups have been done to make things easier and safer. 
    # The manager, localhost, and to_localhost ACL definitions are now built-in.
    # http_access allow localhost
    
    request_body_max_size 0 KB
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow allsrc
    
    # Reverse Proxy settings
    
    # Package Integration
    #Integrations
    
    # Custom options before auth
    #Custom ACLS (Before_Auth)
    
    auth_param basic program /usr/pbi/squid-i386/libexec/squid/basic_ldap_auth -R -v 3 -b dc=firma,dc=ru -D squid@firma.ru -w 2015 -f "sAMAccountName=%s" -u uid -h 192.168.0.3 -p 389
    auth_param basic children 5
    auth_param basic realm Please enter your credentials to access the proxy
    auth_param basic credentialsttl 60 minutes
    acl password proxy_auth REQUIRED
    
    # Custom options after auth
    external_acl_type ldapauth ttl=60 %LOGIN /usr/pbi/squid-i386/libexec/squid/ext_ldap_group_acl \
    	-R -d -v 3 -b "dc=firma,dc=ru" -D squid@firma.ru -w 2015 -f \
    	"(&(objectclass=user)(sAMAccountName=%v)(memberOf=CN=%a,OU=Internet,DC=firma,DC=ru))" -P 192.168.0.3:389
    acl u_full external ldapauth inet_access_full
    acl u_common external ldapauth inet_access_common
    acl u_site_definition external ldapauth inet_access_site_definition
    acl deny_sites url_regex -i "/var/squid/acl/deny_all.txt"
    acl allow_sites url_regex -i "/var/squid/acl/allow_sites.txt"
    acl banned_users proxy_auth_regex -i "/var/squid/acl/counter_deny.acl"
    acl password proxy_auth REQUIRED
    deny_info ERR_ACL_TRAFFIC_QUOTA_EXCEEDED banned_users
    http_access deny banned_users
    http_access deny u_common deny_sites
    http_access allow u_full
    http_access allow u_common
    http_access allow u_site_definition allow_sites
    
    # Default block all to be sure
    http_access deny allsrc
    
    

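As an added example (not from this thread, nor from the Squid or pfSense projects), here is a small Python script that scans cache.log text for the helper exit, "Too few ... processes", FATAL and respawn lines of the kind quoted above and flags a helper that keeps dying. The log lines embedded in it are constructed from the ones in the post; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the cache.log excerpt quoted in the post above.
SAMPLE_LOG = """\
2015/02/05 10:27:43 kid1| WARNING: ldapauth #3 exited
2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
2015/02/05 10:27:43 kid1| Starting new helpers
2015/02/05 10:27:43 kid1| helperOpenServers: Starting 1/15 'ext_ldap_group_acl' processes
2015/02/05 10:27:43 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:43 kid1| WARNING: ldapauth #4 exited
2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
FATAL: The ldapauth helpers are crashing too rapidly, need help!
2015/02/05 10:27:46 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
2015/02/05 10:27:46 kid1| helperOpenServers: Starting 7/15 'ext_ldap_group_acl' processes
"""

# The exit / too-few / FATAL lines name the helper by its external_acl_type or
# auth_param name ("ldapauth"); helperOpenServers lines name the program binary.
EXITED_RE = re.compile(r"WARNING: (\S+) #(\d+) exited")
TOO_FEW_RE = re.compile(r"Too few (\S+) processes are running \(need (\d+)/(\d+)\)")
FATAL_RE = re.compile(r"FATAL: The (\S+) helpers are crashing too rapidly")
START_RE = re.compile(r"helperOpenServers: Starting (\d+)/(\d+) '([^']+)' processes")
RESTART_RE = re.compile(r"Starting Squid Cache version (\S+) ")


def summarize_helper_events(log_text):
    """Count helper exits, helper (re)spawns, FATAL helper failures and Squid restarts."""
    exits = Counter()      # helper name -> number of "#N exited" warnings
    starts = Counter()     # program name -> helper processes (re)spawned
    min_needed = {}        # helper name -> (running, configured) from "need X/Y"
    fatal = []             # helper names that triggered the FATAL line
    restarts = []          # Squid versions seen starting (one per restart)
    for line in log_text.splitlines():
        m = EXITED_RE.search(line)
        if m:
            exits[m.group(1)] += 1
            continue
        m = TOO_FEW_RE.search(line)
        if m:
            min_needed[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = FATAL_RE.search(line)
        if m:
            fatal.append(m.group(1))
            continue
        m = START_RE.search(line)
        if m:
            starts[m.group(3)] += int(m.group(1))
            continue
        m = RESTART_RE.search(line)
        if m:
            restarts.append(m.group(1))
    return {
        "exits": dict(exits),
        "starts": dict(starts),
        "min_needed": min_needed,
        "fatal": fatal,
        "restarts": restarts,
    }


def helper_is_flapping(summary, helper_name, threshold=2):
    """True when a helper exited at least `threshold` times or took Squid down with it."""
    return (summary["exits"].get(helper_name, 0) >= threshold
            or helper_name in summary["fatal"])


if __name__ == "__main__":
    s = summarize_helper_events(SAMPLE_LOG)
    for name, count in s["exits"].items():
        print(f"{name}: {count} exit(s), flapping={helper_is_flapping(s, name)}")
    print("Squid restarts seen:", len(s["restarts"]))
```

Run it against a real cache.log with `summarize_helper_events(open("/var/squid/logs/cache.log").read())`; a helper that shows up as flapping while Squid reports a restart right after it is exactly the pattern in the post, and the next thing to check is the helper's own `-d` debug output, which this config already enables. One separate observation on the config above for anyone reusing it: both basic_ldap_auth and ext_ldap_group_acl are given the bind password with `-w` on the command line, where it is visible to every local user via the process list; both helpers accept `-W <file>` to read the password from a file instead.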

  • Don't you see any errors / warnings in the logs?



  • If you mean:

    2015/02/05 10:27:43 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
    

    then that is a Squid bug which, as they write there, does not affect functionality.

    And with beta 3.1.20 pkg 2.1.2 there are none of these warnings either:

    WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
    

    yet the helper still crashes.



  • Out of curiosity I tried bringing up Squid 3.4 on FreeBSD 8.4 and pfSense 2.2; it has been running for two days now without any problems, but on pfSense 2.1.5 that Squid's helper crashes just like the 3.1 and 3.3 ones. :-[ :-[

    I don't want to move to pfSense 2.2 yet.

