Re: [squid-users] Segfault on squid 3.1.X on Ubuntu 12.04 with external_acl_type

From: Marcio Merlone <marcio.merlone_at_a1.ind.br>
Date: Thu, 13 Sep 2012 16:28:19 -0300

On 13-09-2012 14:55, Eliezer Croitoru wrote:
> On 9/13/2012 5:58 PM, Marcio Merlone wrote:
>> Sep 13 10:01:57 (pam_auth): pam_unix(squid:auth): authentication
>> failure; logname= uid=13 euid=13 tty= ruser= rhost= user=marcio.merlone
>> Sep 13 10:01:57 kernel: [ 711.170108] squid3[11856]: segfault at 40 ip
>> 00007f2aae7c43b7 sp 00007fff9910f6e0 error 4 in
>> squid3[7f2aae5e3000+2ef000]
>> Sep 13 10:01:57 kernel: [ 711.358552] init: squid3 main process (11856)
>> killed by SEGV signal
>> Sep 13 10:01:57 kernel: [ 711.358653] init: squid3 main process ended,
>> respawning
> and add the squid.conf (removing sensitive data such as passwords)

auth_param basic program /usr/lib/squid3/basic_pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl SENHA proxy_auth REQUIRED
external_acl_type grupoPosix ttl=300 %LOGIN /usr/lib/squid3/squid_unix_group -p
acl GP_TI external grupoPosix ti
acl xxx_tld dstdomain .xxx
acl SITES_NONE url_regex -i "/etc/squid3/sites_none"
acl SITES_NONE_WORD url_regex -i "/etc/squid3/sites_none_word"
acl soft_updates url_regex -i "/etc/squid3/soft_updates"
acl server_updates url_regex -i "/etc/squid3/server_updates"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow server_updates
http_access allow soft_updates
http_access deny bad_users
http_access deny SITES_NONE
http_access deny SITES_NONE_WORD !GP_VIP !GP_TI
http_access deny xxx_tld
http_access allow SENHA GP_TI
http_access allow localhost
http_access deny all
http_port 3128
cache_dir ufs /var/spool/squid3 20000 16 256

(Trimmed some repetitive fat regarding other groups and some irrelevant defaults, not just comments)

In short, if I replace
http_access allow SENHA GP_TI
by
http_access allow SENHA
while keeping external_acl_type uncommented it works fine.

> If you are looking for a package I have RPM for fedora\centos\redhat
> but not DEB for debian\ubuntu.
Hhhmmm... sounds tempting. Alien could be of use for an rpm package.

> I would suggest you to try couple times to compile your own squid if
> you have specific list of needs.
Not much besides external_acl_type. I am a lazy admin with 3 servers
with exact same conf, just need to keep the most on shared DB - either
LDAP or posix system calls for group membership - squid_unix_group or
squid_ldap_group would do.

> We can try to help you figure out some basics and to move on from there.
> What exactly do you need? LDAP or PAM?
See above. PAM is required for auth, LDAP is not needed if
squid_unix_group works - pam_ldap is working fine for users and auth.
Compiled latest source squid-3.2.1.tar.gz as per Ubuntu docs like this:

./configure --prefix=/usr \
   --localstatedir=/var \
   --libexecdir=/usr/lib/squid3 \
   --srcdir=. \
   --datadir=/usr/share/squid3 \
   --sysconfdir=/etc/squid3 \
   --disable-ipv6 \
   --enable-auth-basic="PAM"

make all && make install

Could not yet test the results, will post here when done. I'll be glad
if you can advance some tips.

Thanks a lot and best regards.

-- 
*Marcio Merlone*
Received on Thu Sep 13 2012 - 19:28:28 MDT
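
The `external_acl_type grupoPosix ... %LOGIN` line in the configuration above hands the group check to a helper process that reads one request per line on stdin and answers `OK` or `ERR` on stdout. The following is an added example, not part of the original message and not Squid's own helper code: a Python stand-in for such a helper that can be run by hand, which helps separate a helper problem from a problem inside Squid itself. The function names and the injectable `lookup` parameter are assumptions of this example.

```python
#!/usr/bin/env python3
"""Stand-in external ACL helper: "<login> <group> [<group>...]" -> OK / ERR."""
import grp
import pwd
import sys
from urllib.parse import unquote


def system_groups(user, with_primary):
    """Group names for `user` via NSS (files, LDAP, ...); empty set if unknown."""
    try:
        entry = pwd.getpwnam(user)
    except KeyError:
        return set()
    names = {g.gr_name for g in grp.getgrall() if user in g.gr_mem}
    if with_primary:  # same idea as the -p switch in the posted config
        try:
            names.add(grp.getgrgid(entry.pw_gid).gr_name)
        except KeyError:
            pass  # primary gid has no group entry
    return names


def answer(line, lookup=system_groups, with_primary=True):
    """Map one request line to the reply Squid expects: "OK" or "ERR"."""
    # Squid URL-escapes each field, so decode before comparing.
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:  # blank or truncated request: deny, never crash
        return "ERR"
    user, wanted = fields[0], fields[1:]
    return "OK" if lookup(user, with_primary) & set(wanted) else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so never buffer


if __name__ == "__main__":
    main()
```

Run it in a terminal and type a line such as `marcio.merlone ti` to see the reply the proxy would receive for that user and group.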
