Package: squid-openssl
Version: 4.13-10+deb11u2
Severity: normal
X-Debbugs-Cc: djc8...@gmail.com




-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.107-2-pve (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages squid-openssl depends on:
ii  adduser                  3.118
ii  init-system-helpers      1.60
ii  libc6                    2.31-13+deb11u6
ii  libcap2                  1:2.44-1
ii  libcom-err2              1.46.5-2~bpo11+2
ii  libcrypt1                1:4.4.18-4
ii  libdb5.3                 5.3.28+dfsg1-0.8
ii  libdbi-perl              1.643-3+b1
ii  libecap3                 1.0.1-3.2+b1
ii  libexpat1                2.2.10-2+deb11u5
ii  libgcc-s1                10.2.1-6
ii  libgssapi-krb5-2         1.18.3-6+deb11u3
ii  libkrb5-3                1.18.3-6+deb11u3
ii  libldap-2.4-2            2.4.57+dfsg-3+deb11u1
ii  libltdl7                 2.4.6-15
ii  libnetfilter-conntrack3  1.0.8-3
ii  libnettle8               3.7.3-1
ii  libnsl2                  1.3.0-2
ii  libpam0g                 1.4.0-9+deb11u1
ii  libsasl2-2               2.1.27+dfsg-2.1+deb11u1
ii  libssl1.1                1.1.1n-0+deb11u5
ii  libstdc++6               10.2.1-6
ii  libsystemd0              247.3-7+1-pmx11u1
ii  libxml2                  2.9.10+dfsg-6.7+deb11u4
ii  logrotate                3.18.0-2+deb11u1
ii  lsb-base                 11.1.0
ii  netbase                  6.3
ii  squid-common             4.13-10+deb11u2

Versions of packages squid-openssl recommends:
ii  ca-certificates  20210119
ii  libcap2-bin      1:2.44-1

Versions of packages squid-openssl suggests:
ii  apparmor     2.13.6-10
pn  resolvconf   <none>
ii  smbclient    2:4.13.13+dfsg-1~deb11u5
ii  squid-cgi    4.13-10+deb11u2
ii  squid-purge  4.13-10+deb11u2
ii  squidclient  4.13-10+deb11u2
pn  ufw          <none>
pn  winbind      <none>

-- Configuration Files:
/etc/logrotate.d/squid changed:
# Rotation policy for every *.log file under /var/log/squid: rotate daily,
# compress one cycle late, keep 800 rotations.
# NOTE(review): 800 daily rotations is more than two years of proxy logs.
# Squid's access.log records each proxied request, so confirm that this
# retention period and the log file permissions match the site's policy.
/var/log/squid/*.log {
        daily
        compress
        delaycompress
        rotate 800
        missingok
        nocreate
        sharedscripts
        # Before rotating: run sarg-reports, but only if it is installed and
        # executable.
        prerotate
                test ! -x /usr/sbin/sarg-reports || /usr/sbin/sarg-reports daily
        endscript
        # After rotating: signal Squid with -k rotate, but only if the pid
        # file exists and the binary is executable. The command is wrapped
        # across two lines in this listing.
        postrotate
                test ! -e /run/squid.pid || test ! -x /usr/sbin/squid || 
/usr/sbin/squid -k rotate
        endscript
}

/etc/squid/conf.d/debian.conf changed:
# Squid keeps no numbered log copies of its own; rotation of the files is
# left to the logrotate policy in /etc/logrotate.d/squid.
logfile_rotate 0
# Allow clients whose source address matches the localnet ACL.
# NOTE(review): where conf.d is included relative to the http_access rules in
# squid.conf is not shown in this listing; rule order decides the outcome.
http_access allow localnet

/etc/squid/squid.conf changed:
# Access rules, name resolution and header handling. http_access lines are
# evaluated top to bottom and the first matching line decides, so the order
# of the rules below matters.
# Deny requests whose destination domain is listed in /etc/squid/tld_block.
acl blackweb dstdomain "/etc/squid/tld_block"
http_access deny blackweb
dns_nameservers 127.0.0.1 192.168.0.20 192.168.0.1
# NOTE(review): ICP and HTCP queries are accepted from any source address.
# Unless a host firewall already limits ports 13336/13337, restrict these
# to the known cache peers.
htcp_access allow all
icp_access allow all
htcp_port 13337
icp_port 13336
        
# NOTE(review): 192.180.0.20 is outside the 192.168.0.0/16 range used in the
# rest of this file; possibly a typo for 192.168.0.20 - confirm.
acl local-servers dstdomain 192.180.0.20 192.168.0.10
always_direct allow local-servers
max_stale 4 week
max_filedescriptors 65534
offline_mode off
# NOTE(review): as rendered here the option before "c" is an en dash
# (U+2013), not an ASCII "-", so squidGuard would not see a -c option;
# verify against the file on disk.
url_rewrite_program /usr/bin/squidGuard –c /etc/squidguard/squidGuard.conf
via off
forwarded_for off
# Remove the listed headers from requests. Header names are case-insensitive,
# so the cache-control and Cache-Control lines are the same rule.
# NOTE(review): Server, WWW-Authenticate, X-Cache and X-Cache-Lookup are
# normally response headers; hiding them from clients would need
# reply_header_access instead - confirm the intent.
request_header_access cache-control deny all
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
# Allow Squid's own transactions that fetch missing intermediate certificates.
acl intermediate_fetching transaction_initiator certificate-fetching 
http_access allow intermediate_fetching
acl manager proto cache_object
acl localnet src 10.0.0.0/8 192.168.0.0/16 172.16.0.0/16
# NOTE(review): this ACL covers every port, and no "http_access deny
# !Safe_ports" line is visible in this listing, so no destination-port
# restriction appears to be in effect.
acl Safe_ports port 1-65535 # unregistered ports
# NOTE(review): ACLs on one http_access line are ANDed, so this line matches
# only a source that is both localhost and localnet. Presumably two separate
# allow lines were intended; confirm.
http_access allow localhost localnet
# NOTE(review): there is no source ACL on this line, so cache manager
# (cache_object) requests are allowed from any client that can reach a
# listening port. Pairing "http_access allow localhost manager" with
# "http_access deny manager" limits them to the proxy host.
http_access allow manager
# Listening ports. 5555 and 6666 are SSL-Bump listeners: Squid generates
# per-host certificates and terminates the clients' TLS itself. Several
# directives below are wrapped across lines in this listing.
# NOTE(review): the key behind the signing certificate is what the clients
# end up trusting for every bumped site, so the key files named here should
# be readable by the Squid user only; their permissions are not shown.
http_port 5555 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=256MB tls-cert=/etc/squid/ssl/squid-self-signed.crt 
tls-key=/etc/squid/ssl/squid-self-signed.key 
tls-dh=prime256v1:/etc/squid/ssl/squid-self-signed_dhparam.pem
# No separate key option is given here, so presumably myCA.pem holds the
# private key together with the certificate - confirm.
http_port 6666 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem 
generate-host-certificates=on dynamic_cert_mem_cache_size=256MB
http_port 6767 intercept
http_port 8888
http_port 7777
access_log /var/log/squid/access.log squid
coredump_dir /var/spool/squid
# Deny every request whose source address is not in the localnet ACL.
http_access deny all !localnet
acl blocked_sites dstdomain "/etc/squid/blocked_sites"
# NOTE(review): this is the last http_access line in this file. When no line
# matches, Squid applies the opposite of the last line, so a request that
# gets this far without matching is allowed. An explicit final
# "http_access deny all" states the default instead of leaving it implied.
http_access deny blocked_sites
err_page_stylesheet /etc/squid/errorpage.css
cache_dir diskd /var/cache/squid/diskd 10000 32 32 Q1=128 Q2=256
# Cipher list for Squid's outgoing TLS connections. EECDH+aRSA+RC4 is listed,
# but the later !RC4 entry removes RC4 suites again, like the other "!"
# exclusions at the end of the string.
tls_outgoing_options 
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
# Helper that generates and stores the per-host certificates for SSL-Bump.
sslcrtd_program /usr/lib/squid/security_file_certgen -s 
/var/cache/squid/ssl_db/ssl-db -M 256MB
sslcrtd_children 5
# NOTE(review): server-first is a legacy bump action and is listed first for
# "all"; check against the ssl_bump documentation whether the stare rule
# after it is ever applied.
ssl_bump server-first all
ssl_bump stare all
# No ACL is allowed to bypass upstream certificate validation errors.
sslproxy_cert_error deny all
minimum_object_size 0 bytes
maximum_object_size 4 GB
maximum_object_size_in_memory 4096 KB
# refresh_pattern lines are tried in order and the first regex that matches
# the URL is used. The third pattern (max 1000000) is the one that
# "squid -k parse" reports as cropped back to 1 year.
# NOTE(review): the Squid documentation gives min and max in minutes, not
# seconds; confirm against the installed version.
# NOTE(review): override-expire, ignore-reload, ignore-no-store and
# ignore-private make Squid store and reuse responses that the origin marked
# as private or not to be stored. With ssl-bump enabled this can include
# decrypted HTTPS responses, so one user's personalised content may be
# served to another client. Limiting these options to patterns for static
# content avoids that.
refresh_pattern ^(ftp:|http:|https:) 1440 80% 10080 override-expire 
ignore-reload ignore-no-store ignore-private
refresh_pattern -i (/cgi-bin/|\?) 11440 80% 60000 override-expire ignore-reload 
ignore-no-store ignore-private store-stale
refresh_pattern -i ^.* 86400 100% 1000000 override-expire ignore-reload 
ignore-no-store ignore-private store-stale
# 999999 works fine without a warning, above a million it crops to one year
# With -1, Squid fetches whole objects even for range requests and keeps
# fetching after the client has aborted, so one small client request can
# cost a full upstream download.
range_offset_limit -1
quick_abort_min -1
cache_dir rock /var/cache/squid/rock 100000 min-size=0 max-size=3145720
cache_dir rock /var/cache/squid/rock2 100000 min-size=3145721
cache_mem 8 GB


-- no debconf information

The general problem here is that refresh_pattern does not allow more than 
999999 seconds, or about 11 days.

-- squid -k parse

2023/06/10 11:58:37| Processing: refresh_pattern -i ^.* 86400 100% 1000000 
override-expire ignore-reload ignore-no-store ignore-private store-stale
2023/06/10 11:58:37| WARNING: refresh_pattern maximum age too high. Cropped 
back to 1 year.

-> Setting this value to 999999 makes the warning go away. However, why am I 
able to use a year in seconds but not able to... or is there an unknown 
restriction?
-> http://www.squid-cache.org/Doc/config/refresh_pattern/ does not show a 
maximum value
-> Going by the warning, the limit should be 1 year, i.e. roughly 32 million 
seconds, and not less than 1 million ;-)
