03.03.2017 10:24, Adrian Miller wrote:
> Are you creating the database as root or the squid user.....try as the
> squid user
It will not work when created as root. Will be permission denied. crtd
runs as squid, not as root.
>
> On 3 March 2017 at 08:46, <squid-users-requ...@lists.squid-cache.org> wrote:
>
> Message: 1
> Date: Fri, 3 Mar 2017 03:46:10 +0600
> From: Yuri Voinov <yvoi...@gmail.com>
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] squid 3.5.2==> HTTPS FATAL: The ssl_crtd
>     helpers are crashing too rapidly, need help!
> Message-ID: <714528e5-a6d5-e72a-2bc7-9950a8eec...@gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> This problem, in principle, is common to all versions of ssl-bumped
> Squid from version 3.4 to 5.0, inclusive, and occurs when the stored
> certificate is damaged for any reason. The only workaround that I
> could find is to monitor cache.log and initialize the certificate
> database again, with a squid restart, automatically.
>
> In some installations, this problem does not occur over the years. In
> others, almost daily. I have no desire to find out why this is
> happening exactly. For me it was easier to make the watchdog, which
> will follow up on this.
>
> 03.03.2017 3:40, Yuri Voinov wrote:
> >
> > One hint finally:
> >
> > '([^ ]*) helper database ([^ ]*) failed: The SSL certificate database ([^ ]*) is corrupted. Please rebuild' - - - 0 exec "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"
> > 'FATAL: ([^ ]*) helpers are crashing too rapidly, need help!' - - - 0 exec "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"
> > 'Cannot add certificate to db.' - - - 0 exec "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"
> >
> > PS. This is from logsurfer.conf.
> >
> > 03.03.2017 3:34, Yuri Voinov wrote:
> >>
> >> This error is usually preceded by another error in cache.log
> >> associated with the certificates.
> >>
> >> I will show you the direction. Then go yourself.
> >>
> >> This software will be useful for you to solve it:
> >>
> >> http://www.crypt.gen.nz/logsurfer/
> >>
> >> HTH, Yuri
> >>
> >> 03.03.2017 2:47, --Ahmad-- wrote:
> >>> hey folks .
> >>> i have a problem with squid it get crashed after i enabled https !
> >>> cache log error => FATAL: The ssl_crtd helpers are crashing too
> >>> rapidly, need help!
> >>>
> >>> i googled many topics and relevant pages and couldn't find a
> >>> clear solution .
> >>>
> >>> the quick solution i made was i removed the certs in file :
> >>> *rm -rfv /var/lib/ssl_db/*
> >>>
> >>> *then reinitiated the DB using cmd below :*
> >>> /lib/squid/ssl_crtd -c -s /var/lib/ssl_db
> >>> chown -R squid.squid /var/lib/ssl_db
> >>>
> >>> then restarted squid .
> >>>
> >>> but this is not a solution because squid get crashed again after
> >>> certain time and i don't know why !
> >>> my version is 3.5.2
> >>>
> >>> here is squid.conf :
> >>> /etc/squid/squid.conf
> >>> visible_hostname pcloud
> >>> acl ip1 myip 10.1.0.1
> >>> acl ip2 myip 192.168.10.210
> >>> tcp_outgoing_address 192.168.10.210 ip1
> >>> tcp_outgoing_address 192.168.10.210 ip2
> >>> #
> >>> # Recommended minimum configuration:
> >>> #
> >>>
> >>> # Example rule allowing access from your local networks.
> >>> # Adapt to list your (internal) IP networks from where browsing
> >>> # should be allowed
> >>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> >>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> >>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> >>> acl localnet src fc00::/7 # RFC 4193 local private network range
> >>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> >>>
> >>> acl SSL_ports port 443
> >>> acl Safe_ports port 80 # http
> >>> acl Safe_ports port 21 # ftp
> >>> acl Safe_ports port 443 # https
> >>> acl Safe_ports port 70 # gopher
> >>> acl Safe_ports port 210 # wais
> >>> acl Safe_ports port 1025-65535 # unregistered ports
> >>> acl Safe_ports port 280 # http-mgmt
> >>> acl Safe_ports port 488 # gss-http
> >>> acl Safe_ports port 591 # filemaker
> >>> acl Safe_ports port 777 # multiling http
> >>> acl CONNECT method CONNECT
> >>>
> >>> #
> >>> # Recommended minimum Access Permission configuration:
> >>> #
> >>> # Deny requests to certain unsafe ports
> >>> http_access deny !Safe_ports
> >>>
> >>> # Deny CONNECT to other than secure SSL ports
> >>> http_access deny CONNECT !SSL_ports
> >>> http_access allow CONNECT
> >>> # Only allow cachemgr access from localhost
> >>> http_access allow localhost manager
> >>> http_access deny manager
> >>>
> >>> # We strongly recommend the following be uncommented to protect innocent
> >>> # web applications running on the proxy server who think the only
> >>> # one who can access services on "localhost" is a local user
> >>> #http_access deny to_localhost
> >>>
> >>> #
> >>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> >>> #
> >>>
> >>> # Example rule allowing access from your local networks.
> >>> # Adapt localnet in the ACL section to list your (internal) IP networks
> >>> # from where browsing should be allowed
> >>> http_access allow localnet
> >>> http_access allow localhost
> >>>
> >>> # And finally deny all other access to this proxy
> >>> http_access deny all
> >>>
> >>> # Squid normally listens to port 3128
> >>> http_port 3128
> >>>
> >>> # Uncomment and adjust the following to add a disk cache directory.
> >>> #cache_dir ufs /var/cache/squid 100 16 256
> >>>
> >>> # Leave coredumps in the first cache dir
> >>> #coredump_dir /var/cache/squid
> >>>
> >>> #
> >>> # Add any of your own refresh_pattern entries above these.
> >>> #
> >>> #
> >>>
> >>> http_port 3126
> >>> #http_port 3128
> >>> #######################################
> >>> #cache_swap_low 90
> >>> #cache_swap_high 95
> >>> ############################
> >>> cache_effective_user squid
> >>> cache_effective_group squid
> >>> memory_replacement_policy lru
> >>> cache_replacement_policy heap LFUDA
> >>> ########################
> >>> maximum_object_size 10000 MB
> >>> #cache_mem 5000 MB
> >>> maximum_object_size_in_memory 10 MB
> >>> #########################
> >>> logfile_rotate 2
> >>> max_filedescriptors 131072
> >>> ###############################
> >>> ############
> >>> cache_dir aufs /var/cache/squid 600000 64 128
> >>> #######################################
> >>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myca.pem key=/usr/local/squid/ssl_cert/myca.pem
> >>> ssl_bump server-first all
> >>> sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> >>> sslcrtd_children 1000 startup=1 idle=1
> >>> ###
> >>> minimum_object_size 0 bytes
> >>> #refresh patterns for caching static files
> >>> refresh_pattern ^ftp: 1440 20% 10080
> >>> refresh_pattern ^gopher: 1440 0% 1440
> >>> refresh_pattern -i .(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
> >>> refresh_pattern -i .(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
> >>> refresh_pattern -i .(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
> >>> refresh_pattern -i .index.(html|htm)$ 0 40% 10080
> >>> refresh_pattern -i .(html|htm|css|js)$ 1440 40% 40320
> >>> refresh_pattern . 0 40% 40320
> >>>
> >>> any Joy Guys ?
> >>>
> >>> should i update squid ? or downgrade squid ?
> >>>
> >>> kind regards
> >>
> >> --
> >> Bugs to the Future
> >
> > --
> > Bugs to the Future
>
> --
> Bugs to the Future
>
> End of squid-users Digest, Vol 31, Issue 9
> ******************************************
>
> --
> I hate to advocate *drugs*, *alcohol*, *violence* or
> *insanity* to anyone, *but* they've *always* worked for *me*
>
> - Hunter S. Thompson
-- Bugs to the Future
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
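
Added example, not part of the thread and not the crtd_create.sh script it mentions: a small cache.log watchdog that recognises the three messages used as triggers in the quoted logsurfer rules and checks that the certificate database is owned by the account the helper runs as. The function names, the SSL_DB and SQUID_USER variables and the sample log lines are assumptions made for this sketch; the path and user defaults are the ones shown in the thread.

```sh
# Added example, not from the thread. The default path and user are the ones
# shown in the thread; every function name here is hypothetical.
SSL_DB=${SSL_DB:-/var/lib/ssl_db}
SQUID_USER=${SQUID_USER:-squid}

# Constructed sample lines (not real log output) for trying the matcher.
CRTD_SAMPLE='2017/03/03 03:40:01 kid1| Accepting HTTP connections
2017/03/03 03:41:07 kid1| FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
(ssl_crtd): Cannot add certificate to db.'

# Succeeds when a log line carries one of the three messages that the quoted
# logsurfer rules use as triggers. Globs are looser than their ([^ ]*) groups.
crtd_line_is_fatal() {
    case $1 in
        *"helper database "*" failed: The SSL certificate database "*" is corrupted. Please rebuild"*) return 0 ;;
        *"FATAL: "*" helpers are crashing too rapidly, need help!"*) return 0 ;;
        *"Cannot add certificate to db."*) return 0 ;;
    esac
    return 1
}

# Reads log lines on stdin and prints how many of them are rebuild triggers.
crtd_count_fatal() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        if crtd_line_is_fatal "$line"; then count=$((count + 1)); fi
    done
    echo "$count"
}

# Succeeds only if directory $1 is owned by user $2 (name or numeric uid),
# the account the helper runs as. Returns 2 when the directory is missing.
crtd_db_owned_by() {
    [ -d "$1" ] || return 2
    want=$(id -u "$2" 2>/dev/null) || want=$2
    owner=$(ls -ldn "$1" | awk '{print $3}')
    [ "$owner" = "$want" ]
}

# "watch" mode: pipe cache.log lines in and get one report line per trigger.
if [ "${1:-}" = watch ]; then
    while IFS= read -r line; do
        crtd_line_is_fatal "$line" || continue
        crtd_db_owned_by "$SSL_DB" "$SQUID_USER" && state=ok || state="missing or not owned by $SQUID_USER"
        echo "rebuild trigger seen; $SSL_DB is $state"
    done
fi
```

With the argument watch it reads log lines from stdin, so it can sit behind tail -F on cache.log. The rebuild itself is left to a site script such as the crtd_create.sh named in the thread, whose contents are not shown there.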