Strange error in Squid [SOLVED]

1. Strange error in Squid [SOLVED]

Rodrigo Garcia
r.garcia

(uses Ubuntu)

Posted on 27/01/2016 - 08:52h

Good morning, community!

I have Squid 3.4.8-6 running on Debian Wheezy, and a few days ago it started behaving strangely. It simply crashes and the service restarts. The following line appears in syslog:

"Squid Parent: (squid-1) process 32031 exited due to signal 6 with status 0"

And the following line appears in cache.log:

"kid1| assertion failed: String.cc:201: "len_ + len < 65536""

I have already searched the internet a lot and found no answer. Does anyone have any idea what this could be and how to work around or fix it?

Thanks!!!


  


2. Re: Strange error in Squid [SOLVED]

Buckminster
Buckminster

(uses Debian)

Posted on 27/01/2016 - 09:34h

Post your squid.conf here.


3. Re: Strange error in Squid

Rodrigo Garcia
r.garcia

(uses Ubuntu)

Posted on 27/01/2016 - 09:42h

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ssl_cert/my.key cert=/etc/squid3/ssl_cert/my.pem
#debug_options ALL,1 33,2 28,9
connect_timeout 10 minutes
request_timeout 10 minutes
forwarded_for delete
pinger_enable off
###############################################################################################
# AUTHENTICATION - DOMAIN-JOINED MACHINES
###############################################################################################
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
auth_param ntlm children 30
auth_param ntlm keep_alive on
###############################################################################################
# AUTHENTICATION - MACHINES OUTSIDE THE DOMAIN
###############################################################################################
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 30
auth_param basic realm MYDOMAIN
auth_param basic credentialsttl 24 hours
###############################################################################################
# ACLS
###############################################################################################
external_acl_type ad_Group ttl=60 children-startup=20 children-max=20 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
###############################################################################################
acl rede_local src 192.168.0.0/16
acl nocache src all
no_cache deny nocache
###############################################################################################
# SSL PORTS
###############################################################################################
acl SSL_ports port 443 # SSL
acl SSL_ports port 2381 # HP-UX
acl SSL_ports port 2301 # HP-UX
acl SSL_ports port 11371 # APT-KEY
acl SSL_ports port 993 # IMAP SSL
acl SSL_ports port 1723 # VPN
acl SSL_ports port 2631 # Conectividade Caixa
acl SSL_ports port 3456
acl SSL_ports port 5022
acl SSL_ports port 8017
acl SSL_ports port 8181
acl SSL_ports port 9339
acl SSL_ports port 33902
acl SSL_ports port 8443
acl SSL_ports port 2012
acl SSL_ports port 2222
###############################################################################################
# ALLOWED PORTS
###############################################################################################
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 20 # FTP data
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1024-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 143 # IMAP
acl Safe_ports port 993 # IMAP SSL
acl Safe_ports port 465 # SMTP
acl Safe_ports port 587 # SMTP
acl Safe_ports port 1723 # VPN
acl Safe_ports port 81 # HTTP
acl Safe_ports port 2631 # Conectividade Caixa
acl Safe_ports port 3456
acl Safe_ports port 5022
acl Safe_ports port 8017
acl Safe_ports port 8181
acl Safe_ports port 9339
acl Safe_ports port 33902
acl Safe_ports port 8443
acl Safe_ports port 25
acl Safe_ports port 53
acl Safe_ports port 2021
acl Safe_ports port 2222
###############################################################################################
acl CONNECT method CONNECT
acl sites_liberados_sem_auth dstdomain -i "/etc/squid3/acls/sites_liberados_sem_autenticacao"
acl grupo-full external ad_Group Users-Internet-Full
acl grupo-nuvem external ad_Group Users-Internet-Nuvem
acl grupo-padrao external ad_Group Users-Internet-Padrao
acl grupo-skype external ad_Group Users-Internet-Skype
acl grupo-bancos external ad_Group Users-internet-Bancos
acl grupo-restrito external ad_Group Users-Internet-Restrito
acl grupo-bloqueado external ad_Group Users-Internet-Bloqueado
acl grupo-redessociais external ad_Group Users-Internet-RedesSociais
acl grupo-emails external ad_Group Users-Internet-Emails
acl grupo-full-naosocial external ad_Group Users-Internet-Full-NaoSocial
###############################################################################################
acl grupo-100KB external ad_Group Users-Internet-100KB
acl grupo-200KB external ad_Group Users-Internet-200KB
acl grupo-300KB external ad_Group Users-Internet-300KB
acl grupo-ilimitado external ad_Group Users-Internet-Ilimitado
###############################################################################################
acl sites_proibidos dstdomain -i "/etc/squid3/acls/sites_proibidos"
acl sites_liberados dstdomain -i "/etc/squid3/acls/sites_liberados"
acl palavras_proibidas url_regex -i "/etc/squid3/acls/palavras_proibidas"
acl palavras_liberadas url_regex -i "/etc/squid3/acls/palavras_liberadas"
acl maquinas_liberadas src "/etc/squid3/acls/maquinas_liberadas"
acl skype url_regex -i "/etc/squid3/acls/skype"
acl bancos dstdomain -i "/etc/squid3/acls/libera_bancos"
acl redessociais dstdomain -i "/etc/squid3/acls/libera_redes"
acl emails dstdomain -i "/etc/squid3/acls/libera_emails"
acl nuvem dstdomain -i "/etc/squid3/acls/libera_nuvem"
acl redessociais-palavras url_regex -i "/etc/squid3/acls/libera_redes_palavras"
acl maquinas-genericas srcdomain -i "/etc/squid3/acls/maquinas_genericas"
acl java browser Java/1.5 Java/1.6 Java/1.7 Java/1.8 Java/1.9
acl webstart browser Webstart
acl interno dst 192.168.0.0/16
acl conectividade src "/etc/squid3/acls/conectividade1"
acl voice_report dst 54.83.5.110
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
###############################################################################################
# RULES
###############################################################################################
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow interno
http_access allow maquinas_liberadas
http_access allow rede_local sites_liberados_sem_auth
http_access allow rede_local voice_report
http_access allow rede_local palavras_liberadas
http_access allow webstart all
http_access allow java all
http_access allow conectividade
###############################################################################################
# FULL ACCESS
###############################################################################################
http_access allow rede_local grupo-ilimitado grupo-full
http_access allow rede_local grupo-300KB grupo-full
http_access allow rede_local grupo-200KB grupo-full
http_access allow rede_local grupo-100KB grupo-full
###############################################################################################
# SPECIFIC ACCESS
###############################################################################################
reply_header_access Proxy-Authenticate deny java all
reply_header_replace Proxy-Authenticate Basic realm="MYDOMAIN"
###############################################################################################
http_access allow rede_local grupo-redessociais redessociais redessociais-palavras
http_access deny rede_local redessociais redessociais-palavras all
###############################################################################################
http_access allow rede_local grupo-full-naosocial
###############################################################################################
http_access allow rede_local grupo-nuvem nuvem
http_access deny rede_local nuvem all
###############################################################################################
http_access allow rede_local grupo-bancos bancos
http_access deny rede_local bancos all
###############################################################################################
http_access allow rede_local grupo-emails emails
http_access deny rede_local emails all
###############################################################################################
http_access allow rede_local grupo-skype skype
http_access deny rede_local skype all
###############################################################################################
# GENERIC USER
###############################################################################################
reply_header_access Proxy-Authenticate deny maquinas-genericas
reply_header_replace Proxy-Authenticate Basic realm="MYDOMAIN"
http_access deny rede_local grupo-bloqueado
###############################################################################################
# RESTRICTED ACCESS
###############################################################################################
http_access deny rede_local grupo-restrito !sites_liberados
###############################################################################################
# DEFAULT ACCESS
###############################################################################################
http_access allow rede_local grupo-ilimitado grupo-padrao !sites_proibidos !palavras_proibidas
http_access allow rede_local grupo-300KB grupo-padrao !sites_proibidos !palavras_proibidas
http_access allow rede_local grupo-200KB grupo-padrao !sites_proibidos !palavras_proibidas
http_access allow rede_local grupo-100KB grupo-padrao !sites_proibidos !palavras_proibidas
###############################################################################################
# NO ACCESS
###############################################################################################
http_access deny all
###############################################################################################
# BANDWIDTH LIMITING
###############################################################################################
delay_pools 4
delay_class 1 1
delay_access 1 allow grupo-ilimitado
delay_access 1 deny all
delay_parameters 1 1966080/1966080
###############################################################################################
delay_class 2 4
delay_access 2 allow grupo-300KB
delay_access 2 deny all
delay_parameters 2 -1/-1 -1/-1 307200/307200 307200/307200
###############################################################################################
delay_class 3 4
delay_access 3 allow grupo-200KB
delay_access 3 deny all
delay_parameters 3 -1/-1 -1/-1 204800/204800 204800/204800
###############################################################################################
delay_class 4 4
delay_access 4 allow grupo-100KB
delay_access 4 deny all
delay_parameters 4 -1/-1 -1/-1 102400/102400 102400/102400
###############################################################################################
# SSL
###############################################################################################
always_direct allow all
ssl_bump none localhost
acl bypass_ssl dstdomain -i "/etc/squid3/acls/bypass_ssl"
acl reverse dstdomain -i "/etc/squid3/acls/reverse"
ssl_bump none bypass_ssl
ssl_bump client-first reverse
ssl_bump server-first sites_proibidos palavras_proibidas nuvem bancos redessociais redessociais-palavras emails
ssl_bump none all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /usr/lib/squid3/ssl_db -M 4MB
sslcrtd_children 5
###############################################################################################


My Squid does no caching, only access control... also keep in mind that this started 2 days ago... it ran for almost 1 year without problems...


4. Re: Strange error in Squid [SOLVED]

Buckminster
Buckminster

(uses Debian)

Posted on 27/01/2016 - 09:53h

Let's take it step by step. Replace

no_cache deny nocache

with

cache deny nocache

Make the change, restart and test; meanwhile, uncle here will go through your squid.conf.

http://www.squid-cache.org/Versions/v3/3.4/cfgman/cache.html


5. Re: Strange error in Squid [SOLVED]

Rodrigo Garcia
r.garcia

(uses Ubuntu)

Posted on 27/01/2016 - 09:57h

Buckminster wrote:

Let's take it step by step. Replace

no_cache deny nocache

with

cache deny nocache

Make the change, restart and test; meanwhile, uncle here will go through your squid.conf.

http://www.squid-cache.org/Versions/v3/3.4/cfgman/cache.html


I made the change, it restarted normally... I'm monitoring it....


6. Re: Strange error in Squid [SOLVED]

Rodrigo Garcia
r.garcia

(uses Ubuntu)

Posted on 27/01/2016 - 10:19h

It just happened again; it's always 3 or 4 times in a row...

Syslog:

Jan 27 10:13:48 squid[10622]: Squid Parent: (squid-1) process 10799 exited due to signal 6 with status 0
Jan 27 10:13:51 squid[10622]: Squid Parent: (squid-1) process 23322 started
Jan 27 10:14:06 squid[10622]: Squid Parent: (squid-1) process 23322 exited due to signal 6 with status 0
Jan 27 10:14:09 squid[10622]: Squid Parent: (squid-1) process 27520 started
Jan 27 10:14:16 squid[10622]: Squid Parent: (squid-1) process 27520 exited due to signal 6 with status 0
Jan 27 10:14:19 squid[10622]: Squid Parent: (squid-1) process 30222 started
Jan 27 10:14:39 squid[10622]: Squid Parent: (squid-1) process 30222 exited due to signal 6 with status 0
Jan 27 10:14:42 squid[10622]: Squid Parent: (squid-1) process 2194 started
Jan 27 10:14:51 squid[10622]: Squid Parent: (squid-1) process 2194 exited due to signal 6 with status 0
Jan 27 10:14:54 squid[10622]: Squid Parent: (squid-1) process 5366 started
Jan 27 10:15:11 squid[10622]: Squid Parent: (squid-1) process 5366 exited due to signal 6 with status 0
Jan 27 10:15:14 squid[10622]: Squid Parent: (squid-1) process 9778 started


Cache.log:

2016/01/27 10:13:47 kid1| assertion failed: String.cc:201: "len_ + len < 65536"
2016/01/27 10:14:06 kid1| assertion failed: String.cc:201: "len_ + len < 65536"
2016/01/27 10:14:16 kid1| assertion failed: String.cc:201: "len_ + len < 65536"
2016/01/27 10:14:39 kid1| assertion failed: String.cc:201: "len_ + len < 65536"
2016/01/27 10:14:51 kid1| assertion failed: String.cc:201: "len_ + len < 65536"
2016/01/27 10:15:11 kid1| assertion failed: String.cc:201: "len_ + len < 65536"
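
Added example, not part of the original thread and not Squid project code: signal 6 is SIGABRT, which is how a failed assertion terminates a worker, so each abort in syslog can be paired with the assertion that cache.log recorded just before it, and closely spaced aborts can be grouped into a crash loop. The 5-second pairing window, the 60-second loop gap, the year passed to the syslog parser and all function names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Sample input: the first lines of the syslog and cache.log excerpts quoted in the post above.
SYSLOG = """\
Jan 27 10:13:48 squid[10622]: Squid Parent: (squid-1) process 10799 exited due to signal 6 with status 0
Jan 27 10:13:51 squid[10622]: Squid Parent: (squid-1) process 23322 started
Jan 27 10:14:06 squid[10622]: Squid Parent: (squid-1) process 23322 exited due to signal 6 with status 0
Jan 27 10:14:09 squid[10622]: Squid Parent: (squid-1) process 27520 started
Jan 27 10:14:16 squid[10622]: Squid Parent: (squid-1) process 27520 exited due to signal 6 with status 0
"""
CACHE_LOG = """\
2016/01/27 10:13:47 kid1| assertion failed: String.cc:201: "len_ + len < 65536"
2016/01/27 10:14:06 kid1| assertion failed: String.cc:201: "len_ + len < 65536"
2016/01/27 10:14:16 kid1| assertion failed: String.cc:201: "len_ + len < 65536"
"""

EXIT_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) .*process (\d+) exited due to signal (\d+)")
ASSERT_RE = re.compile(r'^(\d{4}/\d\d/\d\d [\d:]{8}) kid\d+\| assertion failed: (\S+:\d+): "(.*)"\s*$')

def parse_exits(text, year):
    """Return (time, pid, signal) for every worker killed by a signal.
    Syslog timestamps carry no year, so the caller supplies it."""
    hits = [m for m in map(EXIT_RE.match, text.splitlines()) if m]
    return [(datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S"), int(m[2]), int(m[3]))
            for m in hits]

def parse_assertions(text):
    """Return (time, source location, expression) for every failed assertion."""
    hits = [m for m in map(ASSERT_RE.match, text.splitlines()) if m]
    return [(datetime.strptime(m[1], "%Y/%m/%d %H:%M:%S"), m[2], m[3]) for m in hits]

def correlate(exits, assertions, window=timedelta(seconds=5)):
    """Attach to each exit the first assertion logged at most `window` before it."""
    rows = []
    for ts, pid, sig in exits:
        cause = next((a for a in assertions if timedelta(0) <= ts - a[0] <= window), None)
        rows.append({"time": ts, "pid": pid, "signal": sig,
                     "assertion": cause and f"{cause[1]}: {cause[2]}"})
    return rows

def crash_loops(exits, max_gap=timedelta(seconds=60), min_count=3):
    """Group exits separated by at most `max_gap`; keep groups of `min_count` or more."""
    groups, current = [], []
    for e in exits:
        if current and e[0] - current[-1][0] > max_gap:
            groups.append(current)
            current = []
        current.append(e)
    groups.append(current)
    return [g for g in groups if len(g) >= min_count]

if __name__ == "__main__":
    for row in correlate(parse_exits(SYSLOG, 2016), parse_assertions(CACHE_LOG)):
        print(row["time"], row["pid"], row["signal"], row["assertion"])
```

An exit whose `assertion` field is None has no matching cache.log entry and needs a different explanation than the String.cc assertion.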



7. Re: Strange error in Squid [SOLVED]

Buckminster
Buckminster

(uses Debian)

Posted on 27/01/2016 - 10:25h

Run

squid -k reconfigure

and see whether it returns any error.

Don't you remember whether you made any change to any Squid or system file in these last two days?


8. Re: Strange error in Squid [SOLVED]

Rodrigo Garcia
r.garcia

(uses Ubuntu)

Posted on 27/01/2016 - 10:30h

Buckminster wrote:

Run

squid -k reconfigure

and see whether it returns any error.

Don't you remember whether you made any change to any Squid or system file in these last two days?


I already ran that command when I applied your suggestion and it returned no error... the only change I made was adding a domain to one of the lists, but that is routine...


9. Re: Strange error in Squid [SOLVED]

Rodrigo Garcia
r.garcia

(uses Ubuntu)

Posted on 27/01/2016 - 10:33h

Oh, I also disabled the Pinger, but that was after this started.... since it was having a lot of segfaults in libc I disabled it (pinger_enable off) because I thought it was causing these crashes...


10. Re: Strange error in Squid

Buckminster
Buckminster

(uses Debian)

Posted on 27/01/2016 - 10:38h

Look, Squid3 version 3.4 by default does disk caching (cache_dir) only if you put that line in squid.conf, but it stores objects in memory (cache_mem) even without that line, and the default is 256 MB:

http://www.squid-cache.org/Versions/v3/3.4/cfgman/cache_mem.html

Since you did not specify cache_mem in your squid.conf, maybe that added domain is causing this crash.

If you have enough RAM on that machine, add a line like this to your squid.conf:

cache_mem 1024 MB

or

cache_mem 512 MB

and test.
Got it?

And run squid -v or squid --version or squid3 -v or squid3 --version and post the command's entire output here.


11. Re: Strange error in Squid [SOLVED]

Rodrigo Garcia
r.garcia

(uses Ubuntu)

Posted on 27/01/2016 - 10:47h

I made the change you suggested and ran squid -k reconfigure, let's see.... the output of squid -v was this:

Squid Cache: Version 3.4.8
Debian linux
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-http-violations' '--enable-ssl' '--enable-ssl-crtd' '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--enable-useragent-log' '--disable-translation' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-openssl' '--enable-build-info=Debian linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'



12. Re: Strange error in Squid [SOLVED]

Buckminster
Buckminster

(uses Debian)

Posted on 27/01/2016 - 10:53h

--with-filedescriptors=65536

If the error happens again, you may have to increase the system's file descriptors.


