[squid-users] Squid 2.6 and chroot - what files are needed?

From: Jeff Tharp <[email protected]>
Date: Mon, 25 Sep 2006 18:05:25 -0700

Folks,
I know this topic has come up with previous versions of Squid, and I've
seen various answers in the archives but I was wondering what the
official stance was for 2.6 (and maybe what the plan would be for 3.0).

I'm working on setting up a pair of Linux servers (running RHEL 4 and
Squid 2.6STABLE3) which will sit in our DMZ and serve as reverse proxy
servers/HTTP accelerators for our external web sites. One of the steps
I wanted to take to secure these systems was run Squid chroot'ed. Thus
I configured a new directory, /cache, which would serve as the base of
the chroot which I implemented using the chroot directive in my
squid.conf (see below).

I was somewhat surprised at the number of files required...seems that
more is required now than simply the cache directories, /dev/null, and
directory for logs, as I was expecting. Please see below for an output
of find /cache -ls on my test box -- I snipped out the lower-level
directories in errors, icons, and my two cache directories for brevity.
Is this the correct list of files needed in the chroot, or do I have
something misconfigured?

I should note that though I can connect to my test suite via this Squid
cache using Firefox, I do still get startup errors when the child
processes start:

...
Sep 22 16:20:20 trailmap squid[14800]: Squid Parent: child process 14931 exited due to signal 6
Sep 22 16:20:20 trailmap squid[14800]: Exiting due to repeated, frequent failures

The only other error I see is in /cache/logs/cache.log:
2006/09/22 23:21:12| ipcCreate: /usr/lib/squid/unlinkd: (2) No such file or directory

I'd appreciate any pointers or suggestions on troubleshooting either of
these.

Thanks,
Jeff Tharp
System Administrator
ESRI - Redlands, CA
http://www.esri.com

PS: Thanks so much for releasing 2.6, it really is a huge improvement
for those of us using Squid for a reverse proxy! :-)

~~~squid.conf~~~~

#
# Squid 2.6 Configuration
#
# Version 2.0 Jeff Tharp 9/21/2006
#

# -----------------------------------------------
# GENERAL/NETWORK SETTINGS

# Ports
http_port 80 vhost
# https_ports defined in virtualhosts section
icp_port 0

# Connection Timeouts
forward_timeout 4 minutes
connect_timeout 1 minute
peer_connect_timeout 30 seconds
request_timeout 5 minutes

# User/Group to run as
cache_effective_user squid
cache_effective_group squid

# Email of cache manager
cache_mgr basis@esri.com

# General SSL configuration
ssl_unclean_shutdown off
sslproxy_version 1

# Maximum file descriptors (set at compile)
max_filedesc 16384

# -----------------------------------------------
# CACHE SETTINGS

# Adjust based on physical RAM of system
cache_mem 332 MB
# Increase cache_swap_low if cache_mem is high
cache_swap_low 93
cache_swap_high 95

# Maximum size for objects to be saved to disk
# Objects larger than this will not be cached
maximum_object_size 10240 KB
# Minimum size for objects to be saved to disk
minimum_object_size 0 KB
# Maximum size for objects to be stored in memory
maximum_object_size_in_memory 128 KB

# Replacement policy for disk cache
# Options are:
# lru Original LRU policy (default)
# heap GDSF GDSF, higher object hit rate, lower byte hit rate
# heap LFUDA LFUDA, higher byte hit rate, lower obj hit rate
# heap LRU LRU policy implemented with a heap
#
# For LFUDA, increase maximum_object_size
# For GDSF, decrease maximum_object_size
#
cache_replacement_policy heap GDSF

# Replacement policy for memory cache
# Same options as disk cache policy
#
memory_replacement_policy heap GDSF

# Disk cache location
# Usage:
# cache_dir Type Path Size (in MB) L1 L2
# Note if Path is a filesystem, Size should be no larger
# than 80% of the size of the filesystem, in MB
cache_dir aufs /data/data1 8192 64 512
cache_dir aufs /data/data2 8192 64 512

# Refresh pattern
# Determines how objects are expired from cache
# Usage:
# refresh_pattern regex min percent max
# regex is a regular expression to match against request URI
# min is the time in minutes to consider an object fresh
# unless otherwise specified
# percent is the percentage of the objects age that an object
# will be considered fresh
# max is the upper limit on how long an object will be considered
# fresh
#
# Objects are considered:
# FRESH if expires < now, else STALE
# STALE if age > max
# FRESH if lm-factor < percent, else STALE
# FRESH if age < min
# else STALE
# (these are checked in the order listed)
refresh_pattern -i \.js$ 0 0% 1
refresh_pattern -i \.css$ 0 10% 30
refresh_pattern . 0 20% 4320

# Quick Abort
# These options control how Squid handles downloading
# aborted requests
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95

# Negative TTL for failed requests
# Controls how long Squid remembers failed requests
negative_ttl 1 minutes

# Correct broken vary encoding for Apache:mod_deflate
acl apache rep_header Server ^ArcWS
broken_vary_encoding allow apache

# Minimum caching time based on expiry
minimum_expiry_time 0 seconds

# -----------------------------------------------
# LOG SETTINGS

# Log Format
logformat combined %Ss:%Sh %la %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h"

# Access Log (main request log)
cache_access_log /cache/logs/access.log combined

# Cache Log (cache handling log)
cache_log /cache/logs/cache.log

# Store Log (storage manager log, can be disabled)
cache_store_log none

# Emulate HTTPD Log
# Causes access log to match format of Apache web log
emulate_httpd_log off

# PID file location
pid_filename /var/run/squid.pid

# number of log file rotations to keep
# set to 0 if using separate logrotation program
logfile_rotate 0

# Client DB (database of per-client statistics)
client_db off

# Strip query terms before logging
strip_query_terms off

# -----------------------------------------------
# SECURITY SETTINGS

# Access Controls

# ACLs (see docs for details of syntax)
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl safe_ports port 80 443
acl CONNECT method CONNECT
#acl DYNAMIC urlpath_regex \.jsp \.cfm \.do \?

# Allow cache purge
acl PURGE method purge
http_access allow purge localhost
http_access deny purge

# http_access
# Allows or denies access based on ACL (first match)

# Deny access to unknown ports
http_access deny !safe_ports
# Default deny rule
#http_access deny all

# http_reply_access
# Allow replies to requests, complement of http_access
http_reply_access allow all

# icp_access
icp_access deny all

# turn off caching for dynamic content
#no_cache deny DYNAMIC

# Security checks on replies and requests

# Maximum request header size
request_header_max_size 10 KB
# Maximum request body size (0 to disable)
request_body_max_size 0 KB
# Maximum reply header size
reply_header_max_size 20 KB
# Maximum reply body size (0 to disable)
reply_body_max_size 0 allow all

# X-Forwarded-For header (on = add the client address to requests forwarded to the origin)
forwarded_for on

# Disable cache manager passwords
cachemgr_passwd none all

# Chroot location
chroot /cache

# Suppress version
httpd_suppress_version_string on

# -----------------------------------------------
# VIRTUALHOSTS SETTINGS

# xoriat.esri.com:8100
cache_peer xoriat.esri.com parent 8100 0 no-query originserver name=test1
cache_peer_domain test1 trailmap.esri.com

~~~Output of find /cache -ls ~~~~~

      2 4 drwxr-xr-x 10 root root 4096 Sep 22 16:05 /cache
     12 0 lrwxrwxrwx 1 root root 1 Sep 22 16:05 /cache/cache -> .
1077121 4 drwxr-xr-x 3 root root 4096 Sep 22 16:19 /cache/etc
1078493 4 -rw-r--r-- 1 root root 59 Sep 22 16:19 /cache/etc/resolv.conf
1077122 4 drwxr-xr-x 2 root root 4096 Sep 22 16:18 /cache/etc/squid
1078491 8 -rw-r----- 1 root squid 5549 Sep 22 16:18 /cache/etc/squid/squid.conf
1078482 0 lrwxrwxrwx 1 root root 31 Sep 22 16:18 /cache/etc/squid/errors -> /usr/share/squid/errors/English
1078484 4 -rw-r--r-- 1 root root 421 Sep 22 16:18 /cache/etc/squid/msntauth.conf
1078488 28 -rw-r--r-- 1 root root 26969 Sep 22 16:18 /cache/etc/squid/mib.txt
1078486 0 lrwxrwxrwx 1 root root 22 Sep 22 16:18 /cache/etc/squid/icons -> /usr/share/squid/icons
1078492 4 -rw-r--r-- 1 root root 421 Sep 22 16:18 /cache/etc/squid/msntauth.conf.default
1078483 12 -rw-r--r-- 1 root root 11651 Sep 22 16:18 /cache/etc/squid/mime.conf.default
1078490 152 -rw-r----- 1 root squid 147632 Sep 22 16:18 /cache/etc/squid/squid.conf.old
1078489 12 -rw-r--r-- 1 root root 11651 Sep 22 16:18 /cache/etc/squid/mime.conf
1078485 4 -rw-r----- 1 root squid 419 Sep 22 16:18 /cache/etc/squid/cachemgr.conf
1078487 152 -rw-r--r-- 1 root root 147632 Sep 22 16:18 /cache/etc/squid/squid.conf.default
2350081 4 drwxr-x--- 2 squid squid 4096 Sep 24 04:02 /cache/logs
2350084 0 -rw------- 1 squid squid 0 Sep 23 04:02 /cache/logs/access.log
2350083 4 -rw------- 1 squid squid 88 Sep 24 11:17 /cache/logs/cache.log
2350082 4 -rw------- 1 root root 1878 Sep 22 16:21 /cache/logs/squid.out
 456961 4 drwxr-xr-x 3 root root 4096 Sep 22 16:02 /cache/var
 456962 4 drwxrwxrwx 2 root root 4096 Sep 22 16:21 /cache/var/run
 456963 4 -rw-r--r-- 1 squid squid 6 Sep 22 16:21 /cache/var/run/squid.pid
1778881 4 drwxr-xr-x 2 root root 4096 Sep 22 16:01 /cache/dev
1778882 0 crw-rw-rw- 1 root root Sep 22 16:01 /cache/dev/null
1942081 4 drwxr-xr-x 4 root root 4096 Sep 22 14:11 /cache/usr
1942082 4 drwxr-xr-x 3 root root 4096 Sep 22 16:06 /cache/usr/lib
1942084 4 drwxr-xr-x 2 root root 4096 Sep 22 16:06 /cache/usr/lib/squid
1943063 4 -rwxr-xr-x 1 root root 2280 Sep 22 16:06 /cache/usr/lib/squid/smb_auth.sh
1943062 48 -rwxr-xr-x 1 root root 45066 Sep 22 16:06 /cache/usr/lib/squid/msnt_auth
1943061 24 -rwxr-xr-x 1 root root 22096 Sep 22 16:06 /cache/usr/lib/squid/diskd-daemon
1943059 20 -rwxr-xr-x 1 root root 17339 Sep 22 16:06 /cache/usr/lib/squid/yp_auth
1943053 24 -rwsr-x--- 1 root squid 22935 Sep 22 16:06 /cache/usr/lib/squid/ncsa_auth
1943057 56 -rwxr-xr-x 1 root root 52675 Sep 22 16:06 /cache/usr/lib/squid/ntlm_auth
1943064 28 -rwxr-xr-x 1 root root 25892 Sep 22 16:06 /cache/usr/lib/squid/squid_ldap_auth
1943047 20 -rwsr-x--- 1 root squid 19800 Sep 22 16:06 /cache/usr/lib/squid/pam_auth
1943048 20 -rwxr-xr-x 1 root root 18959 Sep 22 16:06 /cache/usr/lib/squid/fakeauth_auth
1943051 24 -rwxr-xr-x 1 root root 22356 Sep 22 16:06 /cache/usr/lib/squid/digest_pw_auth
1943050 20 -rwxr-xr-x 1 root root 16513 Sep 22 16:06 /cache/usr/lib/squid/getpwname_auth
1943052 20 -rwxr-xr-x 1 root root 17250 Sep 22 16:06 /cache/usr/lib/squid/sasl_auth
1943058 28 -rwxr-xr-x 1 root root 26974 Sep 22 16:06 /cache/usr/lib/squid/squid_ldap_group
1943049 4 -rwxr-xr-x 1 root root 4010 Sep 22 16:06 /cache/usr/lib/squid/smb_auth.pl
1943045 4 -rwxr-xr-x 1 root root 2359 Sep 22 16:06 /cache/usr/lib/squid/wbinfo_group.pl
1943056 20 -rwxr-xr-x 1 root root 18345 Sep 22 16:06 /cache/usr/lib/squid/smb_auth
1943060 8 -rwxr-xr-x 1 root root 7423 Sep 22 16:06 /cache/usr/lib/squid/unlinkd
1943055 20 -rwxr-xr-x 1 root root 18359 Sep 22 16:06 /cache/usr/lib/squid/ip_user_check
1943054 20 -rwxr-xr-x 1 root root 18634 Sep 22 16:06 /cache/usr/lib/squid/squid_unix_group
1943046 32 -rwxr-xr-x 1 root root 30222 Sep 22 16:06 /cache/usr/lib/squid/cachemgr.cgi
1942083 4 drwxr-xr-x 3 root root 4096 Sep 22 15:01 /cache/usr/share
1942085 4 drwxr-xr-x 4 root root 4096 Sep 22 15:01 /cache/usr/share/squid
1942086 4 drwxr-xr-x 32 root root 4096 Sep 22 15:01 /cache/usr/share/squid/errors

---snip--snip--snip---

1943017 4 drwxr-xr-x 2 root root 4096 Sep 22 15:01 /cache/usr/share/squid/icons

---snip--snip--snip---

 979201 4 drwxr-x--- 4 squid squid 4096 Sep 22 14:47 /cache/data
 979203 4 drwx------ 66 squid squid 4096 Sep 22 16:21 /cache/data/data2

---snip--snip--snip---

 979202 4 drwx------ 66 squid squid 4096 Sep 22 16:21 /cache/data/data1

---snip--snip--snip---
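An added example, not part of the original message: a small shell audit for the chroot described above. The quoted ipcCreate error is the ENOENT that execve returns when a dynamically linked helper such as /usr/lib/squid/unlinkd is present inside the chroot but its ELF interpreter or one of its shared libraries is not, so the script runs ldd on the host copy of each helper and lists which of those files are still missing below the chroot root. CHROOT=/cache is taken from the squid.conf above; the script assumes the host copy of each helper lives at the same path outside the chroot.

```shell
#!/bin/sh
# Added example (not from the original post): find the shared libraries and
# ELF interpreter that Squid's helper programs need inside a chroot. A helper
# that is copied in without them fails to exec with ENOENT even though the
# binary itself exists. CHROOT matches the chroot directive in squid.conf.

CHROOT="${CHROOT:-/cache}"

# Read ldd output on stdin and print each absolute library path that does not
# exist below $1. ldd line shapes handled:
#   libc.so.6 => /lib64/libc.so.6 (0x...)   -> check /lib64/libc.so.6 in chroot
#   /lib64/ld-linux-x86-64.so.2 (0x...)     -> check the interpreter itself
#   linux-vdso.so.1 =>  (0x...)             -> virtual, no file, skipped
#   libfoo.so => not found                  -> missing on the host too, skipped
missing_libs_from_ldd() {
    root="$1"
    while read -r line; do
        case "$line" in
            *'=>'*) rest="${line#*=> }"; path="${rest%% *}" ;;
            /*)     path="${line%% *}" ;;
            *)      path="" ;;
        esac
        case "$path" in /*) ;; *) continue ;; esac
        [ -e "$root$path" ] || printf '%s\n' "$path"
    done
}

# Run ldd on the host copy of one helper and report what the chroot lacks.
# Returns 0 when nothing is missing, 1 otherwise.
check_helper() {
    root="$1"; bin="$2"
    missing=$(ldd "$bin" | missing_libs_from_ldd "$root")
    [ -n "$missing" ] || return 0
    printf '%s needs under %s:\n%s\n' "$bin" "$root" "$missing"
    return 1
}

# Copy one library or loader into the chroot, keeping its directory layout.
install_lib() {
    root="$1"; path="$2"
    mkdir -p "$root$(dirname "$path")" && cp -p "$path" "$root$path"
}

# Usage: sh chroot-libs.sh /usr/lib/squid/unlinkd /usr/lib/squid/diskd-daemon
for bin in "$@"; do
    check_helper "$CHROOT" "$bin" || :
done
```

Feed each path the audit reports to install_lib, then re-run the audit until it prints nothing before restarting Squid.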
Received on Mon Sep 25 2006 - 19:08:38 MDT
