Gentoo Forums
[Solved] Squid: ACL 'manager' already exists
elmar283
Guru
Joined: 06 Dec 2004
Posts: 316
Location: Haarlem, Netherlands

PostPosted: Mon Mar 04, 2013 11:56 am    Post subject: [Solved] Squid: ACL 'manager' already exists Reply with quote

Since a couple of days my squid will not start anymore. I get an error message:
Code:

elmarotter@ZaphodBeeblebrox ~ $ sudo /etc/init.d/squid start
 * Initializing cache directory /var/cache/squid ... [ !! ]
2013/03/04 12:48:51| aclParseAclLine: ACL 'manager' already exists with different type.
FATAL: Bungled squid.conf line 6: acl manager proto cache_object
Squid Cache (Version 3.2.6): Terminated abnormally.
CPU Usage: 0.022 seconds = 0.014 user + 0.008 sys
Maximum Resident Size: 31104 KB
Page faults with physical i/o: 0
 * ERROR: squid failed to start


I haven't changed the script so I don't know what's wrong. I also don't know where the ACL 'manager' should have been made before.

Here are some configs:
Code:
elmarotter@ZaphodBeeblebrox ~ $ cat /etc/squid/squid.conf
debug_options ALL,1 33,2 28,9
#
# Recommended minimum configuration:
#
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.0.0/24
#acl localnet src 192.168.178.0/24
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl SSL_ports port 443 # RFC1918 possible internal network
acl Safe_ports port 80 # RFC1918 possible internal network
acl Safe_ports port 21 # RFC1918 possible internal network
acl CONNECT method CONNECT # RFC 4193 local private network range
acl Safe_ports port 443 # RFC 4291 link-local (directly plugged) machines
acl Safe_ports port 70

acl Safe_ports port 210
acl Safe_ports port 1025-65535 # http
acl Safe_ports port 280 # ftp
acl Safe_ports port 488 # https
acl Safe_ports port 591 # gopher
acl Safe_ports port 777 # wais
#acl blockeddomain url_regex "/etc/squid/blocked.domains.acl"
#acl blockeddomain dstdomain "/etc/squid/blocked.domains.acl"
#acl regex url_regex "/etc/squid/blocked.regex.acl"

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost

#http_access deny regex
#http_access deny blockeddomain
http_access allow manager localhost
http_access allow localnet

# Deny requests to certain unsafe ports
http_access allow localhost

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny manager
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access deny !Safe_ports
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access deny to_localhost
http_access deny all

# And finally deny all other access to this proxy

# Squid normally listens to port 3128
#http_port 3128

http_port 3128 intercept
#http_port 3129 transparent
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /opt/local/var/squid/cache 100 16 256
cache_dir ufs /var/cache/squid 100 16 256
#cache_mem = 256 MB
cache_mem 256 MB

cache_dir ufs /usr/tmp/squid/cache 50000 64 512
# Leave coredumps in the first cache dir
coredump_dir /usr/tmp/squid/cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?) 0   0%   0
refresh_pattern .      0   20%   4320
cache_effective_user squid
cache_effective_group squid
#https_port 3129 intercept

#url_rewrite_program /etc/adzapper/wrapzap
#url_rewrite_children 10

cache_mgr name@domain.nl (mail deleted)


Code:

elmarotter@ZaphodBeeblebrox ~ $ emerge -pv squid

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] net-proxy/squid-3.2.6  USE="ipv6 logrotate mysql pam samba sasl sqlite ssl -caps -ecap -icap-client (-ipf-transparent) -kerberos (-kqueue) -ldap -nis (-pf-transparent) -postgres -qos -radius (-selinux) -snmp -ssl-crtd {-test} -tproxy" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB


Last edited by elmar283 on Sun Apr 14, 2013 6:58 am; edited 1 time in total
massimo
Veteran
Joined: 22 Jun 2003
Posts: 1226

PostPosted: Wed Mar 06, 2013 7:04 am    Post subject: Reply with quote

Remove that line and restart.

Code:

acl manager proto cache_object

_________________
Hello 911? How are you?
elmar283
Guru
Joined: 06 Dec 2004
Posts: 316
Location: Haarlem, Netherlands

PostPosted: Wed Mar 06, 2013 5:01 pm    Post subject: Reply with quote

After deleting ACL 'manager' I get a new error and warning message:
Code:
2013/03/06 17:59:19| ERROR: '0.0.0.0/0.0.0.0' needs to be replaced by the term 'all'.
2013/03/06 17:59:19| SECURITY NOTICE: Overriding config setting. Using 'all' instead.
2013/03/06 17:59:19| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2013/03/06 17:59:19| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '::/0' from the ACL named 'all'
2013/03/06 17:59:19| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2013/03/06 17:59:19| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2013/03/06 17:59:19| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2013/03/06 17:59:19| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2013/03/06 17:59:19| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'
2013/03/06 17:59:19| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'
2013/03/06 17:59:19| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'
2013/03/06 17:59:19| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'
2013/03/06 17:59:19| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'
2013/03/06 17:59:19| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'
squid: No running copy


I still ask myself the question what has changed in squid, since I didn't edit the config file.
massimo
Veteran
Joined: 22 Jun 2003
Posts: 1226

PostPosted: Thu Mar 07, 2013 6:41 am    Post subject: Reply with quote

Did you upgrade squid recently?
_________________
Hello 911? How are you?
oleo
Tux's lil' helper
Joined: 09 Nov 2004
Posts: 117

PostPosted: Sat Mar 09, 2013 8:44 am    Post subject: Reply with quote

Hi all!
I've the same problem and I've recently upgraded squid.
I'm working hard on the squid configuration in order to get it to work, but so far I still haven't found the solution.

Clients can only see HTTPS sites. Normal HTTP sites are blocked and squid says "Denied Access".

This is my squid configuration (I'm using squid+dansguardian)
Code:
acl erendil   src 192.168.0.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_reply_access allow all
icp_access allow localhost
icp_access allow erendil
http_access allow localhost
http_access allow erendil
http_access deny all
icp_access deny all
http_port 192.168.0.1:3128 transparent
cache_dir ufs /var/cache/squid 100 16 256
minimum_object_size 10 KB
maximum_object_size 8192 KB
access_log /var/log/squid/access.log squid
logfile_rotate 3
coredump_dir /var/cache/squid
acl CGI urlpath_regex cgi-bin \?
acl ASP urlpath_regex asp \?
acl PHP urlpath_regex php \?
acl JSP urlpath_regex jsp \?
cache deny CGI ASP PHP JSP
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
cache_effective_user squid
cache_effective_group squid
visible_hostname gandalf2
icp_port 3130
forwarded_for off
syn0ptik
Apprentice
Joined: 09 Jan 2013
Posts: 267

PostPosted: Sat Mar 09, 2013 10:36 am    Post subject: Reply with quote

You do not close all traffic with a rule at the end of it.
Code:
#acl all src 0.0.0.0/0.0.0.0
oleo
Tux's lil' helper
Joined: 09 Nov 2004
Posts: 117

PostPosted: Sun Mar 10, 2013 11:11 pm    Post subject: Reply with quote

This doesn't solve it. :(
Irom
Tux's lil' helper
Joined: 07 Oct 2003
Posts: 95
Location: am arsch..

PostPosted: Sun Mar 17, 2013 12:35 am    Post subject: Reply with quote

http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid wrote:
From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

The messages went away for me after commenting out these three ACLs. As they came from a previous default configuration file I guess the config should be safe without any further changes.
_________________
http://ftp.fukt.bsnet.se/pub/movies/stallman/ (Please watch this before you form an opinion about GNU)
https://apfelboymchen.net/gnu/
elmar283
Guru
Joined: 06 Dec 2004
Posts: 316
Location: Haarlem, Netherlands

PostPosted: Sat Mar 23, 2013 6:03 pm    Post subject: Reply with quote

Yes I updated squid recently. That is when the problem occurred.
What I would like to know is:
- what has changed?
- is there some standard somewhere outside the config file that enables these ACLs?
dbishop
Tux's lil' helper
Joined: 08 Dec 2007
Posts: 107

PostPosted: Sun Apr 14, 2013 3:03 am    Post subject: Reply with quote

Normally I would have expected a notice about this, since these lines were in the squid.conf by way of recommendation:

Code:

# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1


Anyway, having been bitten by the same problem, I commented out the three offending lines. This made the terrifying errors go away and squid would start again:

Code:

#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1


Not sure if dansguardian will start behaving again, but at least squid is starting now...
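The root cause described in Irom's and dbishop's replies is that Squid 3.2 defines `manager`, `localhost`, `to_localhost` and `all` internally, so an old squid.conf that still declares them collides with the built-ins: a different type is fatal ("already exists with different type"), the same type only produces the "is a subnetwork of" warnings, and the pre-3.2 `0.0.0.0/0.0.0.0` spelling of `all` is rejected. The following checker is an added example written for this thread, not code from Squid or from any poster; it replays those three parser checks over a config file and comments out the built-in redefinitions the way Irom and dbishop did by hand. The built-in ACL names and types it assumes are the Squid 3.2 defaults as I know them and should be verified against the installed version; the sample config is constructed to resemble the first post. The authoritative check remains `squid -k parse`, which Squid itself provides.

```python
"""Find squid.conf ACL definitions that collide with Squid 3.2+'s built-in ACLs."""
import re
from typing import Dict, List, Tuple

# ACLs that Squid 3.2 and later define internally before squid.conf is read.
# Assumption: names and types follow the Squid 3.2 defaults
# ('acl manager url_regex ...', 'acl localhost src 127.0.0.1/32 ::1',
# 'acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1', 'acl all src all').
# Confirm them against the version actually installed.
BUILTIN_ACLS: Dict[str, str] = {
    "all": "src",
    "manager": "url_regex",
    "localhost": "src",
    "to_localhost": "dst",
}

ACL_RE = re.compile(r"^acl\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

Finding = Tuple[int, str, str, str]  # (line number, severity, ACL name, message)


def check_squid_conf(text: str) -> List[Finding]:
    """Walk the config once and report the ACL problems Squid's parser would."""
    seen: Dict[str, str] = dict(BUILTIN_ACLS)  # ACL name -> type, seeded with built-ins
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop '#' comments, as Squid does
        m = ACL_RE.match(line)
        if not m:
            continue
        name, acltype = m.group(1), m.group(2)
        args = (m.group(3) or "").split()
        if name in BUILTIN_ACLS:
            builtin_type = BUILTIN_ACLS[name]
            if acltype != builtin_type:
                # Squid 3.2 aborts here with "Bungled squid.conf line N".
                findings.append((lineno, "FATAL", name,
                                 f"ACL '{name}' is built in as type '{builtin_type}' "
                                 f"but redefined as '{acltype}'"))
            else:
                # Same type: Squid starts, but logs the 'is a subnetwork of' warnings.
                findings.append((lineno, "WARNING", name,
                                 f"ACL '{name}' duplicates the built-in definition"))
        elif name in seen and seen[name] != acltype:
            findings.append((lineno, "FATAL", name,
                             f"ACL '{name}' already exists with different type "
                             f"('{seen[name]}' vs '{acltype}')"))
        seen.setdefault(name, acltype)
        if "0.0.0.0/0.0.0.0" in args:
            findings.append((lineno, "ERROR", name,
                             "'0.0.0.0/0.0.0.0' needs to be replaced by the term 'all'"))
    return findings


def comment_out_builtin_acls(text: str) -> str:
    """Return the config with every redefinition of a built-in ACL commented out."""
    flagged = {lineno for lineno, _sev, name, _msg in check_squid_conf(text)
               if name in BUILTIN_ACLS}
    lines = [("#" + raw if lineno in flagged else raw)
             for lineno, raw in enumerate(text.splitlines(), 1)]
    return "\n".join(lines) + "\n"


# Constructed sample modelled on the first post's squid.conf (not the real file).
SAMPLE_CONF = """\
debug_options ALL,1 33,2 28,9
#
# Recommended minimum configuration:
#
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny all
"""

if __name__ == "__main__":
    for lineno, severity, _name, message in check_squid_conf(SAMPLE_CONF):
        print(f"line {lineno}: {severity}: {message}")
    print(comment_out_builtin_acls(SAMPLE_CONF))
```

Run against the sample it reports line 6 as fatal (`proto` versus the built-in `url_regex`) and lines 7 and 8 as duplicates; after `comment_out_builtin_acls` the same check returns nothing, which matches the sequence of messages elmar283 saw and the fix that ended the thread. Only the built-in names are commented out automatically; a conflict between two user-defined ACLs of the same name is reported but left for a human to resolve, since either definition might be the intended one.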
elmar283
Guru
Joined: 06 Dec 2004
Posts: 316
Location: Haarlem, Netherlands

PostPosted: Sun Apr 14, 2013 6:57 am    Post subject: Reply with quote

Thanks Irom. Your answer solves it. I will add [solved] to the topic.
All times are GMT