elmar283 Guru
Joined: 06 Dec 2004 Posts: 316 Location: Haarlem, Netherlands
Posted: Mon Mar 04, 2013 11:56 am Post subject: [Solved] Squid: ACL 'manager' already exists
Since a couple of days my squid will not start anymore. I get an error message:
Code: |
elmarotter@ZaphodBeeblebrox ~ $ sudo /etc/init.d/squid start
* Initializing cache directory /var/cache/squid ... [ !! ]
2013/03/04 12:48:51| aclParseAclLine: ACL 'manager' already exists with different type.
FATAL: Bungled squid.conf line 6: acl manager proto cache_object
Squid Cache (Version 3.2.6): Terminated abnormally.
CPU Usage: 0.022 seconds = 0.014 user + 0.008 sys
Maximum Resident Size: 31104 KB
Page faults with physical i/o: 0
* ERROR: squid failed to start
|
I haven't changed the script so I don't know what's wrong. I also don't know where the ACL 'manager' should have been made before.
Here are some configs:
Code: |
elmarotter@ZaphodBeeblebrox ~ $ cat /etc/squid/squid.conf
debug_options ALL,1 33,2 28,9
#
# Recommended minimum configuration:
#
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.0.0/24
#acl localnet src 192.168.178.0/24
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl SSL_ports port 443 # RFC1918 possible internal network
acl Safe_ports port 80 # RFC1918 possible internal network
acl Safe_ports port 21 # RFC1918 possible internal network
acl CONNECT method CONNECT # RFC 4193 local private network range
acl Safe_ports port 443 # RFC 4291 link-local (directly plugged) machines
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535 # http
acl Safe_ports port 280 # ftp
acl Safe_ports port 488 # https
acl Safe_ports port 591 # gopher
acl Safe_ports port 777 # wais
#acl blockeddomain url_regex "/etc/squid/blocked.domains.acl"
#acl blockeddomain dstdomain "/etc/squid/blocked.domains.acl"
#acl regex url_regex "/etc/squid/blocked.regex.acl"
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
#http_access deny regex
#http_access deny blockeddomain
http_access allow manager localhost
http_access allow localnet
# Deny requests to certain unsafe ports
http_access allow localhost
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny manager
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access deny !Safe_ports
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access deny to_localhost
http_access deny all
# And finally deny all other access to this proxy
# Squid normally listens to port 3128
#http_port 3128
http_port 3128 intercept
#http_port 3129 transparent
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /opt/local/var/squid/cache 100 16 256
cache_dir ufs /var/cache/squid 100 16 256
#cache_mem = 256 MB
cache_mem 256 MB
cache_dir ufs /usr/tmp/squid/cache 50000 64 512
# Leave coredumps in the first cache dir
coredump_dir /usr/tmp/squid/cache
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
#https_port 3129 intercept
#url_rewrite_program /etc/adzapper/wrapzap
#url_rewrite_children 10
cache_mgr name@domain.nl (mail deleted)
|
Code: |
elmarotter@ZaphodBeeblebrox ~ $ emerge -pv squid
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-proxy/squid-3.2.6 USE="ipv6 logrotate mysql pam samba sasl sqlite ssl -caps -ecap -icap-client (-ipf-transparent) -kerberos (-kqueue) -ldap -nis (-pf-transparent) -postgres -qos -radius (-selinux) -snmp -ssl-crtd {-test} -tproxy" 0 kB
Total: 1 package (1 reinstall), Size of downloads: 0 kB
|
Last edited by elmar283 on Sun Apr 14, 2013 6:58 am; edited 1 time in total |
massimo Veteran
Joined: 22 Jun 2003 Posts: 1226
Posted: Wed Mar 06, 2013 7:04 am Post subject:
Remove that line and restart.
Code: |
acl manager proto cache_object
|
_________________ Hello 911? How are you? |
elmar283 Guru
Joined: 06 Dec 2004 Posts: 316 Location: Haarlem, Netherlands
Posted: Wed Mar 06, 2013 5:01 pm Post subject:
After deleting ACL 'manager' I get a new error and warning message:
Code: |
2013/03/06 17:59:19| ERROR: '0.0.0.0/0.0.0.0' needs to be replaced by the term 'all'.
2013/03/06 17:59:19| SECURITY NOTICE: Overriding config setting. Using 'all' instead.
2013/03/06 17:59:19| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2013/03/06 17:59:19| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '::/0' from the ACL named 'all'
2013/03/06 17:59:19| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2013/03/06 17:59:19| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2013/03/06 17:59:19| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2013/03/06 17:59:19| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2013/03/06 17:59:19| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'
2013/03/06 17:59:19| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'
2013/03/06 17:59:19| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'
2013/03/06 17:59:19| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'
2013/03/06 17:59:19| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'
2013/03/06 17:59:19| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'
squid: No running copy
|
I still ask myself the question what has changed in squid, since I didn't edit the config file.
massimo Veteran
Joined: 22 Jun 2003 Posts: 1226
Posted: Thu Mar 07, 2013 6:41 am Post subject:
Did you upgrade squid recently?
oleo Tux's lil' helper
Joined: 09 Nov 2004 Posts: 117
Posted: Sat Mar 09, 2013 8:44 am Post subject:
Hi all!
I've the same problem and I've recently upgraded squid.
I'm working hard on the squid configuration in order to get it to work, but by now I still haven't found the solution.
Clients can only see HTTPS sites. Normal HTTP sites are blocked and squid says "Denied Access".
This is my squid configuration (I'm using squid+dansguardian):
Code: |
acl erendil src 192.168.0.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_reply_access allow all
icp_access allow localhost
icp_access allow erendil
http_access allow localhost
http_access allow erendil
http_access deny all
icp_access deny all
http_port 192.168.0.1:3128 transparent
cache_dir ufs /var/cache/squid 100 16 256
minimum_object_size 10 KB
maximum_object_size 8192 KB
access_log /var/log/squid/access.log squid
logfile_rotate 3
coredump_dir /var/cache/squid
acl CGI urlpath_regex cgi-bin \?
acl ASP urlpath_regex asp \?
acl PHP urlpath_regex php \?
acl JSP urlpath_regex jsp \?
cache deny CGI ASP PHP JSP
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
visible_hostname gandalf2
icp_port 3130
forwarded_for off
|
syn0ptik Apprentice
Joined: 09 Jan 2013 Posts: 267
Posted: Sat Mar 09, 2013 10:36 am Post subject:
You do not close all traffic with a rule at the end of it.
Code: |
#acl all src 0.0.0.0/0.0.0.0
|
oleo Tux's lil' helper
Joined: 09 Nov 2004 Posts: 117
Posted: Sun Mar 10, 2013 11:11 pm Post subject:
This doesn't solve it.
Irom Tux's lil' helper
Joined: 07 Oct 2003 Posts: 95 Location: am arsch..
Posted: Sun Mar 17, 2013 12:35 am Post subject:
http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid wrote: | From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. |
The messages went away for me after commenting out these three ACLs. As they came from a previous default configuration file I guess the config should be safe without any further changes.
_________________ http://ftp.fukt.bsnet.se/pub/movies/stallman/ (Please watch this before you form an opinion about GNU)
https://apfelboymchen.net/gnu/ |
elmar283 Guru
Joined: 06 Dec 2004 Posts: 316 Location: Haarlem, Netherlands
Posted: Sat Mar 23, 2013 6:03 pm Post subject:
Yes I updated squid recently. That is when the problem occurred.
What I would like to know is:
- what has changed?
- is there some standard somewhere outside the config file that enables these ACLs?
dbishop Tux's lil' helper
Joined: 08 Dec 2007 Posts: 107
Posted: Sun Apr 14, 2013 3:03 am Post subject:
Normally I would have expected a notice about this, since these lines were in the squid.conf by way of recommendation:
Code: |
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
|
Anyway, having been bitten by the same problem, I commented out the three offending lines. This made the terrifying errors go away and squid would start again:
Code: |
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
|
Not sure if dansguardian will start behaving again, but at least squid is starting now... |
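The fix described in the two posts above, as an added example that is not part of any post or of Squid itself: a Python script that comments out active `acl` lines redefining the three names the quoted FAQ lists as built-in, then checks that every ACL name used by `http_access` still resolves. The function names and the sample config (abridged from the first post) are constructed for illustration; treating `all` as built-in is an assumption taken from the configs in this thread, which use it without defining it.

```python
import re

# Names Squid 3.2+ defines itself, per the Squid FAQ quoted in the thread.
BUILTIN_ACLS = {"manager", "localhost", "to_localhost"}
ACL_LINE = re.compile(r"^(\s*)acl\s+(\S+)\s+(\S+)")  # active acl directive
# Constructed sample, abridged from the squid.conf in the first post.
SAMPLE_CONF = """\
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.0.0/24
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny to_localhost
http_access deny all
"""

def comment_out_builtin_acls(conf_text, builtins=BUILTIN_ACLS):
    """Return (new_text, findings); findings holds (line_no, name, type)
    for each active acl line that redefines a built-in name."""
    out, findings = [], []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = ACL_LINE.match(line)
        if m and m.group(2) in builtins:
            findings.append((line_no, m.group(2), m.group(3)))
            line = m.group(1) + "#" + line[len(m.group(1)):]
        out.append(line)
    return "\n".join(out) + "\n", findings

def dangling_references(conf_text, builtins=BUILTIN_ACLS):
    """ACL names used by http_access but neither defined in the file nor
    built in, i.e. what would break if too many lines were commented out."""
    defined = set(builtins) | {"all"}  # assumption: 'all' is built in too
    used = set()
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "acl":
            defined.add(fields[1])
        elif len(fields) >= 3 and fields[0] == "http_access":
            used.update(name.lstrip("!") for name in fields[2:])
    return sorted(used - defined)

if __name__ == "__main__":
    fixed, found = comment_out_builtin_acls(SAMPLE_CONF)
    for line_no, name, acl_type in found:
        print(f"line {line_no}: 'acl {name} {acl_type}' redefines a built-in ACL")
    print("unresolved ACL names:", dangling_references(fixed))
    print(fixed, end="")
```

Running the rewritten file through `squid -k parse` before restarting confirms that Squid itself accepts the result.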
elmar283 Guru
Joined: 06 Dec 2004 Posts: 316 Location: Haarlem, Netherlands
Posted: Sun Apr 14, 2013 6:57 am Post subject:
Thanks Irom. Your answer solves it. I will add [solved] to the topic. |