Squid Proxy running inside DD with HD usb like a big cache

<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

Posted: Tue Feb 04, 2014 17:03
threehappypenguins wrote:
I think I'm way over my head. I installed Privoxy, and read the documentation... but I just don't understand its purpose. I finally figured out that with all these config files and whatever, I am dealing with Perl (which I know nothing about). So I was having trouble figuring out what to edit in order to make the logfile work (I think I want that working in Privoxy? It logs the same things as Squid? I don't know...). I don't even know whether I am supposed to use a forward slash or backslash. I think forward slash because of the example that it gives for the Unix directory.

Still a blank logfile.

I'm just ready to cry. I just want to log where a teenager is going (for a friend) what he is searching for (whether in Google or in Instagram), and what images he is looking at. My friend wants to gather information so he can decide what to do. He has 8 kids, so of course things can get really busy. But he needs to know what a particular teenager is doing online so he can deal with it.

I see Tomato has logging capabilities: http://tomato.groov.pl/wp-content/gallery/screenshots/web_usage.png

I'll have to drive over there again and flash ANOTHER firmware on it. My friend is already computer illiterate, so it will be difficult to explain what I am doing.


Not sure what router you got. For all models I support you can easily set this up with the integrated privoxy. Just turn on the adblocking feature, enable custom config, copy and paste the contents of the pre generated /tmp/privoxy.conf and change a few lines, in order to make it log to a file on an attached usb device.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
auvenj
DD-WRT Novice


Joined: 02 Dec 2013
Posts: 10

Posted: Thu Jul 10, 2014 0:21    Post subject: Privoxy + Squid disk cache on high power router
Reading through this thread, there seems to be some disagreement over whether running squid on DD-WRT is advisable.

I have a Netgear R7000 with DD-WRT, dual core processor overclocked to 1.2 GHz so plenty of horsepower. It has a 1 TB USB3 spinning drive formatted EXT3 currently for NAS, but there's plenty of free space on the drive.

I'm currently running privoxy and love the ad blocking but would also like to put a large (10 Gig +) common browser cache for all my clients to share on the USB drive. I run some clients with their local browser disk cache disabled due to them running on flash sticks, SD cards & such or non-persistent live-DVDs. So having a common disk cache that could be shared by all of the clients seems like it would be useful.

Is it advisable to add squid to my DD-WRT Privoxy setup to provide caching? Or would that likely slow things down rather than speed them up?

If advisable, what's the right way to chain squid to privoxy so I don't lose privoxy's ad blocking?

Or is there a better way to accomplish this? Sure wish privoxy just had a "cache" option that could be turned on if caching is desired.
GLO
DD-WRT User


Joined: 19 Dec 2006
Posts: 204

Posted: Thu Nov 20, 2014 21:05
I'm also curious if anyone is still setting this type of config up?
stalonge
DD-WRT Guru


Joined: 21 Jul 2006
Posts: 1936
Location: Fortaleza Ce Brazil

Posted: Thu Nov 20, 2014 21:54
<Kong> wrote:
threehappypenguins wrote:
I think I'm way over my head. I installed Privoxy, and read the documentation... but I just don't understand its purpose. I finally figured out that with all these config files and whatever, I am dealing with Perl (which I know nothing about). So I was having trouble figuring out what to edit in order to make the logfile work (I think I want that working in Privoxy? It logs the same things as Squid? I don't know...). I don't even know whether I am supposed to use a forward slash or backslash. I think forward slash because of the example that it gives for the Unix directory.

Still a blank logfile.

I'm just ready to cry. I just want to log where a teenager is going (for a friend) what he is searching for (whether in Google or in Instagram), and what images he is looking at. My friend wants to gather information so he can decide what to do. He has 8 kids, so of course things can get really busy. But he needs to know what a particular teenager is doing online so he can deal with it.

I see Tomato has logging capabilities: http://tomato.groov.pl/wp-content/gallery/screenshots/web_usage.png

I'll have to drive over there again and flash ANOTHER firmware on it. My friend is already computer illiterate, so it will be difficult to explain what I am doing.


Not sure what router you got. For all models I support you can easily set this up with the integrated privoxy. Just turn on the adblocking feature, enable custom config, copy and paste the contents of the pre generated /tmp/privoxy.conf and change a few lines, in order to make it log to a file on an attached usb device.




@ <Kong>

Could you post the config so that privoxy works with a USB HD that was already mounted by DD?

thanks




_________________
DDwrt ...it rocks ....

1 R7800 58627 K6.1 AP
1 R7800 53562 Samba FTP K4.9 STATION
1 WZR1750 58627 AP Webserver Samba Wireguard
2 TP link Archer C7v5 58179 Cli
1 DD x86_64 58389 Gateway Samba Ftp Webserver wireguard
1 MR9000 58627 Gateway Samba Ftp Webserver wireguard
1 WRX36 58627 Gateway Ftp Webserver wireguard
luluberlu64
DD-WRT Novice


Joined: 08 Dec 2014
Posts: 7

Posted: Fri Dec 12, 2014 10:01
Hello there !
I followed different tutorials to install opkg and configure squid.conf. I managed to make it work, but when I run:

Code:
/opt/etc/init.d/S80squid start
it returns:
Quote:
-sh: /opt/etc/init.d/S80squid: not found


Any idea?
luluberlu64
DD-WRT Novice


Joined: 08 Dec 2014
Posts: 7

Posted: Fri Dec 12, 2014 17:03
I can run squid via ssh, but it is impossible to run it from the command shell.

I tried different commands:
Code:

#!
/tmp/mnt/sda2/opt/usr/sbin/squid

or

#!/opt/usr/sbin/squid


It always returns a segmentation fault.
netman74501
DD-WRT Novice


Joined: 11 Mar 2009
Posts: 6

Posted: Sun Jan 06, 2019 2:37    Post subject: Squid hosted on DD-WRT
I realize that this is a very old thread but it is the second result on Google and pretty much the only result anywhere that I could find which asks how to set up Squid on DD-WRT itself -- not remotely. So, I created a guide on my blog and thought I'd copy it to here as well just in case people are still looking for this sort of thing.

-------------


This guide will show you how to set up a transparent Squid proxy with HTTPS support directly on DD-WRT. Let's dive right in!


Prerequisites

The only requirements are that you have an SSH connection and a working Optware installation. Visit the DD-WRT Optware page for additional information on installing Optware. In short, you need to mount /opt and run the bootstrap command. (Bootstrap may only be available in Kong builds.) How you mount /opt does not matter as long as the user nobody has read and write access. I won't go into too much detail but I have used a CIFS mount for mine:

Code:

/sbin/insmod /lib/modules/`uname -r`/kernel/crypto/md4.ko
/sbin/insmod /lib/modules/`uname -r`/kernel/crypto/md5.ko
/sbin/insmod /lib/modules/`uname -r`/kernel/crypto/des_generic.ko
/sbin/insmod /lib/modules/`uname -r`/kernel/fs/fscache/fscache.ko
/sbin/insmod /lib/modules/`uname -r`/kernel/fs/cifs/cifs.ko
/bin/mount.cifs //192.168.x.x/ddwrt /opt -o uid=nobody,username=user,password=pass


NOTE: fscache.ko must be loaded before cifs.ko.

Getting Started

Once you have an SSH connection and Optware is properly functioning, install Squid. You may also want to install nano if you prefer nano over vi like I do:

Code:

opkg install squid
opkg install nano


Create Missing Directories

Now that we have Squid installed, we need to create a few directories before Squid will run. The default installation is a bit broken and needs the following directories to be created:

Code:

mkdir /dev/shm
chown nobody /dev/shm
mkdir /opt/var/run/
mkdir /opt/etc/squid/ssl
mkdir /opt/etc/squid/ssl/cacerts


IMPORTANT: As previously mentioned, make sure the user nobody has read and write access to all directories in /opt. If you are mounting via CIFS, ensure you use uid=nobody in your mount options. This will save you a lot of headaches.

My device does not create the /dev/shm/ directory so I create it and change the owner to nobody. You should check your device to see if the directory exists before doing this.

Certificates, Certificates and more Certificates

Now that we have our directories created, we need to initialize the certificate cache:

Code:

/opt/lib/squid/ssl_crtd -c -s /opt/etc/squid/ssl/ssl_db/


Next you will need to generate a self-signed root certificate and copy the certificate and key to /opt/etc/squid/ssl/. There are plenty of guides on how to generate your own certificate so I will not be going into detail on this. However, if you need a place to start, you may visit the Squid Dynamic SSL Certificate Generation page where you can find a few clues as to the correct commands to use. Just be sure to have the certificate and key separated or change the Squid configuration file to point to a combined certificate and key file.

Squid doesn't come with any Global Root Certificates by default so you'll need to copy your own into /opt/etc/squid/ssl/cacerts/. There are several ways you can obtain Root Certificates. The easiest method is to copy them from /etc/ssl/certs/ on a Debian based system. You may also download them from Curl's CA Extract page.

Once you have your Root Certificate generated, create a DER certificate and import it into your web browser. Visit the Squid Dynamic SSL Certificate Generation page for additional information on creating the DER certificate.

Modern Ciphers

It's a good idea to generate a DH/EDH cipher and copy it to /opt/etc/squid/ssl/. This will help to harden your Squid connections. If you have a version of Squid less than 3.5.27, you may need to use a different directive in the Squid configuration file. Visit the link above to obtain the relevant directive.

Visit the Squid Modern DH/EDH Ciphers page for additional information.

If you don't want to use a modern cipher then you can skip this section, but be sure to change the Squid configuration file accordingly.

Squid Configuration File

Add the following configuration directives to the end of /opt/etc/squid/squid.conf:

Code:

# If you have 64 MB device RAM you can use 16 MB cache_mem, default is 8 MB
cache_mem 8 MB
maximum_object_size_in_memory 100 KB
maximum_object_size 32 MB

# Leave coredumps in the first cache dir
coredump_dir /opt/var/cache/squid

# Set the cache directory location and size
cache_dir aufs /opt/var/cache/squid 500 16 256

# Listen on port 3130 for https
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/etc/squid/ssl/cert.pem key=/opt/etc/squid/ssl/key.pem tls-dh=prime256v1:/opt/etc/squid/ssl/tls-dh.pem

# Listen on port 3129 for http
http_port 3129 intercept

# Squid normally listens to port 3128 for direct browser connections
# Squid refuses to run if port 3128 is missing - giving a "no forwarding proxy configured" error
http_port 3128

# Visit https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Troubleshooting for additional information on the following version differences
# For Squid 3.5.x only
sslcrtd_program /opt/lib/squid/ssl_crtd -s /opt/etc/squid/ssl/ssl_db -M 4MB
sslcrtd_children 5

# For Squid 4 and newer
#tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_capath /opt/etc/squid/ssl/cacerts

# Replace this section with your own ssl_bump and acl rules
# Visit https://wiki.squid-cache.org/Features/SslPeekAndSplice for additional information
# NOTE: You should splice banking websites
acl step1 at_step SslBump1
acl excludeServerFromProxy ssl::server_name .example.org
ssl_bump peek step1
ssl_bump splice excludeServerFromProxy
ssl_bump stare all


The important parts here are the cache size, ports, rules and file paths. Ensure they are what you expect them to be before continuing. As there are so many possible configuration directives, I will not be going into further detail about the configuration directives and what they do. Visit the Squid Configuration Directives Documentation page for additional information.

Cache Building

Next, build the cache that Squid will use:

Code:

squid -z


You should receive similar output to the following:

Code:

2019/01/05 15:43:09 kid1| Set Current Directory to /opt/var/cache/squid
2019/01/05 15:43:09 kid1| Creating missing swap directories
2019/01/05 15:43:09 kid1| /opt/var/cache/squid exists
2019/01/05 15:43:09 kid1| Making directories in /opt/var/cache/squid/00
2019/01/05 15:43:09 kid1| Making directories in /opt/var/cache/squid/01
2019/01/05 15:43:10 kid1| Making directories in /opt/var/cache/squid/02
2019/01/05 15:43:10 kid1| Making directories in /opt/var/cache/squid/03
2019/01/05 15:43:10 kid1| Making directories in /opt/var/cache/squid/04
2019/01/05 15:43:11 kid1| Making directories in /opt/var/cache/squid/05
2019/01/05 15:43:11 kid1| Making directories in /opt/var/cache/squid/06
2019/01/05 15:43:11 kid1| Making directories in /opt/var/cache/squid/07
2019/01/05 15:43:12 kid1| Making directories in /opt/var/cache/squid/08
2019/01/05 15:43:12 kid1| Making directories in /opt/var/cache/squid/09
2019/01/05 15:43:12 kid1| Making directories in /opt/var/cache/squid/0A
2019/01/05 15:43:13 kid1| Making directories in /opt/var/cache/squid/0B
2019/01/05 15:43:13 kid1| Making directories in /opt/var/cache/squid/0C
2019/01/05 15:43:13 kid1| Making directories in /opt/var/cache/squid/0D
2019/01/05 15:43:14 kid1| Making directories in /opt/var/cache/squid/0E
2019/01/05 15:43:14 kid1| Making directories in /opt/var/cache/squid/0F


If you do not get the above output, ensure that file permissions are correct and that /opt/var/cache/squid/ exists. REMEMBER: The user nobody must have read and write access.

The Virgin Voyage

Now it is finally time to try to start Squid. Let's start Squid in a special debugging mode so that we can see what is happening in case something goes wrong.

Code:

squid -d 1


You should receive output similar to the following:

Code:

2019/01/05 15:44:30 kid1| Set Current Directory to /opt/var/cache/squid
2019/01/05 15:44:30 kid1| Starting Squid Cache version 3.5.27 for arm-openwrt-linux-gnu...
2019/01/05 15:44:30 kid1| Service Name: squid
2019/01/05 15:44:30 kid1| Process ID 23227
2019/01/05 15:44:30 kid1| Process Roles: worker
2019/01/05 15:44:30 kid1| With 1024 file descriptors available
2019/01/05 15:44:30 kid1| Initializing IP Cache...
2019/01/05 15:44:30 kid1| DNS Socket created at 0.0.0.0, FD 6
2019/01/05 15:44:30 kid1| Adding nameserver 192.168.x.x from /etc/resolv.conf
2019/01/05 15:44:30 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
2019/01/05 15:44:30 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2019/01/05 15:44:30 kid1| Logfile: opening log stdio:/dev/null
2019/01/05 15:44:30 kid1| Swap maxSize 51200000 + 262144 KB, estimated 3958626 objects
2019/01/05 15:44:30 kid1| Target number of buckets: 197931
2019/01/05 15:44:30 kid1| Using 262144 Store buckets
2019/01/05 15:44:30 kid1| Max Mem size: 262144 KB
2019/01/05 15:44:30 kid1| Max Swap size: 51200000 KB
2019/01/05 15:44:30 kid1| Rebuilding storage in /opt/var/cache/squid (no log)
2019/01/05 15:44:30 kid1| Using Least Load store dir selection
2019/01/05 15:44:30 kid1| Set Current Directory to /opt/var/cache/squid
2019/01/05 15:44:30 kid1| Finished loading MIME types and icons.
2019/01/05 15:44:30 kid1| HTCP Disabled.
2019/01/05 15:44:30 kid1| Pinger socket opened on FD 25
2019/01/05 15:44:30 kid1| Squid plugin modules loaded: 0
2019/01/05 15:44:30 kid1| Adaptation support is off.
2019/01/05 15:44:30 kid1| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 21 flags=41
2019/01/05 15:44:30 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 22 flags=9
2019/01/05 15:44:30 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:3130 remote=[::] FD 23 flags=41
2019/01/05 15:44:34 kid1| Done scanning /opt/var/cache/squid dir (0 entries)
2019/01/05 15:44:34 kid1| Finished rebuilding storage from disk.
2019/01/05 15:44:34 kid1| 0 Entries scanned
2019/01/05 15:44:34 kid1| 0 Invalid entries.
2019/01/05 15:44:34 kid1| 0 With invalid flags.
2019/01/05 15:44:34 kid1| 0 Objects loaded.
2019/01/05 15:44:34 kid1| 0 Objects expired.
2019/01/05 15:44:34 kid1| 0 Objects cancelled.
2019/01/05 15:44:34 kid1| 0 Duplicate URLs purged.
2019/01/05 15:44:34 kid1| 0 Swapfile clashes avoided.
2019/01/05 15:44:34 kid1| Took 4.61 seconds ( 0.00 objects/sec).
2019/01/05 15:44:34 kid1| Beginning Validation Procedure
2019/01/05 15:44:34 kid1| Completed Validation Procedure
2019/01/05 15:44:34 kid1| Validated 0 Entries
2019/01/05 15:44:34 kid1| store_swap_size = 0.00 KB
2019/01/05 15:44:35 kid1| storeLateRelease: released 0 objects


Issue the following command to check if Squid has successfully started:

Code:

ps | grep -i squid


This will give you output similar to:

Code:

23225 root 11236 S squid -d 1
23227 nobody 16680 S {squid} (squid-1) -d 1
23229 nobody 3452 S {ssl_crtd} (ssl_crtd) -s /opt/etc/squid/ssl/ssl_db -M 4MB
23230 nobody 3364 S {ssl_crtd} (ssl_crtd) -s /opt/etc/squid/ssl/ssl_db -M 4MB
23231 nobody 3364 S {ssl_crtd} (ssl_crtd) -s /opt/etc/squid/ssl/ssl_db -M 4MB
23232 nobody 3364 S {ssl_crtd} (ssl_crtd) -s /opt/etc/squid/ssl/ssl_db -M 4MB
23233 nobody 3364 S {ssl_crtd} (ssl_crtd) -s /opt/etc/squid/ssl/ssl_db -M 4MB
23277 root 1196 S grep squid


If you do not get any output other than the grep line, then something is wrong with Squid. You should check the output from the previous squid -d 1 command for clues as to what went wrong.

iptables (Yay!)

NOTE: If you don't want to set up Squid to be a transparent proxy, then skip this step and configure your web browser's proxy settings to send traffic to port 3128. (You still need to open the port with the first iptables line from below.) You may also want to remove the relevant http_port/https_port lines from your configuration file for the other ports. Be aware that you'll lose the HTTPS proxy function as browsers do not yet have good support for direct communication to an HTTPS proxy. Hence why you should only be using one port with this type of configuration.

Now that we have Squid up and running, we can redirect our traffic to the correct port so that Squid can receive it. Be sure your configured ports match the redirection rule's ports. If you forward non-https traffic to Squid's https port, it will be refused. Also, make sure that you are using the correct interface -- in this case br0.

Issue the following commands to add the redirect rules using iptables:

Code:

iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -I INPUT -p tcp --dport 3129 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j REDIRECT --to-port 3130
iptables -I INPUT -p tcp --dport 3130 -j ACCEPT


Lift off!

You made it! Congratulations, you should now be able to happily browse the Internet at decent first-page-load speeds and blazing fast subsequent-page-load speeds. If you are unable to pleasantly browse the worldwide inter-webs, scroll to the Notes and Comments section at the end of this article for some useful hints.

Making it Permanent

At this point, you should have a fully functioning Squid installation. The only problem is, it is temporary. When you restart your router, Squid will not be started automatically and special directories will once again be missing.

To fix this, add the following to your startup script by opening your router's DD-WRT configuration page (usually at http://192.168.0.1) and navigating to the Administration Tab -> Commands Tab.

Input the following into the Command Shell field:

Code:

/bin/mkdir /dev/shm
/bin/chown nobody /dev/shm
/opt/sbin/squid &


Click on Save Startup to save your changes.

NOTE: If you are using a CIFS mount, you should add the relevant commands from the top of this article to your startup script as well.

After you have saved the startup script, input the following into the Command Shell field to add the iptables commands to the firewall script:

Code:

iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -I INPUT -p tcp --dport 3129 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j REDIRECT --to-port 3130
iptables -I INPUT -p tcp --dport 3130 -j ACCEPT


Click on Save Firewall to save your changes.

Finish Line!

Now it is time to reboot and marvel at your work. If all is good, you should be able to browse the Internet without problems but we still need to verify the proxy is actually working.

To do this, visit https://example.com in your web browser. Open the properties for the certificate of the website and look for your Root Certificate's information to be populated under the Issued by field. If your Root Certificate's information is not present, then your traffic is not being proxied correctly.

You'll also want to visit https://www.ssllabs.com/ssltest/viewMyClient.html. This site can tell you a lot about your connection to the outside world when it comes to certificate support. Visit https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Hardening for additional information on what to expect.

Fine Tuning

Some fine tuning needs to be done after you have a working installation. You'll probably want to change the acl directives at the end of your Squid configuration file to be what you want.

Specifically, you need to change .example.org in the acl line to a banking website or a website that you do not want to be included in the proxy. You may add additional acl lines to exclude multiple sites.

You may also want to enable logging. To do this, edit the configuration file and remove the following lines:

Code:

access_log none
cache_log /dev/null
cache_store_log stdio:/dev/null
logfile_rotate 0
logfile_daemon /dev/null


Create the /opt/var/logs/ directory:

Code:

mkdir /opt/var/logs


Next, add a cronjob to rotate the logs by visiting your router's DD-WRT configuration page (usually at http://192.168.0.1) and navigating to Administration Tab -> Management Tab.

Input the following into the Cron section:

Code:

0 0 * * * root /opt/sbin/squid -k rotate


Click on Save to save your changes. Reboot the router or run squid -k reconfigure to make your changes immediate.

Notes and Comments

The following commands are very useful when troubleshooting:

Code:

squid -k reconfigure
squid -k shutdown
ps | grep -i squid
killall squid

The following are only useful if you have logging enabled:

Code:

tail -n 50 -f /opt/var/logs/access.log
tail -n 50 -f /opt/var/logs/cache.log

If your browser displays warnings about the certificate not being trusted, you need to install your Self-Signed Root Certificate into the browser.

Issue the following command to allow a device to bypass the proxy altogether (you must replace [IPADDRESS]):

Code:

iptables -t nat -I PREROUTING -i br0 -s [IPADDRESS] -j ACCEPT


Delete an iptables entry by first viewing the list:

Code:

iptables -t nat --list --line-numbers


Then issue the following (you must replace # with the number of the rule you want to delete):

Code:

iptables -t nat -D PREROUTING #


Some errors Squid spits out are a little vague. If you receive a segmentation fault of any kind, it is most likely due to missing directories or incorrect permissions. Here is a list of errors I have run across while installing Squid and the solutions to each:

Code:

FATAL: Failed to verify one of the swap directories, Check cache.log
for details. Run 'squid -z' to create swap directories
if needed, or if running Squid for the first time.


Check that the /var/cache/squid/ directory exists and that the user nobody has read and write access to it. Run squid -z if the directory is empty.

Code:

FATAL: Ipc::Mem::Segment::create failed to shm_open(/squid-cf__metadata.shm): (2) No such file or directory


Check that the /dev/shm/ directory exists and that the user nobody has read and write access to it.

Code:

FATAL: Unable to open HTTPS Socket


For any errors similar to this one, check that Squid is not already running and that no other process is using any of Squid's ports (3128, 3129, 3130).

Code:

pinger: Initialising ICMP pinger ...
icmp_sock: (1) Operation not permitted
pinger: Unable to start ICMP pinger.
icmp_sock: (97) Address family not supported by protocol
pinger: Unable to start ICMPv6 pinger.
FATAL: pinger: Unable to open any ICMP sockets.


These error messages regard the ping utility. They can be safely ignored.

Code:

FATAL: Received Segment Violation...dying.


I'm not sure what this was about. It happened once when I issued the squid -k restart command. Regardless, the restart never works so I just don't use it. I use squid -k shutdown instead and bring Squid back up with squid after about 30 seconds. (Squid waits 30 seconds before shutting down during a clean shutdown.)

Code:

BUG: Unexpected state while connecting to a cache_peer or origin server


I'm not sure of the cause of this error either. I received it when posting to the DD-WRT forums along with messages about the queue being overloaded and to increase the number of ssl_crtd processes in the configuration file. I did so to no avail and the Squid process finally died one of the times I attempted to issue the squid -k reconfigure command. For now, I deleted and rebuilt the ssl_db directory, then rebooted. The error seems to be gone.

Thanks for reading!

Links in this Article
https://wiki.dd-wrt.com/wiki/index.php/Optware
https://wiki.squid-cache.org/Features/DynamicSslCert
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Modern_DH.2FEDH_ciphers_usage
https://curl.haxx.se/docs/caextract.html
http://www.squid-cache.org/Doc/config/
https://www.ssllabs.com/ssltest/viewMyClient.html
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Hardening

Links of Interest
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Hardening
https://wiki.dd-wrt.com/wiki/index.php/Squid_Transparent_Proxy
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=80678&postdays=0&postorder=asc&start=30&sid=f60feaf2c1f415edc4e5a1e9382e45a3
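
The guide's warning that the redirect ports must match Squid's configured ports can be checked before the firewall script is saved. The script below is an added example, not part of the original post: the function names and the sample files are constructed here, and it additionally reports INPUT ACCEPT rules that carry no -i match, because such a rule opens the proxy port on every interface rather than only br0.

```shell
#!/bin/sh
# Added example, not part of the original guide: compare a DD-WRT firewall
# script with squid.conf before saving either one.

# Print every port Squid listens on (http_port and https_port lines).
proxy_ports() {  # $1 = squid.conf
    awk '$1 ~ /^https?_port$/ { print $2 }' "$1"
}

# Print the port of the "<directive> <port> intercept" line.
intercept_port() {  # $1 = squid.conf, $2 = http_port | https_port
    awk -v d="$2" '$1 == d && $3 == "intercept" { print $2; exit }' "$1"
}

# Print the --to-port of the REDIRECT rule whose --dport is $2.
redirect_target() {  # $1 = firewall script, $2 = original destination port
    awk -v p="$2" '
        /-j REDIRECT/ {
            dport = ""; to = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-port" || $i == "--to-ports") to = $(i + 1)
            }
            if (dport == p) { print to; exit }
        }' "$1"
}

# Print each listed port that an INPUT ACCEPT rule opens without "-i <iface>".
# Such a rule matches packets from every interface, the WAN side included.
unscoped_accepts() {  # $1 = firewall script, $2... = ports to look for
    fw=$1; shift
    awk -v ports="$*" '
        BEGIN { n = split(ports, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /INPUT/ && /-j ACCEPT/ {
            dport = ""; iface = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-i") iface = $(i + 1)
            }
            if ((dport in want) && iface == "") print dport
        }' "$fw"
}

# Print one finding per line; no output means the two files agree.
audit() {  # $1 = squid.conf, $2 = firewall script
    http=$(intercept_port "$1" http_port)
    https=$(intercept_port "$1" https_port)
    [ "$(redirect_target "$2" 80)" = "$http" ] ||
        echo "MISMATCH: tcp/80 is not redirected to http_port $http"
    [ "$(redirect_target "$2" 443)" = "$https" ] ||
        echo "MISMATCH: tcp/443 is not redirected to https_port $https"
    for p in $(unscoped_accepts "$2" $(proxy_ports "$1")); do
        echo "EXPOSED: INPUT accepts tcp/$p on every interface, add -i br0"
    done
}

# Constructed sample input: ports and rules as posted in the guide above.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/squid.conf" <<'EOF'
https_port 3130 intercept ssl-bump generate-host-certificates=on
http_port 3129 intercept
http_port 3128
EOF
cat > "$SAMPLE_DIR/fw.posted" <<'EOF'
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -I INPUT -p tcp --dport 3129 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j REDIRECT --to-port 3130
iptables -I INPUT -p tcp --dport 3130 -j ACCEPT
EOF
# Variant 1: the INPUT rules limited to the LAN bridge br0.
sed 's/-I INPUT /-I INPUT -i br0 /' "$SAMPLE_DIR/fw.posted" > "$SAMPLE_DIR/fw.scoped"
# Variant 2: tcp/443 sent to the plain-HTTP intercept port by mistake.
sed 's/--to-port 3130/--to-port 3129/' "$SAMPLE_DIR/fw.scoped" > "$SAMPLE_DIR/fw.wrong"

for f in posted scoped wrong; do
    echo "== fw.$f"
    audit "$SAMPLE_DIR/squid.conf" "$SAMPLE_DIR/fw.$f"
done
```

On a router, point audit at /opt/etc/squid/squid.conf and at a file holding the lines you intend to paste into Save Firewall.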
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13448
Location: Netherlands

Posted: Sun Jan 06, 2019 9:07
Thanks, nice job!
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
All times are GMT