Problema com cache_effective_user e cache_effective_group [RESOLVIDO]

maurolarrat
(usa Ubuntu)

Enviado em 09/05/2011 - 16:33h

Caros,

estou implementando um Squid e, durante meus testes iniciais com "squid -N -d1",
ocorreu este erro:

FATAL: getpwnam failed to find userid for effective user 'squid'
Squid Cache (Version 2.7.STABLE9): Terminated abnormally.
CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
Maximum Resident Size: 5328 KB
Page faults with physical i/o: 0
Abortado

meu arquivo squid.conf :

# Proxy Transparente SQUID
#Create date: 09/05/2011


##################################################################################
# Configurações iniciais do SQUID
##################################################################################

# Porta SQUID.
http_port 192.168.0.1:3128

# Nome do Proxy visível no bloqueio.
visible_hostname TESTE

# E-mail que aparece para contato na página de bloqueio.
cache_mgr teste.ti@teste.com.br


##################################################################################
# Configurações dos LOGs do SQUID (aponte para /dev/null para não armazenar logs)
##################################################################################

cache_effective_user squid
cache_effective_group nobody

cache_log /etc/squid/logs/cache.log
cache_access_log /etc/squid/logs/access.log
cache_store_log none

##################################################################################
# Declaração das ACLs para identificação da intranet.
##################################################################################

acl All src 0/0 # Todos as redes possíveis.
acl Manager proto cache_object #
acl CONNECT method CONNECT #
acl localhost src 127.0.0.1/255.255.255.255 # Aponta para a máquina local.
acl INTRANET src 192.168.0.0/24 # Endereço da intranet.
acl INTRANETWRL src 192.168.1.0/24 # Endereço da intranet wireless.


##################################################################################
# Declaração das ACLs para liberação de portas.
##################################################################################

# Portas liberadas
acl SSL_ports port 443 # https
acl SSL_ports port 563 #
acl Safe_ports port 80 # http
acl Safe_ports port 22 # ftp
acl Safe_ports port 53 # DNS
acl Safe_ports port 210 # wais
acl Safe_ports port 70 # gopher
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 3456 # RECEITANET
acl Safe_ports port 95 # AND SAT
acl Safe_ports port 3307 # AND SAT
acl Safe_ports port 8080 # CONSULTA NÚMERO
acl Safe_ports port 587 # TURBOSITE SMTP
acl Safe_ports port 25 # TURBOSITE SMTP
acl Safe_ports port 110 # TURBOSITE POP3
acl Safe_ports port 993 # GMAIL IMAP
acl Safe_ports port 465 # GMAIL SMTP
acl Safe_ports port 5900 # VNC
acl Safe_ports port 5500 # VNC
acl Safe_ports port 5800 # VNC
acl Safe_ports port 30000 # BRADESCO
acl Safe_ports port 3128 # Squid
acl Safe_ports port 3388 # Sisloc
acl Safe_ports port 3389 # Sisloc
acl Safe_ports port 3389 # Sisloc
acl Safe_ports port 1433 # Sisloc
acl Safe_ports port 1434 # Sisloc
acl Safe_ports port 47 # Sisloc
acl Safe_ports port 10001-10220 # VNC Sisloc
acl Safe_ports port 8080 # Câmeras GGB
acl Safe_ports port 8010 # Câmeras NG
acl Safe_ports port 5050 # Câmeras NG
acl Safe_ports port 6050 # Câmeras NG


http_access allow Manager localhost
http_access deny Manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow INTRANET
http_access allow INTRANETWRL
http_access deny All



Eu criei dois arquivos de logs e um diretório, diferente do padrão.
/etc/squid/logs/cache.log
/etc/squid/logs/access.log

Estou estudando pelo livro Squid: The Definitive Guide. Sou iniciante com squid e já tenho o iptables configurado e funcionando normalmente.

Gostaria de uma ajuda para criar estes usuários e configurar esta parte do squid, referente a este erro.


Valeu galera.

/bin/laden
(usa Void Linux)

Enviado em 09/05/2011 - 16:43h

1 - O usuario 'squid' existe no teu sistema?
2 - Se sim, ele tem permissão de acesso/leitura/escrita em '/etc/squid/logs'?

maurolarrat
(usa Ubuntu)

Enviado em 09/05/2011 - 16:58h

Não, eu não sei como criar o usuário, e configurar as permissões na pasta log e nos dois arquivos access.log e cache.log.

eu deduzo que seja simples, mas ainda estou estudando linux.

Se vc puder me ajudar nesse processo eu agradeço.

/bin/laden
(usa Void Linux)

Enviado em 10/05/2011 - 00:19h

Bom estudo: http://www.guiafoca.org/
Ah, e não esqueça também: http://www.google.com/linux

maurolarrat
(usa Ubuntu)

Enviado em 10/05/2011 - 09:37h

Valeu!
criei tudo o que faltava com relação a usuário e grupo.

executei o squid sem erros como mostrado no script abaixo:

# Proxy Transparente SQUID
# Create date: 09/05/2011


##################################################################################
# Configurações iniciais do SQUID
##################################################################################

# Porta SQUID.
http_port 192.168.0.1:3128

# Nome do Proxy visível no bloqueio.
visible_hostname teste

# E-mail que aparece para contato na página de bloqueio.
cache_mgr teste.ti@teste.com.br


##################################################################################
# Configurações dos LOGs do SQUID (aponte para /dev/null para não armazenar logs)
##################################################################################

cache_effective_user squid
cache_effective_group gpsquid

cache_log /etc/squid/logs/cache.log
cache_access_log /etc/squid/logs/access.log
cache_store_log none

##################################################################################
# Declaração das ACLs para identificação da intranet.
##################################################################################

acl All src 0/0 # Todos as redes possíveis.
acl Manager proto cache_object #
acl CONNECT method CONNECT #
acl localhost src 127.0.0.1/255.255.255.255 # Aponta para a máquina local.
acl INTRANET src 192.168.0.0/24 # Endereço da intranet.
acl INTRANETWRL src 192.168.1.0/24 # Endereço da intranet wireless.


##################################################################################
# Declaração das ACLs para liberação de portas.
##################################################################################

# Portas liberadas
acl SSL_ports port 443 # https
acl SSL_ports port 563 #
acl Safe_ports port 80 # http
acl Safe_ports port 22 # ftp
acl Safe_ports port 53 # DNS
acl Safe_ports port 210 # wais
acl Safe_ports port 70 # gopher
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 3456 # RECEITANET
acl Safe_ports port 95 # AND SAT
acl Safe_ports port 3307 # AND SAT
acl Safe_ports port 8080 # CONSULTA NÚMERO
acl Safe_ports port 587 # TURBOSITE SMTP
acl Safe_ports port 25 # TURBOSITE SMTP
acl Safe_ports port 110 # TURBOSITE POP3
acl Safe_ports port 993 # GMAIL IMAP
acl Safe_ports port 465 # GMAIL SMTP
acl Safe_ports port 5900 # VNC
acl Safe_ports port 5500 # VNC
acl Safe_ports port 5800 # VNC
acl Safe_ports port 30000 # BRADESCO
acl Safe_ports port 3128 # Squid
acl Safe_ports port 3388 # Sisloc
acl Safe_ports port 3389 # Sisloc
acl Safe_ports port 3389 # Sisloc
acl Safe_ports port 1433 # Sisloc
acl Safe_ports port 1434 # Sisloc
acl Safe_ports port 47 # Sisloc
acl Safe_ports port 10001-10220 # VNC Sisloc
acl Safe_ports port 8080 # Câmeras GGB
acl Safe_ports port 8010 # Câmeras NG
acl Safe_ports port 5050 # Câmeras NG
acl Safe_ports port 6050 # Câmeras NG


http_access allow Manager localhost
http_access deny Manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow INTRANET
http_access allow INTRANETWRL
http_access deny All



e a regra no iptables , primeiramente para testar o acesso pelo firewall:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128


Mas o acesso internet não ocorre... meu squid é beeeem simples, sem bloqueios ainda justamente para testes.


Pode me ajudar?

valeu!

korvoman
(usa Debian)

Enviado em 10/05/2011 - 09:51h

Toda requisição web, vai ser redirecionada por está regra:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

OUTPUT é voltada para a saída do servidor, um serviço de proxy, serviço de email.

PREROUTING é lida antes do INPUT. dá uma olhada no focagnulinux.

maurolarrat
(usa Ubuntu)

Enviado em 10/05/2011 - 10:32h

eu gostaria primeiro de testar o acesso com squid na máquina do firewall por isso usei o OUTPUT.

não tem jeito de fazer dessa forma?

korvoman
(usa Debian)

Enviado em 10/05/2011 - 19:20h

Eu não sou fã de Squid transparente. Eu pessoalmente prefiro proxy com detecção automática (wpad). Até mesmo para colocar autenticação e por tornar mais fácil administrar sites como conectividade social, seguradoras e afins.

Neste seu teste já poderia colocar o proxy no navegador do cliente