Re: [squid-users] Fwd: trouble opening port on 3130/https_port

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 08 Oct 2013 17:06:26 +1300

On 8/10/2013 2:10 p.m., Gregory K. Spranger wrote:
> hi there .. here are my details:
>
> squid/OS details
>
> squid 3.3.9 compiled from source with:
>
> ./configure --prefix=/usr \
> --includedir=/usr/include \
> --datadir=/usr/share/squid \
> --bindir=/usr/sbin \
> --libexecdir=/usr/lib/squid \
> --localstatedir=/var/run/squid \
> --sysconfdir=/etc/squid \
> --with-default-user=squid \
> --with-logdir=/var/log/squid \
> --enable-ssl \
> --with-openssl=/usr/include/openssl/ \
> --enable-linux-netfilter
>
> using OS
>
> Linux version 2.6.18-348.1.1.el5
> (mockbuild_at_x86-010.build.bos.redhat.com) (gcc version 4.1.2 20080704
> (Red Hat 4.1.2-54)) #1 SMP Fri Dec 14 05:25:59 EST 2012
>
>
> my squid.conf is very simple
>
> debug_options ALL,6
> ssl_bump client-first all
> sslproxy_cert_error allow all
> #sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
> https_port 3130 transparent ssl-bump cert=/etc/squid/certs/squid-proxy.crt key=/etc/squid/certs/squid-proxy.key
> http_port 3128 transparent
> access_log /var/log/squid/access.log squid
> always_direct allow all
> cache deny all
> acl http proto http
> acl https proto https
> acl port_80 port 80
> acl port_443 port 443
> acl allowed_sites dstdomain "/etc/squid/allowed_domains"
> http_access allow http port_80 allowed_sites
> http_access allow https port_443 allowed_sites
> http_access deny all
> visible_hostname localhost
>
>
>
> but this is the error i am getting:
>
> 2013/10/07 20:50:00.237 kid1| tools.cc(619) leave_suid: leave_suid:
> PID 17862 giving up root, becoming 'squid'
> 2013/10/07 20:50:00.238 kid1| StartListening.cc(55) StartListening:
> opened listen local=0.0.0.0:3128 remote=[::] FD 11 flags=41
> 2013/10/07 20:50:00.238 kid1| AsyncCall.cc(85) ScheduleCall:
> StartListening.cc(56) will call
> clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 11
> flags=41, err=0, HTTP Socket port=0x7c8e838) [call2]
> 2013/10/07 20:50:00.238 kid1| AsyncCall.cc(18) AsyncCall: The
> AsyncCall httpsAccept constructed, this=0x8233a20 [call3]
> 2013/10/07 20:50:00.238 kid1| AsyncCall.cc(18) AsyncCall: The
> AsyncCall clientListenerConnectionOpened constructed, this=0x8233aa0
> [call4]
> 2013/10/07 20:50:00.238 kid1| tools.cc(664) enter_suid: enter_suid:
> PID 17862 taking root privileges
> 2013/10/07 20:50:00.238 kid1| comm.cc(554) comm_openex: comm_openex:
> Attempt open socket for: 0.0.0.0:3130
> 2013/10/07 20:50:00.238 kid1| comm.cc(595) comm_openex: comm_openex:
> Opened socket local=0.0.0.0:3130 remote=[::] FD 12 flags=1 : family=2,
> type=1, protocol=6
> 2013/10/07 20:50:00.238 kid1| comm.cc(637) comm_init_opened:
> local=0.0.0.0:3130 remote=[::] FD 12 flags=1 is a new socket
> 2013/10/07 20:50:00.238 kid1| fd.cc(221) fd_open: fd_open() FD 12 HTTPS Socket
> 2013/10/07 20:50:00.238 kid1| commBind: Cannot bind socket FD 12 to
> 0.0.0.0:3130: (13) Permission denied
> 2013/10/07 20:50:00.238 kid1| comm.cc(1102) _comm_close: comm_close:
> start closing FD 12
> 2013/10/07 20:50:00.238 kid1| comm.cc(760) commUnsetFdTimeout: Remove
> timeout for FD 12
> 2013/10/07 20:50:00.238 kid1| comm.cc(955) commCallCloseHandlers:
> commCallCloseHandlers: FD 12
> 2013/10/07 20:50:00.238 kid1| AsyncCall.cc(18) AsyncCall: The
> AsyncCall comm_close_complete constructed, this=0x8233c60 [call5]
> 2013/10/07 20:50:00.238 kid1| AsyncCall.cc(85) ScheduleCall:
> comm.cc(1178) will call comm_close_complete(FD 12) [call5]
>
>
> 3128 opens up just fine and runs AOK .. just when i use https_port it
> seems to get shot down .. yes, i did check to make sure squid user can
> write to /var/run/squid -- not seeing that error .. yes, i made sure
> selinux isn't blocking the port ..
>
> sudo semanage port -l | grep 3130
> http_cache_port_t udp 3130, 11211
>
>
> but for some reason, it just won't work .. "funny" funny thing is i
> performed the "exact" same steps on a diff server that is supposed to
> be identical, and it worked AOK .. just for some reason this server
> doesn't like when i try to use port 3130 -- getting that nasty
> "permission denied" error and debug log doesn't seem to point me to
> root cause ..

semanage gives a hint: port 3130 permissions are for UDP (Squid ICP
protocol port). But HTTPS uses TCP protocol.

Amos
Received on Tue Oct 08 2013 - 04:06:34 MDT
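
The protocol mismatch pointed out in the reply can be checked mechanically. The script below is an added example, not part of the original thread or of Squid: it parses `semanage port -l` style text and reports whether a port is labelled for the protocol the listener will use. The function names `port_types` and `check_bind` are hypothetical, and the sample policy text is constructed apart from the `udp 3130, 11211` line quoted in the question.

```shell
#!/bin/sh
# Added example (not from the thread). SAMPLE is constructed; only the first
# line matches the semanage output quoted in the question.
SAMPLE='http_cache_port_t              udp      3130, 11211
http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443'

# port_types PROTO PORT: read "semanage port -l" text on stdin and print
# every SELinux port type whose PROTO entry covers PORT (ranges included).
port_types() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            # Fields 3..NF hold the port list: "3130," "11211" "8009-8010"
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                n = split(p, r, "-")
                lo = r[1] + 0
                hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# check_bind PROTO PORT: classify the label state for a planned listener.
# Returns 0 when PORT is labelled for PROTO, 1 otherwise.
check_bind() {
    policy=$(cat)
    types=$(printf '%s\n' "$policy" | port_types "$1" "$2")
    if [ -n "$types" ]; then
        echo "OK: $2/$1 labelled $(echo $types)"
        return 0
    fi
    if [ "$1" = udp ]; then other=tcp; else other=udp; fi
    alt=$(printf '%s\n' "$policy" | port_types "$other" "$2")
    if [ -n "$alt" ]; then
        echo "MISMATCH: $2 labelled only for $other ($(echo $alt))"
    else
        echo "UNLABELLED: $2/$1"
    fi
    return 1
}

# The case from the thread: https_port 3130 is a TCP listener.
printf '%s\n' "$SAMPLE" | check_bind tcp 3130 || true
```

On a real host, replace the sample with live output: `semanage port -l | check_bind tcp 3130`. A mismatch is normally resolved by adding a TCP label with `semanage port -a -t http_cache_port_t -p tcp 3130`, which is a standard semanage invocation and not something stated in the thread.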
