Squid
gadzhikuliev, 2018-10-18 15:58:30

Why do these errors occur in Squid?

There is a working Squid with authorization in Active Directory via Kerberos. I see users, I see the URLs they visited. But there are strange entries in the logs for the Squid working environment:
/var/log/squid/cache.log

ext_kerberos_ldap_group_acl does not start, but perhaps that is because I disabled IPv6 on the system. What does this message mean?

2018/10/18 14:49:30 kid1| helperOpenServers: Starting 1/600 'negotiate_kerberos_auth' processes

2018/10/18 14:48:19 kid1| helperOpenServers: Starting 0/600 'negotiate_kerberos_auth' processes
2018/10/18 14:48:19 kid1| helperStatefulOpenServers: No 'negotiate_kerberos_auth' processes needed.
2018/10/18 14:48:19 kid1| helperOpenServers: Starting 5/5 'ext_kerberos_ldap_group_acl' processes
2018/10/18 14:48:19 kid1| commBind: Cannot bind socket FD 11 to [::1]: (99) Cannot assign requested address
2018/10/18 14:48:19 kid1| commBind: Cannot bind socket FD 12 to [::1]: (99) Cannot assign requested address
2018/10/18 14:48:19 kid1| ERROR: Failed to create helper child read FD: TCP [::1]
2018/10/18 14:48:19 kid1| WARNING: Cannot run '/usr/lib64/squid/ext_kerberos_ldap_group_acl' process.
2018/10/18 14:48:19 kid1| commBind: Cannot bind socket FD 13 to [::1]: (99) Cannot assign requested address
2018/10/18 14:48:19 kid1| commBind: Cannot bind socket FD 14 to [::1]: (99) Cannot assign requested address
2018/10/18 14:48:19 kid1| ERROR: Failed to create helper child read FD: TCP [::1]
2018/10/18 14:48:19 kid1| WARNING: Cannot run '/usr/lib64/squid/ext_kerberos_ldap_group_acl' process.
2018/10/18 14:49:21 kid1| Starting new negotiateauthenticator helpers...
2018/10/18 14:49:21 kid1| helperOpenServers: Starting 1/600 'negotiate_kerberos_auth' processes
2018/10/18 14:49:21 kid1| Starting new negotiateauthenticator helpers...
2018/10/18 14:49:21 kid1| helperOpenServers: Starting 1/600 'negotiate_kerberos_auth' processes
2018/10/18 14:49:21 kid1| Starting new negotiateauthenticator helpers...

cat /var/log/squid/access.log
I cleared it beforehand and went only to toster.ru. As I wrote, I reached the sites without problems, but for some reason it produces a bunch of messages saying there is no access.
1539865841.991      1 172.31.10.129 TCP_DENIED/407 4220 CONNECT queuev4.vk.com:443 - HIER_NONE/- text/html
1539865842.936      0 172.31.10.129 TCP_DENIED/407 4200 CONNECT yandex.ru:443 - HIER_NONE/- text/html
1539865843.129      0 172.31.10.129 TCP_DENIED/407 4200 CONNECT yandex.ru:443 - HIER_NONE/- text/html
1539865843.229    288 172.31.10.129 TCP_TUNNEL/200 0 CONNECT yandex.ru:443 [email protected] HIER_DIRECT/5.255.255.50 -
1539865843.248      0 172.31.10.129 TCP_DENIED/407 4200 CONNECT yandex.ru:443 - HIER_NONE/- text/html
1539865843.352    219 172.31.10.129 TCP_TUNNEL/200 0 CONNECT yandex.ru:443 [email protected] HIER_DIRECT/5.255.255.50 -
1539865848.022      1 172.31.10.129 TCP_DENIED/407 4907 GET http://prtg.domain.ru/api/status.json? - HIER_NONE/- text/html
1539865848.023      1 172.31.10.129 TCP_DENIED/407 4860 GET http://prtg.domain.ru/api/public/testlogin.htm? - HIER_NONE/- text/html
1539865848.034      0 172.31.10.129 TCP_DENIED/407 4883 GET http://prtg.domain.ru/controls/mapview.htm? - HIER_NONE/- text/html
1539865848.253    225 172.31.10.129 TCP_MISS/200 546 GET http://prtg.domain.ru/api/public/testlogin.htm? [email protected] HIER_DIRECT/172.31.4.63 text/html
1539865848.644    617 172.31.10.129 TCP_MISS/200 2146 GET http://prtg.domain.ru/api/status.json? [email protected] HIER_DIRECT/172.31.4.63 text/html
1539865848.705    666 172.31.10.129 TCP_MISS/200 2752 GET http://prtg.domain.ru/controls/mapview.htm? [email protected] HIER_DIRECT/172.31.4.63 text/html
1539865849.891      0 172.31.10.129 TCP_DENIED/407 4236 CONNECT favicon.yandex.net:443 - HIER_NONE/- text/html
1539865850.638      0 172.31.10.129 TCP_DENIED/407 4224 CONNECT dr.habracdn.net:443 - HIER_NONE/- text/html
1539865850.639      0 172.31.10.129 TCP_DENIED/407 4200 CONNECT toster.ru:443 - HIER_NONE/- text/html
1539865850.639      0 172.31.10.129 TCP_DENIED/407 4200 CONNECT toster.ru:443 - HIER_NONE/- text/html
1539865850.639      0 172.31.10.129 TCP_DENIED/407 4244 CONNECT fonts.googleapis.com:443 - HIER_NONE/- text/html
1539865850.639      0 172.31.10.129 TCP_DENIED/407 4232 CONNECT fonts.gstatic.com:443 - HIER_NONE/- text/html
1539865850.640      0 172.31.10.129 TCP_DENIED/407 4260 CONNECT www.google-analytics.com:443 - HIER_NONE/- text/html
1539865850.640      0 172.31.10.129 TCP_DENIED/407 4212 CONNECT mc.yandex.ru:443 - HIER_NONE/- text/html
1539865850.640      0 172.31.10.129 TCP_DENIED/407 4188 CONNECT vk.com:443 - HIER_NONE/- text/html
1539865851.705      0 172.31.10.129 TCP_DENIED/407 4228 CONNECT habrastorage.org:443 - HIER_NONE/- text/html
1539865851.746      0 172.31.10.129 TCP_DENIED/407 4232 CONNECT fonts.gstatic.com:443 - HIER_NONE/- text/html
1539865851.799      0 172.31.10.129 TCP_DENIED/407 4228 CONNECT habrastorage.org:443 - HIER_NONE/- text/html
1539865851.800      0 172.31.10.129 TCP_DENIED/407 4228 CONNECT habrastorage.org:443 - HIER_NONE/- text/html
1539865851.801      0 172.31.10.129 TCP_DENIED/407 4228 CONNECT habrastorage.org:443 - HIER_NONE/- text/html
1539865851.806      1 172.31.10.129 TCP_DENIED/407 4228 CONNECT habrastorage.org:443 - HIER_NONE/- text/html
1539865851.806      1 172.31.10.129 TCP_DENIED/407 4228 CONNECT habrastorage.org:443 - HIER_NONE/- text/html
1539865852.013      0 172.31.10.129 TCP_DENIED/407 4196 CONNECT hsto.org:443 - HIER_NONE/- text/html
1539865852.122      0 172.31.10.129 TCP_DENIED/407 4196 CONNECT hsto.org:443 - HIER_NONE/- text/html
1539865852.128      0 172.31.10.129 TCP_DENIED/407 4196 CONNECT hsto.org:443 - HIER_NONE/- text/html
1539865852.128      0 172.31.10.129 TCP_DENIED/407 4196 CONNECT hsto.org:443 - HIER_NONE/- text/html
1539865852.151      0 172.31.10.129 TCP_DENIED/407 4196 CONNECT hsto.org:443 - HIER_NONE/- text/html
1539865852.155      0 172.31.10.129 TCP_DENIED/407 4196 CONNECT hsto.org:443 - HIER_NONE/- text/html
1539865852.178      0 172.31.10.129 TCP_DENIED/407 4212 CONNECT mc.yandex.ru:443 - HIER_NONE/- text/html
1539865852.195      0 172.31.10.129 TCP_DENIED/407 4212 CONNECT mc.yandex.ru:443 - HIER_NONE/- text/html
1539865852.232      0 172.31.10.129 TCP_DENIED/407 4256 CONNECT stats.g.doubleclick.net:443 - HIER_NONE/- text/html
1539865852.233      0 172.31.10.129 TCP_DENIED/407 4260 CONNECT www.google-analytics.com:443 - HIER_NONE/- text/html
1539865852.302      0 172.31.10.129 TCP_DENIED/407 4244 CONNECT special.habrahabr.ru:443 - HIER_NONE/- text/html
1539865852.376      0 172.31.10.129 TCP_DENIED/407 4200 CONNECT adservice.google.ru:443 - HIER_NONE/- text/html
1539865852.376      0 172.31.10.129 TCP_DENIED/407 4204 CONNECT adservice.google.com:443 - HIER_NONE/- text/html
1539865852.428      0 172.31.10.129 TCP_DENIED/407 4284 CONNECT securepubads.g.doubleclick.net:443 - HIER_NONE/- text/html
1539865853.010      0 172.31.10.129 TCP_DENIED/407 4212 CONNECT an.yandex.ru:443 - HIER_NONE/- text/html
1539865853.927      0 172.31.10.129 TCP_DENIED/407 4264 CONNECT sec.api.browser.yandex.ru:443 - HIER_NONE/- text/html
1539865861.581   9775 172.31.10.129 TCP_TUNNEL/200 1431 CONNECT habrastorage.org:443 [email protected] HIER_DIRECT/95.213.152.170 -
1539865867.584  15458 172.31.10.129 TCP_TUNNEL/200 0 CONNECT hsto.org:443 [email protected] HIER_DIRECT/104.25.182.28 -
1539865867.587  15452 172.31.10.129 TCP_TUNNEL/200 0 CONNECT hsto.org:443 [email protected] HIER_DIRECT/104.25.182.28 -
1539865867.731  15572 172.31.10.129 TCP_TUNNEL/200 0 CONNECT hsto.org:443 [email protected] HIER_DIRECT/104.25.182.28 -
1539865867.731  15576 172.31.10.129 TCP_TUNNEL/200 0 CONNECT hsto.org:443 [email protected] HIER_DIRECT/104.25.182.28 -

Squid settings:
# Authorization in Active Directory
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/[email protected]
auth_param negotiate children 600
auth_param negotiate keep_alive off

# external_acl that checks group membership
external_acl_type Internet ttl=300 negative_ttl=60 children-startup=5 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -a -g "Domain Users" -D DOMAIN.RU

# Mandatory authorization; without it there is no access!
acl auth proxy_auth REQUIRED

# ACL for AD users
acl Internet_Access external Internet

/etc/sysconfig/squid
# default squid options
SQUID_OPTS=""

# Time to wait for Squid to shut down when asked. Should not be necessary
# most of the time.
SQUID_SHUTDOWN_TIMEOUT=100

# default squid conf file
SQUID_CONF="/etc/squid/squid.conf"

# Kerberos keytab file
KRB5_KTNAME="/etc/squid/squid.keytab"
export KRB5_KTNAME

I'm also still setting up traffic redirection from the Cisco ASA to Squid via WCCP, but I'm not sure whether that has had any effect.
Thanks in advance for your replies.
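As an added illustration (not part of the original question or answer): with Negotiate authentication the TCP_DENIED/407 entries are the proxy's Proxy-Authenticate challenge, not a denial of the user. The browser answers the challenge with a Kerberos token on its next request, which is the TCP_TUNNEL/200 or TCP_MISS/200 line carrying the user name a fraction of a second later. The Python script below parses native-format access.log lines, pairs each 407 challenge with the authenticated request that follows it for the same client and host, and reports only the hosts that were challenged but never authenticated, which are the entries worth investigating. The sample lines are constructed to mirror the question's log: user@DOMAIN.RU is a placeholder user name and 172.31.10.50 is a second, constructed client.

```python
import re
from collections import defaultdict

# Squid "native" access.log format, as in the question's log excerpt:
# timestamp elapsed-ms client CODE/status bytes method url user hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample modelled on the question's log; user@DOMAIN.RU is a placeholder.
SAMPLE_LOG = """\
1539865842.936      0 172.31.10.129 TCP_DENIED/407 4200 CONNECT yandex.ru:443 - HIER_NONE/- text/html
1539865843.129      0 172.31.10.129 TCP_DENIED/407 4200 CONNECT yandex.ru:443 - HIER_NONE/- text/html
1539865843.229    288 172.31.10.129 TCP_TUNNEL/200 0 CONNECT yandex.ru:443 user@DOMAIN.RU HIER_DIRECT/5.255.255.50 -
1539865848.022      1 172.31.10.129 TCP_DENIED/407 4907 GET http://prtg.domain.ru/api/status.json? - HIER_NONE/- text/html
1539865848.644    617 172.31.10.129 TCP_MISS/200 2146 GET http://prtg.domain.ru/api/status.json? user@DOMAIN.RU HIER_DIRECT/172.31.4.63 text/html
1539865849.891      0 172.31.10.129 TCP_DENIED/407 4236 CONNECT favicon.yandex.net:443 - HIER_NONE/- text/html
1539865901.000      0 172.31.10.50 TCP_DENIED/407 4188 CONNECT vk.com:443 - HIER_NONE/- text/html
1539865902.000      0 172.31.10.50 TCP_DENIED/407 4188 CONNECT vk.com:443 - HIER_NONE/- text/html
"""


def parse_line(line):
    """Return a dict of fields for one native-format line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def target_host(method, url):
    """CONNECT lines carry host:port; other methods carry a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else url


def triage(lines, window=30.0):
    """Pair each 407 challenge with a later authenticated request from the same
    client to the same host within `window` seconds.

    Returns {(client, host): {"challenges", "answered", "unanswered", "users"}}.
    """
    pending = defaultdict(list)  # (client, host) -> timestamps of unanswered 407s
    stats = defaultdict(lambda: {"challenges": 0, "answered": 0,
                                 "unanswered": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], target_host(rec["method"], rec["url"]))
        if rec["status"] == 407:
            # The proxy challenged the client; wait for the authenticated retry.
            pending[key].append(rec["ts"])
            stats[key]["challenges"] += 1
        elif rec["user"] is not None:
            # Authenticated request: it answers every recent pending challenge.
            stats[key]["users"].add(rec["user"])
            fresh = [t for t in pending[key] if rec["ts"] - t <= window]
            stats[key]["answered"] += len(fresh)
            stats[key]["unanswered"] += len(pending[key]) - len(fresh)
            pending[key] = []
    for key, ts_list in pending.items():  # challenges never followed by a login
        stats[key]["unanswered"] += len(ts_list)
    return dict(stats)


def classify(entry):
    """Label one (client, host) summary for an operator."""
    if entry["challenges"] == 0:
        return "never-challenged"   # only authenticated lines seen
    if entry["unanswered"] == 0:
        return "normal-negotiate"   # every 407 was followed by an authenticated request
    if entry["answered"] == 0:
        return "unanswered"         # client never authenticated to this host
    return "partial"


if __name__ == "__main__":
    for (client, host), entry in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(f"{client:15} {host:22} {classify(entry):17} "
              f"407s={entry['challenges']} answered={entry['answered']} "
              f"unanswered={entry['unanswered']}")
```

Run against the question's own log, the yandex.ru and prtg.domain.ru rows come out as normal-negotiate, which is the expected shape of a working Kerberos setup; a client that accumulates "unanswered" rows across many hosts is the one whose ticket, SPN or browser proxy-auth settings deserve a look.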

1 answer(s)
CityCat4, 2018-10-19

2018/10/18 14:49:30 kid1| helperOpenServers: Starting 1/600 'negotiate_kerberos_auth' processes

One of the 600 allowed negotiate_kerberos_auth helpers is running. It's not clear why squid stubbornly wants to bind to the IPv6 analogue of 127.0.
