How to debug squid ACLs
For tricky squid ACL troubleshooting situations, it is helpful to be able to see which access control entries a request matches and does not match. This information can be discovered easily using squid’s debugging facility.
Step 1: RTFM
Check the debug sections available: http://wiki.squid-cache.org/KnowledgeBase/DebugSections
In this case, we can see that squid’s ACLs are managed by section 28.
Step 2: Make squid more chatty
Given the ACL section, we can tell squid to log more information about ACL traversal. We give it the section (28) and the log level (3, or similar) in squid.conf (usually near the top).
Code:
debug_options 28,3
… and we tell the daemon to re-read the configuration:
service squid reload
Step 3: Test and evaluate
Now check the logs:
tail -f /var/log/squid/cache.log
Note: realistically you probably don’t want to tail the logs; you are better off trying your failing web site, then opening the log with ‘less’ or similar and searching for your website.
In this example my blocklist had downloaded some unfiltered characters and ended up with a zero ("0") on a line by itself. (Why they ended up there is a different conversation.)
2015/01/07 15:51:42.237| ACL::checklistMatches: checking 'zeus_block_list'
2015/01/07 15:51:42.237| aclRegexData::match: checking 'mt0.google.com'
2015/01/07 15:51:42.237| aclRegexData::match: looking for '24b5'
2015/01/07 15:51:42.237| aclRegexData::match: looking for '0'
2015/01/07 15:51:42.238| aclRegexData::match: match '0' found in 'mt0.google.com'
2015/01/07 15:51:42.238| ACL::ChecklistMatches: result for 'zeus_block_list' is 1
Removing the zero from the zeus_block_list and reloading squid resolved the issue.
Note that true evaluations are represented by 1, while false evaluations are represented by 0.
Step 4: Post-troubleshooting cleanup
It is important to disable the debug_options when you are finished troubleshooting. They produce a copious amount of logging, and they can generally be a (disk space) liability when you aren’t using them.
To reverse the changes, simply comment out the debug_options line above, and reload squid.
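To automate what Step 3 does by eye, here is an added example (not from the article or the FreeBSD forums thread) that parses the section-28 lines shown above, reports which regex pattern made each ACL match, and flags matches on very short patterns like the stray '0'. The log text is constructed from the lines above (plus one made-up non-regex ACL), and the four-character "too short" threshold is an assumption:

```python
import re

# Constructed sample of cache.log output under `debug_options 28,3`, modelled on
# the lines quoted in Step 3 above; the 'localnet' entry is invented for contrast.
SAMPLE_LOG = """\
2015/01/07 15:51:42.237| ACL::checklistMatches: checking 'zeus_block_list'
2015/01/07 15:51:42.237| aclRegexData::match: checking 'mt0.google.com'
2015/01/07 15:51:42.237| aclRegexData::match: looking for '24b5'
2015/01/07 15:51:42.237| aclRegexData::match: looking for '0'
2015/01/07 15:51:42.238| aclRegexData::match: match '0' found in 'mt0.google.com'
2015/01/07 15:51:42.238| ACL::ChecklistMatches: result for 'zeus_block_list' is 1
2015/01/07 15:52:01.002| ACL::checklistMatches: checking 'localnet'
2015/01/07 15:52:01.002| ACL::ChecklistMatches: result for 'localnet' is 0
"""

# Squid spells the class both 'checklistMatches' and 'ChecklistMatches', hence re.I.
CHECK_RE = re.compile(r"ACL::checklistMatches: checking '([^']+)'", re.I)
FOUND_RE = re.compile(r"aclRegexData::match: match '([^']*)' found in '([^']+)'")
RESULT_RE = re.compile(r"ACL::checklistMatches: result for '([^']+)' is ([01])", re.I)


def parse_acl_trace(log_text):
    """One record per ACL evaluation: the ACL name, its 1/0 result and, for
    regex ACLs, the pattern that matched and the string it matched in."""
    records, current = [], None
    for line in log_text.splitlines():
        if m := CHECK_RE.search(line):
            current = {"acl": m.group(1), "pattern": None, "subject": None, "result": None}
        elif (m := FOUND_RE.search(line)) and current is not None:
            current["pattern"], current["subject"] = m.group(1), m.group(2)
        elif (m := RESULT_RE.search(line)) and current is not None and m.group(1) == current["acl"]:
            current["result"] = int(m.group(2))
            records.append(current)
            current = None
    return records


def overly_broad_hits(records, min_len=4):
    """ACLs that matched (result 1) on a regex shorter than min_len characters,
    like the stray '0' in the article; min_len is a constructed heuristic."""
    return [r for r in records
            if r["result"] == 1 and r["pattern"] is not None and len(r["pattern"]) < min_len]


if __name__ == "__main__":
    recs = parse_acl_trace(SAMPLE_LOG)
    for r in recs:
        print(f"{r['acl']}: result={r['result']} pattern={r['pattern']!r} in {r['subject']!r}")
    for r in overly_broad_hits(recs):
        print(f"WARNING: {r['acl']} matched on suspiciously short pattern {r['pattern']!r}")
```

Point it at a real cache.log by reading the file into parse_acl_trace instead of SAMPLE_LOG.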
Thanks to FreeBSD forums for the walk-through
Run MySQL in the foreground
Well, actually it’s not in the foreground but logging to a file; if you tail / follow the log file you can pretend it is the foreground :-)
mysqld_safe --log-error=/var/log/mysql.err
And if you have imported a database for forensic investigation and don’t know the database password, you can just skip the authentication:
mysqld_safe --skip-grant-tables --log-error=/var/log/mysql.err
SSH Forced commands from Web Page
Are you a paranoid nerd whose business requirements are very strict about IT security? No? Well, you may as well stop reading here.
Perhaps you have a business requirement to perform some random function on a server that only allows SSH access, but the rest of the business requires simple push-button access to perform those functions?
Well, with SSH forced-command wrappers, SSH keys and PHP, you too can give the rest of the business simple click-button access!
Basically, on a Linux Apache server with PHP, use the following code:
[Read More…]
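The author's code sits behind the Read More link and is not reproduced on this page. As an added illustration (not the author's code), this is the shape a forced-command wrapper takes in Python: sshd runs it for the restricted key no matter what the PHP side asked for, and it only executes an allow-listed action name. The action names, the command paths and the /usr/local/bin/forced.py filename are assumptions:

```python
#!/usr/bin/env python3
"""Forced-command wrapper: the only program a restricted SSH key may run."""
import os
import shlex
import subprocess
import sys

# Actions the web front end may request, each mapped to a fixed argv.  Action
# names and commands are constructed examples for this illustration.
ALLOWED_ACTIONS = {
    "restart-web": ["/usr/bin/systemctl", "restart", "apache2"],
    "disk-usage": ["/bin/df", "-h", "/var/www"],
}

# Matching authorized_keys entry on the target server (key material elided):
#   command="/usr/local/bin/forced.py",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... webbutton
# With command= set, sshd runs this script regardless of what the client asked
# for, and exposes the client's request only via SSH_ORIGINAL_COMMAND.


def resolve_action(original_command, allowlist=ALLOWED_ACTIONS):
    """Map SSH_ORIGINAL_COMMAND to a fixed argv, or None unless it is exactly one
    allow-listed action name: no arguments, no chained commands, and nothing is
    ever handed to a shell."""
    if not original_command:
        return None
    try:
        words = shlex.split(original_command)
    except ValueError:  # unbalanced quotes
        return None
    if len(words) != 1:
        return None
    return allowlist.get(words[0])


def main():
    argv = resolve_action(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        print("forced-command wrapper: action not permitted", file=sys.stderr)
        return 1
    return subprocess.call(argv)  # list form: no shell involved


if __name__ == "__main__":
    sys.exit(main())
```

The PHP page then only has to run something like ssh -i <key> user@server restart-web; anything else the key is used for is rejected by the wrapper.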
Enable Apache’s inbuilt chroot functionality
This works on all versions of the Apache web server greater than 2.2.10.
I’ll presume you have a current working version of Apache serving files from /var/www/.
mkdir -p /chroot/var/
Required for PHP5 compatibility:
mkdir -p /chroot/etc /chroot/usr/share   # parent directories for the copies below
mkdir -p /chroot/var/lib/php5
chown root:www-data /chroot/var/lib/php5
chmod 770 /chroot/var/lib/php5
cp /etc/localtime /chroot/etc/localtime
cp -R /usr/share/zoneinfo /chroot/usr/share/zoneinfo
cp -R /usr/share/apache2 /chroot/usr/share/apache2
mv /var/www /chroot/var/
To help with compatibility and user / sysadmin expectations:
ln -s /chroot/var/www /var/www
Enable Apache’s in-built chroot (Debian)
echo "ChrootDir /chroot" > /etc/apache2/conf.d/chroot
Enable Apache’s in-built chroot (Redhat/CentOS/Fedora)
echo "ChrootDir /chroot" >> /etc/httpd/conf/httpd.conf
semanage fcontext -a -t httpd_sys_content_t "/chroot/var/www(/.*)?"
restorecon -R /chroot/var/www   # apply the new SELinux context to the existing files
service apache2 restart
(On Redhat/CentOS/Fedora the service is called httpd, so run: service httpd restart)
Now test your damn website! Logfiles are your friend for troubleshooting any bugs :-)
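As an added check, not part of the original post, the following Python script verifies that the layout produced by the steps above is in place (the required directories under the ChrootDir, the 770 mode on the php5 session directory, the /var/www symlink) and that an uncommented ChrootDir directive exists in the Apache config. The config file paths come from the steps above; ownership is not checked because that needs the www-data uid on the box:

```python
import os
import stat

# Paths the steps above populate beneath the ChrootDir (relative to it).
REQUIRED_PATHS = ("var/www", "var/lib/php5", "etc/localtime",
                  "usr/share/zoneinfo", "usr/share/apache2")


def check_chroot(chroot, www_link="/var/www", php_mode=0o770):
    """Return a list of problems with the chroot layout; an empty list means
    every step of the procedure above is reflected on disk."""
    problems = []
    for rel in REQUIRED_PATHS:
        if not os.path.exists(os.path.join(chroot, rel)):
            problems.append(f"missing {rel} under {chroot}")
    php_dir = os.path.join(chroot, "var/lib/php5")
    if os.path.isdir(php_dir):
        mode = stat.S_IMODE(os.stat(php_dir).st_mode)
        if mode != php_mode:
            problems.append(f"var/lib/php5 mode is {mode:o}, expected {php_mode:o}")
    target = os.path.join(chroot, "var/www")
    if not (os.path.islink(www_link)
            and os.path.realpath(www_link) == os.path.realpath(target)):
        problems.append(f"{www_link} is not a symlink to {target}")
    return problems


def conf_has_chrootdir(conf_text, chroot):
    """True if the Apache config contains an uncommented ChrootDir directive
    pointing at chroot (directive names are case-insensitive in Apache)."""
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if (len(words) == 2 and words[0].lower() == "chrootdir"
                and words[1].strip('"').rstrip("/") == chroot.rstrip("/")):
            return True
    return False


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/chroot"
    for p in check_chroot(root):
        print("PROBLEM:", p)
    # Debian and Redhat-family config locations used in the steps above.
    for conf in ("/etc/apache2/conf.d/chroot", "/etc/httpd/conf/httpd.conf"):
        if os.path.exists(conf):
            with open(conf) as fh:
                print(conf, "enables ChrootDir:", conf_has_chrootdir(fh.read(), root))
```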
Squid ICAP Syntax with F-Secure Internet Gate Keeper (IGK)
*** UPDATE September 2015 - This article has been updated with the correct syntax and confirmed working on Squid 3.3.8 ***
The doco for IGK is somewhat lacking for the ICAP settings, but it does mention "Refer to the documentation of the proxy for information on how to set it up". That’s not very helpful, so I contacted F-Secure technical support and asked them. This is the reply:
You will need to add these lines to Squid config file:
icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://[IP address of IGK]:1344/request
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0 icap://[IP address of IGK]:1344/response
adaptation_access service_resp allow all
Unfortunately that still doesn’t work for some unknown reason and I am only getting the error:
ErrPage: ERR_CANNOT_FORWARD
I don’t have any more time to spend on this; I guess I’ll just use the F-Secure HTTP proxy as a parent proxy for squid.