
Basically I am just following this guide from AWS, but the guide uses Amazon Linux and I need to use RHEL 8. I tested in Amazon Linux, and it works fine. In RHEL 8, Squid is also able to start with the default config file that comes with the installation. When I change the config file to the one provided by Amazon, it fails to start, as shown in the error message below.

The config file is as below:

visible_hostname squid
cache deny all

# Log format and rotation
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ssl::>sni %Sh/%<a %mt
logfile_rotate 10
debug_options rotate=10

# Handling HTTP requests
http_port 3128
http_port 3129 intercept
acl allowed_http_sites dstdomain "/etc/squid/whitelist.txt"
http_access allow allowed_http_sites

# Handling HTTPS requests
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist.txt"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all
http_access deny all

The service status shows the error below:

[root@ip-172-16-67-62 squid]# systemctl status squid
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2020-08-05 13:23:52 +08; 3min 48s ago
     Docs: man:squid(8)
  Process: 20320 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 20315 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
 Main PID: 20322 (code=exited, status=1/FAILURE)

Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: (squid-1) process 20340 started
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: squid-1 process 20340 exited with status 1
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: (squid-1) process 20348 started
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: squid-1 process 20348 exited with status 1
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: (squid-1) process 20356 started
Aug 05 13:23:52 ip-172-16-67-62 squid[20322]: Squid Parent: squid-1 process 20356 exited with status 1
Aug 05 13:23:52 ip-172-16-67-62 squid[20322]: Squid Parent: squid-1 process 20356 will not be restarted for 3600 seconds due to repeated, frequent failures
Aug 05 13:23:52 ip-172-16-67-62 squid[20322]: Exiting due to repeated, frequent failures
Aug 05 13:23:52 ip-172-16-67-62 systemd[1]: squid.service: Main process exited, code=exited, status=1/FAILURE
Aug 05 13:23:52 ip-172-16-67-62 systemd[1]: squid.service: Failed with result 'exit-code'.
[root@ip-172-16-67-62 squid]#

The logs show the error below:

-- The start-up result is done.
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: will start 1 kids
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: (squid-1) process 20324 started
Aug 05 13:23:51 ip-172-16-67-62 (squid-1)[20324]: FATAL: The /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB helpers are crashing too rapidly, need help!
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: squid-1 process 20324 exited with status 1

I made sure that the SSL certificates are generated and that the squid service has permissions to access them. This is a CIS hardened image, so that could be one issue. Other than that, I am not sure what else to check.

screenslaver

1 Answer


I got this working with the RHEL 8 AMI with firewalld and SELinux - the reason for firewalld is that the client is using a STIG AMI with the firewall enabled.

#!/bin/bash

# Apply the latest security patches
dnf update -y --security

# Install and start Squid
dnf install -y squid firewalld vim policycoreutils-python-utils
systemctl enable --now firewalld
sleep 5

# Enable firewalld redirects
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=3129
firewall-cmd --add-forward-port=port=443:proto=tcp:toport=3130
firewall-cmd --runtime-to-permanent

cp -a /etc/squid /etc/squid_orig

# Create cache directories, set perms and set contexts
# -p so a re-run (or a package that already created the directories) does not abort here
mkdir -p /var/spool/squid
mkdir -p /var/cache/squid
semanage fcontext -a -t squid_cache_t "/var/spool/squid(/.*)?"
restorecon -FRvv /var/spool/squid
chown -R squid:squid /var/spool/squid
chown -R squid:squid /var/cache/squid

# SELinux Configuration: Add additional squid ports to selinux
semanage port -a -t squid_port_t -p tcp 3129-3130

# Create a SSL certificate for the SslBump Squid module
mkdir /etc/squid/ssl
openssl genrsa -out /etc/squid/ssl/squid.key 4096
openssl req -new -key /etc/squid/ssl/squid.key -out /etc/squid/ssl/squid.csr -subj "/C=US/ST=VA/L=squid/O=squid/CN=squid"
openssl x509 -req -days 3650 -in /etc/squid/ssl/squid.csr -signkey /etc/squid/ssl/squid.key -out /etc/squid/ssl/squid.crt
# Squid expects key and certificate in a single PEM file; overwrite rather than append so a re-run does not duplicate entries
cat /etc/squid/ssl/squid.key /etc/squid/ssl/squid.crt > /etc/squid/ssl/squid.pem

chmod 600 /etc/squid/ssl/squid.pem
restorecon -FRvv /etc/squid/ssl/squid.pem

echo '.amazonaws.com' > /etc/squid/whitelist.txt
echo '.cloudfront.net' >> /etc/squid/whitelist.txt
# The following is for access to the RHUI repositories hosted in AWS.
echo '.aws.ce.redhat.com' >> /etc/squid/whitelist.txt

# Quoted delimiter: the config is written verbatim, with no shell expansion of its contents
cat > /etc/squid/squid.conf << 'EOF'

visible_hostname squid
cache deny all

# Log format and rotation
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ssl::>sni %Sh/%<a %mt
logfile_rotate 10
debug_options rotate=10

# Handle HTTP requests
http_port 3128
http_port 3129 intercept

# Handle HTTPS requests
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all

# Deny requests to proxy instance metadata
acl instance_metadata dst 169.254.169.254
http_access deny instance_metadata

# Filter HTTP requests based on the whitelist
acl allowed_http_sites dstdomain "/etc/squid/whitelist.txt"
http_access allow allowed_http_sites

# Filter HTTPS requests based on the whitelist
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist.txt"
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all

http_access deny all
EOF

# Check the new configuration; squid is not running yet, so there is nothing to reconfigure
/usr/sbin/squid -k parse

# Initialise the certificate database used by the ssl-bump helper. Without it the
# security_file_certgen helpers exit immediately, which Squid reports as
# "helpers are crashing too rapidly". The helper runs as the cache_effective_user
# (squid), so that user needs to own the database.
/usr/lib64/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
chown -R squid:squid /var/spool/squid/ssl_db
restorecon -FRvv /var/spool/squid/ssl_db

# Start and enable squid
systemctl enable --now squid
jrock
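As an added example (not code from the question or the answer), here is a small Python audit of access.log lines written with the custom logformat that both configurations above use. It shows what the allow-list is blocking, which clients tried to reach the instance metadata address the config denies, and whether anything was served that is not covered by the whitelist file semantics (a leading dot matches the domain and its subdomains). The sample log lines, the Squid status values chosen for them and the allow-list entries are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed access.log lines in the page's logformat (not real traffic):
# %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ssl::>sni %Sh/%<a %mt
SAMPLE_LOG = """\
1596604000.123    45 172.16.67.100 TCP_TUNNEL/200 5432 CONNECT 52.1.2.3:443 ec2.amazonaws.com HIER_DIRECT/52.1.2.3 -
1596604001.456     5 172.16.67.100 NONE/000 0 CONNECT 93.184.216.34:443 example.org HIER_NONE/- -
1596604002.789     2 172.16.67.101 TCP_DENIED/403 3800 GET http://169.254.169.254/latest/meta-data/ - HIER_NONE/- text/html
1596604003.012    30 172.16.67.100 TCP_MISS/200 812 GET http://cdn.cloudfront.net/pkg.rpm - HIER_DIRECT/13.1.2.3 application/x-rpm
1596604004.345     3 172.16.67.102 TCP_DENIED/403 3800 GET http://pypi.org/simple/ - HIER_NONE/- text/html
"""
ALLOWLIST = [".amazonaws.com", ".cloudfront.net", ".aws.ce.redhat.com"]  # constructed whitelist.txt

def parse_line(line):
    # The logformat yields exactly ten whitespace-separated fields.
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    return {"client": f[2], "status": f[3].split("/", 1)[0], "method": f[5],
            "url": f[6], "sni": None if f[7] == "-" else f[7]}
def destination(rec):
    # Host the client asked for: the SNI for intercepted TLS, else the URL host.
    if rec["sni"]:
        return rec["sni"]
    if rec["method"] == "CONNECT":          # plain host:port, no scheme
        return rec["url"].rsplit(":", 1)[0]
    return urlsplit(rec["url"]).hostname or rec["url"]
def allowed(host, patterns=ALLOWLIST):
    # whitelist file semantics (dstdomain / ssl::server_name): leading dot = domain + subdomains
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if host == p.lstrip(".") or (p.startswith(".") and host.endswith(p)):
            return True
    return False
def audit(log_text):
    # Returns (blocked destination counts, clients probing instance metadata,
    # destinations served although absent from the allow-list).
    blocked, metadata, gaps = Counter(), [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        host = destination(rec)
        if host == "169.254.169.254":       # the dst ACL the config denies
            metadata.append(rec["client"])
        if rec["status"] in ("TCP_DENIED", "NONE"):  # denied, or nothing served (e.g. terminated TLS)
            blocked[host] += 1
        elif not allowed(host):
            gaps.append(host)               # served outside the allow-list: policy drift
    return blocked, metadata, gaps
```

Run it against the real /var/log/squid/access.log on the proxy host to see which destinations the allow-list is rejecting before widening it.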