From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: Testing 'squid 4.0.24'
Date: Sun, 11 Mar 2018 15:44:13 +0100
In-Reply-To: <1520773546.3332.51.camel@ipfire.org>

Hi,

On 11.03.2018 14:05, Michael Tremer wrote:
> Hi,
>
> okay that sounds interesting. So what problems can we expect when updating to
> squid 4?

Good question...

While "cleaning my soothsayer glass ball", ;-) I think it's still too early to
say anything about that. Some problems with previous versions showed up only
after a few days of continuous operation, so for now I think it's best to keep
on testing. And before we start thinking about upgrading, it would be great if
someone else could test other - more complex - configurations, for example with
AD authentication, classroom extensions, etc. Perhaps something for a testing
tree?

Best,
Matthias

> -Michael
>
> P.S. I do not think that we need that conntrack support for anything
>
> On Sun, 2018-03-11 at 11:20 +0100, Matthias Fischer wrote:
>> Hi,
>>
>> FYI:
>>
>> I added '--without-netfilter-conntrack' to configure options. Building
>> with Core 118 was OK. Since yesterday, 'squid 4.0.24' is running on
>> GREEN (non-transparent) and BLUE (transparent) without any further
>> kernel messages, no seen problems so far.
>>
>> Running addons/services: 'squidguard', 'sgraph', 'clamav',
>> 'snort/guardian' (RED/BLUE), 'hostapd', 'wio', 'QoS', and 'privoxy'.
>>
>> Overall performance seems to be a bit faster. We'll see.
>>
>> Furthermore, while searching I found this 'squid-nabble' discussion:
>>
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-Development-Blog-td4684900.html
>>
>> ***SNIP***
>> On 25/02/18 06:26, Chase Wright wrote:
>> > It's been nearly 2 years since there was a blog post about Squid 4.x
>> > and I've noticed that the daily auto-generated Squid 3.5 stable branch
>> > release last updated on "08 Dec 2017"
>> >
>> > I've also noticed that the last two CVEs were only fixed in the 4.x
>> > branch (2018)
>> >
>> > Is the squid team planning to move 4.x to stable soon?
>> >
>>
>> "Soon" yes. Those last few bugs proved to be extremely painful and slow
>> to get fixed.
>>
>> As of today we have one major bug unfixed, and some testing needed for
>> checking the stability of the recent huge fixes. I'm just waiting on the
>> backports of some small regressions already found before the next v4
>> beta package.
>>
>> I am *hoping* not to have to release any more 3.5 packages. But that of
>> course depends on what the timeline this final bug turns into.
>>
>> Amos
>> ***SNAP***
>>
>> Best,
>> Matthias
>>
>> On 10.03.2018 12:22, Matthias Fischer wrote:
>> > Hi,
>> >
>> > Found something...but since I don't have much experience with this:
>> >
>> > What impact is to be expected when I compile 'squid 4.0.24' with the
>> > configure option '--without-netfilter-conntrack'?
>> >
>> > Help says:
>> > "--without-netfilter-conntrack
>> > Do not use Netfilter conntrack libraries for packet marking. A path to
>> > alternative library location may be specified by using
>> > --with-netfilter-conntrack=PATH.
>> > Default: auto-detect."
>> >
>> > I didn't find any further or helpful information about the
>> > (side-)effects when I turn this off.
>> >
>> > Best,
>> > Matthias
>> >
>> > On 22.01.2018 14:30, Michael Tremer wrote:
>> > > Okay, please keep an eye on squid 4 for us then. I am not following
>> > > this very closely and have no idea what will change in squid 4.
>> > >
>> > > Best,
>> > > -Michael
>> > >
>> > > On Sun, 2018-01-21 at 21:35 +0100, Matthias Fischer wrote:
>> > > > On 21.01.2018 19:57, Michael Tremer wrote:
>> > > > > Hello,
>> > > > >
>> > > > > yes this is correct.
>> > > > >
>> > > > > We don't allow an unprivileged user to load any kernel modules.
>> > > >
>> > > > Ok, then my suspicion was right.
>> > > >
>> > > > > What does squid need this for? Why are you playing around with
>> > > > > squid 4?
>> > > >
>> > > > 1. I don't know. 3.5.27 doesn't do this.
>> > > > 2. As I wrote - just to keep in touch with their development. At some
>> > > > point, 'squid 3' will be deprecated and I wanted to see what comes
>> > > > next, even though this may take a long time. Just being curious and
>> > > > the 'Devel' was somehow bored. ;-)
>> > > >
>> > > > > You should be able to load the module first and then start squid.
>> > > >
>> > > > I'm not that curious - this was for testing and for testing only.
>> > > >
>> > > > Best,
>> > > > Matthias
>> > > >
>> > > > > Best,
>> > > > > -Michael
>> > > > >
>> > > > > On Sun, 2018-01-21 at 01:50 +0100, Matthias Fischer wrote:
>> > > > > > Hi,
>> > > > > >
>> > > > > > Just to keep in touch, I tested 'squid 4.0.23' yesterday - it
>> > > > > > seemed to run fine at first. But after a while I took a closer
>> > > > > > look at the logs and discovered a bunch of kernel messages within
>> > > > > > a few hours and I don't know what exactly triggered these
>> > > > > > messages:
>> > > > > >
>> > > > > > ...
>> > > > > > 132 Time(s): grsec: denied kernel module auto-load of
>> > > > > > nf_conntrack_netlink by uid 23
>> > > > > > ...
>> > > > > >
>> > > > > > As far as I found out: "uid 23" => squid-user, and the new squid
>> > > > > > tried to 'autoload' a module which 'grsec' didn't like. Is this a
>> > > > > > correct interpretation and has anyone some usable clue how to
>> > > > > > avoid this?
>> > > > > >
>> > > > > > Besides, after going back to '3.5.27' the messages didn't come
>> > > > > > back again. '4.0.22' didn't throw these messages either. They
>> > > > > > changed something and I don't know what it is...
>> > > > > >
>> > > > > > Thanks for all tips!
>> > > > > >
>> > > > > > Best,
>> > > > > > Matthias
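The thread shows a logwatch-style roll-up ("132 Time(s): grsec: denied kernel module auto-load of nf_conntrack_netlink by uid 23") and the poster's own step of mapping the uid back to the squid user. The script below is an added example, not code from the IPFire project or from anyone in the thread: it reproduces that triage from raw kernel log lines, counting grsec module auto-load denials per (uid, module) and resolving the uid against a passwd table, so a non-root uid triggering an auto-load stands out immediately. The log excerpt and the passwd excerpt are constructed for the example; the uid 23 -> squid mapping mirrors the poster's interpretation and is an assumption about the sample system, not a general fact.

```python
"""Aggregate grsecurity 'denied kernel module auto-load' messages.

Added example for the thread above (not IPFire or squid project code).
Input lines are expected to contain the grsec message quoted in the thread:

    grsec: denied kernel module auto-load of <module> by uid <n>

The kernel log excerpt and the passwd excerpt below are constructed
sample data; the uid 23 -> 'squid' mapping is an assumption for the
example, following the poster's interpretation.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# The message text itself comes from the thread; the syslog prefix in front
# of it varies per logger, so we search rather than match from line start.
GRSEC_AUTOLOAD = re.compile(
    r"grsec: denied kernel module auto-load of (?P<module>[\w.-]+) by uid (?P<uid>\d+)"
)

# Constructed passwd(5) excerpt (assumption for the example).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
squid:x:23:23:Squid:/var/run/squid:/bin/false
nobody:x:99:99:Nobody:/:/bin/false
"""

# Constructed kernel log excerpt (assumption for the example); the last line
# is unrelated noise to show that non-matching lines are ignored.
SAMPLE_KLOG = """\
Jan 20 23:12:01 ipfire kernel: grsec: denied kernel module auto-load of nf_conntrack_netlink by uid 23
Jan 20 23:12:01 ipfire kernel: grsec: denied kernel module auto-load of nf_conntrack_netlink by uid 23
Jan 20 23:14:37 ipfire kernel: grsec: denied kernel module auto-load of nf_conntrack_netlink by uid 23
Jan 20 23:15:02 ipfire kernel: grsec: denied kernel module auto-load of xt_recent by uid 99
Jan 20 23:16:00 ipfire kernel: eth0: link up
"""


def parse_passwd(text: str) -> Dict[int, str]:
    """Map numeric uid -> user name from passwd(5)-formatted text."""
    users: Dict[int, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[int(fields[2])] = fields[0]
    return users


def count_denials(lines: Iterable[str]) -> Counter:
    """Count grsec module auto-load denials keyed by (uid, module)."""
    counts: Counter = Counter()
    for line in lines:
        m = GRSEC_AUTOLOAD.search(line)
        if m:
            counts[(int(m.group("uid")), m.group("module"))] += 1
    return counts


def summarize(counts: Counter, users: Dict[int, str]) -> List[str]:
    """Render logwatch-style 'N Time(s): ...' lines, most frequent first,
    with the uid resolved to a user name ('unknown' if not in the table)."""
    out: List[str] = []
    for (uid, module), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        who = users.get(uid, "unknown")
        out.append(
            f"{n} Time(s): grsec: denied kernel module auto-load of {module} "
            f"by uid {uid} ({who})"
        )
    return out


def run(klog: str = SAMPLE_KLOG, passwd: str = SAMPLE_PASSWD) -> List[str]:
    """Full pipeline on the constructed sample data (or on real input)."""
    return summarize(count_denials(klog.splitlines()), parse_passwd(passwd))


if __name__ == "__main__":
    for line in run():
        print(line)
```

On a real box you would feed `run()` the contents of the kernel log (or `dmesg` output) and `/etc/passwd`; any row whose resolved user is an unprivileged daemon account is the one to chase, since, as the thread notes, an unprivileged user is not allowed to trigger module loading and the request will keep being denied until the module is loaded beforehand or the feature that requests it is built out.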