Configuring squid -- Permission denied

I'm trying to install and configure squid as the first step to installing DansGuardian to keep my 13-year-old son out of trouble. I'm doing this on a Red Hat 8 box, and I'm new to Linux.

I've gone through the install instructions and set the squid.conf as well as I understand based on the instructions in the quickstart file. When I try to run squid from the command line with this command
/usr/local/squid/sbin/squid -z

I get the following error:
FATAL: Failed to make swap directory /usr/local/squid/var/cache/00: (13) Permission denied
Squid Cache (Version 2.5.STABLE5): Terminated abnormally.

When I manually created that directory and tried again, I got
FATAL: Failed to make swap directory /usr/local/squid/var/cache/00/00: (13) Permission denied
Squid Cache (Version 2.5.STABLE5): Terminated abnormally.

followed by
FATAL: Failed to make swap directory /usr/local/squid/var/cache/00/01: (13) Permission denied
Squid Cache (Version 2.5.STABLE5): Terminated abnormally.

the next time I try, followed by
FATAL: Failed to make swap directory /usr/local/squid/var/cache/00/02: (13) Permission denied
Squid Cache (Version 2.5.STABLE5): Terminated abnormally.

and so on. I've manually created directories up to 0F and it's now telling me it can't make ./00/10 when I run it.

Because the cache_dir line in the squid.conf file has 16 level-one directories and 256 level-two directories specified, I take this to mean I'm going to have to manually create 4096 directories to get through this, and that's obviously not correct.

I'm logged in as root, though the cache_effective_user line in the squid.conf file is set to nobody. (It won't let me set it as root.)

I've tried creating the nogroup group, to include nobody and squid as members, and set write permissions for that group for the /squid, /squid/var, /squid/var/cache, and /squid/var/cache/00 directories, but I'm still getting the error saying it can't make ./00/10.

What do I need to be doing differently, please?


-- b.r.t. (penguinista in training)
Karl Heinz Kremer Commented:
I just destroyed my own cache dir and tried to recreate it (and by doing so ran into the same problem as you... But then I remembered that I had the same problems the first time I did this).

Create the top-level cache directory manually, then do a chown to the user/group that your squid daemon will be running as. You can find this in your squid.conf file as cache_effective_user and cache_effective_group. On my system this was squid and root, so I ran the following command:
chmod squid.root /path/to/my/cache/dir
After that squid -z worked without any problems.

I should have remembered this right away... I promise to do a better job next time :-)
Karl Heinz Kremer Commented:
You don't create the cache directories manually. Run this command:
squid -z -F
(You may need to specify the full path to squid).

BTW: You should have posted a pointer to this question in your other question. I came across this almost by accident.
Karl Heinz Kremer Commented:
You probably need to remove the dirs that you manually created before you run squid -z -F
Karl Heinz Kremer Commented:
Did you run the command as root user?
BarryTice (Author) Commented:
When I try to change the group permissions like this, I get an error:

[root@localhost root]# chmod squid.root /usr/local/squid/var/cache
chmod: invalid mode string: `squid.root'

Also, I seem to have two squid.conf files on my computer, as there's one at /etc/squid/squid.conf and another at /usr/local/squid/etc/squid.conf

Now I don't know what to do about this.


-- b.r.t.
Karl Heinz Kremer Commented:
Sorry, I was quoting the wrong command:

chown squid.root /path/to/...

The two squid config files are probably a result of two different squid installations on your system. It's possible that your Linux distribution already installed one in the / hierarchy (/etc, /usr/sbin, ...), and you compiled and installed one in /usr/local (/usr/local/squid/etc, ...). Check to see if you have a program named squid in either /usr/sbin or /sbin.
You can actually search over your complete hard disk:

find / -name squid -print | grep bin
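
The fix described in this thread (create the top-level cache directory, chown it to cache_effective_user and cache_effective_group, then run squid -z) can be checked against a squid.conf before squid is started. The script below is an added example, not part of the original thread; the function names are hypothetical, the sample configuration is constructed, and the fallback to nobody for an unset cache_effective_user is an assumption.

```shell
# Added example. Reads cache_dir and cache_effective_user/group from a
# squid.conf and reports whether the cache directory is ready for "squid -z".

# conf_value FILE DIRECTIVE: value of the last uncommented occurrence.
conf_value() {
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# cache_path FILE: path of the first cache_dir line
# (syntax: cache_dir <type> <path> <Mbytes> <L1> <L2>).
cache_path() {
    awk '$1 == "cache_dir" { print $3; exit }' "$1"
}

# swap_dir_count FILE: L1 * L2, the second-level directories squid -z creates.
swap_dir_count() {
    awk '$1 == "cache_dir" { print $5 * $6; exit }' "$1"
}

# owner_spec FILE: "user" or "user:group" in the form chown accepts.
# Assumption: an unset cache_effective_user falls back to nobody.
owner_spec() {
    u=$(conf_value "$1" cache_effective_user)
    g=$(conf_value "$1" cache_effective_group)
    echo "${u:-nobody}${g:+:$g}"
}

# check_cache_dir FILE: prints "ok", or the commands that fix the directory.
check_cache_dir() {
    dir=$(cache_path "$1")
    want=$(owner_spec "$1")
    if [ -d "$dir" ]; then
        have=$(ls -ld "$dir" | awk '{ print $3 }')
        [ "$have" = "${want%%:*}" ] && { echo ok; return 0; }
    else
        echo "mkdir -p $dir"
    fi
    echo "chown $want $dir"
    return 1
}

# Constructed sample: path and 16/256 levels from the question, size made up.
sample=$(mktemp)
printf '%s\n' 'cache_dir ufs /usr/local/squid/var/cache 100 16 256' \
    'cache_effective_user squid' 'cache_effective_group root' > "$sample"
echo "second-level swap directories: $(swap_dir_count "$sample")"
check_cache_dir "$sample" || true
rm -f "$sample"
```

The script prints the owner as user:group; the squid.root form used in the thread is the older dot spelling of the same chown argument.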

BarryTice (Author) Commented:
There are two squids, one in /usr/sbin and one in /usr/local/squid/sbin.

Which one should I be getting rid of (I'm guessing /usr/local/squid/sbin/squid) and is it safe to just delete the /usr/local/squid directory and everything underneath it?

-- b.r.t.
Karl Heinz Kremer Commented:
I would delete /usr/local/squid. From all the paths you've quoted so far, it looks like everything is under this directory. Once you've done that, you should be able to do everything you've done so far with /usr/sbin/squid
BarryTice (Author) Commented:
OK. I've deleted /usr/local/squid.

Next I've done /usr/sbin/squid -z
It told me it was creating the swap directories. (Good!)
The next (and only) thing I remember from the quickstart file after that was that the next command would be /usr/sbin/squid

I've done that, too. But I don't know what to do from there. There is no man page (to speak of) for squid, and it seems I deleted all the instructions I had installed with squid when I deleted /usr/local/squid. (D'oh!)

How do I get squid in a position so it's starting automatically so that I can get DansGuardian to work with it?

Thanks, khkremer. It's help like this that has made EE my No. 1 stop for answers for more than four years.

-- b.r.t.

Note: Points doubled.

p.s. How do I get my NumLock key to default to on? This is beginning to get to me.
Karl Heinz Kremer Commented:
You need to set up a proxy in your web browser. Use the hostname of the machine that runs squid (if it's on the same machine, use localhost), and use the port number you've configured in squid (if you've not specified anything, it will use the default 3128). How you do this depends on the browser you are using. Here are some pointers for Mozilla:

Select "Edit>Preferences", then select "Advanced>Proxies". Select "Manual Proxy Configuration" and add this for the HTTP proxy:

HTTP Proxy: localhost - Port: 3128
Click on "Use these settings for SSL, FTP, ..."

If you get an "Access denied" error if you try to access a web page, you need to do a bit more Squid configuration.
Karl Heinz Kremer Commented:
Re: NumLock - here are some solutions:
BarryTice (Author) Commented:
Gee, you wouldn't think having numlock default to on would be so hard in Red Hat and so easy in KDE. Thanks for the link! I'll grab the C++ file and install that tomorrow.

Also, thanks for the Squid help. With my proxies all set to localhost and port 3128, I'm still getting Web pages, so it must be working, I guess. Now I just need to get DansGuardian installed and configured, and I'll be ready to go.

At that point, how do I keep my son from just going to his Mozilla preferences and connecting to the Internet directly rather than through the proxy? Is there a file somewhere that the preferences are kept in that I can make read-only for him? (At the moment I have the Mozilla directory owned by a "grownups" group, with no execute permissions for anyone outside the group. He can't launch it at all for the moment -- not that I think he's yet tried. I could do something similar with the preferences file, if that would work.)

-- b.r.t.
Karl Heinz Kremer Commented:
The default settings are in the user's home directory in a directory .mozilla. You need to keep this directory open, but you can protect the actual config file. You can find this by going to ~/.mozilla/<username>/<some random id>.slt/prefs.js
The file name can be slightly different (depending on the version of Mozilla). Just protect this file with chown and chmod
BarryTice (Author) Commented:
I was wrong, khkremer. With the proxies all set to localhost and port 3128, I'm getting "The connection was refused when attempting to contact [url]". If I reset the preferences to connect directly to the Internet, quit, and start again, I get web pages.

I've gone through the squid.conf file looking for anything that seems like it obviously needs to be changed, but nothing jumps out at me. (Everything is set as its default, the way it was when Anaconda installed it.)

If I were to guess, I suspect that the problem is just that though Squid is installed, I've never told it to start running. (To the best of my understanding, I haven't.)

I'm guessing that the way to do this is with a script, but I'm not confident that I know where to put it so it runs on every boot (I'm guessing /lib, but I don't know that). Also, the squid FAQ (Q 3.6) talks about how to make Squid run on boot, but I fear it's a little over my head. I've begun down the path of trying to modify the sample shell script they give, but because my Squid isn't installed where they install it by default, I'm a bit lost.

Any suggestions?

FWIW, the sample script they provide is
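==== BEGIN PASTE ====
        # Squid install prefix (the FAQ's default location)
        C=/usr/local/squid
        export PATH TZ

        # User to notify on restarts (value missing from the paste; root assumed)
        notify="root"

        # Squid command line options (value missing from the paste; none assumed)
        opts=""

        cd $C
        umask 022
        sleep 10
        # Wait for as long as the /var/run/nosquid flag file exists
        while [ -f /var/run/nosquid ]; do
                sleep 1
        done
        # Mail the tail of the cache log, then run squid in the foreground
        /usr/bin/tail -20 $C/logs/cache.log \
                | Mail -s "Squid restart on `hostname` at `date`" $notify
        exec bin/squid -N $opts
===== END PASTE =====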
but my squid is in /usr/bin rather than /usr/local/squid, and there's no squid directory in usr/bin.

Thanks again.

-- b.r.t.
Karl Heinz Kremer Commented:
Go to the RedHat menu and select "System Settings>Server Settings>Services".
Then make sure that "squid" is checked in all available runlevels. You can switch the runlevels under the "Edit Runlevel" menu.

Then click on the "Start" button to start the squid service. The next time you reboot, it will be started automatically.

The default configuration only allows connections from localhost (which should work in your case). You can also allow all hosts on your network to access the squid proxy: Look for the line acl our_networks src ... and remove the comment character in front of it. Also, make sure that the network address is correct. Then uncomment the following line:
http_access allow our_networks
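
Uncommenting the two lines above only has the intended effect if the acl is defined before it is used and the allow rule sits ahead of the closing deny, because Squid evaluates http_access rules top to bottom and the first match decides. The lint below is an added example, not part of the original thread, and goes slightly beyond the answer by also flagging a rule that admits every client address; the function name is hypothetical, the sample configuration and its 192.168.1.0/24 network are constructed, and it assumes a Squid 2.5 style file in which "acl all src 0.0.0.0/0.0.0.0" is defined in squid.conf itself.

```shell
# Added example. Lints the http_access rules of a squid.conf.

# lint_http_access FILE: prints one finding per line, returns 1 if any.
lint_http_access() {
    awk '
    function report(msg) { print "line " NR ": " msg; bad = 1 }
    $1 == "acl" {
        defined[$2] = 1
        # An acl whose source is 0.0.0.0/0... matches every client.
        if ($3 == "src" && $4 ~ /^0\.0\.0\.0\/0/) everyone[$2] = 1
    }
    $1 == "http_access" && NF >= 3 {
        wide = 1
        for (i = 3; i <= NF; i++) {
            name = $i
            negated = sub(/^!/, "", name)
            if (!(name in defined)) report("acl " name " is not defined")
            if (negated || !(name in everyone)) wide = 0
        }
        if ($2 == "allow" && closed) report("never reached, follows deny all")
        if ($2 == "allow" && wide) report("allows every client address")
        if ($2 == "deny" && wide) closed = 1
    }
    END {
        if (!closed) { print "no closing http_access deny all"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: the http_access line was uncommented, the acl was not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
#acl our_networks src 192.168.1.0/24
http_access allow our_networks
http_access allow localhost
http_access deny all
EOF
lint_http_access "$sample" || true
rm -f "$sample"
```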
BarryTice (Author) Commented:
Sorry, khkremer, but I haven't had an opportunity to get back to this this week. My wife, uh, wasn't pleased with the amount of time I've been spending trying to configure this box, and I've spent time this week watching TV with her to make up for it. Also, I don't expect to get a chance to work on it until maybe Tuesday the 13th, as I'll be out of town for the weekend.

Thanks for the patience!

-- b.r.t.
Karl Heinz Kremer Commented:
That's OK, just don't forget to come back and let me know how it works.
Question has a verified solution.
