Solved

Configuring squid -- Permission denied

Posted on 2004-04-03
Last Modified: 2007-12-19
I'm trying to install and configure squid as the first step to installing DansGuardian to keep my 13-year-old son out of trouble. I'm doing this on a Red Hat 8 box, and I'm new to Linux.

I've gone through the install instructions and set the squid.conf as well as I understand based on the instructions in the quickstart file. When I try to run squid from the command line with this command
/usr/local/squid/sbin/squid -z

I get the following error:
FATAL: Failed to make swap directory /usr/local/squid/var/cache/00: (13) Permission denied
Squid Cache (Version 2.5.STABLE5): Terminated abnormally.

When I manually created that directory and tried again, I got
FATAL: Failed to make swap directory /usr/local/squid/var/cache/00/00: (13) Permission denied
Squid Cache (Version 2.5.STABLE5): Terminated abnormally.

followed by
FATAL: Failed to make swap directory /usr/local/squid/var/cache/00/01: (13) Permission denied
Squid Cache (Version 2.5.STABLE5): Terminated abnormally.

the next time I try, followed by
FATAL: Failed to make swap directory /usr/local/squid/var/cache/00/02: (13) Permission denied
Squid Cache (Version 2.5.STABLE5): Terminated abnormally.

and so on. I've manually created directories up to 0F and it's now telling me it can't make ./00/10 when I run it.

Because the cache_dir line in the squid.conf file has 16 level-one directories and 256 level-two directories specified, I take this to mean I'm going to have to manually create 4096 directories to get through this, and that's obviously not correct.

I'm logged in as root, though the cache_effective_user line in the squid.conf file is set to nobody. (It won't let me set it as root.)

I've tried creating the nogroup group, to include nobody and squid as members, and set write permissions for that group for the /squid, /squid/var, /squid/var/cache, and /squid/var/cache/00 directories, but I'm still getting the error saying it can't make ./00/10.

What do I need to be doing differently, please?

Thanks.

-- b.r.t. (penguinista in training)
Question by:BarryTice
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10751828
You don't create the cache directories manually. Run this command:
squid -z -F
(You may need to specify the full path to squid).

BTW: You should have posted a pointer to this question in your other question. I came across this almost by accident.
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10751831
You probably need to remove the dirs that you manually created before you run squid -z -F
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10751834
Did you run the command as root user?
0
 
LVL 44

Accepted Solution

by:
Karl Heinz Kremer earned 250 total points
ID: 10751854
I just destroyed my own cache dir and tried to recreate it (and by doing so ran into the same problem as you... But then I remembered that I had the same problems the first time I did this).

Create the top-level cache directory manually, then do a chown to the user/group that your squid daemon will be running as. You can find this in your squid.conf file as cache_effective_user and cache_effective_group. On my system this was squid and root, so I ran the following command:
chmod squid.root /path/to/my/cache/dir
After that squid -z worked without any problems.

I should have remembered this right away... I promise to do a better job next time :-)
0
 
LVL 7

Author Comment

by:BarryTice
ID: 10752745
When I try to change the group permissions like this, I get an error:

[root@localhost root]# chmod squid.root /usr/local/squid/var/cache
chmod: invalid mode string: `squid.root'

Also, I seem to have two squid.conf files on my computer, as there's one at /etc/squid/squid.conf and another at /usr/local/squid/etc/squid.conf

Now I don't know what to do about this.

Thanks.

-- b.r.t.
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10753337
Sorry, I was quoting the wrong command:

chown squid.root /path/to/...

The two squid config files are probably a result of two different squid installations on your system. It's possible that your Linux distribution already installed one in the / hierarchy (/etc, /usr/sbin, ...), and you compiled and installed one in /usr/local (/usr/local/squid/etc, ...). Check to see if you have a program named squid in either /usr/sbin or /sbin.
You can actually search over your complete hard disk:

find / -name squid -print | grep bin

0
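Added example (not part of the thread): a read-only check for the condition the accepted answer and its chown correction describe, namely that each cache_dir must be owned by cache_effective_user before squid -z can create the swap directories. The function names are made up for this example, and the suggested chown is printed with the POSIX user:group colon form of the squid.root shown above.

```shell
#!/bin/sh
# Added example: report whether every cache_dir named in a squid.conf is
# owned by cache_effective_user. It changes nothing; it only prints the
# chown to run. Function names here are hypothetical, not part of Squid.

# Print the value of a single-valued directive (commented lines never match).
conf_value() {  # usage: conf_value <directive> <squid.conf>
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# Print the directory field of each line: cache_dir <type> <dir> <MB> <L1> <L2>
cache_dirs() {  # usage: cache_dirs <squid.conf>
    awk '$1 == "cache_dir" { print $3 }' "$1"
}

# Return 0 only if every explicitly configured cache dir exists and is owned
# by the effective user; 2 if the config names no cache_effective_user.
check_cache_owner() {  # usage: check_cache_owner <squid.conf>
    conf=$1
    user=$(conf_value cache_effective_user "$conf")
    group=$(conf_value cache_effective_group "$conf")
    if [ -z "$user" ]; then
        echo "NOUSER no cache_effective_user line in $conf"
        return 2
    fi
    want="$user${group:+:$group}"   # user or user:group for the chown hint
    rc=0
    for dir in $(cache_dirs "$conf"); do
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir: mkdir it, then chown $want $dir"
            rc=1
            continue
        fi
        owner=$(ls -ld "$dir" | awk '{ print $3 }')
        if [ "$owner" = "$user" ]; then
            echo "OK $dir is owned by $user"
        else
            echo "MISMATCH $dir is owned by $owner: chown $want $dir"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh check.sh /etc/squid/squid.conf
if [ $# -gt 0 ]; then check_cache_owner "$1"; fi
```

Run it against the squid.conf that belongs to the binary you actually start; with two installations on one box, as in this thread, each has its own file.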
 
LVL 7

Author Comment

by:BarryTice
ID: 10753962
There are two squids, one in /usr/sbin and one in /usr/local/squid/sbin.

Which one should I be getting rid of (I'm guessing /usr/local/squid/sbin/squid) and is it safe to just delete the /usr/local/squid directory and everything underneath it?

-- b.r.t.
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10753990
I would delete /usr/local/squid. From all the paths you've quoted so far, it looks like everything is under this directory. Once you've done that, you should be able to do everything you've done so far with /usr/sbin/squid
0

 
LVL 7

Author Comment

by:BarryTice
ID: 10754085
OK. I've deleted /usr/local/squid.

Next I've done /usr/sbin/squid -z
It told me it was creating the swap directories. (Good!)
The next (and only) thing I remember from the quickstart file after that was that the next command would be /usr/sbin/squid

I've done that, too. But I don't know what to do from there. There is no man page (to speak of) for squid, and it seems I deleted all the instructions I had installed with squid when I deleted /usr/local/squid. (D'oh!)

How do I get squid in a position so it's starting automatically so that I can get DansGuardian to work with it?

Thanks, khkremer. It's help like this that has made EE my No. 1 stop for answers for more than four years.

-- b.r.t.

Note: Points doubled.

p.s. How do I get my NumLock key to default to on? This is beginning to get to me.
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10754250
You need to set up a proxy in your web browser. Use the hostname of the machine that runs squid (if it's on the same machine, use localhost), and use the port number you've configured in squid (if you've not specified anything, it will use the default 3128). How you do this depends on the browser you are using. Here are some pointers for Mozilla:

Select "Edit>Preferences", then select "Advanced>Proxies". Select "Manual Proxy Configuration" and add this for the HTTP proxy:

HTTP Proxy: localhost - Port: 3128
Click on "Use these settings for SSL, FTP, ..."

If you get an "Access denied" error if you try to access a web page, you need to do a bit more Squid configuration.
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10754275
Re: NumLock - here are some solutions: http://www.linuxgazette.com/node/view/395
0
 
LVL 7

Author Comment

by:BarryTice
ID: 10754492
Gee, you wouldn't think having numlock default to on would be so hard in Red Hat and so easy in KDE. Thanks for the link! I'll grab the C++ file and install that tomorrow.

Also, thanks for the Squid help. With my proxies all set to localhost and port 3128, I'm still getting Web pages, so it must be working, I guess. Now I just need to get DansGuardian installed and configured, and I'll be ready to go.

At that point, how do I keep my son from just going to his Mozilla preferences and connecting to the Internet directly rather than through the proxy? Is there a file somewhere that the preferences are kept in that I can make read-only for him? (At the moment I have the Mozilla directory owned by a "grownups" group, with no execute permissions for anyone outside the group. He can't launch it at all for the moment -- not that I think he's yet tried. I could do something similar with the preferences file, if that would work.)

-- b.r.t.
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10755906
The default settings are in the user's home directory in a directory .mozilla. You need to keep this directory open, but you can protect the actual config file. You can find this by going to ~/.mozilla/<username>/<some random id>.slt/prefs.js
The file name can be slightly different (depending on the version of Mozilla). Just protect this file with chown and chmod
0
 
LVL 7

Author Comment

by:BarryTice
ID: 10762169
I was wrong, khkremer. With the proxies all set to localhost and port 3128, I'm getting "The connection was refused when attempting to contact [url]". If I reset the preferences to connect directly to the Internet, quit, and start again, I get web pages.

I've gone through the squid.conf file looking for anything that seems like it obviously needs to be changed, but nothing jumps out at me. (Everything is set as its default, the way it was when Anaconda installed it.)

If I were to guess, I suspect that the problem is just that though Squid is installed, I've never told it to start running. (To the best of my understanding, I haven't.)

I'm guessing that the way to do this is with a squid.sh script, but I'm not confident that I know where to put it so it runs on every boot (I'm guessing /lib, but I don't know that). Also, the squid FAQ (Q 3.6) talks about how to make Squid run on boot, but I fear it's a little over my head. I've begun down the path of trying to modify the sample shell script they give, but because my Squid isn't installed where they install it by default, I'm a bit lost.

Any suggestions?

FWIW, the sample script they provide is
==== BEGIN PASTE ====
        #!/bin/sh
        C=/usr/local/squid
        PATH=/usr/bin:$C/bin
        TZ=PST8PDT
        export PATH TZ
       
        # User to notify on restarts
        notify="root"

        # Squid command line options
        opts=""

        cd $C
        umask 022
        sleep 10
        while [ -f /var/run/nosquid ]; do
                sleep 1
        done
        /usr/bin/tail -20 $C/logs/cache.log \
                | Mail -s "Squid restart on `hostname` at `date`" $notify
        exec bin/squid -N $opts
===== END PASTE =====
but my squid is in /usr/bin rather than /usr/local/squid, and there's no squid directory in usr/bin.

Thanks again.

-- b.r.t.
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10762329
Go to the RedHat menu and select "System Settings>Server Settings>Services".
Then make sure that "squid" is checked in all available runlevels. You can switch the runlevels under the "Edit Runlevel" menu.

Then click on the "Start" button to start the squid service. The next time you reboot, it will be started automatically.

The default configuration only allows connections from localhost (which should work in your case). You can also allow all hosts on your network to access the squid proxy: Look for the line acl our_networks src ... and remove the comment character in front of it. Also, make sure that the network address is correct. Then uncomment the following line:
http_access allow our_networks
0
 
LVL 7

Author Comment

by:BarryTice
ID: 10788991
Sorry, khkremer, but I haven't had an opportunity to get back to this this week. My wife, uh, wasn't pleased with the amount of time I've been spending trying to configure this box, and I've spent time this week watching TV with her to make up for it. Also, I don't expect to get a chance to work on it until maybe Tuesday the 13th, as I'll be out of town for the weekend.

Thanks for the patience!

-- b.r.t.
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10790409
That's OK, just don't forget to come back and let me know how it works.
0
