Re: Binding Squid to reserved port (was: mac_portacl)



Nikolay Pavlov <quetzal@xxxxxxxxxxxx> wrote:

I am trying to implement a reverse proxy using Squid with mac_portacl,
but I have a problem while binding Squid to port 80.
Am I missing something?

Here are my mac_portacl variables:

# sysctl security.mac.portacl.
security.mac.portacl.enabled: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.port_high: 1023
security.mac.portacl.rules: uid:100:tcp:80

And squid user info:

# grep squid /etc/passwd
squid:*:100:100:squid caching-proxy pseudo user:/usr/local/squid:/usr/sbin/nologin

Also here is cache.log:

2006/10/20 09:55:59| Starting Squid Cache version 2.5.STABLE14 for i386-portbld-freebsd6.1...
2006/10/20 09:55:59| Process ID 6584
2006/10/20 09:55:59| With 11072 file descriptors available
2006/10/20 09:55:59| DNS Socket created at 0.0.0.0, port 59879, FD 5
2006/10/20 09:55:59| Adding nameserver 206.53.60.10 from /etc/resolv.conf
2006/10/20 09:55:59| User-Agent logging is disabled.
2006/10/20 09:55:59| Unlinkd pipe opened on FD 10
2006/10/20 09:55:59| Swap maxSize 102400000 KB, estimated 7876923 objects
2006/10/20 09:55:59| Target number of buckets: 393846
2006/10/20 09:55:59| Using 524288 Store buckets
2006/10/20 09:55:59| Max Mem size: 1048576 KB
2006/10/20 09:55:59| Max Swap size: 102400000 KB
2006/10/20 09:55:59| Rebuilding storage in /cache (DIRTY)
2006/10/20 09:55:59| Using Least Load store dir selection
2006/10/20 09:55:59| Set Current Directory to /usr/local/squid/cache
2006/10/20 09:55:59| Loaded Icons.
2006/10/20 09:55:59| commBind: Cannot bind socket FD 12 to *:80: (13) Permission denied
FATAL: Cannot open HTTP Port
Squid Cache (Version 2.5.STABLE14): Terminated abnormally.
CPU Usage: 0.035 seconds = 0.000 user + 0.035 sys
Maximum Resident Size: 9528 KB
Page faults with physical i/o: 0

I assume you aren't starting Squid with root privileges?

If you aren't, you'll have to lower:
net.inet.ip.portrange.reservedhigh if you want
it to bind to port 80.

I don't use mac_portacl, but from the name I assume
security.mac.portacl.port_high does something similar.

Port redirection with your packet filter of choice
would be another option.

Followup-To: freebsd-questions@xxxxxxxxxxx set.

Fabian
--
http://www.fabiankeil.de/
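The point in the reply above, as an added example that is not part of the thread, of Squid, or of FreeBSD: a non-root bind() to a low port has to pass two independent checks, the mac_portacl rules and the kernel's classic reserved-port check governed by net.inet.ip.portrange.reservedlow/reservedhigh. The posted sysctl output enables the first but leaves the second at its default (0..1023), so uid 100 is still refused with errno 13 even though the portacl rule allows it. The script below models both checks with the values from the post (uid 100, rule uid:100:tcp:80, port_high 1023) and shows the same bind succeeding once the reserved range is disabled. The evaluation order and the assumption that a portacl denial surfaces as EPERM while the reserved-port check surfaces as EACCES are modelling assumptions of this example, not something the page states; the Sysctls class, parse_rules and try_bind are hypothetical helpers written for it.

```python
"""Model of the two checks a non-root bind() to a low port must pass.

Added example, not code from the thread, from Squid or from FreeBSD.
Assumptions (not from the page): the check order shown here, and that a
mac_portacl denial is reported as EPERM while the reserved-port check is
reported as EACCES. The sysctl values and uid 100 come from the post.
"""
import errno
from dataclasses import dataclass


@dataclass
class Sysctls:
    """The subset of sysctls relevant to binding a low port."""
    portacl_enabled: bool = True     # security.mac.portacl.enabled
    suser_exempt: bool = True        # security.mac.portacl.suser_exempt
    autoport_exempt: bool = True     # security.mac.portacl.autoport_exempt
    port_low: int = 0                # security.mac.portacl.port_low
    port_high: int = 1023            # security.mac.portacl.port_high
    rules: str = ""                  # security.mac.portacl.rules
    reservedlow: int = 0             # net.inet.ip.portrange.reservedlow
    reservedhigh: int = 1023         # net.inet.ip.portrange.reservedhigh


def parse_rules(rules):
    """Parse 'uid:100:tcp:80,gid:80:udp:53' into (kind, id, proto, port)."""
    parsed = []
    for rule in filter(None, rules.split(",")):
        kind, ident, proto, port = rule.split(":")
        if kind not in ("uid", "gid") or proto not in ("tcp", "udp"):
            raise ValueError("bad portacl rule: %r" % rule)
        parsed.append((kind, int(ident), proto, int(port)))
    return parsed


def portacl_check(s, uid, gids, proto, port):
    """Return 0 if the portacl policy allows the bind, else EPERM (assumed)."""
    if not s.portacl_enabled:
        return 0
    if s.suser_exempt and uid == 0:
        return 0                      # root bypasses the policy
    if s.autoport_exempt and port == 0:
        return 0                      # kernel-chosen port, not covered
    if not (s.port_low <= port <= s.port_high):
        return 0                      # outside the policed range
    for kind, ident, rproto, rport in parse_rules(s.rules):
        if rproto != proto or rport != port:
            continue
        if kind == "uid" and ident == uid:
            return 0
        if kind == "gid" and ident in gids:
            return 0
    return errno.EPERM                # no matching rule: deny


def reserved_port_check(s, uid, port):
    """Classic BSD rule: only root may bind reservedlow..reservedhigh."""
    if port != 0 and uid != 0 and s.reservedlow <= port <= s.reservedhigh:
        return errno.EACCES           # this is the "(13) Permission denied"
    return 0


def try_bind(s, uid, gids, proto, port):
    """Simulate bind(): 0 on success, otherwise the errno it would fail with."""
    err = portacl_check(s, uid, gids, proto, port)
    if err:
        return err
    return reserved_port_check(s, uid, port)


# Constructed from the sysctl output in the original post.
POSTED = Sysctls(rules="uid:100:tcp:80")
# Same rules, with the reserved-port range disabled as the reply suggests.
FIXED = Sysctls(rules="uid:100:tcp:80", reservedlow=0, reservedhigh=0)

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        err = try_bind(cfg, uid=100, gids={100}, proto="tcp", port=80)
        status = "ok" if err == 0 else "(%d) %s" % (err, errno.errorcode[err])
        print("%s: bind *:80 as uid 100 -> %s" % (name, status))
```

With the reserved range disabled, mac_portacl is what stands between unprivileged users and the low ports, which is why the rule set should be checked for anything broader than the one uid and port you intend to allow; a uid with no matching rule is still refused, only now by the policy rather than the legacy check.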
