Ubuntu
squidguard package

Squid 3.3.8 incompatible with squidGuard 1.5-4

Bug #1448149 reported by Deadwing
32
This bug affects 5 people
Affects Status Importance Assigned to Milestone
squid3 (Ubuntu)
Fix Released
Wishlist
Unassigned
Wily
Invalid
Undecided
Unassigned
squidguard (Ubuntu)
Fix Released
High
Unassigned
Wily
Triaged
Undecided
Unassigned

Bug Description

I had a working config on Ubuntu 14.10 Server with Squid 3.3.8 and squidGuard 1.5-2. I spun up a 15.04 Server box and installed both and copied over the .conf files. Squid works like a charm. squidGuard fails with:

2015/04/23 16:15:44 kid1| ERROR: URL-rewrite produces invalid request: GET ERR HTTP1.1

Googling this error led to others who also had this error in the past, and the case seemed to be that squidGuard is trying to use an unsupported method in Squid.

Squid 3.3.8 is almost 2 years old now, and Squid 3.5 is the stable branch. Could we PLEASE get something a little more current that works with squidGuard?

Revision history for this message
Deadwing (deadwing2005) wrote :

I should note that 14.10 shipped with squid 3.3.8 and squidGuard 1.5-2. 15.04 ships with squid 3.3.8 but squidGuard 1.5-4. The 1.5-4 changelog shows they made some changes to support squid 3.4 and how that was the new base version. No wonder 1.5-4 doesn't work with 3.3.8.

From Launchpad:

squidguard 1.5-4 source package in Ubuntu
Changelog
squidguard (1.5-4) unstable; urgency=medium

  * Fix for working with squid 3.4 and higher. Closes: #772831
  * Update dependency to squid3 (>= 3.4.0) because the new patch
      let squidguard only support newer versions of squid3 and
      don't support squid 2.7 anymore.

Revision history for this message
Deadwing (deadwing2005) wrote :

I emailed the maintainer and received this reply:

> Can you please confirm that the squidGuard 1.5-4 will or won't work with
> the shipping squid 3.3.8?

This is right. The problem was, that squid3 have changed its redirector
protocol several times. Until squid3 3.3.x older protocols were allowed.
But now with 3.4.0 only the newest protocol is supported in squid3. Because
squidguard cannot analyse which squid version is running I have made a
full cut and updated the code in squidguard to only work together with
3.4 and higher.

Sorry for these problems in Ubuntu.

Robie Basak (racb)
tags: added: upgrade-software-version
Changed in squid3 (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Robie Basak (racb) wrote :

We can update squid3 to >= 3.4.0 in Vivid+1, but Vivid will need to stay on what it is since we can't make a backwards-incompatible change to it after release. To fix Vivid, can we revert the change squidguard that bumped syntax to >= 3.4.0? Do we just need to revert the one commit (http://anonscm.debian.org/cgit/collab-maint/squidguard.git/commit/?id=19e5ee293c04c605eb927d45688d2f0583cf9680) or is there something else necessary too?

Changed in squidguard (Ubuntu):
status: New → Triaged
importance: Undecided → High
Revision history for this message
Robie Basak (racb) wrote :

Status is:

squid3: Wishlist item to move to >= 3.4.0 in Vivid+1; no bug in Vivid.
squidguard: "bug" in Vivid makes package unusable; no bug in Vivid+1 once squid3 is updated there.

Revision history for this message
Deadwing (deadwing2005) wrote :

Is there going to be some resolution to this or will we have to wait until 15.10?? Frankly, I find it bizarre that they're packaging an ancient version of squid3 with a bleeding-edge version of squidGuard. I would think that using Ubuntu Server as a web proxy would be a fairly common thing, and it's broken right from the start.

Revision history for this message
Robie Basak (racb) wrote :

If this can be fixed as I asked in comment #3, and the squidguard package is completely broken otherwise, then an update to 15.04 would be fine. Someone just needs to check this works, perform SRU verification, etc.

We should also look to add a dep8 test to squidguard to verify it works against the squid package shipped correctly. Having such a test would have prevented releasing with this situation.

> I would think that using Ubuntu Server as a web proxy would be a fairly common thing...

I think squid use is quite common, but apparently not squidguard.

Revision history for this message
Deadwing (deadwing2005) wrote :

Well, either squid has to move up to 3.4+ which you said is a non-starter, or squidGuard has to move back down to 1.5-2 which the Debian guys aren't likely to do. So that leaves us nowhere.

Revision history for this message
Robie Basak (racb) wrote :

As I said, I see no issue with updating the squidguard package 15.04 with a reversion of the patch I mentioned above, if as I understand the package is broken in 15.04 today and reverting the patch does actually fix the issue. Someone just needs to check this works, perform SRU verification, etc.

Revision history for this message
Deadwing (deadwing2005) wrote :

Here we are, 6 months later, and nothing has changed. 15.10 ships with the same incompatible Squid 3.3.8 and squidGuard 1.5-4. Unbelievable.

Revision history for this message
Thomas (t.c) wrote :

still exist in 16.04!!!!!!!

Thomas (t.c)
tags: added: xenial
tags: added: regression-release
Revision history for this message
Thomas (t.c) wrote :

I get the same Output in /var/log/squid3/cache.log:

2016/04/04 07:28:17 kid1| ERROR: URL-rewrite produces invalid request: GET ERR HTTP1.1

~# dpkg -l | grep squid
ii squid 3.3.8-1ubuntu17 amd64 dependency package from squid to squid3
ii squid-langpack 20150704-1 all Localized error pages for Squid
ii squid3 3.3.8-1ubuntu17 amd64 Full featured Web Proxy cache (HTTP proxy)
ii squid3-common 3.3.8-1ubuntu17 all Full featured Web Proxy cache (HTTP proxy) - common files
ii squidguard 1.5-5 amd64 filter and redirector plugin for Squid

Revision history for this message
Thomas (t.c) wrote :

We have seen the problem for now only, when using Webseites mit HTTPS.

Revision history for this message
Deadwing (deadwing2005) wrote :

Hilarious. Good thing it's traiged as a High Importance issue...

I've already long since moved on when I realized that they weren't serious about Ubuntu as a server platform. Maybe they figure that nobody uses Ubuntu Server for anything except Apache or nginx?

Revision history for this message
Jon Grimm (jgrimm) wrote :

Hi there,

https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1473691

with squid3 3.5.12-1ubuntu6

, just unblocked from migration, so should show in the xenial shortly.

Revision history for this message
Robie Basak (racb) wrote :

I believe this is fixed in Xenial now. For Wily, I'll leave a task open for squidguard, but no action for squid. It can be fixed if someone can address my comments in 3 and 8.

Changed in squid3 (Ubuntu):
status: Triaged → Fix Released
Changed in squid3 (Ubuntu Wily):
status: New → Invalid
Changed in squidguard (Ubuntu):
status: Triaged → Fix Released
Changed in squidguard (Ubuntu Wily):
status: New → Triaged
Revision history for this message
Thomas (t.c) wrote :
Download full text (5.1 KiB)

Sorry to say so, but squidgaurd is still not working:

It trys to redirect many times and never ends:
2016/04/22 14:51:41 kid1| WARNING: redirector #Hlpr17574 exited
2016/04/22 14:51:41 kid1| Too few redirector processes are running (need 1/20)
2016/04/22 14:51:41 kid1| Starting new helpers
2016/04/22 14:51:41 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2016/04/22 14:51:41 kid1| WARNING: redirector #Hlpr17575 exited
2016/04/22 14:51:41 kid1| Too few redirector processes are running (need 1/20)
2016/04/22 14:51:41 kid1| Starting new helpers
2016/04/22 14:51:41 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2016/04/22 14:51:41 kid1| WARNING: redirector #Hlpr17576 exited
2016/04/22 14:51:41 kid1| Too few redirector processes are running (need 1/20)
2016/04/22 14:51:41 kid1| Starting new helpers
2016/04/22 14:51:41 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2016/04/22 14:51:41 kid1| WARNING: redirector #Hlpr17577 exited
2016/04/22 14:51:41 kid1| Too few redirector processes are running (need 1/20)
2016/04/22 14:51:41 kid1| Starting new helpers
2016/04/22 14:51:41 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2016/04/22 14:51:41 kid1| WARNING: redirector #Hlpr17578 exited
2016/04/22 14:51:41 kid1| Too few redirector processes are running (need 1/20)
2016/04/22 14:51:41 kid1| Starting new helpers
2016/04/22 14:51:41 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2016/04/22 14:51:41 kid1| WARNING: redirector #Hlpr17579 exited
2016/04/22 14:51:41 kid1| Too few redirector processes are running (need 1/20)
2016/04/22 14:51:41 kid1| Starting new helpers
2016/04/22 14:51:41 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2016/04/22 14:51:41 kid1| WARNING: redirector #Hlpr17580 exited
2016/04/22 14:51:41 kid1| Too few redirector processes are running (need 1/20)
2016/04/22 14:51:41 kid1| Starting new helpers
2016/04/22 14:51:41 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2016/04/22 14:51:41 kid1| WARNING: redirector #Hlpr17581 exited
2016/04/22 14:51:41 kid1| Too few redirector processes are running (need 1/20)
2016/04/22 14:51:41 kid1| Starting new helpers
2016/04/22 14:51:41 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2016/04/22 14:51:41 kid1| WARNING: redirector #Hlpr17582 exited
2016/04/22 14:51:41 kid1| Too few redirector processes are running (need 1/20)
2016/04/22 14:51:41 kid1| Starting new helpers
2016/04/22 14:51:41 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2016/04/22 14:51:41 kid1| WARNING: redirector #Hlpr17583 exited
2016/04/22 14:51:41 kid1| Too few redirector processes are running (need 1/20)
2016/04/22 14:51:41 kid1| Starting new helpers
2016/04/22 14:51:41 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2016/04/22 14:51:41 kid1| WARNING: redirector #Hlpr17584 exited
2016/04/22 14:51:41 kid1| Too few redirector processes are running (need 1/20)
2016/04/22 14:51:41 kid1| Starting new helpers
2016/04/22 14:51:41 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2016/04/22 14:51:41 kid1| WARNING: redirector #Hlpr17585 exited
2016/04/22 14:51:41 kid1| Too few redirect...

Read more...

Revision history for this message
Thomas (t.c) wrote :

oh, I run under 16.04!
root@proxy:~# dpkg -l|grep squid
ii squid 3.5.12-1ubuntu7 amd64 Full featured Web Proxy cache (HTTP proxy)
ii squid-common 3.5.12-1ubuntu7 all Full featured Web Proxy cache (HTTP proxy) - common files
ii squid-langpack 20150704-1 all Localized error pages for Squid
ii squid3 3.5.12-1ubuntu7 all Dummy transitional package.
ii squidguard 1.5-5 amd64 filter and redirector plugin for Squid

Revision history for this message
Thomas (t.c) wrote :

can you pls add the affects to xenial?

Revision history for this message
Thomas (t.c) wrote :

possible is this the problem?

[ 580.953497] audit: type=1400 audit(1461329763.740:651721): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/squid//squidguard" pid=10372 comm="squidGuard" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/squid"
[ 580.953505] audit: type=1400 audit(1461329763.740:651722): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/squid" pid=10372 comm="squidGuard" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/squid//squidguard"
[ 580.953516] audit: type=1400 audit(1461329763.740:651723): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/squid//squidguard" pid=10372 comm="squidGuard" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/squid"
[ 580.953520] audit: type=1400 audit(1461329763.740:651724): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/squid" pid=10372 comm="squidGuard" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/squid//squidguard"
[ 580.953532] audit: type=1400 audit(1461329763.740:651725): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/squid//squidguard" name="/var/log/squid/cache.log" pid=10372 comm="squidGuard" requested_mask="ra" denied_mask="ra" fsuid=13 ouid=13
[ 580.953910] audit: type=1400 audit(1461329763.740:651726): apparmor="DENIED" operation="file_mprotect" profile="/usr/sbin/squid//squidguard" name="/usr/bin/squidGuard" pid=10370 comm="squidGuard" requested_mask="r" denied_mask="r" fsuid=13 ouid=0
[ 580.953966] audit: type=1400 audit(1461329763.740:651727): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/squid//squidguard" name="apparmor/.null" pid=10370 comm="squidGuard" requested_mask="w" denied_mask="w" fsuid=13 ouid=0
[ 580.957457] audit: type=1400 audit(1461329763.744:651728): apparmor="DENIED" operation="file_mprotect" profile="/usr/sbin/squid//squidguard" name="/usr/bin/squidGuard" pid=10372 comm="squidGuard" requested_mask="r" denied_mask="r" fsuid=13 ouid=0
[ 580.957472] audit: type=1400 audit(1461329763.744:651729): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/squid//squidguard" name="apparmor/.null" pid=10372 comm="squidGuard" requested_mask="w" denied_mask="w" fsuid=13 ouid=0
[ 580.957811] audit: type=1400 audit(1461329763.744:651730): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/squid//squidguard" pid=10374 comm="squidGuard" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/squid"

Any Hints?

Revision history for this message
Thomas (t.c) wrote :

but my redirect entry is

root@proxy:~# grep squidG /etc/squid/squid.conf
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.