Bug 53011 - Squid does not start after being configured as a transparent proxy
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Squid
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0
Assigned To: Florian Best
QA Contact: Julia Bremer
Blocks: 52578 54979
Reported: 2021-03-30 11:56 CEST by Julia Bremer
Modified: 2022-07-13 09:29 CEST

What kind of report is it?: Development Internal
bremer: Patch_Available+


Attachments
squid.conf patch (5.19 KB, patch)
2021-03-31 14:15 CEST, Julia Bremer
actual squid.conf patch .. (636 bytes, patch)
2021-03-31 14:24 CEST, Julia Bremer

Description Julia Bremer univentionstaff 2021-03-30 11:56:54 CEST
When configuring squid as a transparent proxy, squid is not able to start any more. 
In order to generate a valid URL to fetch some needed content, squid needs a port configured to receive normal forward-proxy traffic. 
In this case port 3128 is now used as a transparent port and cannot be used as such.
Adding an additional port in the squid.conf, e.g. 

http_port 3129

makes it so squid can be started again. 
Transparent proxy mode then works as expected.

To reproduce (UCS5 only):
univention-app install squid
echo "1" >/proc/sys/net/ipv4/ip_forward
ucr set squid/transparentproxy=yes
/etc/init.d/univention-firewall restart
/etc/init.d/squid restart

Logs:
Mär 30 11:47:47 p16 squid[13982]: ERROR: No forward-proxy ports configured.
Mär 30 11:47:47 p16 squid[13982]: Not currently OK to rewrite swap log.
Mär 30 11:47:47 p16 squid[13982]: storeDirWriteCleanLogs: Operation aborted.
Mär 30 11:47:47 p16 squid[13982]: FATAL: mimeLoadIcon: cannot parse internal URL: http://p16.jbp16.intranet:0/squid-internal-static/icons/silk/image.png

Docs:
https://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts
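
Added illustration (not part of the original report and not code from univention-squid): a Python check for the condition described above, where every http_port in squid.conf is an interception listener and no forward-proxy port remains. The function names and both sample configurations are constructed for this example, and only http_port lines are examined.

```python
import re

# http_port mode flags that make a listener interception-only.
# "transparent" is the older spelling of "intercept".
INTERCEPT_FLAGS = {"intercept", "transparent", "tproxy"}

# Constructed samples: the failing setup and the setup after adding a port.
BROKEN = "# constructed sample\nhttp_port 3128 intercept\n"
FIXED = BROKEN + "http_port 3129  # plain forward-proxy port\n"


def parse_http_ports(conf_text):
    """Return [(address, is_intercepted)] for every http_port directive."""
    ports = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = re.split(r"\s+", line) if line else []
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        options = {f.lower() for f in fields[2:]}
        ports.append((fields[1], bool(options & INTERCEPT_FLAGS)))
    return ports


def forward_proxy_ports(conf_text):
    """Addresses of http_port listeners that accept normal proxy traffic."""
    return [addr for addr, intercepted in parse_http_ports(conf_text)
            if not intercepted]


def check(conf_text):
    """Return a problem description, or None if a forward port exists."""
    ports = parse_http_ports(conf_text)
    if not ports:
        return "no http_port directive found"
    if not forward_proxy_ports(conf_text):
        return ("only interception ports configured; "
                "add a plain http_port such as 3129")
    return None


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "->", check(conf) or "ok")
```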
Comment 1 Ingo Steuwer univentionstaff 2021-03-30 13:36:43 CEST
This is needed as soon as we have UCS@school for UCS 5.0.
Comment 3 Julia Bremer univentionstaff 2021-03-31 14:15:28 CEST
Created attachment 10677 [details]
squid.conf patch
Comment 4 Julia Bremer univentionstaff 2021-03-31 14:24:20 CEST
Created attachment 10678 [details]
actual squid.conf patch ..
Comment 5 Florian Best univentionstaff 2021-03-31 14:47:22 CEST
See also git:9d5891bb870705ea05ae976a1d21997756f46dcf which is related to the new behavior. It looks like it was broken in UCS 4.4 as well, but didn't come into effect because 'squid/virusscan'/'squid/contentscan' was set there?
Comment 6 Julia Bremer univentionstaff 2021-03-31 20:10:46 CEST
I tried to reproduce this in ucs4, the same error is shown
(ERROR: No forward-proxy ports configured),
but squid starts and works as a transparent proxy as expected.
I guess the older squid version did not try to fetch from any internal url as this version does?
Comment 7 Florian Best univentionstaff 2021-04-14 18:01:34 CEST
Fixed in (applied patch without typos):

univention-squid (13.0.3-1)
d4d1fe7d18e2 | Bug #53011: make sure squid starts when configured as transparent proxy

interim bug, no changelog required.
Comment 8 Julia Bremer univentionstaff 2021-04-24 15:31:56 CEST
Installation: OK
Squid runs after being configured as a transparent proxy: OK
Additional port opened if transparent proxy: OK

Verified
Comment 9 Florian Best univentionstaff 2021-05-25 16:02:39 CEST
UCS 5.0 has been released:
 https://docs.software-univention.de/release-notes-5.0-0-en.html
 https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".