Re: [squid-users] commBind: Cannot bind socket error

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 01 May 2012 17:51:52 +1200

On 1/05/2012 1:36 a.m., Nick Howitt wrote:
> Hi,
> I am new to squid and I am trying to run in on my ClearOS 5.2 gateway
> where it is supplied as a pre-configured package. However, whenever I
> try to start it I lose all internet access. I would like to run it in
> transparent mode which is a menu option I have for it.
>
> My cache.log reads:
> 2012/04/25 12:51:06| Starting Squid Cache version 2.6.STABLE21 for
> i686-redhat-linux-gnu...
>
<snip>
> 2012/04/25 12:51:06| Accepting proxy HTTP connections at 0.0.0.0, port
> 3128, FD 13.

So squid is configured to listen on a wildcard port (*:3128) which binds
to every IP address the box has using a single open+listen operation.
This is successful.

Then Squid is *also* instructed to bind particular IP:port combinations ...

> 2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to
> 192.168.3.1:3128: (98) Address already in use

... oops, *:3128 is already open ...

> 2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to
> 192.168.2.1:3128: (98) Address already in use

... oops, *:3128 is already open ...

> 2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to
> 127.0.0.1:3128: (98) Address already in use

... oops, *:3128 is already open ...

> At this point I lose internet access, and it does not change when I
> switch it to transparent mode. I am not aware of anything else running
> on port 3128 and netstat -an -t | grep 3128 shows nothing.

You configured Squid to open port 3128 four times. Only the first
attempt succeeds, the others clash with it.

Squid is operating with the wildcard port open for all traffic. BUT,
intercepted traffic cannot be received by the regular forward-proxy port
3128. Your requests passed to any IP and port 3128 are rejected as
malformed client->proxy requests (true, because they are client->origin
format requests).

>
> If it helps at all, this is my squid.conf:
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.0/8
> acl webconfig_lan src 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24
> acl webconfig_to_lan dst 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access allow webconfig_to_lan

The above "allow webconfig_to_lan" rule opens your proxy to 4 out of the
5 most common proxy attacks
http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls

Oops.

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

Move your global allow rule down to here below the basic security
protections.

And consider carefully why you need it in the first place. There are no
accel mode ports configured. For an interception proxy you should be
able to depend on the src type ACL to operate correctly or you have
configured the interception rules wrong.

> http_access allow localhost
> http_access allow webconfig_lan
> http_access deny all
> icp_access allow all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> coredump_dir /var/spool/squid
> error_directory /etc/squid/errors
> follow_x_forwarded_for allow localhost
> http_port 192.168.3.1:3128 transparent
> http_port 192.168.2.1:3128 transparent
> http_port 127.0.0.1:3128 transparent
>
> Can anyone help me, please?

Please follow the advice in
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat#iptables_configuration

Additionally, why do you have three interception ports? And why is
127.0.0.1 involved?

Amos
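The bind clash Amos walks through above can be reproduced outside Squid. The following is an added illustration, not code from the thread or from the Squid project: it opens a wildcard TCP listener on a kernel-chosen port (standing in for `http_port 3128`, which opens *:3128) and then tries to bind 127.0.0.1 on that same port (standing in for `http_port 127.0.0.1:3128 transparent`). On Linux the second bind fails with errno 98, EADDRINUSE, which is exactly what the `commBind: Cannot bind socket` lines in cache.log report. A kernel-chosen port is used so the demonstration does not depend on 3128 being free on the machine it runs on.

```python
import errno
import socket


def bind_conflict_demo():
    """Open a wildcard listener, then try to bind a specific address on the
    same port, mirroring "http_port 3128" followed by
    "http_port 127.0.0.1:3128 transparent" in the quoted squid.conf.

    Returns (port, outcome): outcome is "OK" if the second bind succeeded,
    otherwise the errno name. Expected on Linux: "EADDRINUSE" (errno 98).
    """
    wildcard = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Equivalent of "http_port 3128": one bind+listen on *:<port>.
        # Port 0 lets the kernel choose a free port (constructed for the demo).
        wildcard.bind(("0.0.0.0", 0))
        wildcard.listen(5)
        port = wildcard.getsockname()[1]

        # Equivalent of "http_port 127.0.0.1:<port> transparent": the port is
        # already covered by the wildcard listener, so this bind clashes.
        specific = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            specific.bind(("127.0.0.1", port))
            return port, "OK"
        except OSError as exc:
            return port, errno.errorcode.get(exc.errno, str(exc.errno))
        finally:
            specific.close()
    finally:
        wildcard.close()


if __name__ == "__main__":
    port, outcome = bind_conflict_demo()
    print(f"wildcard *:{port} open; bind 127.0.0.1:{port} -> {outcome}")
```

Only the first of the four `http_port` lines in the quoted config wins for the same reason: once *:3128 is listening, every later bind of an interface address on port 3128 gets the same EADDRINUSE, so the three interception listeners never exist and intercepted traffic arrives at a port that only understands forward-proxy requests.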
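Amos's point about rule order (move `allow webconfig_to_lan` below `deny !Safe_ports` and `deny CONNECT !SSL_ports`) can be checked with a small first-match evaluator. This is an added example, not Squid's code and not from the thread: it is a deliberately simplified model of `http_access` evaluation covering only the `src`, `dst`, `port` and `method` ACL types used in the quoted squid.conf (the two `manager` lines are omitted since they only apply to cache_object requests). The ACL definitions and both rule orders are taken from the quoted config; the sample requests and their addresses are constructed for the demonstration.

```python
import ipaddress

# ACLs copied from the quoted squid.conf (manager/proto ACL omitted).
ACLS = {
    "all":              ("src", ["0.0.0.0/0"]),
    "localhost":        ("src", ["127.0.0.0/8"]),
    "webconfig_lan":    ("src", ["192.168.2.0/24", "192.168.3.0/24", "192.168.10.0/24"]),
    "webconfig_to_lan": ("dst", ["192.168.2.0/24", "192.168.3.0/24", "192.168.10.0/24"]),
    "SSL_ports":        ("port", [(443, 443)]),
    "Safe_ports":       ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                                  (1025, 65535), (280, 280), (488, 488), (591, 591),
                                  (777, 777)]),
    "CONNECT":          ("method", ["CONNECT"]),
}

# http_access lines as posted: the global dst allow sits above the safety denies.
ORIGINAL_ORDER = [
    ("allow", ["webconfig_to_lan"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["webconfig_lan"]),
    ("deny",  ["all"]),
]

# The order Amos recommends: safety denies first, the dst allow below them.
REORDERED = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["webconfig_to_lan"]),
    ("allow", ["localhost"]),
    ("allow", ["webconfig_lan"]),
    ("deny",  ["all"]),
]


def acl_matches(name, req):
    """Does a single named ACL match the request (dict with src/dst/port/method)?"""
    kind, values = ACLS[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    raise ValueError(f"unsupported ACL type {kind}")


def line_matches(acl_names, req):
    """An http_access line matches only if every ACL on it matches ('!' negates)."""
    for token in acl_names:
        negate = token.startswith("!")
        if acl_matches(token.lstrip("!"), req) == negate:
            return False
    return True


def http_access(rules, req):
    """First matching line decides; if none match, the opposite of the last action."""
    for action, acl_names in rules:
        if line_matches(acl_names, req):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed sample: a request from outside the LAN to a LAN host on port 23.
OUTSIDE_TO_LAN_TELNET = {"src": "203.0.113.9", "dst": "192.168.2.20", "port": 23, "method": "GET"}

if __name__ == "__main__":
    print("original order:", http_access(ORIGINAL_ORDER, OUTSIDE_TO_LAN_TELNET))
    print("reordered     :", http_access(REORDERED, OUTSIDE_TO_LAN_TELNET))
```

With the posted order, any client at all is allowed to reach any LAN host on any port as long as the destination is in the webconfig_to_lan ranges, because that allow line matches before the Safe_ports and CONNECT checks are ever reached. Once the allow is moved below the two deny lines, the same request is rejected by `deny !Safe_ports`, while ordinary LAN clients fetching port 80 are still allowed through `allow webconfig_lan`.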
Received on Tue May 01 2012 - 05:52:01 MDT
