First of all, sorry for my English.
I’m testing NS7b2 in a real machine.
My server act as a gateway, DC and Proxy.
Everything worked fine until I created a profile that bypass the proxy filter for a specific group. After that, Squid service stopped and shared folders turned inaccessible.
Deleting that profile makes Squid to start again, but wrong permissions on shared folders still remains.
I reproduced this behavior twice in a real machine and once in Virtualbox.
Cheers.
install DC, file server, web proxy and web content filter;
configure DC to use 10.0.0.2;
create users;
create groups and put users inside them;
create folders for each group given group write permissions;
join Windows client and test folders permissions: everything is OK;
enable web proxy with transparent SSL;
test folders permissions: OK;
enable web content filter, enable antivirus, save and download Université
Toulouse in blacklists, edit default filter to block undesired contents,
create a new filter for a new profile, create a new profile for a specific
group in DC (in “Who” box choose group@server) and click submit button;
go to services: squid, squidclamav and c-icap are disabled and stopped;
go to Windows client and test folders permissions: every folder is
inaccessible.
I tried one more time, because i notice that nethserver-DC released a new
version, but i got same result.
Cheers,
Thank you @celiofk for your detailed report! I’ll try to reproduce this behavior. In the meanwhile I hope somebody in @dev_team has an idea about the origin of the problem.
Did you notice anything relevant message in the log files? Could you attach here some log excerpts?
Squid is stopped because squidGuard dies with a segfault.
You should find something like this inside the /var/log/messages:
Sep 27 10:40:29 test squid[10716]: Squid Parent: (squid-1) process 10772 started
Sep 27 10:40:29 test kernel: squidGuard[10778]: segfault at ffffffff905c01a0 ip 00007f3f8f6dc782 sp 00007ffd94c39468 error 5 in libc-2.17.so[7f3f8f592000+1b7000]
Sep 27 10:40:29 test kernel: squidGuard[10779]: segfault at ffffffffd981b1b8 ip 00007fa4d8937eec sp 00007fffc14c34b8 error 5 in libc-2.17.so[7fa4d87ed000+1b7000]
Sep 27 10:40:29 test kernel: squidGuard[10781]: segfault at ffffffffb3ca91a0 ip 00007f8bb2dc5782 sp 00007ffc4d94cf38 error 5 in libc-2.17.so[7f8bb2c7b000+1b7000]
Sep 27 10:40:29 test kernel: squidGuard[10780]: segfault at 23fd81b8 ip 00007f9b230f4eec sp 00007fff36b40398 error 4 in libc-2.17.so[7f9b22faa000+1b7000]
Sep 27 10:40:29 test kernel: squidGuard[10782]: segfault at 4d3771a0 ip 00007f604c493782 sp 00007ffd7866c958 error 4 in libc-2.17.so[7f604c349000+1b7000]
Sep 27 10:40:29 test (squid-1): The redirector helpers are crashing too rapidly, need help!
Sep 27 10:40:29 test squid[10716]: Squid Parent: (squid-1) process 10772 exited with status 1
Sep 27 10:40:29 test squid[10716]: Squid Parent: (squid-1) process 10772 will not be restarted due to repeated, frequent failures
Sep 27 10:40:29 test squid[10716]: Exiting due to repeated, frequent failures
Please check that clamd is running along with c-icap
systemctl status c-icap
systemctl status clamd@squidclamav
Today I tested SquidGuard.
It doesn’t crash anymore, but I noticed two points:
if antivirus is disabled, c-icap service doesn’t start and stay disabled
still enable filter is marked and submitted;
when create a profile for an ACL group with a custom filter that allow
all contents, all others groups can bypass the default filter content;
That’s it.
Cheers
OK, c-icap service was disabled and stopped, but in the web content filter page is marked enabled. If I need antivirus enabled to run web content filter, why is there an option to disable it?
Is this bug solved in NS7b2?
I’m having same problem in RC2: created a profile that release access to everything for some DC group and users, but all of them are blocked.
Cheers,