# Squid does not start



## nosferatu (Mar 14, 2017)

When I try to start squid it stucks and I cannot use the command line until I press `Ctrl+C`. There is no squid.pid on /var/run/squid and directory owned by squid.

ICAP Services running with no issue. I tested it before this error.

/dev/pf readable by squid.

I deinstalled and reinstalled the port. Still no luck.

My `squid -v`:

```
Squid Cache: Version 3.5.24
Service Name: squid
configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth' '--enable-zph-qos' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--with-openssl=/usr' 'LIBOPENSSL_CFLAGS=-I/usr/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd' '--disable-stacktraces' '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--with-heimdal-krb5=/usr' 'CFLAGS=-I/usr/include -O2 -pipe  -fstack-protector -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib  -pthread  -fstack-protector' 'LIBS=-lkrb5 -lgssapi -lgssapi_krb5 ' 'KRB5CONFIG=/usr/bin/krb5-config' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--enable-auth-basic=DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs diskd rock ufs' '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.0' 'build_alias=amd64-portbld-freebsd11.0' 'CC=cc' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector -fno-strict-aliasing  -Wno-unknown-warning-option -Wno-undefined-bool-conversion -Wno-tautological-undefined-compare -Wno-dynamic-class-memaccess' 'CPP=cpp' --enable-ltdl-convenience
```

My squid.conf:

```
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

icap_enable on

icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:13441/maskGZIP
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:13442/embedTracker

adaptation_access service_req allow all
adaptation_access service_resp allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access allow all

# Squid normally listens to port 3128
http_port 185.86.167.206:3129
http_port 185.86.167.206:3128 transparent

# Uncomment and adjust the following to add a disk cache directory.
```

My pf.conf:

```
rdr pass inet proto tcp from any to 185.86.167.206 port 0:3127 -> 185.86.167.206 port 3128
rdr pass inet proto tcp from any to 185.86.167.206 port 3130:10000 -> 185.86.167.206 port 3128

block in
pass in quick on em0
pass in quick on em1
pass out keep state
```

`truss service squid` onestart:
Go to pastebin

Thanks for help.


----------



## SirDice (Mar 14, 2017)

nosferatu said:


> ```
> rdr pass inet proto tcp from any to 185.86.167.206 port 0:3127 -> 185.86.167.206 port 3128
> rdr pass inet proto tcp from any to 185.86.167.206 port 3130:10000 -> 185.86.167.206 port 3128
> ```


These are never going to work.


```
Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for
     connections originating from the outside.  Connections to the address of
     the external interface from local hosts will not be redirected, since
     such packets do not actually pass through the external interface.     
     [b]Redirections cannot reflect packets back through the interface they   
     arrive on, they can only be redirected to hosts connected to different
     interfaces or to the firewall itself.[/b]
```

And you've configured Squid to be transparant but your firewall rules don't reflect this and you're trying to use it non-tranparantly.


Please use something like Pastebin to paste huge amounts of output.


----------



## nosferatu (Mar 14, 2017)

But why won't squid start. I just read a configuration for pf on squid web page. If it is wrong I can fix it but is it the reason squid is not starting?


----------



## SirDice (Mar 14, 2017)

```
stat("/var/run/squid/squid.pid",0x7fffffffdbb0)  ERR#2 'No such file or directory'
```
Looks like there's no /var/run/squid/ and/or the squid user doesn't have permission to write there.


----------



## nosferatu (Mar 14, 2017)

SirDice said:


> Looks like there's no /var/run/squid/ and/or the squid user doesn't have permission to write there.



I tried `chown squid:squid squid` in /var/run but no difference. Should I do something different?


----------



## SirDice (Mar 14, 2017)

Do NOT change the ownership of /var/run/ or other daemons are going to have issues.


----------



## nosferatu (Mar 14, 2017)

SirDice said:


> Do NOT change the ownership of /var/run/ or other daemons are going to have issues.



Not /var/run but i changed ownership of /var/run/squid


----------



## SirDice (Mar 14, 2017)

Start Squid in foreground mode, with debugging enabled. That will provide better information, truss(1) output is really only useful if there's an issue with the application itself, it's not much help when debugging configuration issues.


----------



## nosferatu (Mar 14, 2017)

```
2017/03/14 16:21:05| Set Current Directory to /var/squid/cache
2017/03/14 16:21:05| Starting Squid Cache version 3.5.24 for amd64-portbld-freebsd11.0...
2017/03/14 16:21:05| Service Name: squid
2017/03/14 16:21:05| Process ID 49256
2017/03/14 16:21:05| Process Roles: master worker
2017/03/14 16:21:05| With 28557 file descriptors available
2017/03/14 16:21:05| Initializing IP Cache...
2017/03/14 16:21:05| DNS Socket created at [::], FD 8
2017/03/14 16:21:05| DNS Socket created at 0.0.0.0, FD 9
2017/03/14 16:21:05| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2017/03/14 16:21:05| Adding nameserver 8.8.4.4 from /etc/resolv.conf
2017/03/14 16:21:05| Logfile: opening log daemon:/var/log/squid/access.log
2017/03/14 16:21:05| Logfile Daemon: opening log /var/log/squid/access.log
2017/03/14 16:21:05| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/03/14 16:21:05| Store logging disabled
2017/03/14 16:21:05| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2017/03/14 16:21:05| Target number of buckets: 1008
2017/03/14 16:21:05| Using 8192 Store buckets
2017/03/14 16:21:05| Max Mem  size: 262144 KB
2017/03/14 16:21:05| Max Swap size: 0 KB
2017/03/14 16:21:05| Using Least Load store dir selection
2017/03/14 16:21:05| Set Current Directory to /var/squid/cache
2017/03/14 16:21:05| Finished loading MIME types and icons.
2017/03/14 16:21:05| HTCP Disabled.
```


----------

