Squid starts even though it's disabled

[oparoz]

After a reboot on 16.1.16, I see this in the logs:

Jun  8 12:14:14 Empyrion squid[80295]: Squid Parent: will start 1 kids
Jun  8 12:14:14 Empyrion squid[80295]: Squid Parent: (squid-1) process 81024 started

And looking at the processes, I can see that squid is running even though it's not enabled in the GUI. It's not even showing up in the list of services.

[fichtner]

This is the cache directory creation on boot, but the "bang for the buck" ratio on this is very low: we'd have to read the XML configuration from a shell script:

https://github.com/opnsense/core/blob/master/src/opnsense/scripts/proxy/setup.sh

Patches welcome, leaving this open.

[fichtner]

Actually, it looks like an artefact of our early days. Try this:

# opnsense-patch bcb39d0 

[oparoz]

Unfortunately, that didn't fix the problem. Note that it's a new problem, I don't think this was present in 16.1.15

[fichtner]

Unlikely a regression...

• What is your contents of /etc/rc.conf.d/squid now?
• How do you verify it doesn't work?

[oparoz]

What is your contents of /etc/rc.conf.d/squid now?

That was easy...

squid_enable=YES

But that's not coherent with the rest of the system since Services: Diagnostics doesn't list the proxy and it's not enabled.

[fichtner]

That seems completely wrong...

What happens to that file when you run:

# configctl template reload OPNsense.Proxy

[oparoz]

Execute error

The system.log says:

Inline action failed with OPNsense.Proxy OPNsense/Proxy/squid.conf 'collections.OrderedDict object' has no attribute 'ipaddr' at Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/processhandler.py", line 505, in execute     return ph_inline_actions.execute(self, inline_act_parameters)   File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 52, in execute     filenames = tmpl.generate(parameters)   File "/usr/local/opnsense/service/modules/template.py", line 322, in generate     raise render_exception Exception: OPNsense.Proxy OPNsense/Proxy/squid.conf 'collections.OrderedDict object' has no attribute 'ipaddr'

[fichtner]

That means it won't ever generate a template, aha. This is something from the proxy model then.

I can also see that template reload on boot does not work for some reason or another. Will need to investigate further.

FWIW, I think the fix is ok, but something else is stuck, too.

[oparoz]

OK, found the problem with my particular setup.
Before turning it off, I was playing with the proxy interfaces and added one for an OpenVPN connection to see if I could have the proxy at a different point in the flow. That seems to create the error I posted above.

So this could easily be solved by blacklisting interfaces which cannot be used by the proxy.

[fichtner]

While I agree that further work needs to be done this isn't entirely related to Squid and the problem has been identified, so I consider this a success. :)

A lessing learned for handling templates and services and fallback behaviour. It needs a bit more internal discussion which sanity checks we can do and how we recover from templates being stuck. Thank you.

[fichtner]

https://forum.opnsense.org/index.php?topic=4446.0