linuxmuster / linuxmuster-base7

Management scripts for linuxmuster.net V7
GNU General Public License v3.0

Firewall: squid does not start when Single Sign-On is deactivated #89

Closed garblixa closed 4 years ago

garblixa commented 4 years ago

Since the implementation of /usr/local/etc/squid/pre-auth/50-linuxmuster.pre-auth.conf, squid no longer starts if you disable single sign-on on the firewall. 50-linuxmuster.pre-auth.conf should only be generated and active when SSO is enabled.

root@firewall:/usr/local/etc/squid/pre-auth # service squid start
Starting squid.
2020/03/13 13:14:42| Can't use proxy auth because no authentication schemes are fully configured.
2020/03/13 13:14:42| FATAL: ERROR: Invalid ACL: acl InternetAllowed external InternetAllowed

2020/03/13 13:14:42| Squid Cache (Version 4.9): Terminated abnormally.
CPU Usage: 0.012 seconds = 0.006 user + 0.006 sys
Maximum Resident Size: 64400 KB
Page faults with physical i/o: 0
/usr/local/etc/rc.d/squid: WARNING: failed to start squid

https://ask.linuxmuster.net/t/v7-webui-internetsperre-fuer-schueler/4209/25

HappyBasher commented 4 years ago

SSO is activated per default during setup. Deactivating it later in the webinterface does not affect squid restart as far as I see. Is this still an issue?

garblixa commented 4 years ago

It is still an issue. Please check stopping/starting squid on the OPNsense console. You will see that even if you stopped squid with the webinterface there is still a running squid. That's why you cannot see any problem in the webinterface. But squid will not start again, once really stopped.

HappyBasher commented 4 years ago

So I fear this will never be fixed by linuxmuster-base7. How does the server know when the firewall proxy sso setting is changed? This should be documented. We only can avoid this by not activating SSO by default. But this will break the design. It's more like an OPNsense issue, isn't it?

garblixa commented 4 years ago

That's right, it would have to be an OPNsense adjustment if you want it to be correct. So the OPNsense templates would have to be adapted so that 50-linuxpattern.pre-auth.conf is only generated when 20-negotiate.auth.conf, the SSO configuration, is written. I admit, this would not be easy. Alternatively, you could check from the LMN server to see if 20-negotiate.auth.conf is not empty, or contains the string "auth_param negotiate program" (then SSO is enabled), and only then write 50-linuxpattern.pre-auth.conf to OPNsense.
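The server-side check proposed in the comment above, as an added example that is not part of the original thread or of linuxmuster-base7: it treats 20-negotiate.auth.conf as the SSO indicator and only produces the pre-auth file when a real (non-commented) "auth_param negotiate program" directive is present. The file paths, the sample config contents and the helper path are constructed for illustration.

```python
import re
from pathlib import Path
from typing import Optional

# Directive the thread names as the SSO marker in 20-negotiate.auth.conf.
# Anchored at line start so a commented-out directive does not count.
NEGOTIATE_MARKER = re.compile(r"^auth_param\s+negotiate\s+program\b")

# Constructed sample contents (not copied from any real firewall).
SSO_ON = (
    "auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/fw.example.lan\n"
    "auth_param negotiate children 10\n"
)
SSO_OFF = ""                                             # file empty: SSO disabled
SSO_COMMENTED = "# auth_param negotiate program /path/to/helper\n"  # disabled by comment


def sso_enabled(negotiate_conf: str) -> bool:
    """True only if the negotiate config actually configures an auth helper.
    Blank lines and '#' comments are skipped, so an empty or commented file
    is treated as 'SSO off'."""
    for line in negotiate_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if NEGOTIATE_MARKER.match(stripped):
            return True
    return False


def decide_preauth(negotiate_conf: str, preauth_body: str) -> Optional[str]:
    """Return the text to write as 50-linuxmuster.pre-auth.conf, or None when
    it must not be written: without an auth scheme squid aborts with
    "Can't use proxy auth because no authentication schemes are fully configured"."""
    return preauth_body if sso_enabled(negotiate_conf) else None


def sync_preauth(negotiate_path: Path, preauth_path: Path, preauth_body: str) -> bool:
    """Write the pre-auth file when SSO is on, remove it when SSO is off.
    Returns True if the pre-auth file exists afterwards."""
    conf = negotiate_path.read_text() if negotiate_path.exists() else ""
    body = decide_preauth(conf, preauth_body)
    if body is None:
        if preauth_path.exists():
            preauth_path.unlink()
        return False
    preauth_path.write_text(body)
    return True
```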

HappyBasher commented 4 years ago

This is too elaborate. Anyway, the configuration is only written once during setup. And there it fits. After that the server leaves the firewall alone. Monitoring the firewall for changes is out of the question. In case of deactivation of SSO the support must know what to do. Thanks for your contribution. I will link this thread to ask.linuxmuster.net and close this ticket. Related issue is #83.