# [Solved] Squid: ACL 'manager' already exists

## elmar283

For a couple of days now my squid will not start anymore. I get an error message:

```
elmarotter@ZaphodBeeblebrox ~ $ sudo /etc/init.d/squid start
 * Initializing cache directory /var/cache/squid ...                  [ !! ]
2013/03/04 12:48:51| aclParseAclLine: ACL 'manager' already exists with different type.
FATAL: Bungled squid.conf line 6: acl manager proto cache_object
Squid Cache (Version 3.2.6): Terminated abnormally.
CPU Usage: 0.022 seconds = 0.014 user + 0.008 sys
Maximum Resident Size: 31104 KB
Page faults with physical i/o: 0
 * ERROR: squid failed to start
```

I haven't changed the script so I don't know what's wrong. I also don't know where the ACL 'manager' should have been made before.

Here are some configs:

```
elmarotter@ZaphodBeeblebrox ~ $ cat /etc/squid/squid.conf
debug_options ALL,1 33,2 28,9
#
# Recommended minimum configuration:
#
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.0.0/24
#acl localnet src 192.168.178.0/24
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl SSL_ports port 443 # RFC1918 possible internal network
acl Safe_ports port 80 # RFC1918 possible internal network
acl Safe_ports port 21 # RFC1918 possible internal network
acl CONNECT method CONNECT # RFC 4193 local private network range
acl Safe_ports port 443 # RFC 4291 link-local (directly plugged) machines
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535 # http
acl Safe_ports port 280 # ftp
acl Safe_ports port 488 # https
acl Safe_ports port 591 # gopher
acl Safe_ports port 777 # wais
#acl blockeddomain url_regex "/etc/squid/blocked.domains.acl"
#acl blockeddomain dstdomain "/etc/squid/blocked.domains.acl"
#acl regex url_regex "/etc/squid/blocked.regex.acl"
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
#http_access deny regex
#http_access deny blockeddomain
http_access allow manager localhost
http_access allow localnet
# Deny requests to certain unsafe ports
http_access allow localhost
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny manager
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access deny !Safe_ports
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access deny to_localhost
http_access deny all
# And finally deny all other access to this proxy
# Squid normally listens to port 3128
#http_port 3128
http_port 3128 intercept
#http_port 3129 transparent
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /opt/local/var/squid/cache 100 16 256
cache_dir ufs /var/cache/squid 100 16 256
#cache_mem = 256 MB
cache_mem 256 MB
cache_dir ufs /usr/tmp/squid/cache 50000 64 512
# Leave coredumps in the first cache dir
coredump_dir /usr/tmp/squid/cache
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?) 0   0%   0
refresh_pattern .      0   20%   4320
cache_effective_user squid
cache_effective_group squid
#https_port 3129 intercept
#url_rewrite_program /etc/adzapper/wrapzap
#url_rewrite_children 10
cache_mgr name@domain.nl (mail deleted)
```

```
elmarotter@ZaphodBeeblebrox ~ $ emerge -pv squid
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild   R    ] net-proxy/squid-3.2.6  USE="ipv6 logrotate mysql pam samba sasl sqlite ssl -caps -ecap -icap-client (-ipf-transparent) -kerberos (-kqueue) -ldap -nis (-pf-transparent) -postgres -qos -radius (-selinux) -snmp -ssl-crtd {-test} -tproxy" 0 kB
Total: 1 package (1 reinstall), Size of downloads: 0 kB
```

Last edited by elmar283 on Sun Apr 14, 2013 6:58 am; edited 1 time in total

----------

## massimo

Remove that line and restart.

```
acl manager proto cache_object
```

----------

## elmar283

After deleting ACL 'manager' I get a new error and warning message:

```
2013/03/06 17:59:19| ERROR: '0.0.0.0/0.0.0.0' needs to be replaced by the term 'all'.
2013/03/06 17:59:19| SECURITY NOTICE: Overriding config setting. Using 'all' instead.
2013/03/06 17:59:19| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2013/03/06 17:59:19| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '::/0' from the ACL named 'all'
2013/03/06 17:59:19| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2013/03/06 17:59:19| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2013/03/06 17:59:19| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2013/03/06 17:59:19| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2013/03/06 17:59:19| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'
2013/03/06 17:59:19| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'
2013/03/06 17:59:19| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'
2013/03/06 17:59:19| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'
2013/03/06 17:59:19| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'
2013/03/06 17:59:19| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable
2013/03/06 17:59:19| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'
squid: No running copy
```

I still ask myself the question what has changed in squid, since I didn't edit the config file.

----------

## massimo

Did you upgrade squid recently?

----------

## oleo

Hi all!

I have the same problem and I've recently upgraded squid.

I'm working hard on the squid configuration to get it to work, but so far I still haven't found the solution.

Clients can only see HTTPS sites. Normal HTTP sites are blocked and squid says "Denied Access".

This is my squid configuration (I'm using squid+dansguardian)

```
acl erendil   src 192.168.0.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_reply_access allow all
icp_access allow localhost
icp_access allow erendil
http_access allow localhost
http_access allow erendil
http_access deny all
icp_access deny all
http_port 192.168.0.1:3128 transparent
cache_dir ufs /var/cache/squid 100 16 256
minimum_object_size 10 KB
maximum_object_size 8192 KB
access_log /var/log/squid/access.log squid
logfile_rotate 3
coredump_dir /var/cache/squid
acl CGI urlpath_regex cgi-bin \?
acl ASP urlpath_regex asp \?
acl PHP urlpath_regex php \?
acl JSP urlpath_regex jsp \?
cache deny CGI ASP PHP JSP
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
cache_effective_user squid
cache_effective_group squid
visible_hostname gandalf2
icp_port 3130
forwarded_for off
```

----------

## syn0ptik

You do not close all traffic with the rule at the end of it.

```
#acl all src 0.0.0.0/0.0.0.0 
```

----------

## oleo

This doesn't solve it. :(

----------

## Irom

*http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid wrote:*

> From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

The messages went away for me after commenting out these three ACLs. As they came from a previous default configuration file I guess the config should be safe without any further changes.

----------

## elmar283

Yes I updated squid recently. That is when the problem occurred. 

What I would like to know is:

- what has changed?

- is there some standard somewhere outside the config file that enables these ACLs?

----------

## dbishop

Normally I would have expected a notice about this, since these lines were in the squid.conf by way of recommendation:

```
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
```

Anyway, having been bitten by the same problem, I commented out the three offending lines. This made the terrifying errors go away and squid would start again:

```
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
```

Not sure if dansguardian will start behaving again, but at least squid is starting now...

----------
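
One way to find and disable the colliding definitions discussed in the posts above, as an added example that is not part of any post. The list of built-in names comes from the FAQ quote (manager, localhost, to_localhost); the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Names Squid 3.2+ defines internally,
# taken from the FAQ quote above.
BUILTIN_ACLS='manager|localhost|to_localhost'

# Print "lineno:text" for every active definition of a built-in ACL name.
# Commented-out lines and http_access rules that only use the names are skipped.
find_builtin_acl_redefs() {
    grep -nE "^[[:space:]]*acl[[:space:]]+(${BUILTIN_ACLS})[[:space:]]" "$1"
}

# Write the config to stdout with those definitions commented out.
# Every other line, including the access rules, is passed through unchanged.
comment_builtin_acl_redefs() {
    sed -E "s/^([[:space:]]*)(acl[[:space:]]+(${BUILTIN_ACLS})[[:space:]])/\1#\2/" "$1"
}

# Constructed sample modelled on the pre-3.2 "recommended minimum" block.
write_sample_conf() {
    cat > "$1" <<'EOF'
debug_options ALL,1 33,2 28,9
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.0.0/24
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all
EOF
}

# Demo: report the collisions, then show the patched rule set.
conf=$(mktemp)
write_sample_conf "$conf"
echo "Redefinitions of built-in ACLs:"
find_builtin_acl_redefs "$conf"
echo "Patched config:"
comment_builtin_acl_redefs "$conf"
rm -f "$conf"
```

After writing the patched file into place, `squid -k parse` checks the configuration for errors before the service is restarted.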

## elmar283

Thanks Irom.  Your answer solves it. I will add [solved] to the topic.

----------

