[squid-users] I am seeing the following in my cache.log

Monah Baki monahbaki at gmail.com
Tue Mar 24 20:05:57 UTC 2015 

Thanks Yuri for the URL. The company is a small ISP using policy based
routing, so using WPAD or GPO isn't feasible.

If the cause of the server running out of file descriptions and giving
the "assertion failed: store.cc:1885: "isEmpty()" error, I prefer to
inform the enduser to fix his computer.

Thanks
Monah


On Tue, Mar 24, 2015 at 3:24 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Feel free fo look at this:
>
> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
>
>
> 25.03.15 1:18, Monah Baki пишет:
>> Running squid 3.5.2 on Centos 6.6
>>
>> ./configure --prefix=/home/cache --enable-follow-x-forwarded-for
>> --with-large-files --enable-ssl --disable-ipv6 --enable-esi
>> --enable-kill-parent-hack --enable-snmp --with-pthreads
>> --with-filedescriptors=65535 --enable-cachemgr-hostname=hostname
>> --enable-storeio=ufs,aufs,diskd,rock
>>
>> We have around 50 users. I am seeing hundreds of thousands of the
>> following:
>>
>>
>> 2015/03/24 14:57:34.910| SECURITY ALERT: By user agent:
>> Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko)
>> Chrome/20.0.1092.0 Safari/536.6 2015/03/24 14:57:34.910| SECURITY
>> ALERT: on URL: www.facebook.com:443 2015/03/24 14:57:34.946|
>> SECURITY ALERT: Host header forgery detected on
>> local=85.115.52.158:80 remote=196.245.252.34:36732 FD 49 flags=33
>> (local IP does not match any domain IP)
>>
>>
>> Then after 2 hours, I get the message in my cacahe.log:
>>
>> 2015/03/24 16:41:42.478| SECURITY ALERT: By user agent:
>> Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko)
>> Chrome/20.0.1092.0 Safari/536.6 2015/03/24 16:41:42.478| SECURITY
>> ALERT: on URL: www.facebook.com:443 2015/03/24 16:41:42.478|
>> WARNING: 1 swapin MD5 mismatches 2015/03/24 16:41:42.478| Could not
>> parse headers from on disk object 2015/03/24 16:41:42.478| BUG
>> 3279: HTTP reply without Date: 2015/03/24 16:41:42.478|
>> StoreEntry->key: 23F0D6046AB8FE86440CAD447524FCBC 2015/03/24
>> 16:41:42.478| StoreEntry->next: 0 2015/03/24 16:41:42.478|
>> StoreEntry->mem_obj: 0x1d56470 2015/03/24 16:41:42.478|
>> StoreEntry->timestamp: -1 2015/03/24 16:41:42.478|
>> StoreEntry->lastref: 1427211702 2015/03/24 16:41:42.478|
>> StoreEntry->expires: -1 2015/03/24 16:41:42.478|
>> StoreEntry->lastmod: -1 2015/03/24 16:41:42.478|
>> StoreEntry->swap_file_sz: 0 2015/03/24 16:41:42.478|
>> StoreEntry->refcount: 1 2015/03/24 16:41:42.478| StoreEntry->flags:
>> PRIVATE,FWD_HDR_WAIT,VALIDATED 2015/03/24 16:41:42.478|
>> StoreEntry->swap_dirn: -1 2015/03/24 16:41:42.478|
>> StoreEntry->swap_filen: -1 2015/03/24 16:41:42.478|
>> StoreEntry->lock_count: 2 2015/03/24 16:41:42.478|
>> StoreEntry->mem_status: 0 2015/03/24 16:41:42.478|
>> StoreEntry->ping_status: 2 2015/03/24 16:41:42.478|
>> StoreEntry->store_status: 1 2015/03/24 16:41:42.478|
>> StoreEntry->swap_status: 0 2015/03/24 16:41:42.747| SECURITY ALERT:
>> Host header forgery detected on local=85.115.52.158:80
>> remote=197.255.252.34:44348 FD 20 flags=33 (local IP does not match
>> any domain IP) 2015/03/24 16:41:42.747| SECURITY ALERT: By user
>> agent: WNetCore/0.1.1.1 2015/03/24 16:41:42.747| SECURITY ALERT: on
>> URL: us-mg5.mail.yahoo.com:443 2015/03/24 16:41:42.772| SECURITY
>> ALERT: Host header forgery detected on local=85.115.52.158:80
>> remote=197.255.252.34:44349 FD 20 flags=33 (local IP does not match
>> any domain IP) 2015/03/24 16:41:42.772| SECURITY ALERT: By user
>> agent: WNetCore/0.1.1.1 2015/03/24 16:41:42.772| SECURITY ALERT: on
>> URL: csync.flickr.com:443 2015/03/24 16:41:42.800| SECURITY ALERT:
>> Host header forgery detected on local=85.115.33.158:80
>> remote=197.255.252.34:13505 FD 20 flags=33 (local IP does not match
>> any domain IP) 2015/03/24 16:41:42.800| SECURITY ALERT: By user
>> agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like
>> Gecko) Chrome/20.0.1092.0 Safari/536.6 2015/03/24 16:41:42.800|
>> SECURITY ALERT: on URL: www.facebook.com:443 2015/03/24
>> 16:41:43.115| SECURITY ALERT: Host header forgery detected on
>> local=85.115.33.158:80 remote=197.255.252.34:13506 FD 31 flags=33
>> (local IP does not match any domain IP) 2015/03/24 16:41:43.115|
>> SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1)
>> AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0
>> Safari/536.6 2015/03/24 16:41:43.115| SECURITY ALERT: on URL:
>> www.facebook.com:443 2015/03/24 16:41:43.115| assertion failed:
>> store.cc:1885: "isEmpty()"
>>
>>
>> Then I get a message "running out of file descriptors", for that I
>> did the following: echo 1024 65535 >
>> /proc/sys/net/ipv4/ip_local_port_range echo 8192 >
>> /proc/sys/net/ipv4/tcp_max_syn_backlog
>>
>> In my /etc/security/limits.conf, added the following: * - nofile
>> 65535
>>
>>
>>
>> My squid.conf
>>
>> # # Recommended minimum configuration: #
>>
>> # Example rule allowing access from your local networks. # Adapt to
>> list your (internal) IP networks from where browsing # should be
>> allowed acl localnet src 10.0.0.0/8    # RFC1918 possible internal
>> network acl localnet src 172.16.0.0/12    # RFC1918 possible
>> internal network acl localnet src 192.168.0.0/16    # RFC1918
>> possible internal network acl localnet src fc00::/7       # RFC
>> 4193 local private network range acl localnet src fe80::/10      #
>> RFC 4291 link-local (directly plugged) machines acl blockeddomain
>> dstdomain "/home/cache/etc/blocked.domain.acl"
>>
>> acl SSL_ports port 443 acl Safe_ports port 80        # http acl
>> Safe_ports port 21        # ftp acl Safe_ports port 443        #
>> https acl Safe_ports port 70        # gopher acl Safe_ports port
>> 210        # wais acl Safe_ports port 1025-65535    # unregistered
>> ports acl Safe_ports port 280        # http-mgmt acl Safe_ports
>> port 488        # gss-http acl Safe_ports port 591        #
>> filemaker acl Safe_ports port 777        # multiling http acl
>> CONNECT method CONNECT acl isnsnmp snmp_community public
>>
>> # # Recommended minimum Access Permission configuration: # # Deny
>> requests to certain unsafe ports http_access deny !Safe_ports
>>
>> # Deny CONNECT to other than secure SSL ports http_access deny
>> CONNECT !SSL_ports
>>
>> # Only allow cachemgr access from localhost http_access allow
>> localhost manager http_access deny manager
>>
>> cachemgr_passwd password all
>>
>> # We strongly recommend the following be uncommented to protect
>> innocent # web applications running on the proxy server who think
>> the only # one who can access services on "localhost" is a local
>> user #http_access deny to_localhost
>>
>> # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>> #
>>
>> # Example rule allowing access from your local networks. # Adapt
>> localnet in the ACL section to list your (internal) IP networks #
>> from where browsing should be allowed http_access deny
>> blockeddomain http_access allow localnet http_access allow
>> localhost snmp_access allow isnsnmp localnet
>>
>> # And finally deny all other access to this proxy http_access deny
>> all # snmp_access deny all
>>
>> # Squid normally listens to port 3128 http_port 3128 http_port 3129
>> intercept snmp_port 3401
>>
>> # Uncomment and adjust the following to add a disk cache
>> directory. #cache_dir ufs /usr/local/squid/var/cache/squid 100 16
>> 256 cache_dir aufs /home/cache/var/cache/squid 350000 16 256
>>
>> # Leave coredumps in the first cache dir coredump_dir
>> /usr/local/squid/var/cache/squid
>>
>> access_log daemon:/home/cache/var/logs/access.log squid cache_log
>> /home/cache/var/logs/cache.log
>>
>>
>> # # Add any of your own refresh_pattern entries above these. #
>> refresh_pattern ^ftp:        1440    20%    10080 refresh_pattern
>> ^gopher:    1440    0%    1440 refresh_pattern -i (/cgi-bin/|\?) 0
>> 0%    0 refresh_pattern .        0    20%    4320
>>
>> half_closed_clients off # quick_abort_min 0 KB # quick_abort_max 0
>> KB # vary_ignore_expire on # reload_into_ims on # memory_pools off
>> cache_mem 9216 MB memory_cache_mode always
>> client_persistent_connections off server_persistent_connections
>> off visible_hostname isn-phc-cache minimum_object_size 0 KB
>> maximum_object_size 96 MB maximum_object_size_in_memory 1 MB
>> memory_replacement_policy lru cache_replacement_policy heap LFUDA
>> quick_abort_min 1024 KB quick_abort_max 2048 KB quick_abort_pct 90
>> ipcache_size 10240 # ipcache_low 90 # ipcache_high 95
>> cache_swap_low 98 cache_swap_high 100 # fqdncache_size 16384 #
>> retry_on_error on # offline_mode off logfile_rotate 10
>> dns_nameservers 8.8.8.8 41.78.211.30
>>
>>
>>
>>
>> Was the thousands of thousands of SECURITY ALERT the cause of
>> this?
>>
>>
>> Thanks Monah _______________________________________________
>> squid-users mailing list squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBCAAGBQJVEbnYAAoJENNXIZxhPexGMQgIAMICUhBRZMOIl96wFRHaUz+U
> mFOoHX+dSr5C6hh7mm44ZFq9pWYb8c4EEx+kp5olttpPVFh3cfpl8h8tY73DfWUD
> bWojvcQA+NqQ6rIvJcSAwOJ+bWXx3fPTUefGcAOJ+gZho90DyyLxy6vDSMt/0rnV
> GkpUCTT7r3w/EKQbavjRpAcnEdm0L/tSv70Tui+SlU4ksVn77yIoLJ6xD183B4U+
> 6Heg/x0sd2sMG6nx3452V7v5eaaQXAO3teby/VOUeRthuaFdJDTDn60j96h5Xc8Y
> MSXIbk5qBecRuhVKs6vt2gWC59LYvjNnpSyCv1NyF0PWADi5QPlUVvGxtfUHfHU=
> =5wYL
> -----END PGP SIGNATURE-----
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list