[squid-users] I am seeing the following in my cache.log

Yuri Voinov yvoinov at gmail.com
Tue Mar 24 20:07:45 UTC 2015



Running out of file descriptors is another problem. You can probably
rebuild your squid with a higher value of the corresponding parameter.


25.03.15 2:05, Monah Baki wrote:
> Thanks Yuri for the URL. The company is a small ISP using policy
> based routing, so using WPAD or GPO isn't feasible.
> 
> If the cause of the server running out of file descriptors and
> giving the "assertion failed: store.cc:1885: "isEmpty()" error, I
> prefer to inform the end user to fix his computer.
> 
> Thanks Monah
> 
> 
> On Tue, Mar 24, 2015 at 3:24 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
> 
> Feel free to look at this:
> 
> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
> 
> 
> 25.03.15 1:18, Monah Baki wrote:
>>>> Running squid 3.5.2 on Centos 6.6
>>>> 
>>>> ./configure --prefix=/home/cache
>>>> --enable-follow-x-forwarded-for --with-large-files
>>>> --enable-ssl --disable-ipv6 --enable-esi 
>>>> --enable-kill-parent-hack --enable-snmp --with-pthreads 
>>>> --with-filedescriptors=65535
>>>> --enable-cachemgr-hostname=hostname 
>>>> --enable-storeio=ufs,aufs,diskd,rock
>>>> 
>>>> We have around 50 users. I am seeing hundreds of thousands of
>>>> the following:
>>>> 
>>>> 
>>>> 2015/03/24 14:57:34.910| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>> 2015/03/24 14:57:34.910| SECURITY ALERT: on URL: www.facebook.com:443
>>>> 2015/03/24 14:57:34.946| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=196.245.252.34:36732 FD 49 flags=33 (local IP does not match any domain IP)
>>>> 
>>>> 
>>>> Then after 2 hours, I get the message in my cache.log:
>>>> 
>>>> 2015/03/24 16:41:42.478| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>> 2015/03/24 16:41:42.478| SECURITY ALERT: on URL: www.facebook.com:443
>>>> 2015/03/24 16:41:42.478| WARNING: 1 swapin MD5 mismatches
>>>> 2015/03/24 16:41:42.478| Could not parse headers from on disk object
>>>> 2015/03/24 16:41:42.478| BUG 3279: HTTP reply without Date:
>>>> 2015/03/24 16:41:42.478| StoreEntry->key: 23F0D6046AB8FE86440CAD447524FCBC
>>>> 2015/03/24 16:41:42.478| StoreEntry->next: 0
>>>> 2015/03/24 16:41:42.478| StoreEntry->mem_obj: 0x1d56470
>>>> 2015/03/24 16:41:42.478| StoreEntry->timestamp: -1
>>>> 2015/03/24 16:41:42.478| StoreEntry->lastref: 1427211702
>>>> 2015/03/24 16:41:42.478| StoreEntry->expires: -1
>>>> 2015/03/24 16:41:42.478| StoreEntry->lastmod: -1
>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_file_sz: 0
>>>> 2015/03/24 16:41:42.478| StoreEntry->refcount: 1
>>>> 2015/03/24 16:41:42.478| StoreEntry->flags: PRIVATE,FWD_HDR_WAIT,VALIDATED
>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_dirn: -1
>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_filen: -1
>>>> 2015/03/24 16:41:42.478| StoreEntry->lock_count: 2
>>>> 2015/03/24 16:41:42.478| StoreEntry->mem_status: 0
>>>> 2015/03/24 16:41:42.478| StoreEntry->ping_status: 2
>>>> 2015/03/24 16:41:42.478| StoreEntry->store_status: 1
>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_status: 0
>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44348 FD 20 flags=33 (local IP does not match any domain IP)
>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: on URL: us-mg5.mail.yahoo.com:443
>>>> 2015/03/24 16:41:42.772| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44349 FD 20 flags=33 (local IP does not match any domain IP)
>>>> 2015/03/24 16:41:42.772| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
>>>> 2015/03/24 16:41:42.772| SECURITY ALERT: on URL: csync.flickr.com:443
>>>> 2015/03/24 16:41:42.800| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=197.255.252.34:13505 FD 20 flags=33 (local IP does not match any domain IP)
>>>> 2015/03/24 16:41:42.800| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>> 2015/03/24 16:41:42.800| SECURITY ALERT: on URL: www.facebook.com:443
>>>> 2015/03/24 16:41:43.115| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=197.255.252.34:13506 FD 31 flags=33 (local IP does not match any domain IP)
>>>> 2015/03/24 16:41:43.115| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>> 2015/03/24 16:41:43.115| SECURITY ALERT: on URL: www.facebook.com:443
>>>> 2015/03/24 16:41:43.115| assertion failed: store.cc:1885: "isEmpty()"
>>>> 
>>>> 
>>>> Then I get a message "running out of file descriptors", for
>>>> that I did the following:
>>>> 
>>>> echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
>>>> echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog
>>>> 
>>>> In my /etc/security/limits.conf, added the following:
>>>> 
>>>> * - nofile 65535
>>>> 
>>>> 
>>>> 
>>>> My squid.conf
>>>> 
>>>> #
>>>> # Recommended minimum configuration:
>>>> #
>>>> 
>>>> # Example rule allowing access from your local networks.
>>>> # Adapt to list your (internal) IP networks from where browsing
>>>> # should be allowed
>>>> acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
>>>> acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
>>>> acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
>>>> acl localnet src fc00::/7       # RFC 4193 local private network range
>>>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>>>> acl blockeddomain dstdomain "/home/cache/etc/blocked.domain.acl"
>>>> 
>>>> acl SSL_ports port 443
>>>> acl Safe_ports port 80        # http
>>>> acl Safe_ports port 21        # ftp
>>>> acl Safe_ports port 443       # https
>>>> acl Safe_ports port 70        # gopher
>>>> acl Safe_ports port 210       # wais
>>>> acl Safe_ports port 1025-65535    # unregistered ports
>>>> acl Safe_ports port 280       # http-mgmt
>>>> acl Safe_ports port 488       # gss-http
>>>> acl Safe_ports port 591       # filemaker
>>>> acl Safe_ports port 777       # multiling http
>>>> acl CONNECT method CONNECT
>>>> acl isnsnmp snmp_community public
>>>> 
>>>> #
>>>> # Recommended minimum Access Permission configuration:
>>>> #
>>>> # Deny requests to certain unsafe ports
>>>> http_access deny !Safe_ports
>>>> 
>>>> # Deny CONNECT to other than secure SSL ports
>>>> http_access deny CONNECT !SSL_ports
>>>> 
>>>> # Only allow cachemgr access from localhost
>>>> http_access allow localhost manager
>>>> http_access deny manager
>>>> 
>>>> cachemgr_passwd password all
>>>> 
>>>> # We strongly recommend the following be uncommented to protect innocent
>>>> # web applications running on the proxy server who think the only
>>>> # one who can access services on "localhost" is a local user
>>>> #http_access deny to_localhost
>>>> 
>>>> #
>>>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>>> #
>>>> 
>>>> # Example rule allowing access from your local networks.
>>>> # Adapt localnet in the ACL section to list your (internal) IP networks
>>>> # from where browsing should be allowed
>>>> http_access deny blockeddomain
>>>> http_access allow localnet
>>>> http_access allow localhost
>>>> snmp_access allow isnsnmp localnet
>>>> 
>>>> # And finally deny all other access to this proxy
>>>> http_access deny all
>>>> # snmp_access deny all
>>>> 
>>>> # Squid normally listens to port 3128
>>>> http_port 3128
>>>> http_port 3129 intercept
>>>> snmp_port 3401
>>>> 
>>>> # Uncomment and adjust the following to add a disk cache directory.
>>>> #cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
>>>> cache_dir aufs /home/cache/var/cache/squid 350000 16 256
>>>> 
>>>> # Leave coredumps in the first cache dir
>>>> coredump_dir /usr/local/squid/var/cache/squid
>>>> 
>>>> access_log daemon:/home/cache/var/logs/access.log squid
>>>> cache_log /home/cache/var/logs/cache.log
>>>> 
>>>> 
>>>> #
>>>> # Add any of your own refresh_pattern entries above these.
>>>> #
>>>> refresh_pattern ^ftp:        1440    20%    10080
>>>> refresh_pattern ^gopher:     1440    0%     1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0%    0
>>>> refresh_pattern .            0       20%    4320
>>>> 
>>>> half_closed_clients off
>>>> # quick_abort_min 0 KB
>>>> # quick_abort_max 0 KB
>>>> # vary_ignore_expire on
>>>> # reload_into_ims on
>>>> # memory_pools off
>>>> cache_mem 9216 MB
>>>> memory_cache_mode always
>>>> client_persistent_connections off
>>>> server_persistent_connections off
>>>> visible_hostname isn-phc-cache
>>>> minimum_object_size 0 KB
>>>> maximum_object_size 96 MB
>>>> maximum_object_size_in_memory 1 MB
>>>> memory_replacement_policy lru
>>>> cache_replacement_policy heap LFUDA
>>>> quick_abort_min 1024 KB
>>>> quick_abort_max 2048 KB
>>>> quick_abort_pct 90
>>>> ipcache_size 10240
>>>> # ipcache_low 90
>>>> # ipcache_high 95
>>>> cache_swap_low 98
>>>> cache_swap_high 100
>>>> # fqdncache_size 16384
>>>> # retry_on_error on
>>>> # offline_mode off
>>>> logfile_rotate 10
>>>> dns_nameservers 8.8.8.8 41.78.211.30
>>>> 
>>>> 
>>>> 
>>>> 
>>>> Were the thousands of thousands of SECURITY ALERTs the cause
>>>> of this?
>>>> 
>>>> 
>>>> Thanks Monah _______________________________________________ 
>>>> squid-users mailing list squid-users at lists.squid-cache.org 
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>> 
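Added example, not part of the thread and not Squid project code: a small Python script that groups the three-line "SECURITY ALERT" blocks Squid writes to cache.log (the "Host header forgery detected" line followed by "By user agent" and "on URL") into events and tallies them per client address and per destination. That is the view an operator needs to see which end users behind an intercept port are generating the volume, which is what Monah says he wants to do. The sample log text below is constructed from the quoted excerpt; the function names and the three-line ordering assumption are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the cache.log excerpt quoted in the thread
# (assembled inline so the script runs offline; not a real log file).
SAMPLE_CACHE_LOG = """\
2015/03/24 16:41:42.747| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44348 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.747| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
2015/03/24 16:41:42.747| SECURITY ALERT: on URL: us-mg5.mail.yahoo.com:443
2015/03/24 16:41:42.772| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44349 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.772| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
2015/03/24 16:41:42.772| SECURITY ALERT: on URL: csync.flickr.com:443
2015/03/24 16:41:42.800| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=197.255.252.34:13505 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.800| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
2015/03/24 16:41:42.800| SECURITY ALERT: on URL: www.facebook.com:443
2015/03/24 16:41:43.115| WARNING: 1 swapin MD5 mismatches
2015/03/24 16:41:43.115| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=196.245.252.34:36732 FD 31 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:43.115| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
2015/03/24 16:41:43.115| SECURITY ALERT: on URL: www.facebook.com:443
"""

# Line shapes as they appear in the quoted excerpt: "<date> <time>| SECURITY ALERT: ..."
FORGERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\| SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local>\S+) remote=(?P<remote>\S+) FD (?P<fd>\d+) "
    r"flags=(?P<flags>\d+) \((?P<reason>[^)]*)\)$"
)
AGENT_RE = re.compile(r"^\S+ \S+\| SECURITY ALERT: By user agent: (?P<ua>.*)$")
URL_RE = re.compile(r"^\S+ \S+\| SECURITY ALERT: on URL: (?P<url>\S+)$")


@dataclass
class ForgeryEvent:
    timestamp: str
    local: str        # intercepted destination as seen by the proxy (ip:port)
    remote: str       # client address (ip:port), the end user to contact
    reason: str       # text in parentheses, e.g. "local IP does not match any domain IP"
    user_agent: str = ""
    url: str = ""     # host:port from the request's Host header


def strip_port(hostport: str) -> str:
    """Drop a trailing :port; keeps bracketed IPv6 literals intact."""
    host, sep, _port = hostport.rpartition(":")
    return host if sep else hostport


def parse_forgery_events(lines):
    """Group Squid's three-line forgery alert blocks into ForgeryEvent objects.

    Assumption (mine): a 'Host header forgery detected' line opens an event, the
    following 'By user agent' and 'on URL' lines belong to it, and 'on URL' closes
    it. Agent/URL lines with no open event (truncated log) are ignored.
    """
    events, current = [], None
    for raw in lines:
        line = raw.rstrip("\n")
        m = FORGERY_RE.match(line)
        if m:
            current = ForgeryEvent(m["ts"], m["local"], m["remote"], m["reason"])
            events.append(current)
            continue
        if current is None:
            continue
        m = AGENT_RE.match(line)
        if m:
            current.user_agent = m["ua"]
            continue
        m = URL_RE.match(line)
        if m:
            current.url = m["url"]
            current = None
    return events


def summarize(events):
    """Tally events by client IP, by requested host and by user agent."""
    return {
        "clients": Counter(strip_port(e.remote) for e in events),
        "destinations": Counter(strip_port(e.url) for e in events if e.url),
        "agents": Counter(e.user_agent for e in events if e.user_agent),
    }


def noisy_clients(events, threshold):
    """Client IPs with at least `threshold` forgery alerts, sorted."""
    counts = Counter(strip_port(e.remote) for e in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_forgery_events(SAMPLE_CACHE_LOG.splitlines())
    for name, counter in summarize(evs).items():
        print(name)
        for key, n in counter.most_common():
            print(f"  {n:6d}  {key}")
    print("clients at or above 2 alerts:", noisy_clients(evs, 2))
```

Run it against a real file with `parse_forgery_events(open("/home/cache/var/logs/cache.log"))`; the per-client counter is the list of subscribers to notify, and the per-destination counter shows whether one site (here www.facebook.com) dominates, which the wiki page linked in the thread explains is the usual symptom of client and proxy resolving the name to different addresses.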

