[squid-users] I am seeing the following in my cache.log

Monah Baki monahbaki at gmail.com
Tue Mar 24 20:09:33 UTC 2015


I compiled it with --with-filedescriptors=65535; anything else that can help?

Thanks

On Tue, Mar 24, 2015 at 4:07 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Running out of filedescriptors is another problem. You probably can
> re-build your squid with a higher value of the corresponding parameter.
>
>
> 25.03.15 2:05, Monah Baki wrote:
>> Thanks Yuri for the URL. The company is a small ISP using policy
>> based routing, so using WPAD or GPO isn't feasible.
>>
>> If the cause of the server running out of file descriptors and
>> giving the "assertion failed: store.cc:1885: "isEmpty()" error, I
>> prefer to inform the end user to fix his computer.
>>
>> Thanks Monah
>>
>>
>> On Tue, Mar 24, 2015 at 3:24 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
>>> Feel free to look at this:
>>>
>>> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
>>>
>>>
>>> 25.03.15 1:18, Monah Baki wrote:
>>>>> Running squid 3.5.2 on Centos 6.6
>>>>>
>>>>> ./configure --prefix=/home/cache
>>>>> --enable-follow-x-forwarded-for --with-large-files
>>>>> --enable-ssl --disable-ipv6 --enable-esi
>>>>> --enable-kill-parent-hack --enable-snmp --with-pthreads
>>>>> --with-filedescriptors=65535
>>>>> --enable-cachemgr-hostname=hostname
>>>>> --enable-storeio=ufs,aufs,diskd,rock
>>>>>
>>>>> We have around 50 users. I am seeing hundreds of thousands of
>>>>> the following:
>>>>>
>>>>>
>>>>> 2015/03/24 14:57:34.910| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>>> 2015/03/24 14:57:34.910| SECURITY ALERT: on URL: www.facebook.com:443
>>>>> 2015/03/24 14:57:34.946| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=196.245.252.34:36732 FD 49 flags=33 (local IP does not match any domain IP)
>>>>>
>>>>>
>>>>> Then after 2 hours, I get the message in my cache.log:
>>>>>
>>>>> 2015/03/24 16:41:42.478| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>>> 2015/03/24 16:41:42.478| SECURITY ALERT: on URL: www.facebook.com:443
>>>>> 2015/03/24 16:41:42.478| WARNING: 1 swapin MD5 mismatches
>>>>> 2015/03/24 16:41:42.478| Could not parse headers from on disk object
>>>>> 2015/03/24 16:41:42.478| BUG 3279: HTTP reply without Date:
>>>>> 2015/03/24 16:41:42.478| StoreEntry->key: 23F0D6046AB8FE86440CAD447524FCBC
>>>>> 2015/03/24 16:41:42.478| StoreEntry->next: 0
>>>>> 2015/03/24 16:41:42.478| StoreEntry->mem_obj: 0x1d56470
>>>>> 2015/03/24 16:41:42.478| StoreEntry->timestamp: -1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->lastref: 1427211702
>>>>> 2015/03/24 16:41:42.478| StoreEntry->expires: -1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->lastmod: -1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_file_sz: 0
>>>>> 2015/03/24 16:41:42.478| StoreEntry->refcount: 1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->flags: PRIVATE,FWD_HDR_WAIT,VALIDATED
>>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_dirn: -1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_filen: -1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->lock_count: 2
>>>>> 2015/03/24 16:41:42.478| StoreEntry->mem_status: 0
>>>>> 2015/03/24 16:41:42.478| StoreEntry->ping_status: 2
>>>>> 2015/03/24 16:41:42.478| StoreEntry->store_status: 1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_status: 0
>>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44348 FD 20 flags=33 (local IP does not match any domain IP)
>>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
>>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: on URL: us-mg5.mail.yahoo.com:443
>>>>> 2015/03/24 16:41:42.772| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44349 FD 20 flags=33 (local IP does not match any domain IP)
>>>>> 2015/03/24 16:41:42.772| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
>>>>> 2015/03/24 16:41:42.772| SECURITY ALERT: on URL: csync.flickr.com:443
>>>>> 2015/03/24 16:41:42.800| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=197.255.252.34:13505 FD 20 flags=33 (local IP does not match any domain IP)
>>>>> 2015/03/24 16:41:42.800| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>>> 2015/03/24 16:41:42.800| SECURITY ALERT: on URL: www.facebook.com:443
>>>>> 2015/03/24 16:41:43.115| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=197.255.252.34:13506 FD 31 flags=33 (local IP does not match any domain IP)
>>>>> 2015/03/24 16:41:43.115| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>>> 2015/03/24 16:41:43.115| SECURITY ALERT: on URL: www.facebook.com:443
>>>>> 2015/03/24 16:41:43.115| assertion failed: store.cc:1885: "isEmpty()"
>>>>>
>>>>>
>>>>> Then I get a message "running out of file descriptors", for
>>>>> that I did the following:
>>>>>
>>>>> echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
>>>>> echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog
>>>>>
>>>>> In my /etc/security/limits.conf, added the following:
>>>>>
>>>>> * - nofile 65535
>>>>>
>>>>>
>>>>>
>>>>> My squid.conf
>>>>>
>>>>> #
>>>>> # Recommended minimum configuration:
>>>>> #
>>>>>
>>>>> # Example rule allowing access from your local networks.
>>>>> # Adapt to list your (internal) IP networks from where browsing
>>>>> # should be allowed
>>>>> acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
>>>>> acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
>>>>> acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
>>>>> acl localnet src fc00::/7       # RFC 4193 local private network range
>>>>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>>>>> acl blockeddomain dstdomain "/home/cache/etc/blocked.domain.acl"
>>>>>
>>>>> acl SSL_ports port 443
>>>>> acl Safe_ports port 80        # http
>>>>> acl Safe_ports port 21        # ftp
>>>>> acl Safe_ports port 443        # https
>>>>> acl Safe_ports port 70        # gopher
>>>>> acl Safe_ports port 210        # wais
>>>>> acl Safe_ports port 1025-65535    # unregistered ports
>>>>> acl Safe_ports port 280        # http-mgmt
>>>>> acl Safe_ports port 488        # gss-http
>>>>> acl Safe_ports port 591        # filemaker
>>>>> acl Safe_ports port 777        # multiling http
>>>>> acl CONNECT method CONNECT
>>>>> acl isnsnmp snmp_community public
>>>>>
>>>>> #
>>>>> # Recommended minimum Access Permission configuration:
>>>>> #
>>>>> # Deny requests to certain unsafe ports
>>>>> http_access deny !Safe_ports
>>>>>
>>>>> # Deny CONNECT to other than secure SSL ports
>>>>> http_access deny CONNECT !SSL_ports
>>>>>
>>>>> # Only allow cachemgr access from localhost
>>>>> http_access allow localhost manager
>>>>> http_access deny manager
>>>>>
>>>>> cachemgr_passwd password all
>>>>>
>>>>> # We strongly recommend the following be uncommented to protect innocent
>>>>> # web applications running on the proxy server who think the only
>>>>> # one who can access services on "localhost" is a local user
>>>>> #http_access deny to_localhost
>>>>>
>>>>> #
>>>>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>>>> #
>>>>>
>>>>> # Example rule allowing access from your local networks.
>>>>> # Adapt localnet in the ACL section to list your (internal) IP networks
>>>>> # from where browsing should be allowed
>>>>> http_access deny blockeddomain
>>>>> http_access allow localnet
>>>>> http_access allow localhost
>>>>> snmp_access allow isnsnmp localnet
>>>>>
>>>>> # And finally deny all other access to this proxy
>>>>> http_access deny all
>>>>> # snmp_access deny all
>>>>>
>>>>> # Squid normally listens to port 3128
>>>>> http_port 3128
>>>>> http_port 3129 intercept
>>>>> snmp_port 3401
>>>>>
>>>>> # Uncomment and adjust the following to add a disk cache directory.
>>>>> #cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
>>>>> cache_dir aufs /home/cache/var/cache/squid 350000 16 256
>>>>>
>>>>> # Leave coredumps in the first cache dir
>>>>> coredump_dir /usr/local/squid/var/cache/squid
>>>>>
>>>>> access_log daemon:/home/cache/var/logs/access.log squid
>>>>> cache_log /home/cache/var/logs/cache.log
>>>>>
>>>>>
>>>>> #
>>>>> # Add any of your own refresh_pattern entries above these.
>>>>> #
>>>>> refresh_pattern ^ftp:        1440    20%    10080
>>>>> refresh_pattern ^gopher:    1440    0%    1440
>>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0%    0
>>>>> refresh_pattern .        0    20%    4320
>>>>>
>>>>> half_closed_clients off
>>>>> # quick_abort_min 0 KB
>>>>> # quick_abort_max 0 KB
>>>>> # vary_ignore_expire on
>>>>> # reload_into_ims on
>>>>> # memory_pools off
>>>>> cache_mem 9216 MB
>>>>> memory_cache_mode always
>>>>> client_persistent_connections off
>>>>> server_persistent_connections off
>>>>> visible_hostname isn-phc-cache
>>>>> minimum_object_size 0 KB
>>>>> maximum_object_size 96 MB
>>>>> maximum_object_size_in_memory 1 MB
>>>>> memory_replacement_policy lru
>>>>> cache_replacement_policy heap LFUDA
>>>>> quick_abort_min 1024 KB
>>>>> quick_abort_max 2048 KB
>>>>> quick_abort_pct 90
>>>>> ipcache_size 10240
>>>>> # ipcache_low 90
>>>>> # ipcache_high 95
>>>>> cache_swap_low 98
>>>>> cache_swap_high 100
>>>>> # fqdncache_size 16384
>>>>> # retry_on_error on
>>>>> # offline_mode off
>>>>> logfile_rotate 10
>>>>> dns_nameservers 8.8.8.8 41.78.211.30
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Were the thousands of thousands of SECURITY ALERTs the cause
>>>>> of this?
>>>>>
>>>>>
>>>>> Thanks Monah
>>>>> _______________________________________________
>>>>> squid-users mailing list
>>>>> squid-users at lists.squid-cache.org
>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBCAAGBQJVEcQRAAoJENNXIZxhPexGL2QIAJrNvdh/tvGcDjgUXl2nFC+B
> 4NfZgnx75nBf8DXOtZuRDPqZl6xdAySxMt1JVPz1GWh0j1+zK5RV40qHXcB73iVd
> UIYXZV/HJxYpXIFkjjp6Cs1BcMI9hVGgDVQD/aEiy58FXGeXidI7yP65Xf4KO2XC
> vNi/E5ceuJS2HxaEPn92QIvFMGHKB3b+xCACpAk9pWkUKM4UpHOaXgYrpoIWyLx+
> +vimU0plLs9SBNaG6DQrq52A0sPO0LlsXHszuQ/DlT/vPJJYMks/Z7Qe2PuHgHOl
> g61sspOAPpaSUZx6dhRuc9g8tclZ8TrxeFgXKl0pETKqYfVMBPlNRVTJn3Kgrrk=
> =mERF
> -----END PGP SIGNATURE-----
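The alerts quoted in this thread all have one three-line shape (the "Host header forgery detected" line with local/remote endpoints and FD, then "By user agent", then "on URL"), and Monah's stated plan is to tell the responsible end users to fix their machines. The following Python is an added example, not part of the thread and not Squid's own code: it groups the alert lines into records, counts them per client IP and user agent, reports the highest descriptor number seen, and re-implements the rule the alert text names (the intercepted destination IP must be one of the addresses the Host header's domain resolves to) against a constructed resolver table. The sample log lines are constructed in the shape of those posted; `RESOLVER`, the 203.0.113.x addresses, and the port comparison (prompted by the `:443` URLs arriving on intercepted port 80) are this example's own assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of the thread's cache.log (not the poster's full log).
SAMPLE_CACHE_LOG = """\
2015/03/24 16:41:42.747| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44348 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.747| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
2015/03/24 16:41:42.747| SECURITY ALERT: on URL: us-mg5.mail.yahoo.com:443
2015/03/24 16:41:42.772| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44349 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.772| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
2015/03/24 16:41:42.772| SECURITY ALERT: on URL: csync.flickr.com:443
2015/03/24 16:41:42.800| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=197.255.252.34:13505 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.800| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
2015/03/24 16:41:42.800| SECURITY ALERT: on URL: www.facebook.com:443
2015/03/24 16:41:43.115| assertion failed: store.cc:1885: "isEmpty()"
"""

# Constructed resolver table standing in for DNS (assumption; addresses are documentation ranges).
RESOLVER: Dict[str, Set[str]] = {
    "www.facebook.com": {"203.0.113.10", "203.0.113.11"},
    "www.example.com": {"85.115.52.158"},
}

FORGERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\| SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<lip>[^:]+):(?P<lport>\d+) remote=(?P<rip>[^:]+):(?P<rport>\d+) "
    r"FD (?P<fd>\d+) flags=\d+ \((?P<reason>[^)]*)\)$"
)
UA_RE = re.compile(r"\| SECURITY ALERT: By user agent: (?P<ua>.*)$")
URL_RE = re.compile(r"\| SECURITY ALERT: on URL: (?P<url>\S+)$")


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Group each forgery line with the user-agent and URL lines that follow it.
    UA/URL lines that arrive with no open forgery record are ignored."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = FORGERY_RE.match(line)
        if m:
            current = m.groupdict()
            records.append(current)
            continue
        m = UA_RE.search(line)
        if m and current is not None:
            current["ua"] = m.group("ua")
            continue
        m = URL_RE.search(line)
        if m and current is not None:
            current["url"] = m.group("url")
            current = None  # record complete
    return records


def summarise(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Who is sending the forged requests, with what client, and to which hosts."""
    return {
        "by_client": Counter(r["rip"] for r in records),
        "by_client_ua": Counter((r["rip"], r.get("ua", "?")) for r in records),
        "targets": Counter(r.get("url", "?") for r in records),
        # Linux hands out the lowest free descriptor, so a low maximum here means the
        # process was nowhere near its descriptor limit when these alerts fired.
        "max_fd": max((int(r["fd"]) for r in records), default=0),
    }


def split_host(host_header: str, default_port: int) -> Tuple[str, int]:
    """'host:port' -> (host, port); bare 'host' takes default_port. No IPv6 literals."""
    host, sep, port = host_header.rpartition(":")
    if not sep:
        return host_header, default_port
    return host, int(port)


def verify_host(local_ip: str, local_port: int, host_header: str,
                resolver: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """The check the alert text describes: the intercepted destination IP must be
    one of the Host domain's addresses. The port comparison is this example's own
    addition (assumption), not a claim about Squid's ordering of checks."""
    host, port = split_host(host_header, local_port)
    if port != local_port:
        return False, "intercepted port does not match Host header port"
    if local_ip not in resolver.get(host.lower(), set()):
        return False, "local IP does not match any domain IP"
    return True, "ok"


if __name__ == "__main__":
    summary = summarise(parse_alerts(SAMPLE_CACHE_LOG))
    for (ip, ua), n in summary["by_client_ua"].most_common():
        print(f"{n:6d}  {ip:<16} {ua}")
    print("max FD seen:", summary["max_fd"])
    print(verify_host("85.115.52.158", 80, "www.facebook.com:443", RESOLVER))
```

Run against a real cache.log the per-client counter is what identifies the end user to contact; in the thread's excerpt every alert comes from one address, 197.255.252.34. The `max_fd` figure is a quick sanity check on the separate "running out of file descriptors" question: descriptor numbers of 20 and 31 at the moment of the alerts say the process was not close to its limit then, so the two symptoms need to be investigated independently.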


More information about the squid-users mailing list