[squid-users] file descriptors leak

André Janna andre61 at brazcubas.br
Sun Nov 22 03:10:22 UTC 2015 

I'm running Squid 3.5.10 on Debian Jessie and after some hours of execution
it runs out of file descriptors.
Squid is listening on port 3125, 3126 and 3127.
Port 3126 is used for intercepting, via iptables redirect, https
connections mostly from mobile devices like smartphones. On this port is
active ssl-bump but I'm not decrypting https traffic, only "peek" to get
https server host name.
Port 3125 is used for intercepting http connections of the same mobile
devices whose https traffic is intercepted on port 3126.
Port 3127 is used for clients configured to use a proxy.
Leaked file descriptors are all related to connection on port 3126 (https
intercept ssl-bump).
A sample output of lsof command gives:

    squid     32490            proxy   12u    
IPv6            4065613       0t0        TCP
172.16.10.22:3126->192.168.93.113:55815 (CLOSE_WAIT)
    squid     32490            proxy   14u    
IPv6            4097822       0t0        TCP
172.16.10.22:3126->192.168.90.207:52288 (ESTABLISHED)
    ...

where 172.16.10.22 is an IP address of my Squid installation and
192.168.x.x are mobile devices.
Is seems that this condition is triggered by "local IP does not match any
domain IP" error logged by Squid in cache.log, but I'm not sure if all
stuck connections are caused by this kind of error.
For the 2 connections of the sample above the related cache.log errors are:

    2015/11/21 12:57:51.229 kid1| SECURITY ALERT: Host header forgery
detected on local=23.0.163.57:443 remote=192.168.93.113:55815 FD 12
flags=33 (local IP does not match any domain IP)
    2015/11/21 13:59:44.230 kid1| SECURITY ALERT: Host header forgery
detected on local=198.144.127.162:443 remote=192.168.90.207:52288 FD 14
flags=33 (local IP does not match any domain IP)

"lsof" sample output was taken more that 10 hours after Squid logged these
errors and it shows that Squid is still holding connections open, using a
lot of file descriptors.

Regards,
    André

--- my squid.conf ---
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
acl squid-internal-static url_regex
^http://nat-academico:3127/squid-internal-static/
acl e2guardian localport 3127
follow_x_forwarded_for allow localhost
http_access allow squid-internal-static
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow localnet e2guardian
include /etc/squid/transparent-blacklist.conf
include /etc/squid/transparent-whitelist.conf
http_access allow transparent-whitelist-http
http_access deny transparent-blacklist-http
http_access allow localnet
http_access deny all
http_port 3127
http_port 3125 intercept
https_port 3126 cert=/etc/ssl/certs/nat-academico.crt
key=/etc/ssl/private/services.key intercept ssl-bump
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump splice transparent-whitelist-https
ssl_bump terminate transparent-blacklist-https
cache_dir ufs /var/spool/squid 10000 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%    
4320
dns_v4_first on
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151122/e7d15635/attachment-0001.html>

More information about the squid-users mailing list