<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title></title>
</head>
<body style="font-family:Arial;font-size:14px">
<p>I'm running Squid 3.5.10 on Debian Jessie and after some hours of execution it runs out of file descriptors.<br>
Squid is listening on ports 3125, 3126 and 3127.<br>
Port 3126 is used for intercepting, via iptables redirect, https connections mostly from mobile devices like smartphones. On this port ssl-bump is active, but I'm not decrypting https traffic, only "peek" to get the https server host name.<br>
Port 3125 is used for intercepting http connections of the same mobile devices whose https traffic is intercepted on port 3126.<br>
Port 3127 is used for clients configured to use a proxy.<br>
Leaked file descriptors are all related to connections on port 3126 (https intercept ssl-bump).<br>
A sample output of the lsof command gives:</p>
<pre>
squid 32490 proxy 12u IPv6 4065613 0t0 TCP 172.16.10.22:3126->192.168.93.113:55815 (CLOSE_WAIT)
squid 32490 proxy 14u IPv6 4097822 0t0 TCP 172.16.10.22:3126->192.168.90.207:52288 (ESTABLISHED)
...
</pre>
<p>where 172.16.10.22 is the IP address of my Squid installation and 192.168.x.x are mobile devices.<br>
It seems that this condition is triggered by the "local IP does not match any domain IP" error logged by Squid in cache.log, but I'm not sure if all stuck connections are caused by this kind of error.<br>
For the 2 connections of the sample above the related cache.log errors are:</p>
<pre>
2015/11/21 12:57:51.229 kid1| SECURITY ALERT: Host header forgery detected on local=23.0.163.57:443 remote=192.168.93.113:55815 FD 12 flags=33 (local IP does not match any domain IP)
2015/11/21 13:59:44.230 kid1| SECURITY ALERT: Host header forgery detected on local=198.144.127.162:443 remote=192.168.90.207:52288 FD 14 flags=33 (local IP does not match any domain IP)
</pre>
<p>The "lsof" sample output was taken more than 10 hours after Squid logged these errors and it shows that Squid is still holding the connections open, using a lot of file descriptors.</p>
<p>Regards,<br>
André</p>
<p>--- my squid.conf ---</p>
<pre>
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
acl squid-internal-static url_regex ^http://nat-academico:3127/squid-internal-static/
acl e2guardian localport 3127
follow_x_forwarded_for allow localhost
http_access allow squid-internal-static
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow localnet e2guardian
include /etc/squid/transparent-blacklist.conf
include /etc/squid/transparent-whitelist.conf
http_access allow transparent-whitelist-http
http_access deny transparent-blacklist-http
http_access allow localnet
http_access deny all
http_port 3127
http_port 3125 intercept
https_port 3126 cert=/etc/ssl/certs/nat-academico.crt key=/etc/ssl/private/services.key intercept ssl-bump
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump splice transparent-whitelist-https
ssl_bump terminate transparent-blacklist-https
cache_dir ufs /var/spool/squid 10000 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
dns_v4_first on
</pre>
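<p>Added example (not part of the post above, and not Squid's own tooling): a small Python script that does the correlation the post describes by hand, joining "Host header forgery" alerts from cache.log to sockets listed by lsof and reporting descriptors that are still open long after the alert. The sample cache.log and lsof lines embedded in it are the two pairs from the post plus a few constructed lines (a proxy-port socket with no alert, and an earlier alert whose FD number was later reused) that show why the join has to use both the FD number and the client address:port rather than the FD alone. The observation time and the one-hour minimum age are assumptions.</p>

```python
import re
from datetime import datetime, timedelta

# cache.log line format as shown in the post (Squid 3.5 "SECURITY ALERT" entry).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+ kid\d+\| SECURITY ALERT: "
    r"Host header forgery detected on local=(?P<local>[\d.]+:\d+) "
    r"remote=(?P<remote>[\d.]+:\d+) FD (?P<fd>\d+) flags=\d+ \((?P<reason>[^)]*)\)"
)
# lsof -p <pid> line format as shown in the post: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
LSOF_RE = re.compile(
    r"^squid\s+(?P<pid>\d+)\s+\S+\s+(?P<fd>\d+)u\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<local>[\d.]+:\d+)->(?P<remote>[\d.]+:\d+)\s+\((?P<state>[A-Z_]+)\)"
)
LOG_TS_FMT = "%Y/%m/%d %H:%M:%S"

# Constructed sample input. The 12:57 / 13:59 alerts and the FD 12 / FD 14 sockets are
# the ones quoted in the post; the 09:00 alert and the port-3127 socket are made up.
CACHE_LOG = [
    "2015/11/21 09:00:00.100 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=203.0.113.10:443 remote=192.168.91.10:41000 FD 14 flags=33 (local IP does not match any domain IP)",
    "2015/11/21 12:57:51.229 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=23.0.163.57:443 remote=192.168.93.113:55815 FD 12 flags=33 (local IP does not match any domain IP)",
    "2015/11/21 13:59:44.230 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=198.144.127.162:443 remote=192.168.90.207:52288 FD 14 flags=33 (local IP does not match any domain IP)",
]
LSOF = [
    "squid 32490 proxy 12u IPv6 4065613 0t0 TCP 172.16.10.22:3126->192.168.93.113:55815 (CLOSE_WAIT)",
    "squid 32490 proxy 14u IPv6 4097822 0t0 TCP 172.16.10.22:3126->192.168.90.207:52288 (ESTABLISHED)",
    "squid 32490 proxy 30u IPv6 4100000 0t0 TCP 172.16.10.22:3127->192.168.80.5:50000 (ESTABLISHED)",
]
# Assumed time at which lsof was run: a little more than 10 hours after the alerts.
OBSERVED_AT = datetime(2015, 11, 22, 0, 30, 0)


def parse_alerts(lines):
    """Return one dict per 'Host header forgery' alert found in cache.log lines."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append({
                "time": datetime.strptime(m.group("ts"), LOG_TS_FMT),
                "fd": int(m.group("fd")),
                # 'local' in the alert is the intercepted destination (original dst:443),
                # not Squid's own listening address, so it cannot be joined to lsof's local column.
                "orig_dst": m.group("local"),
                "remote": m.group("remote"),
                "reason": m.group("reason"),
            })
    return alerts


def parse_lsof(lines):
    """Return one dict per TCP socket held by the squid process in lsof output."""
    sockets = []
    for line in lines:
        m = LSOF_RE.match(line.strip())
        if m:
            sockets.append({
                "fd": int(m.group("fd")),
                "local_port": int(m.group("local").rsplit(":", 1)[1]),
                "remote": m.group("remote"),
                "state": m.group("state"),
            })
    return sockets


def count_by_port_state(sockets):
    """Histogram of open sockets by (listening port, TCP state); a growing
    (3126, 'CLOSE_WAIT') bucket is the leak signature the post describes."""
    counts = {}
    for s in sockets:
        key = (s["local_port"], s["state"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def find_stuck(alerts, sockets, now, min_age=timedelta(hours=1)):
    """Join alerts to sockets on (fd, client addr:port) and keep those still open
    after min_age. Joining on the FD number alone would be wrong: Squid reuses
    descriptor numbers, so a later client can inherit FD 14 from a closed one."""
    by_key = {(s["fd"], s["remote"]): s for s in sockets}
    stuck = []
    for a in alerts:
        s = by_key.get((a["fd"], a["remote"]))
        age = now - a["time"]
        if s is not None and age >= min_age:
            rec = dict(a)
            rec["state"] = s["state"]
            rec["local_port"] = s["local_port"]
            rec["age_hours"] = round(age.total_seconds() / 3600, 1)
            stuck.append(rec)
    return stuck


if __name__ == "__main__":
    socks = parse_lsof(LSOF)
    print("sockets by port/state:", count_by_port_state(socks))
    for r in find_stuck(parse_alerts(CACHE_LOG), socks, OBSERVED_AT):
        print("FD %d port %d %s client=%s open for %.1f h after alert (%s)"
              % (r["fd"], r["local_port"], r["state"], r["remote"], r["age_hours"], r["reason"]))
```

<p>On a live host the two lists would come from <code>/var/log/squid/cache.log</code> and <code>lsof -nP -p &lt;squid pid&gt;</code> instead of the embedded samples; running it at intervals and watching the port-3126 CLOSE_WAIT count is a cheap way to confirm whether every stuck descriptor really traces back to a forgery alert, which is the open question in the post.</p>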
</body>
</html>