<div dir="ltr"><div>Hello, <span style="color:rgb(31,31,31);font-family:"Google Sans",Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:0.875rem">Jonathan,</span></div><div><span style="color:rgb(31,31,31);font-family:"Google Sans",Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:0.875rem"><br></span></div><div>>> Does anyone know the path to this file "modified file 'src/client_side_request.cc" so I can test it with the patches application if it doesn’t work no big deal I can just restore it to prior and or use an older boot environment<br></div><br><div>You can find it in the squid sources:</div><div><font face="monospace">tar -tvzf squid-6.10.tar.gz | grep src/client_side_request.cc<br>-rw-rw-r-- kinkie/kinkie 77063 2024-06-08 16:28 squid-6.10/src/client_side_request.cc<br></font></div><div><br></div><div>Kind regards,</div><div> Ankor</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Wed, 10 Jul 2024 at 03:31, <<a href="mailto:jonathanlee571@gmail.com">jonathanlee571@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I found the older patch from 2017 I can't find the path to client_side_request.cc in the pfsense filesystem <br>
<br>
Does anyone know the path to this file "modified file 'src/client_side_request.cc" so I can test it with the patches application if it doesn’t work no big deal I can just restore it to prior and or use an older boot environment<br>
<br>
<br>
<br>
<br>
kick abandoning [connection]" message in cache.log<br>
<br>
This patch calls quitAfterError() to force Squid to close the connection after<br>
writing a "Host header forgery" error response instead of just logging a<br>
[misleading] "kick abandoning [connection]" message in cache.log.<br>
<br>
This is a Measurement Factory project<br>
<br>
=== modified file 'src/client_side_request.cc'<br>
--- src/client_side_request.cc 2017-02-07 23:11:33 +0000<br>
+++ src/client_side_request.cc 2017-03-31 08:00:01 +0000<br>
@@ -564,40 +564,41 @@<br>
debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<<br>
" (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());<br>
<br>
// NP: it is tempting to use 'flags.noCache' but that is all about READing cache data.<br>
// The problems here are about WRITE for new cache content, which means flags.cachable<br>
http->request->flags.cachable = false; // MUST NOT cache (for now)<br>
// XXX: when we have updated the cache key to base on raw-IP + URI this cacheable limit can go.<br>
http->request->flags.hierarchical = false; // MUST NOT pass to peers (for now)<br>
// XXX: when we have sorted out the best way to relay requests properly to peers this hierarchical limit can go.<br>
http->doCallouts();<br>
return;<br>
}<br>
<br>
debugs(85, DBG_IMPORTANT, "SECURITY ALERT: Host header forgery detected on " <<<br>
http->getConn()->clientConnection << " (" << A << " does not match " << B << ")");<br>
if (const char *ua = http->request->header.getStr(Http::HdrType::USER_AGENT))<br>
debugs(85, DBG_IMPORTANT, "SECURITY ALERT: By user agent: " << ua);<br>
debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << http->request->effectiveRequestUri());<br>
<br>
// IP address validation for Host: failed. reject the connection.<br>
+ http->getConn()->quitAfterError(http->request);<br>
clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data;<br>
clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());<br>
assert (repContext);<br>
repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict,<br>
http->request->method, NULL,<br>
http->getConn()->clientConnection->remote,<br>
http->request,<br>
NULL,<br>
#if USE_AUTH<br>
http->getConn() != NULL && http->getConn()->getAuth() != NULL ?<br>
http->getConn()->getAuth() : http->request->auth_user_request);<br>
#else<br>
NULL);<br>
#endif<br>
node = (clientStreamNode *)http->client_stream.tail->data;<br>
clientStreamRead(node, http, node->readBuffer);<br>
}<br>
<br>
void<br>
ClientRequestContext::hostHeaderVerify()<br>
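<br>
Review bot: the added http->getConn()->quitAfterError(http->request) line dereferences http->getConn() unconditionally, while the USE_AUTH argument to setReplyToError() a few lines below it still tests http->getConn() != NULL before using the connection. One of the two is wrong: either guard the new call the same way, or drop the now-redundant NULL test so the hunk states a single assumption about the connection's lifetime. The comment directly above the new line ("reject the connection") could also say that the connection is closed after the error response is written, since that is the behaviour this line introduces.<br>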
<br>
<br>
<br>
-----Original Message-----<br>
From: Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>> <br>
Sent: Monday, July 8, 2024 10:41 AM<br>
To: squid-users <<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>><br>
Cc: Jonathan Lee <<a href="mailto:jonathanlee571@gmail.com" target="_blank">jonathanlee571@gmail.com</a>><br>
Subject: Re: [squid-users] Squid 6.6 kick abandoning connections<br>
<br>
On 2024-07-08 12:31, Jonathan Lee wrote:<br>
<br>
> I can confirm I have no ipv6 our isp is ipv4 only and I have IPv6 <br>
> disabled on the firewall and with layer 2 and 3 traffic<br>
<br>
This problem is not specific to any IP family/version.<br>
<br>
Alex.<br>
<br>
<br>
>> On Jul 8, 2024, at 09:15, Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>> wrote:<br>
>><br>
>> On 2024-07-05 21:07, Jonathan Lee wrote:<br>
>><br>
>>> I am using Bump with certificates installed on devices does anyone know what this error is...<br>
>>> kick abandoning conn43723 local=192.168.1.1:3128 <br>
>>> remote=192.168.1.5:52129 FD 178 flags=1<br>
>><br>
>><br>
>> This "kick abandoning" message marks a Squid problem or bug: Squid enters a seemingly impossible state. In some (but probably not all) cases, the client connection might become stuck (hopefully until some timeout closes it). In some (and possibly all) cases, Squid might immediately close the connection and nobody gets hurt. Code reporting this problem does not know how we got here and what will happen next.<br>
>><br>
>> There were several incomplete/unfinished attempts to fix this problem, including two different patches posted at Bug 3715. I do not know whether either of them is safe and applies to Squid v6. Neither is a comprehensive solution.<br>
>> <a href="https://bugs.squid-cache.org/show_bug.cgi?id=3715" rel="noreferrer" target="_blank">https://bugs.squid-cache.org/show_bug.cgi?id=3715</a><br>
>><br>
>><br>
>>> Does anyone know how to fix my last weird error I have with Squid <br>
>>> 6.6<br>
>><br>
>> I do not know of a good configuration-based workaround. Squid code modifications are required to properly address this problem. Other errors may trigger this bug, so addressing those other errors may hide (and reduce the pressure to fix) this bug. Besides fixing those other errors (if any -- I am aware that you have said that there are no other errors left, but perhaps you found other problems since then), these basic options apply:<br>
>><br>
>> <a href="https://wiki.squid-cache.org/SquidFaq/AboutSquid#how-to-add-a-new-squid-feature-enhance-of-fix-something" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/SquidFaq/AboutSquid#how-to-add-a-new-squid-feature-enhance-of-fix-something</a><br>
>><br>
>> Alex.<br>
>><br>
<br>
<br>
</blockquote></div>
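<div>The quoted commit message covers only the "kick abandoning" messages that follow a "Host header forgery" rejection, and the thread notes that other errors may trigger the same message. As an added example (not part of the thread or of Squid), the Python below tags each "kick abandoning" line in cache.log by whether a forgery alert was logged earlier for the same connection. The timestamp/kid prefix and the layout of the connection descriptor in the alert line are assumptions, and the sample lines are constructed.</div>

```python
import re
from collections import Counter

# Constructed cache.log lines (not from the thread). The connection descriptor
# layout follows the "kick abandoning" line quoted in the thread; the
# timestamp/kid prefix and the alert's descriptor layout are assumptions.
SAMPLE_LOG = """\
2024/07/05 21:06:58 kid1| SECURITY ALERT: Host header forgery detected on conn43723 local=192.168.1.1:3128 remote=192.168.1.5:52129 FD 178 flags=1 (local IP does not match any domain IP)
2024/07/05 21:06:58 kid1| SECURITY ALERT: on URL: example.com:443
2024/07/05 21:06:58 kid1| kick abandoning conn43723 local=192.168.1.1:3128 remote=192.168.1.5:52129 FD 178 flags=1
2024/07/05 21:07:40 kid1| kick abandoning conn43901 local=192.168.1.1:3128 remote=192.168.1.7:40022 FD 64 flags=1
"""

CONN = r"(?P<conn>conn\d+) local=(?P<local>\S+) remote=(?P<remote>\S+) FD \d+"
FORGERY = re.compile(r"SECURITY ALERT: Host header forgery detected on " + CONN)
KICK = re.compile(r"kick abandoning " + CONN)


def triage(log_text):
    """Tag every 'kick abandoning' event with its likely cause."""
    forged = set()   # (conn id, remote) pairs that already raised a forgery alert
    results = []
    for line in log_text.splitlines():
        m = FORGERY.search(line)
        if m:
            forged.add((m["conn"], m["remote"]))
            continue
        m = KICK.search(line)
        if m:
            key = (m["conn"], m["remote"])
            # Only the forgery-rejection path is what the quoted patch changes;
            # anything else still needs separate investigation.
            cause = "host-forgery" if key in forged else "unexplained"
            results.append({"conn": m["conn"], "remote": m["remote"], "cause": cause})
    return results


def summarize(results):
    """Count kick events per cause."""
    return Counter(r["cause"] for r in results)


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["conn"], r["remote"], r["cause"])
    print(dict(summarize(triage(SAMPLE_LOG))))
```

<div>Events tagged "unexplained" are the ones the 2017 patch would not be expected to change.</div>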