[squid-users] I am seeing the following in my cache.log

Monah Baki monahbaki at gmail.com
Tue Mar 24 19:18:15 UTC 2015 

Running squid 3.5.2 on Centos 6.6

./configure --prefix=/home/cache --enable-follow-x-forwarded-for
--with-large-files --enable-ssl --disable-ipv6 --enable-esi
--enable-kill-parent-hack --enable-snmp --with-pthreads
--with-filedescriptors=65535 --enable-cachemgr-hostname=hostname
--enable-storeio=ufs,aufs,diskd,rock

We have around 50 users. I am seeing hundreds of thousands of the following:


2015/03/24 14:57:34.910| SECURITY ALERT: By user agent: Mozilla/5.0
(Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko)
Chrome/20.0.1092.0 Safari/536.6
2015/03/24 14:57:34.910| SECURITY ALERT: on URL: www.facebook.com:443
2015/03/24 14:57:34.946| SECURITY ALERT: Host header forgery detected
on local=85.115.52.158:80 remote=196.245.252.34:36732 FD 49 flags=33
(local IP does not match any domain IP)


Then after 2 hours, I get the message in my cacahe.log:

2015/03/24 16:41:42.478| SECURITY ALERT: By user agent: Mozilla/5.0
(Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko)
Chrome/20.0.1092.0 Safari/536.6
2015/03/24 16:41:42.478| SECURITY ALERT: on URL: www.facebook.com:443
2015/03/24 16:41:42.478| WARNING: 1 swapin MD5 mismatches
2015/03/24 16:41:42.478| Could not parse headers from on disk object
2015/03/24 16:41:42.478| BUG 3279: HTTP reply without Date:
2015/03/24 16:41:42.478| StoreEntry->key: 23F0D6046AB8FE86440CAD447524FCBC
2015/03/24 16:41:42.478| StoreEntry->next: 0
2015/03/24 16:41:42.478| StoreEntry->mem_obj: 0x1d56470
2015/03/24 16:41:42.478| StoreEntry->timestamp: -1
2015/03/24 16:41:42.478| StoreEntry->lastref: 1427211702
2015/03/24 16:41:42.478| StoreEntry->expires: -1
2015/03/24 16:41:42.478| StoreEntry->lastmod: -1
2015/03/24 16:41:42.478| StoreEntry->swap_file_sz: 0
2015/03/24 16:41:42.478| StoreEntry->refcount: 1
2015/03/24 16:41:42.478| StoreEntry->flags: PRIVATE,FWD_HDR_WAIT,VALIDATED
2015/03/24 16:41:42.478| StoreEntry->swap_dirn: -1
2015/03/24 16:41:42.478| StoreEntry->swap_filen: -1
2015/03/24 16:41:42.478| StoreEntry->lock_count: 2
2015/03/24 16:41:42.478| StoreEntry->mem_status: 0
2015/03/24 16:41:42.478| StoreEntry->ping_status: 2
2015/03/24 16:41:42.478| StoreEntry->store_status: 1
2015/03/24 16:41:42.478| StoreEntry->swap_status: 0
2015/03/24 16:41:42.747| SECURITY ALERT: Host header forgery detected
on local=85.115.52.158:80 remote=197.255.252.34:44348 FD 20 flags=33
(local IP does not match any domain IP)
2015/03/24 16:41:42.747| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
2015/03/24 16:41:42.747| SECURITY ALERT: on URL: us-mg5.mail.yahoo.com:443
2015/03/24 16:41:42.772| SECURITY ALERT: Host header forgery detected
on local=85.115.52.158:80 remote=197.255.252.34:44349 FD 20 flags=33
(local IP does not match any domain IP)
2015/03/24 16:41:42.772| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
2015/03/24 16:41:42.772| SECURITY ALERT: on URL: csync.flickr.com:443
2015/03/24 16:41:42.800| SECURITY ALERT: Host header forgery detected
on local=85.115.33.158:80 remote=197.255.252.34:13505 FD 20 flags=33
(local IP does not match any domain IP)
2015/03/24 16:41:42.800| SECURITY ALERT: By user agent: Mozilla/5.0
(Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko)
Chrome/20.0.1092.0 Safari/536.6
2015/03/24 16:41:42.800| SECURITY ALERT: on URL: www.facebook.com:443
2015/03/24 16:41:43.115| SECURITY ALERT: Host header forgery detected
on local=85.115.33.158:80 remote=197.255.252.34:13506 FD 31 flags=33
(local IP does not match any domain IP)
2015/03/24 16:41:43.115| SECURITY ALERT: By user agent: Mozilla/5.0
(Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko)
Chrome/20.0.1092.0 Safari/536.6
2015/03/24 16:41:43.115| SECURITY ALERT: on URL: www.facebook.com:443
2015/03/24 16:41:43.115| assertion failed: store.cc:1885: "isEmpty()"


Then I get a message "running out of file descriptors", for that I did
the following:
echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog

In my /etc/security/limits.conf, added the following:
* - nofile 65535



My squid.conf

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly
plugged) machines
acl blockeddomain dstdomain "/home/cache/etc/blocked.domain.acl"

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
acl isnsnmp snmp_community public

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

cachemgr_passwd password all

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access deny blockeddomain
http_access allow localnet
http_access allow localhost
snmp_access allow isnsnmp localnet

# And finally deny all other access to this proxy
http_access deny all
# snmp_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
snmp_port 3401

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
cache_dir aufs /home/cache/var/cache/squid 350000 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

access_log daemon:/home/cache/var/logs/access.log squid
cache_log /home/cache/var/logs/cache.log


#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

half_closed_clients off
# quick_abort_min 0 KB
# quick_abort_max 0 KB
# vary_ignore_expire on
# reload_into_ims on
# memory_pools off
cache_mem 9216 MB
memory_cache_mode always
client_persistent_connections off
server_persistent_connections off
visible_hostname isn-phc-cache
minimum_object_size 0 KB
maximum_object_size 96 MB
maximum_object_size_in_memory 1 MB
memory_replacement_policy lru
cache_replacement_policy heap LFUDA
quick_abort_min 1024 KB
quick_abort_max 2048 KB
quick_abort_pct 90
ipcache_size 10240
# ipcache_low 90
# ipcache_high 95
cache_swap_low 98
cache_swap_high 100
# fqdncache_size 16384
# retry_on_error on
# offline_mode off
logfile_rotate 10
dns_nameservers 8.8.8.8 41.78.211.30




Was the thousands of thousands of SECURITY ALERT the cause of this?


Thanks
Monah

More information about the squid-users mailing list