[squid-users] I am seeing the following in my cache.log

Yuri Voinov yvoinov at gmail.com
Tue Mar 24 19:24:08 UTC 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Feel free fo look at this:

http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery


25.03.15 1:18, Monah Baki пишет:
> Running squid 3.5.2 on Centos 6.6
> 
> ./configure --prefix=/home/cache --enable-follow-x-forwarded-for 
> --with-large-files --enable-ssl --disable-ipv6 --enable-esi 
> --enable-kill-parent-hack --enable-snmp --with-pthreads 
> --with-filedescriptors=65535 --enable-cachemgr-hostname=hostname 
> --enable-storeio=ufs,aufs,diskd,rock
> 
> We have around 50 users. I am seeing hundreds of thousands of the
> following:
> 
> 
> 2015/03/24 14:57:34.910| SECURITY ALERT: By user agent:
> Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) 
> Chrome/20.0.1092.0 Safari/536.6 2015/03/24 14:57:34.910| SECURITY
> ALERT: on URL: www.facebook.com:443 2015/03/24 14:57:34.946|
> SECURITY ALERT: Host header forgery detected on
> local=85.115.52.158:80 remote=196.245.252.34:36732 FD 49 flags=33 
> (local IP does not match any domain IP)
> 
> 
> Then after 2 hours, I get the message in my cacahe.log:
> 
> 2015/03/24 16:41:42.478| SECURITY ALERT: By user agent:
> Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) 
> Chrome/20.0.1092.0 Safari/536.6 2015/03/24 16:41:42.478| SECURITY
> ALERT: on URL: www.facebook.com:443 2015/03/24 16:41:42.478|
> WARNING: 1 swapin MD5 mismatches 2015/03/24 16:41:42.478| Could not
> parse headers from on disk object 2015/03/24 16:41:42.478| BUG
> 3279: HTTP reply without Date: 2015/03/24 16:41:42.478|
> StoreEntry->key: 23F0D6046AB8FE86440CAD447524FCBC 2015/03/24
> 16:41:42.478| StoreEntry->next: 0 2015/03/24 16:41:42.478|
> StoreEntry->mem_obj: 0x1d56470 2015/03/24 16:41:42.478|
> StoreEntry->timestamp: -1 2015/03/24 16:41:42.478|
> StoreEntry->lastref: 1427211702 2015/03/24 16:41:42.478|
> StoreEntry->expires: -1 2015/03/24 16:41:42.478|
> StoreEntry->lastmod: -1 2015/03/24 16:41:42.478|
> StoreEntry->swap_file_sz: 0 2015/03/24 16:41:42.478|
> StoreEntry->refcount: 1 2015/03/24 16:41:42.478| StoreEntry->flags:
> PRIVATE,FWD_HDR_WAIT,VALIDATED 2015/03/24 16:41:42.478|
> StoreEntry->swap_dirn: -1 2015/03/24 16:41:42.478|
> StoreEntry->swap_filen: -1 2015/03/24 16:41:42.478|
> StoreEntry->lock_count: 2 2015/03/24 16:41:42.478|
> StoreEntry->mem_status: 0 2015/03/24 16:41:42.478|
> StoreEntry->ping_status: 2 2015/03/24 16:41:42.478|
> StoreEntry->store_status: 1 2015/03/24 16:41:42.478|
> StoreEntry->swap_status: 0 2015/03/24 16:41:42.747| SECURITY ALERT:
> Host header forgery detected on local=85.115.52.158:80
> remote=197.255.252.34:44348 FD 20 flags=33 (local IP does not match
> any domain IP) 2015/03/24 16:41:42.747| SECURITY ALERT: By user
> agent: WNetCore/0.1.1.1 2015/03/24 16:41:42.747| SECURITY ALERT: on
> URL: us-mg5.mail.yahoo.com:443 2015/03/24 16:41:42.772| SECURITY
> ALERT: Host header forgery detected on local=85.115.52.158:80
> remote=197.255.252.34:44349 FD 20 flags=33 (local IP does not match
> any domain IP) 2015/03/24 16:41:42.772| SECURITY ALERT: By user
> agent: WNetCore/0.1.1.1 2015/03/24 16:41:42.772| SECURITY ALERT: on
> URL: csync.flickr.com:443 2015/03/24 16:41:42.800| SECURITY ALERT:
> Host header forgery detected on local=85.115.33.158:80
> remote=197.255.252.34:13505 FD 20 flags=33 (local IP does not match
> any domain IP) 2015/03/24 16:41:42.800| SECURITY ALERT: By user
> agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like
> Gecko) Chrome/20.0.1092.0 Safari/536.6 2015/03/24 16:41:42.800|
> SECURITY ALERT: on URL: www.facebook.com:443 2015/03/24
> 16:41:43.115| SECURITY ALERT: Host header forgery detected on
> local=85.115.33.158:80 remote=197.255.252.34:13506 FD 31 flags=33 
> (local IP does not match any domain IP) 2015/03/24 16:41:43.115|
> SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1)
> AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0
> Safari/536.6 2015/03/24 16:41:43.115| SECURITY ALERT: on URL:
> www.facebook.com:443 2015/03/24 16:41:43.115| assertion failed:
> store.cc:1885: "isEmpty()"
> 
> 
> Then I get a message "running out of file descriptors", for that I
> did the following: echo 1024 65535 >
> /proc/sys/net/ipv4/ip_local_port_range echo 8192 >
> /proc/sys/net/ipv4/tcp_max_syn_backlog
> 
> In my /etc/security/limits.conf, added the following: * - nofile
> 65535
> 
> 
> 
> My squid.conf
> 
> # # Recommended minimum configuration: #
> 
> # Example rule allowing access from your local networks. # Adapt to
> list your (internal) IP networks from where browsing # should be
> allowed acl localnet src 10.0.0.0/8    # RFC1918 possible internal
> network acl localnet src 172.16.0.0/12    # RFC1918 possible
> internal network acl localnet src 192.168.0.0/16    # RFC1918
> possible internal network acl localnet src fc00::/7       # RFC
> 4193 local private network range acl localnet src fe80::/10      #
> RFC 4291 link-local (directly plugged) machines acl blockeddomain
> dstdomain "/home/cache/etc/blocked.domain.acl"
> 
> acl SSL_ports port 443 acl Safe_ports port 80        # http acl
> Safe_ports port 21        # ftp acl Safe_ports port 443        #
> https acl Safe_ports port 70        # gopher acl Safe_ports port
> 210        # wais acl Safe_ports port 1025-65535    # unregistered
> ports acl Safe_ports port 280        # http-mgmt acl Safe_ports
> port 488        # gss-http acl Safe_ports port 591        #
> filemaker acl Safe_ports port 777        # multiling http acl
> CONNECT method CONNECT acl isnsnmp snmp_community public
> 
> # # Recommended minimum Access Permission configuration: # # Deny
> requests to certain unsafe ports http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports http_access deny
> CONNECT !SSL_ports
> 
> # Only allow cachemgr access from localhost http_access allow
> localhost manager http_access deny manager
> 
> cachemgr_passwd password all
> 
> # We strongly recommend the following be uncommented to protect
> innocent # web applications running on the proxy server who think
> the only # one who can access services on "localhost" is a local
> user #http_access deny to_localhost
> 
> # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS 
> #
> 
> # Example rule allowing access from your local networks. # Adapt
> localnet in the ACL section to list your (internal) IP networks #
> from where browsing should be allowed http_access deny
> blockeddomain http_access allow localnet http_access allow
> localhost snmp_access allow isnsnmp localnet
> 
> # And finally deny all other access to this proxy http_access deny
> all # snmp_access deny all
> 
> # Squid normally listens to port 3128 http_port 3128 http_port 3129
> intercept snmp_port 3401
> 
> # Uncomment and adjust the following to add a disk cache
> directory. #cache_dir ufs /usr/local/squid/var/cache/squid 100 16
> 256 cache_dir aufs /home/cache/var/cache/squid 350000 16 256
> 
> # Leave coredumps in the first cache dir coredump_dir
> /usr/local/squid/var/cache/squid
> 
> access_log daemon:/home/cache/var/logs/access.log squid cache_log
> /home/cache/var/logs/cache.log
> 
> 
> # # Add any of your own refresh_pattern entries above these. # 
> refresh_pattern ^ftp:        1440    20%    10080 refresh_pattern
> ^gopher:    1440    0%    1440 refresh_pattern -i (/cgi-bin/|\?) 0
> 0%    0 refresh_pattern .        0    20%    4320
> 
> half_closed_clients off # quick_abort_min 0 KB # quick_abort_max 0
> KB # vary_ignore_expire on # reload_into_ims on # memory_pools off 
> cache_mem 9216 MB memory_cache_mode always 
> client_persistent_connections off server_persistent_connections
> off visible_hostname isn-phc-cache minimum_object_size 0 KB 
> maximum_object_size 96 MB maximum_object_size_in_memory 1 MB 
> memory_replacement_policy lru cache_replacement_policy heap LFUDA 
> quick_abort_min 1024 KB quick_abort_max 2048 KB quick_abort_pct 90 
> ipcache_size 10240 # ipcache_low 90 # ipcache_high 95 
> cache_swap_low 98 cache_swap_high 100 # fqdncache_size 16384 #
> retry_on_error on # offline_mode off logfile_rotate 10 
> dns_nameservers 8.8.8.8 41.78.211.30
> 
> 
> 
> 
> Was the thousands of thousands of SECURITY ALERT the cause of
> this?
> 
> 
> Thanks Monah _______________________________________________ 
> squid-users mailing list squid-users at lists.squid-cache.org 
> http://lists.squid-cache.org/listinfo/squid-users
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVEbnYAAoJENNXIZxhPexGMQgIAMICUhBRZMOIl96wFRHaUz+U
mFOoHX+dSr5C6hh7mm44ZFq9pWYb8c4EEx+kp5olttpPVFh3cfpl8h8tY73DfWUD
bWojvcQA+NqQ6rIvJcSAwOJ+bWXx3fPTUefGcAOJ+gZho90DyyLxy6vDSMt/0rnV
GkpUCTT7r3w/EKQbavjRpAcnEdm0L/tSv70Tui+SlU4ksVn77yIoLJ6xD183B4U+
6Heg/x0sd2sMG6nx3452V7v5eaaQXAO3teby/VOUeRthuaFdJDTDn60j96h5Xc8Y
MSXIbk5qBecRuhVKs6vt2gWC59LYvjNnpSyCv1NyF0PWADi5QPlUVvGxtfUHfHU=
=5wYL
-----END PGP SIGNATURE-----

More information about the squid-users mailing list