[squid-users] I am seeing the following in my cache.log

Yuri Voinov yvoinov at gmail.com
Tue Mar 24 20:10:33 UTC 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This can be insufficient.

25.03.15 2:09, Monah Baki пишет:
> I compiled it with --with-filedescriptors=65535, anything else that
> can help?
> 
> Thanks
> 
> On Tue, Mar 24, 2015 at 4:07 PM, Yuri Voinov <yvoinov at gmail.com>
> wrote: Running out of filedescriptors is another problem. You
> probably can re-build your squid with higher value of corresponding
> parameter.
> 
> 
> 25.03.15 2:05, Monah Baki пишет:
>>>> Thanks Yuri for the URL. The company is a small ISP using
>>>> policy based routing, so using WPAD or GPO isn't feasible.
>>>> 
>>>> If the cause of the server running out of file descriptions
>>>> and giving the "assertion failed: store.cc:1885: "isEmpty()"
>>>> error, I prefer to inform the enduser to fix his computer.
>>>> 
>>>> Thanks Monah
>>>> 
>>>> 
>>>> On Tue, Mar 24, 2015 at 3:24 PM, Yuri Voinov
>>>> <yvoinov at gmail.com> wrote: Feel free fo look at this:
>>>> 
>>>> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
>>>> 
>>>> 
>>>> 25.03.15 1:18, Monah Baki пишет:
>>>>>>> Running squid 3.5.2 on Centos 6.6
>>>>>>> 
>>>>>>> ./configure --prefix=/home/cache 
>>>>>>> --enable-follow-x-forwarded-for --with-large-files 
>>>>>>> --enable-ssl --disable-ipv6 --enable-esi 
>>>>>>> --enable-kill-parent-hack --enable-snmp
>>>>>>> --with-pthreads --with-filedescriptors=65535 
>>>>>>> --enable-cachemgr-hostname=hostname 
>>>>>>> --enable-storeio=ufs,aufs,diskd,rock
>>>>>>> 
>>>>>>> We have around 50 users. I am seeing hundreds of
>>>>>>> thousands of the following:
>>>>>>> 
>>>>>>> 
>>>>>>> 2015/03/24 14:57:34.910| SECURITY ALERT: By user
>>>>>>> agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6
>>>>>>> (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>>>>> 2015/03/24 14:57:34.910| SECURITY ALERT: on URL:
>>>>>>> www.facebook.com:443 2015/03/24 14:57:34.946| SECURITY
>>>>>>> ALERT: Host header forgery detected on
>>>>>>> local=85.115.52.158:80 remote=196.245.252.34:36732 FD
>>>>>>> 49 flags=33 (local IP does not match any domain IP)
>>>>>>> 
>>>>>>> 
>>>>>>> Then after 2 hours, I get the message in my
>>>>>>> cacahe.log:
>>>>>>> 
>>>>>>> 2015/03/24 16:41:42.478| SECURITY ALERT: By user
>>>>>>> agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6
>>>>>>> (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>>>>> 2015/03/24 16:41:42.478| SECURITY ALERT: on URL:
>>>>>>> www.facebook.com:443 2015/03/24 16:41:42.478| WARNING:
>>>>>>> 1 swapin MD5 mismatches 2015/03/24 16:41:42.478| Could
>>>>>>> not parse headers from on disk object 2015/03/24
>>>>>>> 16:41:42.478| BUG 3279: HTTP reply without Date:
>>>>>>> 2015/03/24 16:41:42.478| StoreEntry->key: 
>>>>>>> 23F0D6046AB8FE86440CAD447524FCBC 2015/03/24
>>>>>>> 16:41:42.478| StoreEntry->next: 0 2015/03/24
>>>>>>> 16:41:42.478| StoreEntry->mem_obj: 0x1d56470 2015/03/24
>>>>>>> 16:41:42.478| StoreEntry->timestamp: -1 2015/03/24
>>>>>>> 16:41:42.478| StoreEntry->lastref: 1427211702
>>>>>>> 2015/03/24 16:41:42.478| StoreEntry->expires: -1
>>>>>>> 2015/03/24 16:41:42.478| StoreEntry->lastmod: -1
>>>>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_file_sz: 0
>>>>>>> 2015/03/24 16:41:42.478| StoreEntry->refcount: 1
>>>>>>> 2015/03/24 16:41:42.478| StoreEntry->flags:
>>>>>>> PRIVATE,FWD_HDR_WAIT,VALIDATED 2015/03/24 16:41:42.478|
>>>>>>> StoreEntry->swap_dirn: -1 2015/03/24 16:41:42.478|
>>>>>>> StoreEntry->swap_filen: -1 2015/03/24 16:41:42.478|
>>>>>>> StoreEntry->lock_count: 2 2015/03/24 16:41:42.478|
>>>>>>> StoreEntry->mem_status: 0 2015/03/24 16:41:42.478|
>>>>>>> StoreEntry->ping_status: 2 2015/03/24 16:41:42.478|
>>>>>>> StoreEntry->store_status: 1 2015/03/24 16:41:42.478|
>>>>>>> StoreEntry->swap_status: 0 2015/03/24 16:41:42.747|
>>>>>>> SECURITY ALERT: Host header forgery detected on 
>>>>>>> local=85.115.52.158:80 remote=197.255.252.34:44348 FD
>>>>>>> 20 flags=33 (local IP does not match any domain IP)
>>>>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: By user agent:
>>>>>>> WNetCore/0.1.1.1 2015/03/24 16:41:42.747| SECURITY
>>>>>>> ALERT: on URL: us-mg5.mail.yahoo.com:443 2015/03/24
>>>>>>> 16:41:42.772| SECURITY ALERT: Host header forgery
>>>>>>> detected on local=85.115.52.158:80
>>>>>>> remote=197.255.252.34:44349 FD 20 flags=33 (local IP
>>>>>>> does not match any domain IP) 2015/03/24 16:41:42.772|
>>>>>>> SECURITY ALERT: By user agent: WNetCore/0.1.1.1 
>>>>>>> 2015/03/24 16:41:42.772| SECURITY ALERT: on URL: 
>>>>>>> csync.flickr.com:443 2015/03/24 16:41:42.800| SECURITY 
>>>>>>> ALERT: Host header forgery detected on 
>>>>>>> local=85.115.33.158:80 remote=197.255.252.34:13505 FD
>>>>>>> 20 flags=33 (local IP does not match any domain IP)
>>>>>>> 2015/03/24 16:41:42.800| SECURITY ALERT: By user agent:
>>>>>>> Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML,
>>>>>>> like Gecko) Chrome/20.0.1092.0 Safari/536.6 2015/03/24
>>>>>>> 16:41:42.800| SECURITY ALERT: on URL:
>>>>>>> www.facebook.com:443 2015/03/24 16:41:43.115| SECURITY
>>>>>>> ALERT: Host header forgery detected on
>>>>>>> local=85.115.33.158:80 remote=197.255.252.34:13506 FD
>>>>>>> 31 flags=33 (local IP does not match any domain IP)
>>>>>>> 2015/03/24 16:41:43.115| SECURITY ALERT: By user agent:
>>>>>>> Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML,
>>>>>>> like Gecko) Chrome/20.0.1092.0 Safari/536.6 2015/03/24
>>>>>>> 16:41:43.115| SECURITY ALERT: on URL:
>>>>>>> www.facebook.com:443 2015/03/24 16:41:43.115| assertion
>>>>>>> failed: store.cc:1885: "isEmpty()"
>>>>>>> 
>>>>>>> 
>>>>>>> Then I get a message "running out of file descriptors",
>>>>>>> for that I did the following: echo 1024 65535 > 
>>>>>>> /proc/sys/net/ipv4/ip_local_port_range echo 8192 > 
>>>>>>> /proc/sys/net/ipv4/tcp_max_syn_backlog
>>>>>>> 
>>>>>>> In my /etc/security/limits.conf, added the following: *
>>>>>>> - nofile 65535
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> My squid.conf
>>>>>>> 
>>>>>>> # # Recommended minimum configuration: #
>>>>>>> 
>>>>>>> # Example rule allowing access from your local
>>>>>>> networks. # Adapt to list your (internal) IP networks
>>>>>>> from where browsing # should be allowed acl localnet
>>>>>>> src 10.0.0.0/8    # RFC1918 possible internal network
>>>>>>> acl localnet src 172.16.0.0/12    # RFC1918 possible
>>>>>>> internal network acl localnet src 192.168.0.0/16    #
>>>>>>> RFC1918 possible internal network acl localnet src
>>>>>>> fc00::/7       # RFC 4193 local private network range
>>>>>>> acl localnet src fe80::/10      # RFC 4291 link-local 
>>>>>>> (directly plugged) machines acl blockeddomain
>>>>>>> dstdomain "/home/cache/etc/blocked.domain.acl"
>>>>>>> 
>>>>>>> acl SSL_ports port 443 acl Safe_ports port 80        #
>>>>>>> http acl Safe_ports port 21        # ftp acl Safe_ports
>>>>>>> port 443 # https acl Safe_ports port 70        # gopher
>>>>>>> acl Safe_ports port 210        # wais acl Safe_ports
>>>>>>> port 1025-65535    # unregistered ports acl Safe_ports
>>>>>>> port 280        # http-mgmt acl Safe_ports port 488
>>>>>>> # gss-http acl Safe_ports port 591        # filemaker
>>>>>>> acl Safe_ports port 777        # multiling http acl
>>>>>>> CONNECT method CONNECT acl isnsnmp snmp_community
>>>>>>> public
>>>>>>> 
>>>>>>> # # Recommended minimum Access Permission
>>>>>>> configuration: # # Deny requests to certain unsafe
>>>>>>> ports http_access deny !Safe_ports
>>>>>>> 
>>>>>>> # Deny CONNECT to other than secure SSL ports
>>>>>>> http_access deny CONNECT !SSL_ports
>>>>>>> 
>>>>>>> # Only allow cachemgr access from localhost
>>>>>>> http_access allow localhost manager http_access deny
>>>>>>> manager
>>>>>>> 
>>>>>>> cachemgr_passwd password all
>>>>>>> 
>>>>>>> # We strongly recommend the following be uncommented
>>>>>>> to protect innocent # web applications running on the
>>>>>>> proxy server who think the only # one who can access
>>>>>>> services on "localhost" is a local user #http_access
>>>>>>> deny to_localhost
>>>>>>> 
>>>>>>> # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM
>>>>>>> YOUR CLIENTS #
>>>>>>> 
>>>>>>> # Example rule allowing access from your local
>>>>>>> networks. # Adapt localnet in the ACL section to list
>>>>>>> your (internal) IP networks # from where browsing
>>>>>>> should be allowed http_access deny blockeddomain
>>>>>>> http_access allow localnet http_access allow localhost
>>>>>>> snmp_access allow isnsnmp localnet
>>>>>>> 
>>>>>>> # And finally deny all other access to this proxy
>>>>>>> http_access deny all # snmp_access deny all
>>>>>>> 
>>>>>>> # Squid normally listens to port 3128 http_port 3128 
>>>>>>> http_port 3129 intercept snmp_port 3401
>>>>>>> 
>>>>>>> # Uncomment and adjust the following to add a disk
>>>>>>> cache directory. #cache_dir ufs
>>>>>>> /usr/local/squid/var/cache/squid 100 16 256 cache_dir
>>>>>>> aufs /home/cache/var/cache/squid 350000 16 256
>>>>>>> 
>>>>>>> # Leave coredumps in the first cache dir coredump_dir 
>>>>>>> /usr/local/squid/var/cache/squid
>>>>>>> 
>>>>>>> access_log daemon:/home/cache/var/logs/access.log
>>>>>>> squid cache_log /home/cache/var/logs/cache.log
>>>>>>> 
>>>>>>> 
>>>>>>> # # Add any of your own refresh_pattern entries above
>>>>>>> these. # refresh_pattern ^ftp:        1440    20%
>>>>>>> 10080 refresh_pattern ^gopher:    1440    0%    1440 
>>>>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0%    0
>>>>>>> refresh_pattern . 0    20%    4320
>>>>>>> 
>>>>>>> half_closed_clients off # quick_abort_min 0 KB # 
>>>>>>> quick_abort_max 0 KB # vary_ignore_expire on # 
>>>>>>> reload_into_ims on # memory_pools off cache_mem 9216
>>>>>>> MB memory_cache_mode always
>>>>>>> client_persistent_connections off 
>>>>>>> server_persistent_connections off visible_hostname 
>>>>>>> isn-phc-cache minimum_object_size 0 KB
>>>>>>> maximum_object_size 96 MB maximum_object_size_in_memory
>>>>>>> 1 MB memory_replacement_policy lru
>>>>>>> cache_replacement_policy heap LFUDA quick_abort_min
>>>>>>> 1024 KB quick_abort_max 2048 KB quick_abort_pct 90
>>>>>>> ipcache_size 10240 # ipcache_low 90 # ipcache_high 95
>>>>>>> cache_swap_low 98 cache_swap_high 100 # fqdncache_size
>>>>>>> 16384 # retry_on_error on # offline_mode off 
>>>>>>> logfile_rotate 10 dns_nameservers 8.8.8.8 41.78.211.30
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> Was the thousands of thousands of SECURITY ALERT the
>>>>>>> cause of this?
>>>>>>> 
>>>>>>> 
>>>>>>> Thanks Monah
>>>>>>> _______________________________________________ 
>>>>>>> squid-users mailing list
>>>>>>> squid-users at lists.squid-cache.org 
>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>>>> 
>>>>> _______________________________________________
>>>>> squid-users mailing list squid-users at lists.squid-cache.org 
>>>>> http://lists.squid-cache.org/listinfo/squid-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVEcS5AAoJENNXIZxhPexGOvsH/jIec++e3SnyfPy0nD6VOE/t
SJS7Vx2N/O+2eL3kTcU2PqDMLwWtOEmtiG+eh1O4+BD7t2PbhO+RQ+nbO2lw7DfW
JoM23L060gOGf0P1xmvGFnkTHDYhg7yre5OwX90etUC4iaRac9IHGXTWrmv1VyVd
Ce9hHXScpStML0A338HFot8+yInF1vutoqEmZpO4FYwC25ylbsSgTc4EX6hk/IEE
+mw4v+a7FqidaED8lzOYGjvR0uGmrkBAHgrNdnrBmQ/5ojolr1SqBQ7Ug/Q37Duh
MKoRhqji+Z7i3AHVtTMN/UsktOH4/0BIai+iFDuwPd3ifOybNLNk4Z4n0RZ46Ys=
=PNUx
-----END PGP SIGNATURE-----

More information about the squid-users mailing list