[squid-users] file descriptors leak
Yuri Voinov
yvoinov at gmail.com
Thu Nov 26 21:54:23 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 27.11.15 0:36, André Janna wrote:
>
> Em 24/11/2015 00:54, Amos Jeffries escreveu:
>> FYI: unless you have a specific need for 3.5 you should be fine with
>> the 3.4 squid3 package that is available for Jessie from Debian
>> backports. The alternative is going the other way and upgrading right to
>> the latest 3.5 snapshot (and/or 4.0 snapshot) to see if it is one of the
>> CONNECT or TLS issues we have fixed recently.
> I'm using version 3.5 because 3.4 doesn't have ssl::server_name acl.
> Debian package is not built with openssl because of licensing issues
> so I rebuilt Debian testing 3.5 source package on Debian Jessie.
> This Squid installation is in production now and cannot be easily
> migrated. But I'll perform another installation for testing in the near
> future.
>
>> Neither. So it is time to move away from lsof and start using packet
>> capture to get a full-body packet trace to find out what exact packets
>> are happening on at least one affected TCP connection.
>>
>> If possible identifying one of these connections from its SYN onwards
>> would be great, but if not then a 20min period of activity on an
>> existing one might still show more hints.
>>
> I did a test using a Windows laptop client with IP address
> 192.168.64.4, connected via wifi.
> I browsed a few https sites until triggering Squid "local IP does not
> match any domain IP" error.
> This error appeared when I was trying to open Yahoo home page. Browser
> redirected to https://br.yahoo.com/?p=us but page remained blank.
> Please note that this error appears randomly: opening the same site in
> another browser tab succeeded.
>
> cache.log:
> 2015/11/26 13:54:45.471 kid1| SECURITY ALERT: Host header forgery detected on local=206.190.56.191:443 remote=192.168.64.4:58887 FD 17244 flags=33 (local IP does not match any domain IP)
It's so commonplace that the wiki has had an article about it for a long time:
http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
>
> After a couple of minutes this connection disappeared from Windows
> netstat command output. Afterward I powered off Windows laptop.
>
> Tcpdump on Squid box:
> 13:54:45.410907 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [S], seq 1831867, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 13:54:45.411000 IP 206.190.56.191.443 > 192.168.64.4.58887: Flags [S.], seq 3695298276, ack 1831868, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
> 13:54:45.411630 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [.], ack 1, win 256, length 0
> 13:54:45.412490 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [P.], seq 1:185, ack 1, win 256, length 184
> 13:54:45.412573 IP 206.190.56.191.443 > 192.168.64.4.58887: Flags [.], ack 185, win 237, length 0
> 13:54:55.439709 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [.], seq 184:185, ack 1, win 256, length 1
> 13:54:55.439761 IP 206.190.56.191.443 > 192.168.64.4.58887: Flags [.], ack 185, win 237, options [nop,nop,sack 1 {184:185}], length 0
> 13:55:05.439965 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [.], seq 184:185, ack 1, win 256, length 1
> 13:55:05.440022 IP 206.190.56.191.443 > 192.168.64.4.58887: Flags [.], ack 185, win 237, options [nop,nop,sack 1 {184:185}], length 0
> 13:55:15.445667 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [.], seq 184:185, ack 1, win 256, length 1
> 13:55:15.445737 IP 206.190.56.191.443 > 192.168.64.4.58887: Flags [.], ack 185, win 237, options [nop,nop,sack 1 {184:185}], length 0
> 13:55:25.447281 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [.], seq 184:185, ack 1, win 256, length 1
> 13:55:25.447351 IP 206.190.56.191.443 > 192.168.64.4.58887: Flags [.], ack 185, win 237, options [nop,nop,sack 1 {184:185}], length 0
> 13:55:35.494936 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [.], seq 184:185, ack 1, win 256, length 1
> 13:55:35.495005 IP 206.190.56.191.443 > 192.168.64.4.58887: Flags [.], ack 185, win 237, options [nop,nop,sack 1 {184:185}], length 0
> 13:55:45.491694 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [.], seq 184:185, ack 1, win 256, length 1
> 13:55:45.491761 IP 206.190.56.191.443 > 192.168.64.4.58887: Flags [.], ack 185, win 237, options [nop,nop,sack 1 {184:185}], length 0
> 13:55:55.492158 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [.], seq 184:185, ack 1, win 256, length 1
> 13:55:55.492208 IP 206.190.56.191.443 > 192.168.64.4.58887: Flags [.], ack 185, win 237, options [nop,nop,sack 1 {184:185}], length 0
> 14:01:58.242748 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [F.], seq 185, ack 1, win 256, length 0
> 14:01:58.279916 IP 206.190.56.191.443 > 192.168.64.4.58887: Flags [.], ack 186, win 237, length 0
>
> Netstat output on Squid box:
> # date; netstat -tno | grep 192.168.64.4
> Thu Nov 26 13:59:40 BRST 2015
> tcp6 1 0 172.16.10.22:3126 192.168.64.4:58887 CLOSE_WAIT off (0.00/0/0)
>
> And after 2 hours and a half netstat output is still the same:
> # date; netstat -tno | grep 192.168.64.4
> Thu Nov 26 16:32:37 BRST 2015
> tcp6 1 0 172.16.10.22:3126 192.168.64.4:58887 CLOSE_WAIT off (0.00/0/0)
>
> Squid is still using the file descriptor.
> # date; lsof -n | grep 192.168.64.4
> Thu Nov 26 16:33:10 BRST 2015
> squid 29137 proxy *244u IPv6 13127035 0t0 TCP 172.16.10.22:3126->192.168.64.4:58887 (CLOSE_WAIT)
>
>
> Regards,
> André
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJWV3+PAAoJENNXIZxhPexGAcgIAMLBGcWTKJW6sPkxj0sOQj5Y
jnvwElKpg/7r04QH02uA6NSv+/43aS7WtnMkjL+3OqaLIqee9jvBhzyMQZZBt3u+
kFvTnHHtlUPhno35GFpolWhpb74OoDG9e7VCDc6czbR5doaSxBqSCaC4JLlcNtTm
bxil6/4ZSupkh2cSVUvsJVC17Lir8SGfhKUOatIi29a8oCjUxKZs4J1VUOLC35vN
sajbij6f1ACVDkSWiYuI2rhAuWnsZAKuArXp+LrWjEpkYZbk1gvq1lEkEfIDg1QS
sJXD9pOoYEu7ui+tRCJYWOJbt3M8SqtvlXLWc6TojDeCVvnriD7Qs0nT8LuFqUE=
=aaMO
-----END PGP SIGNATURE-----
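An added example (my own, not Squid code and not anything posted in this thread) that turns the two kinds of evidence quoted above into an automated check. It parses tcpdump text output for flows in which one endpoint sent FIN and the other only ACKed it, which is exactly the packet-level signature of a socket sitting in CLOSE_WAIT because the owning application never called close(), and it pulls CLOSE_WAIT entries out of `netstat -tno` output. The trace lines are the ones from the thread re-joined onto single lines; the ESTABLISHED netstat line is constructed to show that non-matching states are ignored.

```python
"""Spot half-closed TCP connections (peer sent FIN, local side never did)
in a tcpdump text trace, and list CLOSE_WAIT sockets from netstat -tno.
Added example for the squid-users thread; not Squid's own code."""
import re
from collections import defaultdict

# Packets from the tcpdump trace quoted in the thread, re-joined onto
# single lines. The keepalive probes between 13:54:55 and 13:55:55 are
# identical in shape, so only one of them is kept here.
TRACE = """\
13:54:45.410907 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [S], seq 1831867, win 8192, length 0
13:54:45.411000 IP 206.190.56.191.443 > 192.168.64.4.58887: Flags [S.], seq 3695298276, ack 1831868, win 29200, length 0
13:54:45.411630 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [.], ack 1, win 256, length 0
13:54:45.412490 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [P.], seq 1:185, ack 1, win 256, length 184
13:54:45.412573 IP 206.190.56.191.443 > 192.168.64.4.58887: Flags [.], ack 185, win 237, length 0
13:55:55.492158 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [.], seq 184:185, ack 1, win 256, length 1
14:01:58.242748 IP 192.168.64.4.58887 > 206.190.56.191.443: Flags [F.], seq 185, ack 1, win 256, length 0
14:01:58.279916 IP 206.190.56.191.443 > 192.168.64.4.58887: Flags [.], ack 186, win 237, length 0
"""

# First line is the CLOSE_WAIT socket from the thread; the second is a
# constructed ESTABLISHED entry that must not be reported.
NETSTAT = """\
tcp6       1      0 172.16.10.22:3126       192.168.64.4:58887      CLOSE_WAIT  off (0.00/0/0)
tcp        0      0 172.16.10.22:3128       192.168.64.9:50123      ESTABLISHED keepalive (12.00/0/0)
"""

# Timestamp, IPv4 endpoints and the TCP flag string of a tcpdump line.
LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_trace(text):
    """Yield (ts, src_endpoint, dst_endpoint, flags) per parsable line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield (m["ts"], (m["src"], int(m["sport"])),
                   (m["dst"], int(m["dport"])), m["flags"])


def half_closed(text):
    """Return flows where exactly one endpoint sent FIN.

    Each entry is (fin_sender, idle_endpoint, fin_ts, fin_acked). The idle
    endpoint ACKed the FIN but never sent its own, so its socket is in
    CLOSE_WAIT until the application closes the descriptor."""
    fins = defaultdict(dict)   # flow -> {endpoint: timestamp of its FIN}
    acked = defaultdict(set)   # flow -> endpoints that ACKed after a FIN
    for ts, src, dst, flags in parse_trace(text):
        flow = frozenset((src, dst))   # direction-independent key
        if "F" in flags and src not in fins[flow]:
            fins[flow][src] = ts
        elif dst in fins[flow] and "." in flags:
            acked[flow].add(src)       # src sent an ACK after dst's FIN
    out = []
    for flow, senders in fins.items():
        if len(senders) == 1:
            (sender, ts), = senders.items()
            other, = flow - {sender}
            out.append((sender, other, ts, other in acked[flow]))
    return out


def close_wait_sockets(text):
    """From `netstat -tno` output return [(local, foreign, recv_q)] for
    CLOSE_WAIT sockets. On Linux a Recv-Q of 1 on such a socket commonly
    reflects the peer's FIN, which stays queued until the owning process
    reads to EOF and closes; a CLOSE_WAIT that persists for hours is
    therefore a descriptor the application is holding, not a network fault."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[5] == "CLOSE_WAIT":
            found.append((f[3], f[4], int(f[1])))
    return found


if __name__ == "__main__":
    for sender, idle, ts, was_acked in half_closed(TRACE):
        print(f"{idle} half-closed since {ts}: FIN from {sender}, acked={was_acked}")
    for local, foreign, q in close_wait_sockets(NETSTAT):
        print(f"CLOSE_WAIT {local} <- {foreign} (Recv-Q {q})")
```

Run it against a real `tcpdump -nn` text capture and the matching `netstat -tno` snapshot; a flow reported by `half_closed()` whose idle endpoint also appears in `close_wait_sockets()` with a cleared timer (`off`) is a descriptor the proxy itself must release, and the gap between the FIN timestamp and the netstat snapshot is how long it has been leaking.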