[squid-users] Squid 6.6 kick abandoning connections
jonathanlee571 at gmail.com
Wed Jul 10 00:31:18 UTC 2024
I found the older patch from 2017. I can't find the path to client_side_request.cc in the pfSense filesystem.
Does anyone know the path to this file "modified file 'src/client_side_request.cc'" so I can test it with the patches application? If it doesn't work, no big deal; I can just restore it to prior and/or use an older boot environment.
kick abandoning [connection]" message in cache.log
This patch calls quitAfterError() to force Squid to close the connection after
writing a "Host header forgery" error response instead of just logging a
[misleading] "kick abandoning [connection]" message in cache.log.
This is a Measurement Factory project
=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc 2017-02-07 23:11:33 +0000
+++ src/client_side_request.cc 2017-03-31 08:00:01 +0000
@@ -564,40 +564,41 @@
debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
" (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());
// NP: it is tempting to use 'flags.noCache' but that is all about READing cache data.
// The problems here are about WRITE for new cache content, which means flags.cachable
http->request->flags.cachable = false; // MUST NOT cache (for now)
// XXX: when we have updated the cache key to base on raw-IP + URI this cacheable limit can go.
http->request->flags.hierarchical = false; // MUST NOT pass to peers (for now)
// XXX: when we have sorted out the best way to relay requests properly to peers this hierarchical limit can go.
http->doCallouts();
return;
}
debugs(85, DBG_IMPORTANT, "SECURITY ALERT: Host header forgery detected on " <<
http->getConn()->clientConnection << " (" << A << " does not match " << B << ")");
if (const char *ua = http->request->header.getStr(Http::HdrType::USER_AGENT))
debugs(85, DBG_IMPORTANT, "SECURITY ALERT: By user agent: " << ua);
debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << http->request->effectiveRequestUri());
// IP address validation for Host: failed. reject the connection.
+ http->getConn()->quitAfterError(http->request);
clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data;
clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
assert (repContext);
repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict,
http->request->method, NULL,
http->getConn()->clientConnection->remote,
http->request,
NULL,
#if USE_AUTH
http->getConn() != NULL && http->getConn()->getAuth() != NULL ?
http->getConn()->getAuth() : http->request->auth_user_request);
#else
NULL);
#endif
node = (clientStreamNode *)http->client_stream.tail->data;
clientStreamRead(node, http, node->readBuffer);
}
void
ClientRequestContext::hostHeaderVerify()
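Review bot: the added `http->getConn()->quitAfterError(http->request);` dereferences `http->getConn()` with no check, while the `#if USE_AUTH` argument a few lines below it still tests `http->getConn() != NULL` before calling `getAuth()`. The `debugs()` calls above the new line already dereference it unconditionally, so either that NULL test is dead code or the new call needs the same guard; it is worth settling which and making the block consistent. A one-line comment on the new call saying that the connection is closed once the ERR_CONFLICT_HOST reply has been written would also make the existing "reject the connection" comment match what the code now does.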
-----Original Message-----
From: Alex Rousskov <rousskov at measurement-factory.com>
Sent: Monday, July 8, 2024 10:41 AM
To: squid-users <squid-users at lists.squid-cache.org>
Cc: Jonathan Lee <jonathanlee571 at gmail.com>
Subject: Re: [squid-users] Squid 6.6 kick abandoning connections
On 2024-07-08 12:31, Jonathan Lee wrote:
> I can confirm I have no ipv6 our isp is ipv4 only and I have IPv6
> disabled on the firewall and with layer 2 and 3 traffic
This problem is not specific to any IP family/version.
Alex.
>> On Jul 8, 2024, at 09:15, Alex Rousskov <rousskov at measurement-factory.com> wrote:
>>
>> On 2024-07-05 21:07, Jonathan Lee wrote:
>>
>>> I am using Bump with certificates installed on devices does anyone know what this error is...
>>> kick abandoning conn43723 local=192.168.1.1:3128
>>> remote=192.168.1.5:52129 FD 178 flags=1
>>
>>
>> This "kick abandoning" message marks a Squid problem or bug: Squid enters a seemingly impossible state. In some (but probably not all) cases, the client connection might become stuck (hopefully until some timeout closes it). In some (and possibly all) cases, Squid might immediately close the connection and nobody gets hurt. Code reporting this problem does not know how we got here and what will happen next.
>>
>> There were several incomplete/unfinished attempts to fix this problem, including two different patches posted at Bug 3715. I do not know whether either of them is safe and applies to Squid v6. Neither is a comprehensive solution.
>> https://bugs.squid-cache.org/show_bug.cgi?id=3715
>>
>>
>>> Does anyone know how to fix my last weird error I have with Squid
>>> 6.6
>>
>> I do not know of a good configuration-based workaround. Squid code modifications are required to properly address this problem. Other errors may trigger this bug, so addressing those other errors may hide (and reduce the pressure to fix) this bug. Besides fixing those other errors (if any -- I am aware that you have said that there are no other errors left, but perhaps you found other problems since then), these basic options apply:
>>
>> https://wiki.squid-cache.org/SquidFaq/AboutSquid#how-to-add-a-new-squid-feature-enhance-of-fix-something
>>
>> Alex.
>>
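The following is an added triage example, not code from the thread or from the Squid project. It checks whether each "kick abandoning" entry in cache.log was preceded by a "Host header forgery" alert on the same connection, which is the case the 2017 patch targets. It assumes the alert prints the connection in the same form as the kick line quoted above; the timestamps, `kid1|` prefix and extra connections in the sample are constructed.

```python
import re
from collections import Counter

# Connection descriptor as it appears in the "kick abandoning" line quoted in the thread.
CONN = r"(?P<conn>conn\d+) local=(?P<local>\S+) remote=(?P<remote>\S+):\d+"
KICK = re.compile(r"kick abandoning " + CONN)
FORGERY = re.compile(r"Host header forgery detected on " + CONN)

# Constructed sample log: only the first kick line's connection details come from the thread.
SAMPLE_LOG = """\
2024/07/05 21:07:01 kid1| SECURITY ALERT: Host header forgery detected on conn43723 local=192.168.1.1:3128 remote=192.168.1.5:52129 FD 178 flags=1 (local IP does not match any domain IP)
2024/07/05 21:07:01 kid1| SECURITY ALERT: on URL: example.com:443
2024/07/05 21:07:01 kid1| kick abandoning conn43723 local=192.168.1.1:3128 remote=192.168.1.5:52129 FD 178 flags=1
2024/07/05 21:09:44 kid1| kick abandoning conn43801 local=192.168.1.1:3128 remote=192.168.1.7:40112 FD 91 flags=1
2024/07/05 21:10:02 kid1| SECURITY ALERT: Host header forgery detected on conn43850 local=192.168.1.1:3128 remote=192.168.1.5:52201 FD 64 flags=1 (local IP does not match any domain IP)
"""

def triage(lines):
    """Split kick events by whether a forgery alert was logged earlier for the same connection."""
    forged = set()  # connection ids that already produced a forgery alert
    explained, unexplained = [], []
    for line in lines:
        m = FORGERY.search(line)
        if m:
            forged.add(m["conn"])
            continue
        m = KICK.search(line)
        if m:
            bucket = explained if m["conn"] in forged else unexplained
            bucket.append((m["conn"], m["remote"]))
    return explained, unexplained

def kicks_per_client(events):
    """Count kick events per client address to see which devices trigger them."""
    return Counter(remote for _, remote in events)

if __name__ == "__main__":
    explained, unexplained = triage(SAMPLE_LOG.splitlines())
    print("preceded by Host header forgery:", explained)
    print("no forgery alert seen:", unexplained)
    print("per client:", dict(kicks_per_client(explained + unexplained)))
```

Connection ids restart when Squid restarts, so run it over one uninterrupted stretch of cache.log. Kicks in the second bucket have some other trigger and would not be affected by the patch.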