[squid-users] Squid 6.6 kick abandoning connections

Andrey K ankor2023 at gmail.com
Sat Jul 13 03:57:32 UTC 2024


Hello, Jonathan,

>> Does anyone know the path to this file "modified file
'src/client_side_request.cc" so I can test it with the patches application
if it doesn’t work no big deal I can just restore it to to prior and or use
an older boot environment

You can find it in the squid sources:
tar -tvzf squid-6.10.tar.gz | grep src/client_side_request.cc
-rw-rw-r-- kinkie/kinkie  77063 2024-06-08 16:28
squid-6.10/src/client_side_request.cc

Kind regards,
      Ankor

ср, 10 июл. 2024 г. в 03:31, <jonathanlee571 at gmail.com>:

> I found the older patch from 2017 I cant find the path to
> client_sid_request.cc in the pfsense filesystem
>
> Does anyone know the path to this file "modified file
> 'src/client_side_request.cc" so I can test it with the patches application
> if it doesn’t work no big deal I can just restore it to to prior and or use
> an older boot environment
>
>
>
>
> kick abandoning [connection]" message in cache.log
>
> This patch call quitAfterError() to force Squid to close the connection
> after
> writing a "Host header forgery" error response  instead of just logging a
> [misleading] "kick abandoning [connection]" message in cache.log.
>
> This is a Measurement Factory project
>
> === modified file 'src/client_side_request.cc'
> --- src/client_side_request.cc  2017-02-07 23:11:33 +0000
> +++ src/client_side_request.cc  2017-03-31 08:00:01 +0000
> @@ -564,40 +564,41 @@
>          debugs(85, 3, "SECURITY ALERT: Host header forgery detected on "
> << http->getConn()->clientConnection <<
>                 " (" << A << " does not match " << B << ") on URL: " <<
> http->request->effectiveRequestUri());
>
>          // NP: it is tempting to use 'flags.noCache' but that is all
> about READing cache data.
>          // The problems here are about WRITE for new cache content, which
> means flags.cachable
>          http->request->flags.cachable = false; // MUST NOT cache (for now)
>          // XXX: when we have updated the cache key to base on raw-IP +
> URI this cacheable limit can go.
>          http->request->flags.hierarchical = false; // MUST NOT pass to
> peers (for now)
>          // XXX: when we have sorted out the best way to relay requests
> properly to peers this hierarchical limit can go.
>          http->doCallouts();
>          return;
>      }
>
>      debugs(85, DBG_IMPORTANT, "SECURITY ALERT: Host header forgery
> detected on " <<
>             http->getConn()->clientConnection << " (" << A << " does not
> match " << B << ")");
>      if (const char *ua =
> http->request->header.getStr(Http::HdrType::USER_AGENT))
>          debugs(85, DBG_IMPORTANT, "SECURITY ALERT: By user agent: " <<
> ua);
>      debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " <<
> http->request->effectiveRequestUri());
>
>      // IP address validation for Host: failed. reject the connection.
> +    http->getConn()->quitAfterError(http->request);
>      clientStreamNode *node = (clientStreamNode
> *)http->client_stream.tail->prev->data;
>      clientReplyContext *repContext = dynamic_cast<clientReplyContext
> *>(node->data.getRaw());
>      assert (repContext);
>      repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict,
>                                  http->request->method, NULL,
>                                  http->getConn()->clientConnection->remote,
>                                  http->request,
>                                  NULL,
>  #if USE_AUTH
>                                  http->getConn() != NULL &&
> http->getConn()->getAuth() != NULL ?
>                                  http->getConn()->getAuth() :
> http->request->auth_user_request);
>  #else
>                                  NULL);
>  #endif
>      node = (clientStreamNode *)http->client_stream.tail->data;
>      clientStreamRead(node, http, node->readBuffer);
>  }
>
>  void
>  ClientRequestContext::hostHeaderVerify()
>
>
>
> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com>
> Sent: Monday, July 8, 2024 10:41 AM
> To: squid-users <squid-users at lists.squid-cache.org>
> Cc: Jonathan Lee <jonathanlee571 at gmail.com>
> Subject: Re: [squid-users] Squid 6.6 kick abandoning connections
>
> On 2024-07-08 12:31, Jonathan Lee wrote:
>
> > I can confirm I have no ipv6 our isp is ipv4 only and I have IPv6
> > disabled on the firewall and with layer 2 and 3 traffic
>
> This problem is not specific to any IP family/version.
>
> Alex.
>
>
> >> On Jul 8, 2024, at 09:15, Alex Rousskov <
> rousskov at measurement-factory.com> wrote:
> >>
> >> On 2024-07-05 21:07, Jonathan Lee wrote:
> >>
> >>> I am using Bump with certificates installed on devices does anyone
> know what this error is...
> >>> kick abandoning conn43723 local=192.168.1.1:3128
> >>> remote=192.168.1.5:52129 FD 178 flags=1
> >>
> >>
> >> This "kick abandoning" message marks a Squid problem or bug: Squid
> enters a seemingly impossible state. In some (but probably not all) cases,
> the client connection might become stuck (hopefully until some timeout
> closes it). In some (and possibly all) cases, Squid might immediately close
> the connection and nobody gets hurt. Code reporting this problem does not
> know how we got here and what will happen next.
> >>
> >> There were several incomplete/unfinished attempts to fix this problem,
> including two different patches posted at Bug 3715. I do not know whether
> either of them is safe and applies to Squid v6. Neither is a comprehensive
> solution.
> >> https://bugs.squid-cache.org/show_bug.cgi?id=3715
> >>
> >>
> >>> Does anyone know how to fix my last weird error I have with Squid
> >>> 6.6
> >>
> >> I do not know of a good configuration-based workaround. Squid code
> modifications are required to properly address this problem. Other errors
> may trigger this bug, so addressing those other errors may hide (and reduce
> the pressure to fix) this bug. Besides fixing those other errors (if any --
> I am aware that you have said that there are no other errors left, but
> perhaps you found other problems since then), these basic options apply:
> >>
> >> https://wiki.squid-cache.org/SquidFaq/AboutSquid#how-to-add-a-new-squ
> >> id-feature-enhance-of-fix-something
> >>
> >> Alex.
> >>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20240713/77f64bfa/attachment-0001.htm>


More information about the squid-users mailing list