Thanks Yuri for the URL. The company is a small ISP using policy based routing, so using WPAD or GPO isn't feasible. If the cause of the server running out of file descriptions and giving the "assertion failed: store.cc:1885: "isEmpty()" error, I prefer to inform the enduser to fix his computer. Thanks Monah On Tue, Mar 24, 2015 at 3:24 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Feel free fo look at this: > > http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery > > > 25.03.15 1:18, Monah Baki пишет: >> Running squid 3.5.2 on Centos 6.6 >> >> ./configure --prefix=/home/cache --enable-follow-x-forwarded-for >> --with-large-files --enable-ssl --disable-ipv6 --enable-esi >> --enable-kill-parent-hack --enable-snmp --with-pthreads >> --with-filedescriptors=65535 --enable-cachemgr-hostname=hostname >> --enable-storeio=ufs,aufs,diskd,rock >> >> We have around 50 users. I am seeing hundreds of thousands of the >> following: >> >> >> 2015/03/24 14:57:34.910| SECURITY ALERT: By user agent: >> Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) >> Chrome/20.0.1092.0 Safari/536.6 2015/03/24 14:57:34.910| SECURITY >> ALERT: on URL: www.facebook.com:443 2015/03/24 14:57:34.946| >> SECURITY ALERT: Host header forgery detected on >> local=85.115.52.158:80 remote=196.245.252.34:36732 FD 49 flags=33 >> (local IP does not match any domain IP) >> >> >> Then after 2 hours, I get the message in my cacahe.log: >> >> 2015/03/24 16:41:42.478| SECURITY ALERT: By user agent: >> Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) >> Chrome/20.0.1092.0 Safari/536.6 2015/03/24 16:41:42.478| SECURITY >> ALERT: on URL: www.facebook.com:443 2015/03/24 16:41:42.478| >> WARNING: 1 swapin MD5 mismatches 2015/03/24 16:41:42.478| Could not >> parse headers from on disk object 2015/03/24 16:41:42.478| BUG >> 3279: HTTP reply without Date: 2015/03/24 16:41:42.478| >> StoreEntry->key: 23F0D6046AB8FE86440CAD447524FCBC 2015/03/24 >> 16:41:42.478| StoreEntry->next: 0 2015/03/24 16:41:42.478| >> StoreEntry->mem_obj: 0x1d56470 2015/03/24 16:41:42.478| >> StoreEntry->timestamp: -1 2015/03/24 16:41:42.478| >> StoreEntry->lastref: 1427211702 2015/03/24 16:41:42.478| >> StoreEntry->expires: -1 2015/03/24 16:41:42.478| >> StoreEntry->lastmod: -1 2015/03/24 16:41:42.478| >> StoreEntry->swap_file_sz: 0 2015/03/24 16:41:42.478| >> StoreEntry->refcount: 1 2015/03/24 16:41:42.478| StoreEntry->flags: >> PRIVATE,FWD_HDR_WAIT,VALIDATED 2015/03/24 16:41:42.478| >> StoreEntry->swap_dirn: -1 2015/03/24 16:41:42.478| >> StoreEntry->swap_filen: -1 2015/03/24 16:41:42.478| >> StoreEntry->lock_count: 2 2015/03/24 16:41:42.478| >> StoreEntry->mem_status: 0 2015/03/24 16:41:42.478| >> StoreEntry->ping_status: 2 2015/03/24 16:41:42.478| >> StoreEntry->store_status: 1 2015/03/24 16:41:42.478| >> StoreEntry->swap_status: 0 2015/03/24 16:41:42.747| SECURITY ALERT: >> Host header forgery detected on local=85.115.52.158:80 >> remote=197.255.252.34:44348 FD 20 flags=33 (local IP does not match >> any domain IP) 2015/03/24 16:41:42.747| SECURITY ALERT: By user >> agent: WNetCore/0.1.1.1 2015/03/24 16:41:42.747| SECURITY ALERT: on >> URL: us-mg5.mail.yahoo.com:443 2015/03/24 16:41:42.772| SECURITY >> ALERT: Host header forgery detected on local=85.115.52.158:80 >> remote=197.255.252.34:44349 FD 20 flags=33 (local IP does not match >> any domain IP) 2015/03/24 16:41:42.772| SECURITY ALERT: By user >> agent: WNetCore/0.1.1.1 2015/03/24 16:41:42.772| SECURITY ALERT: on >> URL: csync.flickr.com:443 2015/03/24 16:41:42.800| SECURITY ALERT: >> Host header forgery detected on local=85.115.33.158:80 >> remote=197.255.252.34:13505 FD 20 flags=33 (local IP does not match >> any domain IP) 2015/03/24 16:41:42.800| SECURITY ALERT: By user >> agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like >> Gecko) Chrome/20.0.1092.0 Safari/536.6 2015/03/24 16:41:42.800| >> SECURITY ALERT: on URL: www.facebook.com:443 2015/03/24 >> 16:41:43.115| SECURITY ALERT: Host header forgery detected on >> local=85.115.33.158:80 remote=197.255.252.34:13506 FD 31 flags=33 >> (local IP does not match any domain IP) 2015/03/24 16:41:43.115| >> SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) >> AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 >> Safari/536.6 2015/03/24 16:41:43.115| SECURITY ALERT: on URL: >> www.facebook.com:443 2015/03/24 16:41:43.115| assertion failed: >> store.cc:1885: "isEmpty()" >> >> >> Then I get a message "running out of file descriptors", for that I >> did the following: echo 1024 65535 > >> /proc/sys/net/ipv4/ip_local_port_range echo 8192 > >> /proc/sys/net/ipv4/tcp_max_syn_backlog >> >> In my /etc/security/limits.conf, added the following: * - nofile >> 65535 >> >> >> >> My squid.conf >> >> # # Recommended minimum configuration: # >> >> # Example rule allowing access from your local networks. # Adapt to >> list your (internal) IP networks from where browsing # should be >> allowed acl localnet src 10.0.0.0/8 # RFC1918 possible internal >> network acl localnet src 172.16.0.0/12 # RFC1918 possible >> internal network acl localnet src 192.168.0.0/16 # RFC1918 >> possible internal network acl localnet src fc00::/7 # RFC >> 4193 local private network range acl localnet src fe80::/10 # >> RFC 4291 link-local (directly plugged) machines acl blockeddomain >> dstdomain "/home/cache/etc/blocked.domain.acl" >> >> acl SSL_ports port 443 acl Safe_ports port 80 # http acl >> Safe_ports port 21 # ftp acl Safe_ports port 443 # >> https acl Safe_ports port 70 # gopher acl Safe_ports port >> 210 # wais acl Safe_ports port 1025-65535 # unregistered >> ports acl Safe_ports port 280 # http-mgmt acl Safe_ports >> port 488 # gss-http acl Safe_ports port 591 # >> filemaker acl Safe_ports port 777 # multiling http acl >> CONNECT method CONNECT acl isnsnmp snmp_community public >> >> # # Recommended minimum Access Permission configuration: # # Deny >> requests to certain unsafe ports http_access deny !Safe_ports >> >> # Deny CONNECT to other than secure SSL ports http_access deny >> CONNECT !SSL_ports >> >> # Only allow cachemgr access from localhost http_access allow >> localhost manager http_access deny manager >> >> cachemgr_passwd password all >> >> # We strongly recommend the following be uncommented to protect >> innocent # web applications running on the proxy server who think >> the only # one who can access services on "localhost" is a local >> user #http_access deny to_localhost >> >> # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS >> # >> >> # Example rule allowing access from your local networks. # Adapt >> localnet in the ACL section to list your (internal) IP networks # >> from where browsing should be allowed http_access deny >> blockeddomain http_access allow localnet http_access allow >> localhost snmp_access allow isnsnmp localnet >> >> # And finally deny all other access to this proxy http_access deny >> all # snmp_access deny all >> >> # Squid normally listens to port 3128 http_port 3128 http_port 3129 >> intercept snmp_port 3401 >> >> # Uncomment and adjust the following to add a disk cache >> directory. #cache_dir ufs /usr/local/squid/var/cache/squid 100 16 >> 256 cache_dir aufs /home/cache/var/cache/squid 350000 16 256 >> >> # Leave coredumps in the first cache dir coredump_dir >> /usr/local/squid/var/cache/squid >> >> access_log daemon:/home/cache/var/logs/access.log squid cache_log >> /home/cache/var/logs/cache.log >> >> >> # # Add any of your own refresh_pattern entries above these. # >> refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern >> ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 >> 0% 0 refresh_pattern . 0 20% 4320 >> >> half_closed_clients off # quick_abort_min 0 KB # quick_abort_max 0 >> KB # vary_ignore_expire on # reload_into_ims on # memory_pools off >> cache_mem 9216 MB memory_cache_mode always >> client_persistent_connections off server_persistent_connections >> off visible_hostname isn-phc-cache minimum_object_size 0 KB >> maximum_object_size 96 MB maximum_object_size_in_memory 1 MB >> memory_replacement_policy lru cache_replacement_policy heap LFUDA >> quick_abort_min 1024 KB quick_abort_max 2048 KB quick_abort_pct 90 >> ipcache_size 10240 # ipcache_low 90 # ipcache_high 95 >> cache_swap_low 98 cache_swap_high 100 # fqdncache_size 16384 # >> retry_on_error on # offline_mode off logfile_rotate 10 >> dns_nameservers 8.8.8.8 41.78.211.30 >> >> >> >> >> Was the thousands of thousands of SECURITY ALERT the cause of >> this? >> >> >> Thanks Monah _______________________________________________ >> squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx >> http://lists.squid-cache.org/listinfo/squid-users >> > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2 > > iQEcBAEBCAAGBQJVEbnYAAoJENNXIZxhPexGMQgIAMICUhBRZMOIl96wFRHaUz+U > mFOoHX+dSr5C6hh7mm44ZFq9pWYb8c4EEx+kp5olttpPVFh3cfpl8h8tY73DfWUD > bWojvcQA+NqQ6rIvJcSAwOJ+bWXx3fPTUefGcAOJ+gZho90DyyLxy6vDSMt/0rnV > GkpUCTT7r3w/EKQbavjRpAcnEdm0L/tSv70Tui+SlU4ksVn77yIoLJ6xD183B4U+ > 6Heg/x0sd2sMG6nx3452V7v5eaaQXAO3teby/VOUeRthuaFdJDTDn60j96h5Xc8Y > MSXIbk5qBecRuhVKs6vt2gWC59LYvjNnpSyCv1NyF0PWADi5QPlUVvGxtfUHfHU= > =5wYL > -----END PGP SIGNATURE----- > _______________________________________________ > squid-users mailing list > squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
