-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Running out of filedescriptors is another problem. You probably can re-build your squid with higher value of corresponding parameter. 25.03.15 2:05, Monah Baki пишет: > Thanks Yuri for the URL. The company is a small ISP using policy > based routing, so using WPAD or GPO isn't feasible. > > If the cause of the server running out of file descriptions and > giving the "assertion failed: store.cc:1885: "isEmpty()" error, I > prefer to inform the enduser to fix his computer. > > Thanks Monah > > > On Tue, Mar 24, 2015 at 3:24 PM, Yuri Voinov <yvoinov@xxxxxxxxx> > wrote: Feel free fo look at this: > > http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery > > > 25.03.15 1:18, Monah Baki пишет: >>>> Running squid 3.5.2 on Centos 6.6 >>>> >>>> ./configure --prefix=/home/cache >>>> --enable-follow-x-forwarded-for --with-large-files >>>> --enable-ssl --disable-ipv6 --enable-esi >>>> --enable-kill-parent-hack --enable-snmp --with-pthreads >>>> --with-filedescriptors=65535 >>>> --enable-cachemgr-hostname=hostname >>>> --enable-storeio=ufs,aufs,diskd,rock >>>> >>>> We have around 50 users. I am seeing hundreds of thousands of >>>> the following: >>>> >>>> >>>> 2015/03/24 14:57:34.910| SECURITY ALERT: By user agent: >>>> Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like >>>> Gecko) Chrome/20.0.1092.0 Safari/536.6 2015/03/24 >>>> 14:57:34.910| SECURITY ALERT: on URL: www.facebook.com:443 >>>> 2015/03/24 14:57:34.946| SECURITY ALERT: Host header forgery >>>> detected on local=85.115.52.158:80 >>>> remote=196.245.252.34:36732 FD 49 flags=33 (local IP does not >>>> match any domain IP) >>>> >>>> >>>> Then after 2 hours, I get the message in my cacahe.log: >>>> >>>> 2015/03/24 16:41:42.478| SECURITY ALERT: By user agent: >>>> Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like >>>> Gecko) Chrome/20.0.1092.0 Safari/536.6 2015/03/24 >>>> 16:41:42.478| SECURITY ALERT: on URL: www.facebook.com:443 >>>> 2015/03/24 16:41:42.478| WARNING: 1 swapin MD5 mismatches >>>> 2015/03/24 16:41:42.478| Could not parse headers from on disk >>>> object 2015/03/24 16:41:42.478| BUG 3279: HTTP reply without >>>> Date: 2015/03/24 16:41:42.478| StoreEntry->key: >>>> 23F0D6046AB8FE86440CAD447524FCBC 2015/03/24 16:41:42.478| >>>> StoreEntry->next: 0 2015/03/24 16:41:42.478| >>>> StoreEntry->mem_obj: 0x1d56470 2015/03/24 16:41:42.478| >>>> StoreEntry->timestamp: -1 2015/03/24 16:41:42.478| >>>> StoreEntry->lastref: 1427211702 2015/03/24 16:41:42.478| >>>> StoreEntry->expires: -1 2015/03/24 16:41:42.478| >>>> StoreEntry->lastmod: -1 2015/03/24 16:41:42.478| >>>> StoreEntry->swap_file_sz: 0 2015/03/24 16:41:42.478| >>>> StoreEntry->refcount: 1 2015/03/24 16:41:42.478| >>>> StoreEntry->flags: PRIVATE,FWD_HDR_WAIT,VALIDATED 2015/03/24 >>>> 16:41:42.478| StoreEntry->swap_dirn: -1 2015/03/24 >>>> 16:41:42.478| StoreEntry->swap_filen: -1 2015/03/24 >>>> 16:41:42.478| StoreEntry->lock_count: 2 2015/03/24 >>>> 16:41:42.478| StoreEntry->mem_status: 0 2015/03/24 >>>> 16:41:42.478| StoreEntry->ping_status: 2 2015/03/24 >>>> 16:41:42.478| StoreEntry->store_status: 1 2015/03/24 >>>> 16:41:42.478| StoreEntry->swap_status: 0 2015/03/24 >>>> 16:41:42.747| SECURITY ALERT: Host header forgery detected on >>>> local=85.115.52.158:80 remote=197.255.252.34:44348 FD 20 >>>> flags=33 (local IP does not match any domain IP) 2015/03/24 >>>> 16:41:42.747| SECURITY ALERT: By user agent: WNetCore/0.1.1.1 >>>> 2015/03/24 16:41:42.747| SECURITY ALERT: on URL: >>>> us-mg5.mail.yahoo.com:443 2015/03/24 16:41:42.772| SECURITY >>>> ALERT: Host header forgery detected on >>>> local=85.115.52.158:80 remote=197.255.252.34:44349 FD 20 >>>> flags=33 (local IP does not match any domain IP) 2015/03/24 >>>> 16:41:42.772| SECURITY ALERT: By user agent: WNetCore/0.1.1.1 >>>> 2015/03/24 16:41:42.772| SECURITY ALERT: on URL: >>>> csync.flickr.com:443 2015/03/24 16:41:42.800| SECURITY >>>> ALERT: Host header forgery detected on >>>> local=85.115.33.158:80 remote=197.255.252.34:13505 FD 20 >>>> flags=33 (local IP does not match any domain IP) 2015/03/24 >>>> 16:41:42.800| SECURITY ALERT: By user agent: Mozilla/5.0 >>>> (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) >>>> Chrome/20.0.1092.0 Safari/536.6 2015/03/24 16:41:42.800| >>>> SECURITY ALERT: on URL: www.facebook.com:443 2015/03/24 >>>> 16:41:43.115| SECURITY ALERT: Host header forgery detected >>>> on local=85.115.33.158:80 remote=197.255.252.34:13506 FD 31 >>>> flags=33 (local IP does not match any domain IP) 2015/03/24 >>>> 16:41:43.115| SECURITY ALERT: By user agent: Mozilla/5.0 >>>> (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) >>>> Chrome/20.0.1092.0 Safari/536.6 2015/03/24 16:41:43.115| >>>> SECURITY ALERT: on URL: www.facebook.com:443 2015/03/24 >>>> 16:41:43.115| assertion failed: store.cc:1885: "isEmpty()" >>>> >>>> >>>> Then I get a message "running out of file descriptors", for >>>> that I did the following: echo 1024 65535 > >>>> /proc/sys/net/ipv4/ip_local_port_range echo 8192 > >>>> /proc/sys/net/ipv4/tcp_max_syn_backlog >>>> >>>> In my /etc/security/limits.conf, added the following: * - >>>> nofile 65535 >>>> >>>> >>>> >>>> My squid.conf >>>> >>>> # # Recommended minimum configuration: # >>>> >>>> # Example rule allowing access from your local networks. # >>>> Adapt to list your (internal) IP networks from where browsing >>>> # should be allowed acl localnet src 10.0.0.0/8 # RFC1918 >>>> possible internal network acl localnet src 172.16.0.0/12 # >>>> RFC1918 possible internal network acl localnet src >>>> 192.168.0.0/16 # RFC1918 possible internal network acl >>>> localnet src fc00::/7 # RFC 4193 local private network >>>> range acl localnet src fe80::/10 # RFC 4291 link-local >>>> (directly plugged) machines acl blockeddomain dstdomain >>>> "/home/cache/etc/blocked.domain.acl" >>>> >>>> acl SSL_ports port 443 acl Safe_ports port 80 # http >>>> acl Safe_ports port 21 # ftp acl Safe_ports port 443 >>>> # https acl Safe_ports port 70 # gopher acl Safe_ports >>>> port 210 # wais acl Safe_ports port 1025-65535 # >>>> unregistered ports acl Safe_ports port 280 # http-mgmt >>>> acl Safe_ports port 488 # gss-http acl Safe_ports port >>>> 591 # filemaker acl Safe_ports port 777 # >>>> multiling http acl CONNECT method CONNECT acl isnsnmp >>>> snmp_community public >>>> >>>> # # Recommended minimum Access Permission configuration: # # >>>> Deny requests to certain unsafe ports http_access deny >>>> !Safe_ports >>>> >>>> # Deny CONNECT to other than secure SSL ports http_access >>>> deny CONNECT !SSL_ports >>>> >>>> # Only allow cachemgr access from localhost http_access >>>> allow localhost manager http_access deny manager >>>> >>>> cachemgr_passwd password all >>>> >>>> # We strongly recommend the following be uncommented to >>>> protect innocent # web applications running on the proxy >>>> server who think the only # one who can access services on >>>> "localhost" is a local user #http_access deny to_localhost >>>> >>>> # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR >>>> CLIENTS # >>>> >>>> # Example rule allowing access from your local networks. # >>>> Adapt localnet in the ACL section to list your (internal) IP >>>> networks # from where browsing should be allowed http_access >>>> deny blockeddomain http_access allow localnet http_access >>>> allow localhost snmp_access allow isnsnmp localnet >>>> >>>> # And finally deny all other access to this proxy http_access >>>> deny all # snmp_access deny all >>>> >>>> # Squid normally listens to port 3128 http_port 3128 >>>> http_port 3129 intercept snmp_port 3401 >>>> >>>> # Uncomment and adjust the following to add a disk cache >>>> directory. #cache_dir ufs /usr/local/squid/var/cache/squid >>>> 100 16 256 cache_dir aufs /home/cache/var/cache/squid 350000 >>>> 16 256 >>>> >>>> # Leave coredumps in the first cache dir coredump_dir >>>> /usr/local/squid/var/cache/squid >>>> >>>> access_log daemon:/home/cache/var/logs/access.log squid >>>> cache_log /home/cache/var/logs/cache.log >>>> >>>> >>>> # # Add any of your own refresh_pattern entries above these. >>>> # refresh_pattern ^ftp: 1440 20% 10080 >>>> refresh_pattern ^gopher: 1440 0% 1440 >>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . >>>> 0 20% 4320 >>>> >>>> half_closed_clients off # quick_abort_min 0 KB # >>>> quick_abort_max 0 KB # vary_ignore_expire on # >>>> reload_into_ims on # memory_pools off cache_mem 9216 MB >>>> memory_cache_mode always client_persistent_connections off >>>> server_persistent_connections off visible_hostname >>>> isn-phc-cache minimum_object_size 0 KB maximum_object_size 96 >>>> MB maximum_object_size_in_memory 1 MB >>>> memory_replacement_policy lru cache_replacement_policy heap >>>> LFUDA quick_abort_min 1024 KB quick_abort_max 2048 KB >>>> quick_abort_pct 90 ipcache_size 10240 # ipcache_low 90 # >>>> ipcache_high 95 cache_swap_low 98 cache_swap_high 100 # >>>> fqdncache_size 16384 # retry_on_error on # offline_mode off >>>> logfile_rotate 10 dns_nameservers 8.8.8.8 41.78.211.30 >>>> >>>> >>>> >>>> >>>> Was the thousands of thousands of SECURITY ALERT the cause >>>> of this? >>>> >>>> >>>> Thanks Monah _______________________________________________ >>>> squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx >>>> http://lists.squid-cache.org/listinfo/squid-users >>>> >> _______________________________________________ squid-users >> mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx >> http://lists.squid-cache.org/listinfo/squid-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJVEcQRAAoJENNXIZxhPexGL2QIAJrNvdh/tvGcDjgUXl2nFC+B 4NfZgnx75nBf8DXOtZuRDPqZl6xdAySxMt1JVPz1GWh0j1+zK5RV40qHXcB73iVd UIYXZV/HJxYpXIFkjjp6Cs1BcMI9hVGgDVQD/aEiy58FXGeXidI7yP65Xf4KO2XC vNi/E5ceuJS2HxaEPn92QIvFMGHKB3b+xCACpAk9pWkUKM4UpHOaXgYrpoIWyLx+ +vimU0plLs9SBNaG6DQrq52A0sPO0LlsXHszuQ/DlT/vPJJYMks/Z7Qe2PuHgHOl g61sspOAPpaSUZx6dhRuc9g8tclZ8TrxeFgXKl0pETKqYfVMBPlNRVTJn3Kgrrk= =mERF -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
