I compiled it with --with-filedescriptors=65535, anything else that can help?

Thanks

On Tue, Mar 24, 2015 at 4:07 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
> Running out of filedescriptors is another problem. You probably can
> re-build your squid with higher value of corresponding parameter.
>
> 25.03.15 2:05, Monah Baki wrote:
>> Thanks Yuri for the URL. The company is a small ISP using policy
>> based routing, so using WPAD or GPO isn't feasible.
>>
>> If the cause of the server running out of file descriptions and
>> giving the "assertion failed: store.cc:1885: "isEmpty()" error, I
>> prefer to inform the enduser to fix his computer.
>>
>> Thanks
>> Monah
>>
>> On Tue, Mar 24, 2015 at 3:24 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>> Feel free to look at this:
>>
>> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
>>
>> 25.03.15 1:18, Monah Baki wrote:
>>>>> Running squid 3.5.2 on Centos 6.6
>>>>>
>>>>> ./configure --prefix=/home/cache \
>>>>>   --enable-follow-x-forwarded-for --with-large-files \
>>>>>   --enable-ssl --disable-ipv6 --enable-esi \
>>>>>   --enable-kill-parent-hack --enable-snmp --with-pthreads \
>>>>>   --with-filedescriptors=65535 \
>>>>>   --enable-cachemgr-hostname=hostname \
>>>>>   --enable-storeio=ufs,aufs,diskd,rock
>>>>>
>>>>> We have around 50 users. I am seeing hundreds of thousands of
>>>>> the following:
>>>>>
>>>>> 2015/03/24 14:57:34.910| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>>> 2015/03/24 14:57:34.910| SECURITY ALERT: on URL: www.facebook.com:443
>>>>> 2015/03/24 14:57:34.946| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=196.245.252.34:36732 FD 49 flags=33 (local IP does not match any domain IP)
>>>>>
>>>>> Then after 2 hours, I get the message in my cache.log:
>>>>>
>>>>> 2015/03/24 16:41:42.478| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>>> 2015/03/24 16:41:42.478| SECURITY ALERT: on URL: www.facebook.com:443
>>>>> 2015/03/24 16:41:42.478| WARNING: 1 swapin MD5 mismatches
>>>>> 2015/03/24 16:41:42.478| Could not parse headers from on disk object
>>>>> 2015/03/24 16:41:42.478| BUG 3279: HTTP reply without Date:
>>>>> 2015/03/24 16:41:42.478| StoreEntry->key: 23F0D6046AB8FE86440CAD447524FCBC
>>>>> 2015/03/24 16:41:42.478| StoreEntry->next: 0
>>>>> 2015/03/24 16:41:42.478| StoreEntry->mem_obj: 0x1d56470
>>>>> 2015/03/24 16:41:42.478| StoreEntry->timestamp: -1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->lastref: 1427211702
>>>>> 2015/03/24 16:41:42.478| StoreEntry->expires: -1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->lastmod: -1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_file_sz: 0
>>>>> 2015/03/24 16:41:42.478| StoreEntry->refcount: 1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->flags: PRIVATE,FWD_HDR_WAIT,VALIDATED
>>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_dirn: -1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_filen: -1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->lock_count: 2
>>>>> 2015/03/24 16:41:42.478| StoreEntry->mem_status: 0
>>>>> 2015/03/24 16:41:42.478| StoreEntry->ping_status: 2
>>>>> 2015/03/24 16:41:42.478| StoreEntry->store_status: 1
>>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_status: 0
>>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44348 FD 20 flags=33 (local IP does not match any domain IP)
>>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
>>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: on URL: us-mg5.mail.yahoo.com:443
>>>>> 2015/03/24 16:41:42.772| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44349 FD 20 flags=33 (local IP does not match any domain IP)
>>>>> 2015/03/24 16:41:42.772| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
>>>>> 2015/03/24 16:41:42.772| SECURITY ALERT: on URL: csync.flickr.com:443
>>>>> 2015/03/24 16:41:42.800| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=197.255.252.34:13505 FD 20 flags=33 (local IP does not match any domain IP)
>>>>> 2015/03/24 16:41:42.800| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>>> 2015/03/24 16:41:42.800| SECURITY ALERT: on URL: www.facebook.com:443
>>>>> 2015/03/24 16:41:43.115| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=197.255.252.34:13506 FD 31 flags=33 (local IP does not match any domain IP)
>>>>> 2015/03/24 16:41:43.115| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>>> 2015/03/24 16:41:43.115| SECURITY ALERT: on URL: www.facebook.com:443
>>>>> 2015/03/24 16:41:43.115| assertion failed: store.cc:1885: "isEmpty()"
>>>>>
>>>>> Then I get a message "running out of file descriptors", for
>>>>> that I did the following:
>>>>>
>>>>> echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
>>>>> echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog
>>>>>
>>>>> In my /etc/security/limits.conf, added the following:
>>>>>
>>>>> * - nofile 65535
>>>>>
>>>>> My squid.conf
>>>>>
>>>>> #
>>>>> # Recommended minimum configuration:
>>>>> #
>>>>>
>>>>> # Example rule allowing access from your local networks.
>>>>> # Adapt to list your (internal) IP networks from where browsing
>>>>> # should be allowed
>>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>>> acl localnet src fc00::/7 # RFC 4193 local private network range
>>>>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>>>> acl blockeddomain dstdomain "/home/cache/etc/blocked.domain.acl"
>>>>>
>>>>> acl SSL_ports port 443
>>>>> acl Safe_ports port 80 # http
>>>>> acl Safe_ports port 21 # ftp
>>>>> acl Safe_ports port 443 # https
>>>>> acl Safe_ports port 70 # gopher
>>>>> acl Safe_ports port 210 # wais
>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>> acl Safe_ports port 280 # http-mgmt
>>>>> acl Safe_ports port 488 # gss-http
>>>>> acl Safe_ports port 591 # filemaker
>>>>> acl Safe_ports port 777 # multiling http
>>>>> acl CONNECT method CONNECT
>>>>> acl isnsnmp snmp_community public
>>>>>
>>>>> #
>>>>> # Recommended minimum Access Permission configuration:
>>>>> #
>>>>> # Deny requests to certain unsafe ports
>>>>> http_access deny !Safe_ports
>>>>>
>>>>> # Deny CONNECT to other than secure SSL ports
>>>>> http_access deny CONNECT !SSL_ports
>>>>>
>>>>> # Only allow cachemgr access from localhost
>>>>> http_access allow localhost manager
>>>>> http_access deny manager
>>>>>
>>>>> cachemgr_passwd password all
>>>>>
>>>>> # We strongly recommend the following be uncommented to protect innocent
>>>>> # web applications running on the proxy server who think the only
>>>>> # one who can access services on "localhost" is a local user
>>>>> #http_access deny to_localhost
>>>>>
>>>>> #
>>>>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>>>> #
>>>>>
>>>>> # Example rule allowing access from your local networks.
>>>>> # Adapt localnet in the ACL section to list your (internal) IP networks
>>>>> # from where browsing should be allowed
>>>>> http_access deny blockeddomain
>>>>> http_access allow localnet
>>>>> http_access allow localhost
>>>>> snmp_access allow isnsnmp localnet
>>>>>
>>>>> # And finally deny all other access to this proxy
>>>>> http_access deny all
>>>>> # snmp_access deny all
>>>>>
>>>>> # Squid normally listens to port 3128
>>>>> http_port 3128
>>>>> http_port 3129 intercept
>>>>> snmp_port 3401
>>>>>
>>>>> # Uncomment and adjust the following to add a disk cache directory.
>>>>> #cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
>>>>> cache_dir aufs /home/cache/var/cache/squid 350000 16 256
>>>>>
>>>>> # Leave coredumps in the first cache dir
>>>>> coredump_dir /usr/local/squid/var/cache/squid
>>>>>
>>>>> access_log daemon:/home/cache/var/logs/access.log squid
>>>>> cache_log /home/cache/var/logs/cache.log
>>>>>
>>>>> #
>>>>> # Add any of your own refresh_pattern entries above these.
>>>>> #
>>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>>>> refresh_pattern . 0 20% 4320
>>>>>
>>>>> half_closed_clients off
>>>>> # quick_abort_min 0 KB
>>>>> # quick_abort_max 0 KB
>>>>> # vary_ignore_expire on
>>>>> # reload_into_ims on
>>>>> # memory_pools off
>>>>> cache_mem 9216 MB
>>>>> memory_cache_mode always
>>>>> client_persistent_connections off
>>>>> server_persistent_connections off
>>>>> visible_hostname isn-phc-cache
>>>>> minimum_object_size 0 KB
>>>>> maximum_object_size 96 MB
>>>>> maximum_object_size_in_memory 1 MB
>>>>> memory_replacement_policy lru
>>>>> cache_replacement_policy heap LFUDA
>>>>> quick_abort_min 1024 KB
>>>>> quick_abort_max 2048 KB
>>>>> quick_abort_pct 90
>>>>> ipcache_size 10240
>>>>> # ipcache_low 90
>>>>> # ipcache_high 95
>>>>> cache_swap_low 98
>>>>> cache_swap_high 100
>>>>> # fqdncache_size 16384
>>>>> # retry_on_error on
>>>>> # offline_mode off
>>>>> logfile_rotate 10
>>>>> dns_nameservers 8.8.8.8 41.78.211.30
>>>>>
>>>>> Was the thousands of thousands of SECURITY ALERT the cause
>>>>> of this?
>>>>>
>>>>> Thanks
>>>>> Monah

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
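
Added example, not part of the original thread: a Python script that groups the three-line "Host header forgery" alerts from cache.log per client address, so an operator can see which machines produce them and for which destinations. The sample lines are constructed in the shape quoted above with documentation addresses, and `summarize` and `noisiest` are names chosen for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the cache.log shape quoted in the thread (documentation
# addresses, not the poster's). It opens mid-alert, like the first excerpt.
SAMPLE_LOG = """\
2015/03/24 16:41:42.478| SECURITY ALERT: By user agent: ExampleAgent/1.0
2015/03/24 16:41:42.478| SECURITY ALERT: on URL: www.example.com:443
2015/03/24 16:41:42.478| WARNING: 1 swapin MD5 mismatches
2015/03/24 16:41:42.747| SECURITY ALERT: Host header forgery detected on local=192.0.2.10:80 remote=198.51.100.34:44348 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.747| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
2015/03/24 16:41:42.747| SECURITY ALERT: on URL: mail.example.net:443
2015/03/24 16:41:42.772| SECURITY ALERT: Host header forgery detected on local=192.0.2.10:80 remote=198.51.100.34:44349 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.772| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
2015/03/24 16:41:42.772| SECURITY ALERT: on URL: www.example.com:443
2015/03/24 16:41:42.800| SECURITY ALERT: Host header forgery detected on local=192.0.2.10:80 remote=203.0.113.7:13505 FD 31 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.800| SECURITY ALERT: By user agent: ExampleAgent/1.0
2015/03/24 16:41:42.800| SECURITY ALERT: on URL: www.example.com:443
"""

DETECT = re.compile(r"SECURITY ALERT: Host header forgery detected on "
                    r"local=\S+ remote=(\S+):\d+ ")
AGENT = re.compile(r"SECURITY ALERT: By user agent: (.*)")
URL = re.compile(r"SECURITY ALERT: on URL: (\S+)")

def summarize(lines):
    """Tally alerts, URLs and user agents per client (remote) address."""
    clients = defaultdict(lambda: {"alerts": 0, "urls": Counter(), "agents": set()})
    current = None  # record of the client whose alert is being assembled
    for line in lines:
        if m := DETECT.search(line):
            current = clients[m.group(1)]
            current["alerts"] += 1
        elif current is None:
            continue  # agent/URL lines whose detection line is missing
        elif m := AGENT.search(line):
            current["agents"].add(m.group(1).strip())
        elif m := URL.search(line):
            current["urls"][m.group(1)] += 1
            current = None  # the URL line closes the alert
    return dict(clients)

def noisiest(clients, n=5):
    """Client addresses ordered by alert count, highest first."""
    ranked = sorted(clients.items(), key=lambda kv: (-kv[1]["alerts"], kv[0]))
    return [(ip, info["alerts"]) for ip, info in ranked[:n]]

if __name__ == "__main__":
    print(noisiest(summarize(SAMPLE_LOG.splitlines())))
```

On a real log, pass the open cache.log file object to `summarize` instead of the sample.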