-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 This can be insufficient. 25.03.15 2:09, Monah Baki пишет: > I compiled it with --with-filedescriptors=65535, anything else that > can help? > > Thanks > > On Tue, Mar 24, 2015 at 4:07 PM, Yuri Voinov <yvoinov@xxxxxxxxx> > wrote: Running out of filedescriptors is another problem. You > probably can re-build your squid with higher value of corresponding > parameter. > > > 25.03.15 2:05, Monah Baki пишет: >>>> Thanks Yuri for the URL. The company is a small ISP using >>>> policy based routing, so using WPAD or GPO isn't feasible. >>>> >>>> If the cause of the server running out of file descriptions >>>> and giving the "assertion failed: store.cc:1885: "isEmpty()" >>>> error, I prefer to inform the enduser to fix his computer. >>>> >>>> Thanks Monah >>>> >>>> >>>> On Tue, Mar 24, 2015 at 3:24 PM, Yuri Voinov >>>> <yvoinov@xxxxxxxxx> wrote: Feel free fo look at this: >>>> >>>> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery >>>> >>>> >>>> 25.03.15 1:18, Monah Baki пишет: >>>>>>> Running squid 3.5.2 on Centos 6.6 >>>>>>> >>>>>>> ./configure --prefix=/home/cache >>>>>>> --enable-follow-x-forwarded-for --with-large-files >>>>>>> --enable-ssl --disable-ipv6 --enable-esi >>>>>>> --enable-kill-parent-hack --enable-snmp >>>>>>> --with-pthreads --with-filedescriptors=65535 >>>>>>> --enable-cachemgr-hostname=hostname >>>>>>> --enable-storeio=ufs,aufs,diskd,rock >>>>>>> >>>>>>> We have around 50 users. I am seeing hundreds of >>>>>>> thousands of the following: >>>>>>> >>>>>>> >>>>>>> 2015/03/24 14:57:34.910| SECURITY ALERT: By user >>>>>>> agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 >>>>>>> (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6 >>>>>>> 2015/03/24 14:57:34.910| SECURITY ALERT: on URL: >>>>>>> www.facebook.com:443 2015/03/24 14:57:34.946| SECURITY >>>>>>> ALERT: Host header forgery detected on >>>>>>> local=85.115.52.158:80 remote=196.245.252.34:36732 FD >>>>>>> 49 flags=33 (local IP does not match any domain IP) >>>>>>> >>>>>>> >>>>>>> Then after 2 hours, I get the message in my >>>>>>> cacahe.log: >>>>>>> >>>>>>> 2015/03/24 16:41:42.478| SECURITY ALERT: By user >>>>>>> agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 >>>>>>> (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6 >>>>>>> 2015/03/24 16:41:42.478| SECURITY ALERT: on URL: >>>>>>> www.facebook.com:443 2015/03/24 16:41:42.478| WARNING: >>>>>>> 1 swapin MD5 mismatches 2015/03/24 16:41:42.478| Could >>>>>>> not parse headers from on disk object 2015/03/24 >>>>>>> 16:41:42.478| BUG 3279: HTTP reply without Date: >>>>>>> 2015/03/24 16:41:42.478| StoreEntry->key: >>>>>>> 23F0D6046AB8FE86440CAD447524FCBC 2015/03/24 >>>>>>> 16:41:42.478| StoreEntry->next: 0 2015/03/24 >>>>>>> 16:41:42.478| StoreEntry->mem_obj: 0x1d56470 2015/03/24 >>>>>>> 16:41:42.478| StoreEntry->timestamp: -1 2015/03/24 >>>>>>> 16:41:42.478| StoreEntry->lastref: 1427211702 >>>>>>> 2015/03/24 16:41:42.478| StoreEntry->expires: -1 >>>>>>> 2015/03/24 16:41:42.478| StoreEntry->lastmod: -1 >>>>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_file_sz: 0 >>>>>>> 2015/03/24 16:41:42.478| StoreEntry->refcount: 1 >>>>>>> 2015/03/24 16:41:42.478| StoreEntry->flags: >>>>>>> PRIVATE,FWD_HDR_WAIT,VALIDATED 2015/03/24 16:41:42.478| >>>>>>> StoreEntry->swap_dirn: -1 2015/03/24 16:41:42.478| >>>>>>> StoreEntry->swap_filen: -1 2015/03/24 16:41:42.478| >>>>>>> StoreEntry->lock_count: 2 2015/03/24 16:41:42.478| >>>>>>> StoreEntry->mem_status: 0 2015/03/24 16:41:42.478| >>>>>>> StoreEntry->ping_status: 2 2015/03/24 16:41:42.478| >>>>>>> StoreEntry->store_status: 1 2015/03/24 16:41:42.478| >>>>>>> StoreEntry->swap_status: 0 2015/03/24 16:41:42.747| >>>>>>> SECURITY ALERT: Host header forgery detected on >>>>>>> local=85.115.52.158:80 remote=197.255.252.34:44348 FD >>>>>>> 20 flags=33 (local IP does not match any domain IP) >>>>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: By user agent: >>>>>>> WNetCore/0.1.1.1 2015/03/24 16:41:42.747| SECURITY >>>>>>> ALERT: on URL: us-mg5.mail.yahoo.com:443 2015/03/24 >>>>>>> 16:41:42.772| SECURITY ALERT: Host header forgery >>>>>>> detected on local=85.115.52.158:80 >>>>>>> remote=197.255.252.34:44349 FD 20 flags=33 (local IP >>>>>>> does not match any domain IP) 2015/03/24 16:41:42.772| >>>>>>> SECURITY ALERT: By user agent: WNetCore/0.1.1.1 >>>>>>> 2015/03/24 16:41:42.772| SECURITY ALERT: on URL: >>>>>>> csync.flickr.com:443 2015/03/24 16:41:42.800| SECURITY >>>>>>> ALERT: Host header forgery detected on >>>>>>> local=85.115.33.158:80 remote=197.255.252.34:13505 FD >>>>>>> 20 flags=33 (local IP does not match any domain IP) >>>>>>> 2015/03/24 16:41:42.800| SECURITY ALERT: By user agent: >>>>>>> Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, >>>>>>> like Gecko) Chrome/20.0.1092.0 Safari/536.6 2015/03/24 >>>>>>> 16:41:42.800| SECURITY ALERT: on URL: >>>>>>> www.facebook.com:443 2015/03/24 16:41:43.115| SECURITY >>>>>>> ALERT: Host header forgery detected on >>>>>>> local=85.115.33.158:80 remote=197.255.252.34:13506 FD >>>>>>> 31 flags=33 (local IP does not match any domain IP) >>>>>>> 2015/03/24 16:41:43.115| SECURITY ALERT: By user agent: >>>>>>> Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, >>>>>>> like Gecko) Chrome/20.0.1092.0 Safari/536.6 2015/03/24 >>>>>>> 16:41:43.115| SECURITY ALERT: on URL: >>>>>>> www.facebook.com:443 2015/03/24 16:41:43.115| assertion >>>>>>> failed: store.cc:1885: "isEmpty()" >>>>>>> >>>>>>> >>>>>>> Then I get a message "running out of file descriptors", >>>>>>> for that I did the following: echo 1024 65535 > >>>>>>> /proc/sys/net/ipv4/ip_local_port_range echo 8192 > >>>>>>> /proc/sys/net/ipv4/tcp_max_syn_backlog >>>>>>> >>>>>>> In my /etc/security/limits.conf, added the following: * >>>>>>> - nofile 65535 >>>>>>> >>>>>>> >>>>>>> >>>>>>> My squid.conf >>>>>>> >>>>>>> # # Recommended minimum configuration: # >>>>>>> >>>>>>> # Example rule allowing access from your local >>>>>>> networks. # Adapt to list your (internal) IP networks >>>>>>> from where browsing # should be allowed acl localnet >>>>>>> src 10.0.0.0/8 # RFC1918 possible internal network >>>>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible >>>>>>> internal network acl localnet src 192.168.0.0/16 # >>>>>>> RFC1918 possible internal network acl localnet src >>>>>>> fc00::/7 # RFC 4193 local private network range >>>>>>> acl localnet src fe80::/10 # RFC 4291 link-local >>>>>>> (directly plugged) machines acl blockeddomain >>>>>>> dstdomain "/home/cache/etc/blocked.domain.acl" >>>>>>> >>>>>>> acl SSL_ports port 443 acl Safe_ports port 80 # >>>>>>> http acl Safe_ports port 21 # ftp acl Safe_ports >>>>>>> port 443 # https acl Safe_ports port 70 # gopher >>>>>>> acl Safe_ports port 210 # wais acl Safe_ports >>>>>>> port 1025-65535 # unregistered ports acl Safe_ports >>>>>>> port 280 # http-mgmt acl Safe_ports port 488 >>>>>>> # gss-http acl Safe_ports port 591 # filemaker >>>>>>> acl Safe_ports port 777 # multiling http acl >>>>>>> CONNECT method CONNECT acl isnsnmp snmp_community >>>>>>> public >>>>>>> >>>>>>> # # Recommended minimum Access Permission >>>>>>> configuration: # # Deny requests to certain unsafe >>>>>>> ports http_access deny !Safe_ports >>>>>>> >>>>>>> # Deny CONNECT to other than secure SSL ports >>>>>>> http_access deny CONNECT !SSL_ports >>>>>>> >>>>>>> # Only allow cachemgr access from localhost >>>>>>> http_access allow localhost manager http_access deny >>>>>>> manager >>>>>>> >>>>>>> cachemgr_passwd password all >>>>>>> >>>>>>> # We strongly recommend the following be uncommented >>>>>>> to protect innocent # web applications running on the >>>>>>> proxy server who think the only # one who can access >>>>>>> services on "localhost" is a local user #http_access >>>>>>> deny to_localhost >>>>>>> >>>>>>> # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM >>>>>>> YOUR CLIENTS # >>>>>>> >>>>>>> # Example rule allowing access from your local >>>>>>> networks. # Adapt localnet in the ACL section to list >>>>>>> your (internal) IP networks # from where browsing >>>>>>> should be allowed http_access deny blockeddomain >>>>>>> http_access allow localnet http_access allow localhost >>>>>>> snmp_access allow isnsnmp localnet >>>>>>> >>>>>>> # And finally deny all other access to this proxy >>>>>>> http_access deny all # snmp_access deny all >>>>>>> >>>>>>> # Squid normally listens to port 3128 http_port 3128 >>>>>>> http_port 3129 intercept snmp_port 3401 >>>>>>> >>>>>>> # Uncomment and adjust the following to add a disk >>>>>>> cache directory. #cache_dir ufs >>>>>>> /usr/local/squid/var/cache/squid 100 16 256 cache_dir >>>>>>> aufs /home/cache/var/cache/squid 350000 16 256 >>>>>>> >>>>>>> # Leave coredumps in the first cache dir coredump_dir >>>>>>> /usr/local/squid/var/cache/squid >>>>>>> >>>>>>> access_log daemon:/home/cache/var/logs/access.log >>>>>>> squid cache_log /home/cache/var/logs/cache.log >>>>>>> >>>>>>> >>>>>>> # # Add any of your own refresh_pattern entries above >>>>>>> these. # refresh_pattern ^ftp: 1440 20% >>>>>>> 10080 refresh_pattern ^gopher: 1440 0% 1440 >>>>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 >>>>>>> refresh_pattern . 0 20% 4320 >>>>>>> >>>>>>> half_closed_clients off # quick_abort_min 0 KB # >>>>>>> quick_abort_max 0 KB # vary_ignore_expire on # >>>>>>> reload_into_ims on # memory_pools off cache_mem 9216 >>>>>>> MB memory_cache_mode always >>>>>>> client_persistent_connections off >>>>>>> server_persistent_connections off visible_hostname >>>>>>> isn-phc-cache minimum_object_size 0 KB >>>>>>> maximum_object_size 96 MB maximum_object_size_in_memory >>>>>>> 1 MB memory_replacement_policy lru >>>>>>> cache_replacement_policy heap LFUDA quick_abort_min >>>>>>> 1024 KB quick_abort_max 2048 KB quick_abort_pct 90 >>>>>>> ipcache_size 10240 # ipcache_low 90 # ipcache_high 95 >>>>>>> cache_swap_low 98 cache_swap_high 100 # fqdncache_size >>>>>>> 16384 # retry_on_error on # offline_mode off >>>>>>> logfile_rotate 10 dns_nameservers 8.8.8.8 41.78.211.30 >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Was the thousands of thousands of SECURITY ALERT the >>>>>>> cause of this? >>>>>>> >>>>>>> >>>>>>> Thanks Monah >>>>>>> _______________________________________________ >>>>>>> squid-users mailing list >>>>>>> squid-users@xxxxxxxxxxxxxxxxxxxxx >>>>>>> http://lists.squid-cache.org/listinfo/squid-users >>>>>>> >>>>> _______________________________________________ >>>>> squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx >>>>> http://lists.squid-cache.org/listinfo/squid-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJVEcS5AAoJENNXIZxhPexGOvsH/jIec++e3SnyfPy0nD6VOE/t SJS7Vx2N/O+2eL3kTcU2PqDMLwWtOEmtiG+eh1O4+BD7t2PbhO+RQ+nbO2lw7DfW JoM23L060gOGf0P1xmvGFnkTHDYhg7yre5OwX90etUC4iaRac9IHGXTWrmv1VyVd Ce9hHXScpStML0A338HFot8+yInF1vutoqEmZpO4FYwC25ylbsSgTc4EX6hk/IEE +mw4v+a7FqidaED8lzOYGjvR0uGmrkBAHgrNdnrBmQ/5ojolr1SqBQ7Ug/Q37Duh MKoRhqji+Z7i3AHVtTMN/UsktOH4/0BIai+iFDuwPd3ifOybNLNk4Z4n0RZ46Ys= =PNUx -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
