Squid 4.4 + SSL bump: Squid is crashing completely opening https://www.drcleaner.com/de/dr-cleaner/


Schroeffu
Hi all,

My Squid 4.4 with SSL bump is crashing while trying to open this website: https://www.drcleaner.com/de/dr-cleaner/
So, after trying to open this site with SSL bump enabled, no Squid process is running anymore. Just. Dead.

What can I do to debug this properly, so that I can properly report an issue?

SSL bump config:

http_port proxy02bs:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/xx.pem key=/etc/squid/certs/xx.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
always_direct allow all
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all !domains_dont_sslbump


Last words before it died:

Dec 4 16:47:19 proxy02bs squid[1001]: assertion failed: http.cc:1530: "!Comm::MonitorsRead(serverConnection->fd)"
Dec 4 16:47:19 proxy02bs squid[604]: Squid Parent: squid-1 process 1001 exited due to signal 6 with status 0
Dec 4 16:47:19 proxy02bs squid[604]: Squid Parent: squid-1 process 1001 will not be restarted for 3600 seconds due to repeated, frequent failures
Dec 4 16:47:19 proxy02bs squid[604]: Exiting due to repeated, frequent failures
Dec 4 16:47:19 proxy02bs squid[604]: Removing PID file (/var/run/squid.pid)
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Main process exited, code=exited, status=1/FAILURE
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 666 (pinger) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 786 (pinger) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 855 (pinger) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 923 (pinger) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 995 (pinger) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 1004 (security_file_c) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 1007 (ufdbgclient) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 1008 (ufdbgclient) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 1065 (pinger) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Failed with result 'exit-code'.


Full syslog: https://pastebin.com/i9itZcZa
Full access.log: https://pastebin.com/Vc0A5sSG
Full cache.log: https://pastebin.com/xdi3RHqs

Thanks for any help in advance
Schroeffu

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
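
Added example (not part of the thread and not Squid project code): a small Python parser that correlates the worker's assertion line with the parent's exit and hold-off messages from the syslog excerpt above, so a monitor can tell a single worker crash from the parent giving up and leaving the proxy offline. The function name, field names and return shape are assumptions of this example.

```python
import re

# Lines copied from the syslog excerpt in the post above.
SAMPLE = [
    'Dec 4 16:47:19 proxy02bs squid[1001]: assertion failed: http.cc:1530: "!Comm::MonitorsRead(serverConnection->fd)"',
    'Dec 4 16:47:19 proxy02bs squid[604]: Squid Parent: squid-1 process 1001 exited due to signal 6 with status 0',
    'Dec 4 16:47:19 proxy02bs squid[604]: Squid Parent: squid-1 process 1001 will not be restarted for 3600 seconds due to repeated, frequent failures',
    'Dec 4 16:47:19 proxy02bs squid[604]: Exiting due to repeated, frequent failures',
]

PREFIX = re.compile(r'^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\ssquid\[(\d+)\]:\s(.*)$')
ASSERTION = re.compile(r'assertion failed: ([^:]+):(\d+): "(.*)"$')
EXITED = re.compile(r'Squid Parent: \S+ process (\d+) exited due to signal (\d+)')
HOLDOFF = re.compile(r'Squid Parent: \S+ process (\d+) will not be restarted for (\d+) seconds')
GAVE_UP = 'Exiting due to repeated, frequent failures'


def find_squid_crashes(lines):
    """Correlate worker ("kid") crashes with what the Squid parent did next."""
    kids = {}        # (host, kid pid) -> crash record, in order of appearance
    down_hosts = []  # hosts where the parent itself exited: proxy is offline

    def record(host, pid, ts):
        return kids.setdefault((host, pid), {
            'time': ts, 'host': host, 'pid': pid,
            'assertion': None, 'signal': None, 'holdoff_s': None})

    for raw in lines:
        m = PREFIX.match(raw)
        if not m:
            continue  # not logged by squid (systemd, helpers, ...)
        ts, host, pid, msg = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if (a := ASSERTION.match(msg)):
            # Logged by the crashing kid itself, so the syslog pid is the kid.
            record(host, pid, ts)['assertion'] = (a.group(1), int(a.group(2)), a.group(3))
        elif (e := EXITED.match(msg)):
            # Logged by the parent; a kid can also die without an assertion.
            record(host, int(e.group(1)), ts)['signal'] = int(e.group(2))
        elif (h := HOLDOFF.match(msg)):
            record(host, int(h.group(1)), ts)['holdoff_s'] = int(h.group(2))
        elif msg.startswith(GAVE_UP) and host not in down_hosts:
            down_hosts.append(host)
    return list(kids.values()), down_hosts


if __name__ == '__main__':
    crashes, down = find_squid_crashes(SAMPLE)
    for crash in crashes:
        print(crash)
    print('proxy offline on:', down)
```

The assertion tuple (file, line, expression) is the part worth quoting when searching the bug tracker or filing a report; a non-empty second return value means the parent exited and the proxy is no longer serving traffic.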

Re: Squid 4.4 + SSL bump: Squid is crashing completely opening https://www.drcleaner.com/de/dr-cleaner/

ziprasidone146939277

Hi,

Works “well” on my squid v 4.4 (patched) - debian 9.

Although the site does not load well, squid does not die:

(…)

TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/jquery-2.0.0.min.js - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/403 684 GET https://s3-us-west-2.amazonaws.com/trustedsite-public/host/drcleaner.com/client.js - ORIGINAL_DST/52.218.200.72 application/xml
TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/css/index.css - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/css/bootstrap.min.css - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/jquery-2.0.0.min.js - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/jquery.screw.js - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/bg_pro.js - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/mobile.js - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/wp-content/plugins/contact-form-7/includes/js/scripts.js? - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/wp-includes/js/comment-reply.min.js? - ORIGINAL_DST/99.84.27.102 text/html

And over..

Please, see https://bugs.squid-cache.org/show_bug.cgi?id=4896

If your case is similar, there is a patch as a workaround.

HTH

From: squid-users <[hidden email]> On behalf of [hidden email]
Sent: Tuesday, 4 December 2018 13:11
To: [hidden email]
Subject: [squid-users] Squid 4.4 + SSL bump: Squid is crashing completely opening https://www.drcleaner.com/de/dr-cleaner/

 


Re: Squid 4.4 + SSL bump: Squid is crashing completely opening https://www.drcleaner.com/de/dr-cleaner/

Schroeffu
> Hi,
>
> Works “well” on my squid v 4.4 (patched) - debian 9.
>
> Although the site does not load well, squid does not die:
>
> (…)
>
> TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/jquery-2.0.0.min.js -
> ORIGINAL_DST/99.84.27.102 text/html
>
> TCP_MISS/403 684 GET
> https://s3-us-west-2.amazonaws.com/trustedsite-public/host/drcleaner.com/client.js -
> ORIGINAL_DST/52.218.200.72 application/xml
>
> TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/css/index.css -
> ORIGINAL_DST/99.84.27.102 text/html
>
> TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/css/bootstrap.min.css -
> ORIGINAL_DST/99.84.27.102 text/html
>
> TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/jquery-2.0.0.min.js -
> ORIGINAL_DST/99.84.27.102 text/html
>
> TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/jquery.screw.js -
> ORIGINAL_DST/99.84.27.102 text/html
>
> TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/bg_pro.js -
> ORIGINAL_DST/99.84.27.102 text/html
>
> TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/mobile.js -
> ORIGINAL_DST/99.84.27.102 text/html
>
> TCP_MISS/502 1609 GET
> https://cache.drcleaner.com/wp-content/plugins/contact-form-7/includes/js/scripts.js? -
> ORIGINAL_DST/99.84.27.102 text/html
>
> TCP_MISS/502 1609 GET https://cache.drcleaner.com/wp-includes/js/comment-reply.min.js? -
> ORIGINAL_DST/99.84.27.102 text/html
>
> And over..
>
> Please, see https://bugs.squid-cache.org/show_bug.cgi?id=4896
>
> If your case is similar, there is a patch as a workaround.
>
> HTH
>

Is your Squid 4.4 patched with https://bugs.squid-cache.org/show_bug.cgi?id=4896 > SQUID-385-Comm_MonitorsRead-assertion-t3.patch ?
It seems to be exactly the issue I experienced.

I recompiled a test-environment Squid with that patch; now the mentioned site no longer kills my Squid with SSL bump enabled. I am going to roll out the patched version this evening for our 20+ test users on a pre-prod proxy. If there are any further issues, I'll comment on the bug report directly.

thanks
Schroeffu