Terminate squid abnormally

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Terminate squid abnormally

leomessi983
hi
I have an intercepted squid proxy for HTTP and HTTPS requests in my network.
I use same DNS-Server on my clients and my squid server, but when my clients try to get HTTPS URLs they got error messages and can not open any URL.
Is there any configuration directive in squid to does not resolve requested URLs from client or use their resolved IP addresses?
In my squid server I got this error messages:


May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: Host header forgery detected on local=157.240.20.52:443 remote=172.30.28.38:52346 FD 524 flags=17 (local IP does not match any domain IP)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: on URL: web.whatsapp.com:443
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: Host header forgery detected on local=157.240.20.52:443 remote=172.30.28.38:52347 FD 508 flags=17 (local IP does not match any domain IP)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: on URL: web.whatsapp.com:443
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: Host header forgery detected on local=157.240.20.52:443 remote=172.30.31.31:51567 FD 508 flags=17 (local IP does not match any domain IP)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: on URL: web.whatsapp.com:443
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: Host header forgery detected on local=157.240.20.52:443 remote=172.30.31.31:51568 FD 508 flags=17 (local IP does not match any domain IP)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: on URL: web.whatsapp.com:443
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| ERROR: negotiating TLS on FD 523: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| Error negotiating SSL connection on FD 518: error:00000001:lib(0):func(0):reason(1) (1/0)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| ERROR: negotiating TLS on FD 502: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| Error negotiating SSL connection on FD 509: error:00000001:lib(0):func(0):reason(1) (1/0)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| ERROR: negotiating TLS on FD 527: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| Error negotiating SSL connection on FD 526: error:00000001:lib(0):func(0):reason(1) (1/0)
May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: Host header forgery detected on local=17.57.12.11:443 remote=172.30.14.50:11985 FD 510 flags=17 (local IP does not match any domain IP)
May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: on URL: gsp64-ssl.ls.apple.com:443
May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: Host header forgery detected on local=17.57.12.11:443 remote=172.30.14.50:11986 FD 510 flags=17 (local IP does not match any domain IP)
May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: on URL: gsp64-ssl.ls.apple.com:443
May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: Host header forgery detected on local=17.57.12.11:443 remote=172.30.14.50:12069 FD 510 flags=17 (local IP does not match any domain IP)
May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: on URL: gsp64-ssl.ls.apple.com:443
May 10 12:47:56 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:56| SECURITY ALERT: Host header forgery detected on local=193.23.244.244:443 remote=217.11.23.195:59994 FD 534 flags=17 (local IP does not match any domain IP)
May 10 12:47:56 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:56| SECURITY ALERT: on URL: www.h7ftf4spvav27.com:443
May 10 12:47:57 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:57| ERROR: negotiating TLS on FD 523: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
May 10 12:47:57 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:57| Error negotiating SSL connection on FD 260: error:00000001:lib(0):func(0):reason(1) (1/0)
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Preparing for shutdown after 1786 requests
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Waiting 5 seconds for active connections to finish
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Closing HTTP(S) port 0.0.0.0:3128
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Closing HTTP(S) port 0.0.0.0:3129
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Closing HTTP(S) port 0.0.0.0:3130
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| WARNING: /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB #Hlpr3 exited
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Too few /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB processes are running (need 1/10)
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Starting new helpers
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| helperOpenServers: Starting 1/10 'security_file_certgen' processes
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| WARNING: /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB #Hlpr4 exited
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Too few /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB processes are running (need 1/10)
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| storeDirWriteCleanLogs: Starting...
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58|   Finished.  Wrote 0 entries.
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58|   Took 0.00 seconds (  0.00 entries/sec).
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| FATAL: The /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB helpers are crashing too rapidly, need help!
May 10 12:47:58 squid[] [user:alert:09]: FATAL: The /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB helpers are crashing too rapidly, need help!
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Squid Cache (Version 4.7): Terminated abnormally.
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Removing PID file (/var/run/squid.pid)
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Terminate squid abnormally

Alex Rousskov
On 5/10/20 2:58 PM, [hidden email] wrote:

> FATAL: The /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB helpers are crashing too rapidly, need help!

This fatal error needs your attention. Most likely, your certificate
generator cannot use its database, either because it was not initialized
or because the generator lacks permissions to access the database. Many
similar problems are triaged on this mailing list. You may want to
search for those emails.

Fixing this problem will not remove the "SECURITY ALERT" messages.


> Is there any configuration directive in squid to does not resolve
> requested URLs from client or use their resolved IP addresses?

There is not yet. It may be difficult to convince all the gatekeepers to
allow such directive(s), but it may possible to do so if Squid still
does not cache the response of the tainted transaction. If anybody wants
to make or sponsor the corresponding changes, I recommend starting with
posting an RFC on squid-dev.


Cheers,

Alex.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users