Re: [squid-users] Squid not responding and 100% cpu from Nuno Fernandes on 2013-06-07 (squid-users)

From: Nuno Fernandes <npf-mlists_at_eurotux.com>
Date: Fri, 07 Jun 2013 09:48:12 +0100

Em Sexta, Junho de 7 de 2013 09:18 WEST, "Nuno Fernandes" <npf-mlists_at_eurotux.com> escreveu:

>
> Em Sexta, Junho de 7 de 2013 08:19 WEST, Amos Jeffries <squid3_at_treenet.co.nz> escreveu:
>
> > > 10.10.10.254 is the squid box. 3126 is the ssl intercept port.
> > >
> > > # grep 3126 /etc/sysconfig/iptables
> > > [0:0] -A PREROUTING -i vlan10 -s 10.10.10.4 -p tcp -m tcp --dport 443 -j REDIRECT --to-port 3126
> > >
> > > Only my ip address is forwarded to 3126... Here is the sslbump part of the conf.
> > >
> > > https_port 3126 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/etproxy/ssl/myCA.pem
> >
> > Funny story ...
> >
> > *if* Squid were actually being "transparent proxy" here the outgoing
> > details on these connections would be "source 10.10.10.4:random-port,
> > destination some-IP:443". And your rule would loop that connection back
> > into Squid.
> >
> > Unluckily for you "transparent" is currently an alias for "intercept"
> > and the Squid outgoing IP should not be 10.10.10.4. So the same
> > behaviour is being caused by something else more difficult to determin.
>
>
> Ok.. changed to intercept. Thanks for the heads up.
>
> >
> > > acl sslsniff src 10.10.10.4
> > > acl sslbumpbypass dst "/etc/etproxy/whitelist.https"
> > > acl broken_sites dstdomain .twitter.com
> > > acl broken_sites dstdomain .facebook.com
> > > always_direct allow sslsniff
> > > ssl_bump none sslbumpbypass
> > > ssl_bump none broken_sites
> > > ssl_bump server-first all
> > > sslcrtd_program /usr/lib/squid/ssl_crtd -s /etc/etproxy/ssl/ssl_db -M 4MB
> > > sslcrtd_children 5
> >
> > For starters check your configuration for the directive "via off" and
> > *remove* it. If it does not exist, please report that fact.
>
> It does not:
>
> # grep via /etc/etproxy/* -Ri
> #
>
> (/etc/etproxy is where my conf files are).
>
> > When that is done the broken requests should be rejected with a
> > forwarding loop error message and not DoS the machine while you are
> > testing for the source of the loop.
>
> I don't have any via directive so it seems that i hit some kind of issue. squid configure parameters are:
>
> Squid Cache: Version 3.3.5
> configure options: '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i686-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_gr
ou
> p,kerberos_ldap_group,AD_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--with-large-files' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--enable-ssl-crtd' '--with-pthreads' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'target_alias=i686-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables' 'PKG_CONFIG_PATH=/usr/lib/pkgco
nf
> ig:/usr/share/pkgconfig' --enable-ltdl-convenience

After reading http://www.squid-cache.org/Versions/v3/3.3/cfgman/via.html i saw that "Requires: --enable-http-violations". In my configure i don't seem to find that flag. Nevertheless checking my cache.log i do see:

Via: 1.1 etfw.eurotux.com (squid)

Thanks,
Nuno Fernandes
Received on Fri Jun 07 2013 - 08:47:42 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 07 2013 - 12:00:06 MDT