I found the older patch from 2017 I cant find the path to client_sid_request.cc
in the pfsense filesystem
Does anyone know the path to this file "modified file
'src/client_side_request.cc" so I can test it with the patches application if
it doesn’t work no big deal I can just restore it to to prior and or use an
older boot environment
kick abandoning [connection]" message in cache.log
This patch call quitAfterError() to force Squid to close the connection after
writing a "Host header forgery" error response instead of just logging a
[misleading] "kick abandoning [connection]" message in cache.log.
This is a Measurement Factory project
=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc 2017-02-07 23:11:33 +0000
+++ src/client_side_request.cc 2017-03-31 08:00:01 +0000
@@ -564,40 +564,41 @@
debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " <<
http->getConn()->clientConnection <<
" (" << A << " does not match " << B << ") on URL: " <<
http->request->effectiveRequestUri());
// NP: it is tempting to use 'flags.noCache' but that is all about
READing cache data.
// The problems here are about WRITE for new cache content, which
means flags.cachable
http->request->flags.cachable = false; // MUST NOT cache (for now)
// XXX: when we have updated the cache key to base on raw-IP + URI
this cacheable limit can go.
http->request->flags.hierarchical = false; // MUST NOT pass to peers
(for now)
// XXX: when we have sorted out the best way to relay requests
properly to peers this hierarchical limit can go.
http->doCallouts();
return;
}
debugs(85, DBG_IMPORTANT, "SECURITY ALERT: Host header forgery detected on
" <<
http->getConn()->clientConnection << " (" << A << " does not match
" << B << ")");
if (const char *ua =
http->request->header.getStr(Http::HdrType::USER_AGENT))
debugs(85, DBG_IMPORTANT, "SECURITY ALERT: By user agent: " << ua);
debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " <<
http->request->effectiveRequestUri());
// IP address validation for Host: failed. reject the connection.
+ http->getConn()->quitAfterError(http->request);
clientStreamNode *node = (clientStreamNode
*)http->client_stream.tail->prev->data;
clientReplyContext *repContext = dynamic_cast<clientReplyContext
*>(node->data.getRaw());
assert (repContext);
repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict,
http->request->method, NULL,
http->getConn()->clientConnection->remote,
http->request,
NULL,
#if USE_AUTH
http->getConn() != NULL &&
http->getConn()->getAuth() != NULL ?
http->getConn()->getAuth() :
http->request->auth_user_request);
#else
NULL);
#endif
node = (clientStreamNode *)http->client_stream.tail->data;
clientStreamRead(node, http, node->readBuffer);
}
void
ClientRequestContext::hostHeaderVerify()
-----Original Message-----
From: Alex Rousskov <rouss...@measurement-factory.com>
Sent: Monday, July 8, 2024 10:41 AM
To: squid-users <squid-users@lists.squid-cache.org>
Cc: Jonathan Lee <jonathanlee...@gmail.com>
Subject: Re: [squid-users] Squid 6.6 kick abandoning connections
On 2024-07-08 12:31, Jonathan Lee wrote:
> I can confirm I have no ipv6 our isp is ipv4 only and I have IPv6
> disabled on the firewall and with layer 2 and 3 traffic
This problem is not specific to any IP family/version.
Alex.
>> On Jul 8, 2024, at 09:15, Alex Rousskov <rouss...@measurement-factory.com>
>> wrote:
>>
>> On 2024-07-05 21:07, Jonathan Lee wrote:
>>
>>> I am using Bump with certificates installed on devices does anyone know
>>> what this error is...
>>> kick abandoning conn43723 local=192.168.1.1:3128
>>> remote=192.168.1.5:52129 FD 178 flags=1
>>
>>
>> This "kick abandoning" message marks a Squid problem or bug: Squid enters a
>> seemingly impossible state. In some (but probably not all) cases, the client
>> connection might become stuck (hopefully until some timeout closes it). In
>> some (and possibly all) cases, Squid might immediately close the connection
>> and nobody gets hurt. Code reporting this problem does not know how we got
>> here and what will happen next.
>>
>> There were several incomplete/unfinished attempts to fix this problem,
>> including two different patches posted at Bug 3715. I do not know whether
>> either of them is safe and applies to Squid v6. Neither is a comprehensive
>> solution.
>> https://bugs.squid-cache.org/show_bug.cgi?id=3715
>>
>>
>>> Does anyone know how to fix my last weird error I have with Squid
>>> 6.6
>>
>> I do not know of a good configuration-based workaround. Squid code
>> modifications are required to properly address this problem. Other errors
>> may trigger this bug, so addressing those other errors may hide (and reduce
>> the pressure to fix) this bug. Besides fixing those other errors (if any --
>> I am aware that you have said that there are no other errors left, but
>> perhaps you found other problems since then), these basic options apply:
>>
>> https://wiki.squid-cache.org/SquidFaq/AboutSquid#how-to-add-a-new-squ
>> id-feature-enhance-of-fix-something
>>
>> Alex.
>>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
