Hello, Jonathan,
>> Does anyone know the path to this file "modified file
'src/client_side_request.cc" so I can test it with the patches application
if it doesn’t work no big deal I can just restore it to to prior and or use
an older boot environment
You can find it in the squid sources:
tar -tvzf squid-6.10.tar.gz | grep src/client_side_request.cc
-rw-rw-r-- kinkie/kinkie 77063 2024-06-08 16:28
squid-6.10/src/client_side_request.cc
Kind regards,
Ankor
ср, 10 июл. 2024 г. в 03:31, <jonathanlee...@gmail.com>:
> I found the older patch from 2017 I cant find the path to
> client_sid_request.cc in the pfsense filesystem
>
> Does anyone know the path to this file "modified file
> 'src/client_side_request.cc" so I can test it with the patches application
> if it doesn’t work no big deal I can just restore it to to prior and or use
> an older boot environment
>
>
>
>
> kick abandoning [connection]" message in cache.log
>
> This patch call quitAfterError() to force Squid to close the connection
> after
> writing a "Host header forgery" error response instead of just logging a
> [misleading] "kick abandoning [connection]" message in cache.log.
>
> This is a Measurement Factory project
>
> === modified file 'src/client_side_request.cc'
> --- src/client_side_request.cc 2017-02-07 23:11:33 +0000
> +++ src/client_side_request.cc 2017-03-31 08:00:01 +0000
> @@ -564,40 +564,41 @@
> debugs(85, 3, "SECURITY ALERT: Host header forgery detected on "
> << http->getConn()->clientConnection <<
> " (" << A << " does not match " << B << ") on URL: " <<
> http->request->effectiveRequestUri());
>
> // NP: it is tempting to use 'flags.noCache' but that is all
> about READing cache data.
> // The problems here are about WRITE for new cache content, which
> means flags.cachable
> http->request->flags.cachable = false; // MUST NOT cache (for now)
> // XXX: when we have updated the cache key to base on raw-IP +
> URI this cacheable limit can go.
> http->request->flags.hierarchical = false; // MUST NOT pass to
> peers (for now)
> // XXX: when we have sorted out the best way to relay requests
> properly to peers this hierarchical limit can go.
> http->doCallouts();
> return;
> }
>
> debugs(85, DBG_IMPORTANT, "SECURITY ALERT: Host header forgery
> detected on " <<
> http->getConn()->clientConnection << " (" << A << " does not
> match " << B << ")");
> if (const char *ua =
> http->request->header.getStr(Http::HdrType::USER_AGENT))
> debugs(85, DBG_IMPORTANT, "SECURITY ALERT: By user agent: " <<
> ua);
> debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " <<
> http->request->effectiveRequestUri());
>
> // IP address validation for Host: failed. reject the connection.
> + http->getConn()->quitAfterError(http->request);
> clientStreamNode *node = (clientStreamNode
> *)http->client_stream.tail->prev->data;
> clientReplyContext *repContext = dynamic_cast<clientReplyContext
> *>(node->data.getRaw());
> assert (repContext);
> repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict,
> http->request->method, NULL,
> http->getConn()->clientConnection->remote,
> http->request,
> NULL,
> #if USE_AUTH
> http->getConn() != NULL &&
> http->getConn()->getAuth() != NULL ?
> http->getConn()->getAuth() :
> http->request->auth_user_request);
> #else
> NULL);
> #endif
> node = (clientStreamNode *)http->client_stream.tail->data;
> clientStreamRead(node, http, node->readBuffer);
> }
>
> void
> ClientRequestContext::hostHeaderVerify()
>
>
>
> -----Original Message-----
> From: Alex Rousskov <rouss...@measurement-factory.com>
> Sent: Monday, July 8, 2024 10:41 AM
> To: squid-users <squid-users@lists.squid-cache.org>
> Cc: Jonathan Lee <jonathanlee...@gmail.com>
> Subject: Re: [squid-users] Squid 6.6 kick abandoning connections
>
> On 2024-07-08 12:31, Jonathan Lee wrote:
>
> > I can confirm I have no ipv6 our isp is ipv4 only and I have IPv6
> > disabled on the firewall and with layer 2 and 3 traffic
>
> This problem is not specific to any IP family/version.
>
> Alex.
>
>
> >> On Jul 8, 2024, at 09:15, Alex Rousskov <
> rouss...@measurement-factory.com> wrote:
> >>
> >> On 2024-07-05 21:07, Jonathan Lee wrote:
> >>
> >>> I am using Bump with certificates installed on devices does anyone
> know what this error is...
> >>> kick abandoning conn43723 local=192.168.1.1:3128
> >>> remote=192.168.1.5:52129 FD 178 flags=1
> >>
> >>
> >> This "kick abandoning" message marks a Squid problem or bug: Squid
> enters a seemingly impossible state. In some (but probably not all) cases,
> the client connection might become stuck (hopefully until some timeout
> closes it). In some (and possibly all) cases, Squid might immediately close
> the connection and nobody gets hurt. Code reporting this problem does not
> know how we got here and what will happen next.
> >>
> >> There were several incomplete/unfinished attempts to fix this problem,
> including two different patches posted at Bug 3715. I do not know whether
> either of them is safe and applies to Squid v6. Neither is a comprehensive
> solution.
> >> https://bugs.squid-cache.org/show_bug.cgi?id=3715
> >>
> >>
> >>> Does anyone know how to fix my last weird error I have with Squid
> >>> 6.6
> >>
> >> I do not know of a good configuration-based workaround. Squid code
> modifications are required to properly address this problem. Other errors
> may trigger this bug, so addressing those other errors may hide (and reduce
> the pressure to fix) this bug. Besides fixing those other errors (if any --
> I am aware that you have said that there are no other errors left, but
> perhaps you found other problems since then), these basic options apply:
> >>
> >> https://wiki.squid-cache.org/SquidFaq/AboutSquid#how-to-add-a-new-squ
> >> id-feature-enhance-of-fix-something
> >>
> >> Alex.
> >>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
