[squid-users] Squid 4.4 + SSL bump: Squid is crashing completely opening https://www.drcleaner.com/de/dr-cleaner/
i***@schroeffu.ch
2018-12-04 16:10:38 UTC
Hi all,

My Squid 4.4 with SSL bump is crashing while trying to open this website: https://www.drcleaner.com/de/dr-cleaner/
So, after trying to open this site with SSL bump enabled, no Squid process is running anymore. Just. Dead.

What can I do to debug that properly, so that I can properly report an issue?

SSL bump config:

http_port proxy02bs:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/xx.pem key=/etc/squid/certs/xx.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
always_direct allow all
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all !domains_dont_sslbump

Last words 'til death:

Dec 4 16:47:19 proxy02bs squid[1001]: assertion failed: http.cc:1530: "!Comm::MonitorsRead(serverConnection->fd)"
Dec 4 16:47:19 proxy02bs squid[604]: Squid Parent: squid-1 process 1001 exited due to signal 6 with status 0
Dec 4 16:47:19 proxy02bs squid[604]: Squid Parent: squid-1 process 1001 will not be restarted for 3600 seconds due to repeated, frequent failures
Dec 4 16:47:19 proxy02bs squid[604]: Exiting due to repeated, frequent failures
Dec 4 16:47:19 proxy02bs squid[604]: Removing PID file (/var/run/squid.pid)
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Main process exited, code=exited, status=1/FAILURE
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 666 (pinger) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 786 (pinger) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 855 (pinger) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 923 (pinger) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 995 (pinger) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 1004 (security_file_c) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 1007 (ufdbgclient) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 1008 (ufdbgclient) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Killing process 1065 (pinger) with signal SIGKILL.
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Failed with result 'exit-code'.

Full syslog: https://pastebin.com/i9itZcZa
Full access.log: https://pastebin.com/Vc0A5sSG
Full cache.log: https://pastebin.com/xdi3RHqs

Thanks for any help in advance
Schroeffu
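
A triage helper for the crash signature in the syslog excerpt above, added here as an example; it is not part of the original post or of Squid. It groups the assertion, the abort signal and the restart hold-off by worker PID and flags when the parent process itself has exited. The function name and report layout are assumptions; the sample lines are copied from the post.

```python
import re

# Sample lines copied from the syslog excerpt in the post above.
SAMPLE = """\
Dec 4 16:47:19 proxy02bs squid[1001]: assertion failed: http.cc:1530: "!Comm::MonitorsRead(serverConnection->fd)"
Dec 4 16:47:19 proxy02bs squid[604]: Squid Parent: squid-1 process 1001 exited due to signal 6 with status 0
Dec 4 16:47:19 proxy02bs squid[604]: Squid Parent: squid-1 process 1001 will not be restarted for 3600 seconds due to repeated, frequent failures
Dec 4 16:47:19 proxy02bs squid[604]: Exiting due to repeated, frequent failures
Dec 4 16:47:19 proxy02bs systemd[1]: squid.service: Failed with result 'exit-code'.
"""

ASSERT_RE = re.compile(r'squid\[(\d+)\]: assertion failed: ([^:]+):(\d+): "(.*)"$')
EXIT_RE = re.compile(r'Squid Parent: (\S+) process (\d+) exited due to signal (\d+)')
HOLD_RE = re.compile(r'process (\d+) will not be restarted for (\d+) seconds')
GIVEUP_RE = re.compile(r'squid\[\d+\]: Exiting due to repeated, frequent failures')


def summarize_crashes(text):
    """Group Squid crash evidence by worker PID and flag a full proxy outage."""
    workers = {}
    outage = False
    for line in text.splitlines():
        if m := ASSERT_RE.search(line):
            # The worker logs the failed assertion under its own PID.
            w = workers.setdefault(m.group(1), {})
            w.update(file=m.group(2), line=int(m.group(3)), expr=m.group(4))
        elif m := EXIT_RE.search(line):
            # The parent reports how the worker died (signal 6 is SIGABRT).
            w = workers.setdefault(m.group(2), {})
            w.update(kid=m.group(1), signal=int(m.group(3)))
        elif m := HOLD_RE.search(line):
            workers.setdefault(m.group(1), {})["hold_seconds"] = int(m.group(2))
        elif GIVEUP_RE.search(line):
            outage = True  # the parent exited too, so nothing is serving clients
    return {"workers": workers, "outage": outage}


if __name__ == "__main__":
    report = summarize_crashes(SAMPLE)
    for pid, info in report["workers"].items():
        print(pid, info)
    print("proxy down:", report["outage"])
```
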
z***@gmail.com
2018-12-05 00:31:39 UTC
Hi,

Works “well” on my squid v 4.4 (patched), Debian 9.

Although the site does not load well, squid does not die:

(…)

TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/jquery-2.0.0.min.js - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/403 684 GET https://s3-us-west-2.amazonaws.com/trustedsite-public/host/drcleaner.com/client.js - ORIGINAL_DST/52.218.200.72 application/xml
TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/css/index.css - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/css/bootstrap.min.css - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/jquery-2.0.0.min.js - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/jquery.screw.js - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/bg_pro.js - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/mobile.js - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/wp-content/plugins/contact-form-7/includes/js/scripts.js? - ORIGINAL_DST/99.84.27.102 text/html
TCP_MISS/502 1609 GET https://cache.drcleaner.com/wp-includes/js/comment-reply.min.js? - ORIGINAL_DST/99.84.27.102 text/html

And over..

Please, see https://bugs.squid-cache.org/show_bug.cgi?id=4896

If your case is similar, there is a patch as a workaround.

HTH
i***@schroeffu.ch
2018-12-05 09:26:27 UTC
Your Squid 4.4 is patched with https://bugs.squid-cache.org/show_bug.cgi?id=4896 > SQUID-385-Comm_MonitorsRead-assertion-t3.patch?
It seems to be exactly the issue I experienced.

I did recompile a test environment Squid with that patch; now the mentioned site is not killing my Squid anymore with SSL bump enabled. I am going to roll out the patched version this evening for our 20+ test users on a pre-prod proxy. If there is any further issue, I'll comment on the bug report directly.

Thanks
Schroeffu