> Can you give any more information such as:
>
> 1. Which version of Squid is this?
>
> squidclamav-7.2 <https://freshports.org/www/squidclamav>
> squid_radius_auth-1.10 <https://freshports.org/www/squid_radius_auth>
> squid-5.8 <https://freshports.org/www/squid> c-icap-modules-0.5.5_1
> <https://freshports.org/www/c-icap-modules>
> 2. Which version of which Operating System is this running under?
> pfSense 23.05.1-Release (arm64)
> 3. What appears in Squid's log files preceding this report?
> Nothing out of the ordinary
n 11 10:29:15 kernel pid 4993 (squid), jid 0, uid 100: exited on
signal 6
Jun 11 10:29:15 (squid-1) 4993 FATAL: Received Segment
Violation...dying. listening port: 127.0.0.1:3128
Jun 11 10:23:13 kernel pid 43536 (squid), jid 0, uid 100: exited on
signal 6
Jun 11 10:23:05 (squid-1) 43536 FATAL: Received Segment
Violation...dying. connection: conn749025 local=192.168.1.1:3128
remote=192.168.1.5:59502 flags=1
Jun 11 10:19:00 sshguard 98282 Now monitoring attacks.
prior is just normal logs
> 4. What traffic was going through Squid at the time?
Facebook causes issues every time this occurs
>
> 5. Is this an isolated incident or do you see this more frequently?
This is not isolated it occurs often
>
> 6. Can you reproduce the problem (and if so, tell us how to do so)?
This can be reproduced by looking at Facebook reels for
10-15 minutes after it freezes restarts Squid and error resolves
I have tested many custom options they all do this with or without StoreID both
do the same thing.
CONFIG:
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem
tls-cafile=/usr/local/share/certs/ca-root-nss.crt
capath=/usr/local/share/certs/
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem
tls-cafile=/usr/local/share/certs/ca-root-nss.crt
capath=/usr/local/share/certs/
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem
tls-cafile=/usr/local/share/certs/ca-root-nss.crt
capath=/usr/local/share/certs/
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
icp_port 0
digest_generation off
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname Lee_Family.home.arpa
cache_mgr jonathanlee...@gmail.com
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s
/var/squid/lib/ssl_db -M 4MB -b 2048
tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
tls_outgoing_options capath=/usr/local/share/certs/
tls_outgoing_options options=NO_SSLv3
tls_outgoing_options
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_children 10
logfile_rotate 0
debug_options rotate=0
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.1.0/27
forwarded_for transparent
httpd_suppress_version_string on
uri_whitespace strip
acl block_hours time 00:30-05:00
ssl_bump terminate all block_hours
http_access deny all block_hours
acl getmethod method GET
acl to_ipv6 dst ipv6
acl from_ipv6 src ipv6
#tls_outgoing_options options=0x40000
request_header_access Accept-Ranges deny all
reply_header_access Accept-Ranges deny all
request_header_replace Accept-Ranges none
reply_header_replace Accept-Ranges none
tls_outgoing_options
cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
acl HttpAccess dstdomain '/usr/local/pkg/http.access'
acl windowsupdate dstdomain '/usr/local/pkg/windowsupdate'
acl rewritedoms dstdomain '/usr/local/pkg/desdom'
store_id_program /usr/local/libexec/squid/storeid_file_rewrite
/var/squid/storeid/storeid_rewrite.txt
store_id_children 10 startup=5 idle=1 concurrency=0
always_direct allow all
#store_id_access deny connect
store_id_access deny !getmethod
store_id_access allow rewritedoms
store_id_access deny all
refresh_all_ims on
reload_into_ims on
max_stale 20 years
minimum_expiry_time 0
refresh_pattern -i ^http.*squid.internal.* 43200 100% 79900 override-expire
override-lastmod ignore-reload ignore-no-store ignore-must-revalidate
ignore-private ignore-auth
#FACEBOOK
refresh_pattern ^https.*.facebook.com/* 10080 80% 43200
#FACEBOOK IMAGES
refresh_pattern -i pixel.facebook.com..(jpg|png|gif|ico|css|js|jpg?) 10080 80%
43200
refresh_pattern -i .akamaihd.net..(jpg|png|gif|ico|css|js|jpg?) 10080 80% 43200
refresh_pattern -i facebook.com.(jpg|png|gif|jpg?) 10080 80% 43200 store-stale
refresh_pattern static.(xx|ak).fbcdn.net.(jpg|gif|png|jpg?) 10080 80% 43200
refresh_pattern ^https.*profile.ak.fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200
refresh_pattern ^https.*fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200
#FACEBOOK VIDEO
refresh_pattern -i .video.ak.fbcdn.net.*.(mp4|flv|mp3|amf) 10080 80% 43200
refresh_pattern (audio|video)/(webm|mp4) 10080 80% 43200
#APPLE STUFF
refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$
0 80% 43200 refresh-ims
#apple update
refresh_pattern -i (download|adcdownload).apple.com/.*.(pkg|dmg) 4320 100% 43200
refresh_pattern -i appldnld.apple.com 129600 100% 129600
refresh_pattern -i phobos.apple.com 129600 100% 129600
refresh_pattern -i iosapps.itunes.apple.com 129600 100% 129600
# Updates: Windows
refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320
80% 43200 refresh-ims
refresh_pattern -i
windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200
refresh-ims
refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$
4320 80% 43200 refresh-ims
refresh_pattern -i microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)
4320 80% 43200
refresh_pattern -i
windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
refresh_pattern -i windows.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)
4320 80% 43200
refresh_pattern -i .*windowsupdate.com/.*.(cab|exe) 259200 100% 259200
refresh_pattern -i .*update.microsoft.com/.*.(cab|exe|dll|msi|psf) 259200 100%
259200
refresh_pattern windowsupdate.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
refresh_pattern download.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100%
43200
refresh_pattern www.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
refresh_pattern au.download.windowsupdate.com/.*.(cab|exe|dll|msi|psf) 4320
100% 43200
refresh_pattern bg.v4.pr.dl.ws.microsoft.com/.*.(cab|exe|dll|msi|psf) 4320 100%
43200
#windows update NEW UPDATE 0.04
refresh_pattern update.microsoft.com/.*.(cab|exe) 43200 100% 129600
refresh_pattern
([^.]+.)?(download|(windows)?update).(microsoft.)?com/.*.(cab|exe|msi|msp|psf)
4320 100% 43200
refresh_pattern update.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
refresh_pattern -i
.update.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100%
525600
refresh_pattern -i
.windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100%
525600
refresh_pattern -i
.download.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600
100% 525600
refresh_pattern -i
.ws.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100%
525600
refresh_pattern
([^.]+.)?(cs|content[1-9]|hsar|content-origin|client-download).[steampowered|steamcontent].com/.*.*
43200 100% 43200
refresh_pattern ([^.]+.)?.akamai.steamstatic.com/.*.* 43200 100% 43200
refresh_pattern -i ([^.]+.)?.adobe.com/.*.(zip|exe) 43200 100% 43200
refresh_pattern -i ([^.]+.)?.java.com/.*.(zip|exe) 43200 100% 43200
refresh_pattern -i ([^.]+.)?.sun.com/.*.(zip|exe) 43200 100% 43200
refresh_pattern -i ([^.]+.)?.oracle.com/.*.(zip|exe|tar.gz) 43200 100% 43200
refresh_pattern -i appldnld.apple.com 43200 100% 43200
refresh_pattern -i ([^.]+.)?apple.com/.*.(ipa) 43200 100% 43200
refresh_pattern -i ([^.]+.)?.google.com/.*.(exe|crx) 10080 80% 43200
refresh_pattern -i ([^.]+.)?g.static.com/.*.(exe|crx) 10080 80% 43200
acl https_login url_regex -i ^https.*(login|Login).*
cache deny https_login
range_offset_limit 512 MB windowsupdate
range_offset_limit 4 MB
range_offset_limit 0
quick_abort_min -1 KB
cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 512 MB
cache_dir diskd /var/squid/cache 64000 256 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
acl donotcache dstdomain '/var/squid/acl/donotcache.acl'
cache deny donotcache
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320
#Remote proxies
# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 3129
1025-65535
acl sslports port 443 563 8080 5223 2197
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
# SslBump Peek and Splice
# http://wiki.squid-cache.org/Features/SslPeekAndSplice
# http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
# Match against the current step during ssl_bump evaluation [fast]
# Never matches and should not be used outside the ssl_bump context.
#
# At each SslBump step, Squid evaluates ssl_bump directives to find
# the next bumping action (e.g., peek or splice). Valid SslBump step
# values and the corresponding ssl_bump evaluation moments are:
# SslBump1: After getting TCP-level and HTTP CONNECT info.
# SslBump2: After getting TLS Client Hello info.
# SslBump3: After getting TLS Server Hello info.
# These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
# they can be used there for custom configuration.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl banned_hosts src '/var/squid/acl/banned_hosts.acl'
acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
acl blacklist dstdom_regex -i '/var/squid/acl/blacklist.acl'
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 95
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
deny_info TCP_RESET allsrc
# Package Integration
url_rewrite_program /usr/local/bin/squidGuard -c
/usr/local/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 32 startup=8 idle=4 concurrency=0
# Custom options before auth
#host_verify_strict on
# These hosts are banned
http_access deny banned_hosts
# Always allow access to whitelist domains
http_access allow whitelist
# Block access to blacklist domains
http_access deny blacklist
# List of domains allowed to logging in to Google services
request_header_access X-GoogApps-Allowed-Domains deny all
request_header_add X-GoogApps-Allowed-Domains consumer_accounts
# Set YouTube safesearch restriction
acl youtubedst dstdomain -n www.youtube.com m.youtube.com
youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
request_header_access YouTube-Restrict deny all
request_header_add YouTube-Restrict none youtubedst
acl sglog url_regex -i sgr=ACCESSDENIED
http_access deny sglog
# Custom SSL/MITM options before auth
cachemgr_passwd disable offline_toggle reconfigure shutdown
cachemgr_passwd redacted! all
eui_lookup on
acl no_miss url_regex -i gateway.facebook.com/ws/realtime?
acl no_miss url_regex -i web-chat-e2ee.facebook.com/ws/chat
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
http_access allow HttpAccess localnet
http_access allow HttpAccess localhost
http_access deny manager
http_access deny to_ipv6
http_access deny from_ipv6
acl BrokenButTrustedServers dstdomain '/usr/local/pkg/dstdom.broken'
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all
acl splice_only src 192.168.1.8 #Tasha iPhone
acl splice_only src 192.168.1.10 #Jon iPhone
acl splice_only src 192.168.1.11 #Amazon Fire
acl splice_only src 192.168.1.15 #Tasha HP
acl splice_only src 192.168.1.16 #iPad
acl splice_only_mac arp redacted
acl splice_only_mac arp redacted
acl splice_only_mac arp redacted
acl splice_only_mac arp redacted
acl splice_only_mac arp redacted
acl NoSSLIntercept ssl::server_name_regex -i '/usr/local/pkg/reg.url.nobump'
acl NoBumpDNS dstdomain '/usr/local/pkg/dns.nobump'
acl markBumped annotate_client bumped=true
acl active_use annotate_client active=true
acl bump_only src 192.168.1.3 #webtv
acl bump_only src 192.168.1.4 #toshiba
acl bump_only src 192.168.1.5 #imac
acl bump_only src 192.168.1.9 #macbook
acl bump_only src 192.168.1.13 #dell
acl bump_only_mac arp redacted
acl bump_only_mac arp redacted
acl bump_only_mac arp redacted
acl bump_only_mac arp redacted
acl bump_only_mac arp redacted
ssl_bump peek step1
miss_access deny no_miss active_use
ssl_bump splice https_login active_use
ssl_bump splice splice_only_mac splice_only active_use
ssl_bump splice NoBumpDNS active_use
ssl_bump splice NoSSLIntercept active_use
ssl_bump bump bump_only_mac bump_only active_use
acl activated note active_use true
ssl_bump terminate !activated
acl markedBumped note bumped true
url_rewrite_access deny markedBumped
#workers 3
read_ahead_gap 32 KB
#negative_ttl 1 second
#connect_timeout 30 seconds
#request_timeout 60 seconds
#half_closed_clients off
#shutdown_lifetime 10 seconds
#negative_dns_ttl 1 seconds
#ignore_unknown_nameservers on
#client_persistent_connections off
#server_persistent_connections off
#pipeline_prefetch 100
#acl SSLIntercept ssl::server_name_regex -i '/usr/local/pkg/url.bump'
#ssl_bump bump SSLIntercept
# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav
bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache
icap://127.0.0.1:1344/squid_clamav bypass=on
adaptation_access service_avi_resp allow all
> On Jun 11, 2024, at 10:41, Antony Stone <antony.st...@squid.open.source.it>
> wrote:
>
> On Tuesday 11 June 2024 at 19:24:43, Jonathan Lee wrote:
>
>> FATAL: Received Segment Violation...dying. connection: conn749025
>> local=192.168.1.1:3128 remote=192.168.1.5:59502 flags=1
>>
>> Does any know how to fix this??
>
> Can you give any more information such as:
>
> 1. Which version of Squid is this?
>
> 2. Which version of which Operating System is this running under?
>
> 3. What appears in Squid's log files preceding this report?
>
> 4. What traffic was going through Squid at the time?
>
> 5. Is this an isolated incident or do you see this more frequently?
>
> 6. Can you reproduce the problem (and if so, tell us how to do so)?
>
>
> The more information you can give us about your system, the more likely it is
> that we can understand what it might be doing.
>
>
> Antony.
>
> --
> "I estimate there's a world market for about five computers."
>
> - Thomas J Watson, Chairman of IBM
>
> Please reply to the list;
> please *don't* CC me.
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
