[squid-users] Help to understand tcp_denied in access.log

Alex Rousskov rousskov at measurement-factory.com
Fri Apr 14 14:08:18 UTC 2023


On 4/14/23 06:36, andre.bolinhas at articatech.com wrote:

> The mechanism is http_access, the size of error page is around 500kb.

>> Each TCP_DENIED request is consuming 400000+ bytes

If your custom error page is around 500KB, then we should not be 
surprised that the corresponding %<st values exceed 400000 bytes!


> The squid version is 5.8 and I'm not doing ssl bump for this domain.
> When you ask to "collect a packet trace", is that putting Squid in debug mode? Squid
> -k debug?

No, I was thinking about something along these lines:

   tcpdump -s0 -w packet-trace.pcap ...

However, with your 500KB statement, there is no need for a packet trace 
because Squid is simply sending your large custom error responses to 
denied clients, as instructed. Mystery solved.

Please note that popular browsers will not display CONNECT error 
responses, but client behavior is client-dependent, so YMMV.

Do you want Squid to respond with your custom 500KB error page? If yes, 
there is nothing you need to do. Otherwise, please clarify what you want 
Squid to do instead.


HTH,

Alex.


> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Alex
> Rousskov
> Sent: 14 April 2023 04:01
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Help to understand tcp_denied in access.log
> 
> On 4/13/23 21:23, andre.bolinhas at articatech.com wrote:
> 
>> I'm seeing too many requests to the website mainnet.infura.io; by analyzing
>> the access.log it seems that the website is blocked
> 
> Which directive/mechanism blocks them (e.g., http_access,
> reply_body_max_size, ICAP/eCAP, etc.)?
> 
> 
>> Each TCP_DENIED request is consuming 400000+ bytes
> 
> Assuming you do not use huge custom TCP_DENIED error pages, I agree that
> these entries look suspicious, as if Squid denied access but continued
> to tunnel the traffic. The response times are fairly small, but probably
> large enough to transmit those amounts of data from a fast server.
> 
> Since most requests (for the affected domain) are problematic, can you
> collect a packet trace and see if you can confirm that these
> transactions transmit a lot of data from Squid to the client? If IPs are
> not enough, logging client TCP port (%>p) may help you match specific
> access.log entries with TCP connections in the packet trace...
> 
> 
> What Squid version are you using for this? Does SslBump affect the
> problematic transactions?
> 
> 
> Thank you,
> 
> Alex.
> 
> 
> 
>> but I also notice that the
>> request is consuming bandwidth, here is an example.
>> Squid access.log format.
>> %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a:%<p %mt
>> mac="%>eui"
>> %note ua="%{User-Agent}>h" exterr="%err_code|%err_detail"
>>
>> Access.log request.
>> 1681099742.517     35 10.81.216.114 TCP_DENIED_ABORTED/407 41154 CONNECT
>> mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00"
>>
>> category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Tracke
>> rs;%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
>> exterr="ERR_CACHE_ACCESS_DENIED|-"
>>
>> 1681099742.575     41 10.81.216.114 TCP_DENIED/407 511819 CONNECT
>> mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00"
>>
>> category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Tracke
>> rs;%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
>> exterr="ERR_CACHE_ACCESS_DENIED|-"
>>
>> 1681099742.664     73 10.81.216.114 NONE/200 0 CONNECT
>> mainnet.infura.io:443
>> HLBHO/tsyafiq HIER_NONE/-:- - mac="00:00:00:00:00:00"
>>
>> category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Tracke
>> rs;%0D%0Auser:%20HLBHO/tsyafiq%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac
>> OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0
>> Safari/537.36" exterr="-|-"
>>
>> 1681099742.685     20 10.81.216.114 TCP_DENIED_ABORTED/403 450655 CONNECT
>> mainnet.infura.io:443 HLBHO/tsyafiq HIER_NONE/-:- text/html
>> mac="00:00:00:00:00:00"
>>
>> category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Tracke
>> rs;%0D%0Auser:%20HLBHO/tsyafiq%0D%0A ua="-" exterr="ERR_ACCESS_DENIED|-"
>>
>> Each TCP_DENIED request is consuming 400000+ bytes, so at the end of the
>> day
>> sometimes I have a total of 56k requests to mainnet.infura.io consuming
>> around 15GB of bandwidth.
>>
>> My question is, assuming that %<st is the total size of the reply, why is
>> TCP_DENIED taking a lot of bandwidth to block a website?
>>
>> Best regards
>>
>>
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> 
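As an added example (not code from the thread or from Squid), a small Python parser for the custom logformat quoted above that sums %<st per result code and host and lists denied transactions whose reply is large enough to be a custom error page rather than a bare 4xx; the sample lines are constructed from the ones in the thread (with %note and ua shortened), and the 100000-byte cut-off is an assumption, not a Squid setting.

```python
import re
from collections import defaultdict

# Constructed sample lines in the thread's logformat (%note and ua shortened);
# the %<st byte counts mirror the TCP_DENIED entries quoted in the thread.
SAMPLE_LOG = """\
1681099742.517     35 10.81.216.114 TCP_DENIED_ABORTED/407 41154 CONNECT mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00" category:%20143 ua="Mozilla/5.0" exterr="ERR_CACHE_ACCESS_DENIED|-"
1681099742.575     41 10.81.216.114 TCP_DENIED/407 511819 CONNECT mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00" category:%20143 ua="Mozilla/5.0" exterr="ERR_CACHE_ACCESS_DENIED|-"
1681099742.664     73 10.81.216.114 NONE/200 0 CONNECT mainnet.infura.io:443 HLBHO/tsyafiq HIER_NONE/-:- - mac="00:00:00:00:00:00" category:%20143 ua="Mozilla/5.0" exterr="-|-"
1681099742.685     20 10.81.216.114 TCP_DENIED_ABORTED/403 450655 CONNECT mainnet.infura.io:443 HLBHO/tsyafiq HIER_NONE/-:- text/html mac="00:00:00:00:00:00" category:%20143 ua="-" exterr="ERR_ACCESS_DENIED|-"
"""

# One named group per logformat token: %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru
# %[un %Sh/%<a:%<p %mt mac="%>eui" %note ua="%{User-Agent}>h" exterr="%err_code|%err_detail"
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<tr>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+'
    r'(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+'
    r'(?P<hier>\S+)/(?P<peer>\S+):(?P<peerport>\S+)\s+(?P<mime>\S+)\s+'
    r'mac="(?P<mac>[^"]*)"\s+(?P<note>\S+)\s+ua="(?P<ua>[^"]*)"\s+'
    r'exterr="(?P<errcode>[^|"]*)\|(?P<errdetail>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("tr", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec

def denied_reply_bytes(lines, threshold=100_000):
    """Sum %<st per (result code, host) and list denials whose reply body is
    large enough to be a custom error page rather than a bare 4xx (the
    threshold is an assumed cut-off for this example, not a Squid setting)."""
    totals = defaultdict(int)
    suspects = []
    for rec in filter(None, map(parse_line, lines)):
        host = rec["url"].rsplit(":", 1)[0]
        totals[(rec["code"], host)] += rec["bytes"]
        if rec["code"].startswith("TCP_DENIED") and rec["bytes"] >= threshold:
            suspects.append((rec["ts"], rec["status"], rec["bytes"], rec["errcode"]))
    return dict(totals), suspects

if __name__ == "__main__":
    totals, suspects = denied_reply_bytes(SAMPLE_LOG.splitlines())
    for (code, host), total in sorted(totals.items()):
        print(f"{code:20s} {host:20s} {total:>8d} bytes")
    for ts, status, size, err in suspects:
        print(f"large denial at {ts}: HTTP {status}, {size} bytes, {err}")
```

Running it against a real day of access.log (instead of SAMPLE_LOG) shows directly how much of the reported 15GB is the error page body being sent on each denial.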


