[squid-users] Malformed HTTP on tproxy squid

Omid Kosari omidkosari at yahoo.com
Wed Aug 17 09:26:29 UTC 2016


Hi Eliezer,


Eliezer Croitoru-2 wrote
> If you know what domain or ip address causes an issue the first thing I
> can think about is bypassing the malicious traffic to allow other
> clients\users to reach the Internet.

The source IP may be 70% of our customers because it is a popular device, so it
is not an option. Destination IPs or domains are too many.

Unfortunately, because the requests are not normal HTTP, the squid log does
not have the dst url/domain/ip, so it is a hard job to find them.
1- First I should keep looking at the squid access.log to find a client which has
such a request.
2- Then try to sniff that client from the router.
3- Separate normal requests from malformed ones.
4- Find the destination from the malformed requests.
5- Put that IP in the router ACL to exclude it from tproxy routing to squid.

Nobody knows how many times this loop should be repeated because nobody
knows the count of destinations.



Eliezer Croitoru-2 wrote
> And since squid is also being used as a http ACL enforcement tool
> malformed requests basically should be dropped and not bypassed
> automatically.

So then squid should be able to simply drop them.
It would even be fine to have some patterns in iptables or something like
mod_security for apache etc., introduced by squid gurus, to prevent these
kinds of problems.




--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Malformed-HTTP-on-tproxy-squid-tp4678951p4678966.html
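
Step 1 of the loop described in the message above, as an added example that is not part of the original post: rank clients by how many unparseable requests Squid logged for them, so the client chosen for sniffing yields mostly malformed traffic. It assumes the default native access.log layout and that parse failures are logged with an `error:` pseudo-URL; the sample lines are constructed and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in Squid's native access.log layout (not taken from the post).
SAMPLE_LOG = """\
1471425980.101    120 10.1.1.20 TCP_MISS/200 5120 GET http://example.com/ - ORIGINAL_DST/192.0.2.10 text/html
1471425981.250      0 10.1.1.37 NONE/400 3980 NONE error:invalid-request - HIER_NONE/- text/html
1471425981.900      0 10.1.1.37 NONE/400 3980 NONE error:invalid-request - HIER_NONE/- text/html
1471425982.004     95 10.1.1.37 TCP_MISS/200 812 GET http://example.org/a.js - ORIGINAL_DST/192.0.2.11 application/javascript
1471425983.310      0 10.1.1.52 NONE/400 3980 NONE error:invalid-request - HIER_NONE/- text/html
truncated line
"""


def parse_line(line):
    """Return the fields used below, or None when the line is not native format."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    result, _, code = fields[3].rpartition("/")
    return {"client": fields[2], "result": result, "code": code,
            "method": fields[5], "url": fields[6]}


def is_malformed(entry):
    # Assumption: a request Squid could not parse is logged with an
    # "error:..." pseudo-URL in place of the destination.
    return entry["url"].startswith("error:")


def rank_clients(lines, min_bad=1):
    """List (client, malformed, total, share) sorted by malformed count."""
    total, bad = Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip truncated or foreign-format lines
        total[entry["client"]] += 1
        if is_malformed(entry):
            bad[entry["client"]] += 1
    rows = [(c, n, total[c], round(n / total[c], 2))
            for c, n in bad.items() if n >= min_bad]
    return sorted(rows, key=lambda r: (-r[1], -r[3], r[0]))


if __name__ == "__main__":
    for client, n, seen, share in rank_clients(SAMPLE_LOG.splitlines()):
        print(f"{client}\t{n} malformed of {seen} ({share:.0%})")
```

A client with a high malformed share is the easier capture target, since little normal traffic has to be separated out in step 3.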

