[squid-users] Malformed HTTP on tproxy squid
Omid Kosari
omidkosari at yahoo.com
Wed Aug 17 09:26:29 UTC 2016
Hi Eliezer,
Eliezer Croitoru-2 wrote
> If you know what domain or ip address causes an issue the first thing I
> can think about is bypassing the malicious traffic to allow other
> clients\users to reach the Internet.
Source ip may be 70% of our customers because it is a popular device, so it
is not an option. Destination IPs or domains are too many.
Unfortunately, because the requests are not normal HTTP, the squid log does
not have the dst url/domain/ip, so it is a hard job to find them.
1- First I should keep looking at the squid access.log to find a client which
has such requests.
2- Then try to sniff that client from the router.
3- Separate normal requests from malformed ones.
4- Find the destination from the malformed requests.
5- Put that ip in a router acl to exclude it from tproxy routing to squid.
Nobody knows how many times this loop should be repeated because nobody
knows the count of destinations.
Eliezer Croitoru-2 wrote
> And since squid is also being used as a http ACL enforcement tool
> malformed requests basically should be dropped and not bypassed
> automatically.
So then squid should be able to simply drop them.
It would even be fine to have some patterns in iptables or something like
mod_security for apache etc. which are introduced by squid gurus to prevent
these kinds of problems.
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Malformed-HTTP-on-tproxy-squid-tp4678951p4678966.html
Sent from the Squid - Users mailing list archive at Nabble.com.
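
Step 1 of the loop described in the message above, as an added example that is not part of the original post or of Squid itself: tally which clients produce malformed-request entries in access.log, so the sniffing in step 2 can start with the noisiest ones. The function names and sample lines are constructed, and it assumes the native log format with unparseable requests logged as status 400 and a URL beginning with `error:`.

```python
from collections import Counter

# Constructed sample in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy type
# Assumption: requests Squid cannot parse are logged with status 400 and a
# pseudo-URL starting with "error:" (e.g. error:invalid-request).
SAMPLE_LOG = """\
1471425960.101    120 10.0.0.5 TCP_MISS/200 5120 GET http://example.com/ - ORIGINAL_DST/192.0.2.10 text/html
1471425961.202      0 10.0.0.7 TAG_NONE/400 4210 NONE error:invalid-request - HIER_NONE/- text/html
1471425961.940      1 10.0.0.7 TAG_NONE/400 4210 NONE error:invalid-request - HIER_NONE/- text/html
1471425962.313     95 10.0.0.7 TCP_MISS/200 812 GET http://example.org/a.js - ORIGINAL_DST/192.0.2.20 application/javascript
1471425963.007      0 10.0.0.9 TAG_NONE/400 4210 NONE error:invalid-request - HIER_NONE/- text/html
1471425963.500      0 10.0.0.7 TAG_NONE/400 4210 NONE error:invalid-request - HIER_NONE/- text/html
1471425964.000     80 10.0.0.5 TCP_HIT/200 900 GET http://example.com/logo.png - HIER_NONE/- image/png
truncated line
"""


def parse_line(line):
    """Return (client, status, url) for a native-format line, else None."""
    parts = line.split()
    if len(parts) < 10:
        return None  # truncated or foreign line
    try:
        float(parts[0])  # first field must be the epoch timestamp
    except ValueError:
        return None
    status = parts[3].rpartition("/")[2]
    return parts[2], status, parts[6]


def is_malformed(status, url):
    # Both conditions, so ordinary 400s for well-formed URLs are not counted.
    return status == "400" and url.startswith("error:")


def malformed_by_client(lines, min_hits=1):
    """List (client, malformed, total) tuples, worst offenders first."""
    total, bad = Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        client, status, url = entry
        total[client] += 1
        if is_malformed(status, url):
            bad[client] += 1
    rows = [(c, n, total[c]) for c, n in bad.items() if n >= min_hits]
    return sorted(rows, key=lambda r: (-r[1], r[0]))
```

Feed it the lines of a real log with `malformed_by_client(open(path))`; raising `min_hits` filters out clients with only an occasional bad request.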