[squid-users] Malformed HTTP on tproxy squid
Amos Jeffries
squid3 at treenet.co.nz
Wed Aug 17 15:02:04 UTC 2016
On 17/08/2016 9:26 p.m., Omid Kosari wrote:
> Hi Eliezer,
>
>
> Eliezer Croitoru-2 wrote
>> If you know what domain or ip address causes an issue the first thing I
>> can think about is bypassing the malicious traffic to allow other
>> clients\users to reach the Internet.
>
> Source ip may be 70% of our customers because it is a popular device, so it
> is not an option. Destination ips or domains are too many.
>
> Unfortunately, because the requests are not normal http, the squid log does
> not have the dst url/domain/ip, so it is a hard job to find them.
> 1- First I should keep looking at the squid access.log to find a client which has
> such a request.
> 2- Then try to sniff that client from the router.
> 3- Separate normal requests from malformed ones.
> 4- Find the destination from the malformed requests.
> 5- Put that ip in the router acl to exclude it from tproxy routing to squid.
>
> Nobody knows how many times this loop should be repeated because nobody
> knows the count of destinations.
>
Easier way:
logformat Xips %ts.%03tu %6tr %>a %>la %>ru
access_log stdio:/var/log/squid/xact.log Xips
Then just grep the xact.log file for the "error:invalid-request" URLs,
and see what the '>la' column IP address is.
If you want to automate it make a logging daemon script.
>
> Eliezer Croitoru-2 wrote
>> And since squid is also being used as a http ACL enforcement tool
>> malformed requests basically should be dropped and not bypassed
>> automatically.
>
> So then squid should be able to simply drop them.
> It would even be fine to have some patterns in iptables or something like
> mod_security for apache etc. which are introduced by squid gurus to prevent these
> kinds of problems.
Your Squid is not even getting far enough to apply security rules to the
garbage traffic. It is basically just doing: accept() connection,
unmangle the NAT/TPROXY details, read(2) some bytes, try to parse - bam
generate and send error page, close the TCP connection and log the event.
About the only thing you could do to speed it up is locate the error
page templates (file paths: en/ERR_INVALID_REQ and
templates/ERR_INVALID_REQ) and remove their contents. Then restart Squid.
That should remove at least a few of the vprintf() syscalls that your
earlier trace showed as being a significant source of CPU load.
Amos
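Amos's suggestion amounts to a small log-processing job: take the Xips lines, keep only those whose %>ru is "error:invalid-request", and tally the %>la column. The script below is an added example written for this page, not code from the thread or from the Squid project. It assumes the Xips logformat shown above, that Squid records unparseable requests with the URL error:invalid-request (as Amos states), a hypothetical SQUID_LISTEN_ADDRS set (for explicit-proxy clients %>la is Squid's own listening address, which must not end up in a router bypass list) and an assumed min_hits threshold. The embedded log lines are constructed, not real traffic.

```python
"""Pick out TPROXY destinations that keep producing malformed requests.

Expects lines written by the custom Squid logformat from the thread:
    logformat Xips %ts.%03tu %6tr %>a %>la %>ru
Fields: timestamp.ms, response time (ms), client IP (%>a), the local IP the
client connected to (%>la, i.e. the intercepted destination), request URL.
Unparseable requests are logged with the URL "error:invalid-request".
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic); same layout as xact.log above.
SAMPLE_LOG = """\
1471446124.123    45 10.0.0.5 93.184.216.34 error:invalid-request
1471446124.201    12 10.0.0.7 93.184.216.34 error:invalid-request
1471446124.350   310 10.0.0.5 198.51.100.20 http://example.com/index.html
1471446125.005     3 10.0.0.9 203.0.113.8 error:invalid-request
1471446125.118    77 10.0.0.5 93.184.216.34 error:invalid-request
1471446126.000    20 10.0.0.11 192.0.2.1 error:invalid-request
this line is garbage and is skipped
"""

# Assumption: the address Squid itself listens on for explicit (non-TPROXY)
# clients. For such connections %>la is Squid's own address, not a target,
# so it must never be fed into the router bypass list.
SQUID_LISTEN_ADDRS = {"192.0.2.1"}

INVALID_URL = "error:invalid-request"

# %6tr is right-aligned, so fields are separated by runs of spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<tr>\d+)\s+(?P<client>\S+)\s+(?P<local>\S+)\s+(?P<url>\S+)\s*$"
)


def parse_line(line):
    """Return the five Xips fields as a dict, or None for a non-matching line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def invalid_request_destinations(log_text, ignore=SQUID_LISTEN_ADDRS):
    """Count invalid requests per intercepted destination IP.

    Returns {dest_ip: (count, set_of_client_ips)} for every %>la that
    received at least one "error:invalid-request" and is not one of the
    ignored (Squid's own) addresses.
    """
    counts = Counter()
    clients = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["url"] != INVALID_URL:
            continue
        if rec["local"] in ignore:
            continue
        counts[rec["local"]] += 1
        clients[rec["local"]].add(rec["client"])
    return {ip: (n, clients[ip]) for ip, n in counts.items()}


def bypass_candidates(log_text, min_hits=2, ignore=SQUID_LISTEN_ADDRS):
    """Destinations worth excluding from TPROXY, most-hit first.

    Returns a list of (dest_ip, hits, distinct_clients). min_hits is an
    assumed threshold: one malformed request is not enough evidence to
    route a whole destination around the proxy.
    """
    stats = invalid_request_destinations(log_text, ignore)
    picked = [(ip, n, len(c)) for ip, (n, c) in stats.items() if n >= min_hits]
    return sorted(picked, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    import sys

    # Usage: python xact_invalid.py /var/log/squid/xact.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, hits, nclients in bypass_candidates(text):
        print(f"{ip:<16} {hits:>5} invalid requests from {nclients} client(s)")
```

The distinct-client count is the useful extra signal: a destination hit with garbage by many different source addresses is the device's hard-coded endpoint, while one client hammering one IP may just be a single broken host. Whatever lands on the router ACL also leaves Squid's view entirely, so the list should be reviewed rather than applied blindly.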