[squid-users] TCP_RESET non http requests on port 80
Amos Jeffries
squid3 at treenet.co.nz
Wed Aug 24 13:54:28 UTC 2016
On 25/08/2016 12:39 a.m., Omid Kosari wrote:
> This config works for dstdomain acl type
>
> acl test dstdomain 123.com
> deny_info TCP_RESET test
> adapted_http_access deny test
>
>
> but it is not what I want. I want
>
> acl status_400 http_status 400
> deny_info TCP_RESET status_400
> adapted_http_access deny status_400
>
> OR
>
> acl HTTP proto HTTP
> acl PORT_80 port 80
> deny_info TCP_RESET PORT_80 !HTTP
> adapted_http_access deny PORT_80 !HTTP
>
The status code is only available in the response processing pathways.
So use "http_reply_access deny test". As Alex showed, the generated
errors do go through that access control.
For better control, Squid-4 will be needed, and on_unsupported_protocol
will also need patching so that it is applied when the HTTP parser
detects an unsupported protocol on port 80 (or 3128). AFAIK it is
currently only done by the SSL-Bump'ing code detecting non-TLS protocols on
port 443.
Amos
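As an added illustration (not from the thread or the Squid project itself), here is the status-code rule from the quoted post moved onto the reply path as suggested above, keeping the ACL names from that post and assuming a Squid 3.5 squid.conf:

```conf
# Added example, not part of the thread. Assumes Squid 3.5 and the ACL
# names from the quoted post.

# http_status is a reply-side ACL: during request processing there is no
# response yet, so Squid treats it as a mismatch and an adapted_http_access
# rule built on it never denies anything.
acl status_400 http_status 400

# deny_info binds the ACL name to what happens when a deny rule matches on
# it; TCP_RESET resets the client connection instead of sending an error page.
deny_info TCP_RESET status_400

# Evaluate the rule where the status code actually exists: on the reply.
# Squid-generated error replies pass through this check as well.
http_reply_access deny status_400
http_reply_access allow all
```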