[squid-users] TCP_RESET non http requests on port 80

Amos Jeffries squid3 at treenet.co.nz
Wed Aug 24 13:54:28 UTC 2016


On 25/08/2016 12:39 a.m., Omid Kosari wrote:
> This config works for dstdomain acl type
> 
> acl test dstdomain 123.com
> deny_info TCP_RESET test
> adapted_http_access deny test
> 
> 
> but it is not what I want. I want
> 
> acl status_400 http_status 400
> deny_info TCP_RESET status_400
> adapted_http_access deny status_400
> 
> OR
> 
> acl HTTP proto HTTP
> acl PORT_80 port 80
> deny_info TCP_RESET PORT_80 !HTTP
> adapted_http_access deny PORT_80 !HTTP
> 

Status code is only available in the response processing pathways.
So use "http_reply_access deny test". As Alex showed the generated
errors do go through that access control.


For better control Squid-4 will be needed, and also the
on_unsupported_protocol will need patching to be applied when HTTP
parser detects unsupported protocol on port 80 (or 3128). AFAIK it is
currently only done by SSL-Bump'ing code detecting non-TLS protocols on
port 443.

Amos
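The reply-side form of the status-code rule, as an added squid.conf example that is not part of the thread; it assumes standard Squid 3.x directive syntax and keeps the ACL name from the original question.

```conf
# An http_status ACL can only match once a response (or a Squid-generated
# error page) exists, so it is evaluated in http_reply_access, not in
# http_access / adapted_http_access where the request-side checks run.
acl status_400 http_status 400

# deny_info TCP_RESET tells Squid to close the client connection with a
# TCP RST instead of sending an error page when this ACL causes a denial.
deny_info TCP_RESET status_400

# Request-side placement (as in the original question) never matches,
# because no status code is known yet at that point:
#   adapted_http_access deny status_400
#
# Reply-side placement is where the status code is available:
http_reply_access deny status_400
http_reply_access allow all
```

Check the effect with a client such as curl: a request that yields a 400 should fail with a connection reset rather than receive an HTML error body.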


