[squid-users] Introducing delay to HTTP 407 responses

Dan Charlesworth dan at getbusi.com
Wed Sep 14 02:05:35 UTC 2016


I just want to throw my support behind seeking a solution to this problem. Luke’s clearly considered it in way more detail than anyone so far, myself included.

This affects the squids under my purview every day.

Best,
Dan

> On 14 Sep. 2016, at 10:18 am, squid-users at filter.luko.org wrote:
> 
> Hi Squid users,
> 
> Seeking advice on how to slow down 407 responses to broken Apple & MS
> clients, which seem to retry at very short intervals and quickly fill the
> access.log with garbage.  The problem is very similar to this:
> 
> http://www.squid-cache.org/mail-archive/squid-users/201404/0326.html
> 
> However the config below doesn't seem to slow down the response:
> 
> acl delaydomains dstdomain .live.net .apple.com
> acl authresponse http_status 407
> external_acl_type delay ttl=0 negative_ttl=0 cache=0 %SRC /tmp/delay.pl
> acl delay external delay
> http_reply_access deny delaydomains authresponse delay
> http_reply_access allow all
> 
> The helper is never asked by Squid to process the request.  Just wondering
> if http_status ACLs can be used in http_reply_access?
> 
> My other thinking, if this isn't possible, was to mark 407 responses with
> clientside_tos so they could be delayed/throttled with tc or iptables.  Ie,
> 
> acl authresponse http_status 407
> clientside_tos 0x20 authresponse
> 
> However, auth response packets don't get the desired tos markings.  Instead
> the following message appears in cache.log:
> 
> 2016/09/13 11:35:43 kid1| WARNING: authresponse ACL is used in context
> without an HTTP response. Assuming mismatch.
> 
> After reviewing
> http://lists.squid-cache.org/pipermail/squid-users/2016-May/010630.html it
> seems like this has cropped up before.  The suggestion in that thread was to
> exclude 407 responses from the access log.  Fortunately this works.  But I'm
> wondering if there is a way to introduce delay into the 407 response itself?
> Partly to minimise load associated with serving broken clients, and also to
> maintain logging of actual intrusion attempts.  Any suggestions?
> 
> Luke
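
The following is an added example, not part of either post and not a Squid feature: an offline pass over access.log that collapses 407 retry bursts toward the `delaydomains` destinations into per-client counts while keeping every other 407 line for review. It assumes Squid's default native log format; the burst thresholds, function names and sample lines are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

DELAY_DOMAINS = (".live.net", ".apple.com")  # from the delaydomains ACL in the post
BURST_GAP = 1.0  # assumption: 407s closer together than this (seconds) are one burst
BURST_MIN = 5    # assumption: a burst of this many 407s is treated as a retry storm

def dest_host(method, url):
    """Destination host from the URL field (CONNECT logs host:port, not a URL)."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def in_delay_domains(host):
    """dstdomain-style match: '.apple.com' covers apple.com and its subdomains."""
    return any(host == d[1:] or host.endswith(d) for d in DELAY_DOMAINS)

def parse_407(line):
    """Return (timestamp, client, host) for a 407 line, else None."""
    f = line.split()
    if len(f) < 7 or not f[3].endswith("/407"):
        return None
    return float(f[0]), f[2], dest_host(f[5], f[6])

def triage(lines):
    """Return (storms, kept): storm counts per (client, host), and 407 lines to retain."""
    streams = defaultdict(list)
    for line in lines:
        rec = parse_407(line)
        if rec:
            streams[(rec[1], rec[2])].append((rec[0], line))
    storms, kept = {}, []
    for key, events in streams.items():
        events.sort()
        burst = [events[0]]
        for ev in events[1:] + [None]:  # None flushes the final burst
            if ev and ev[0] - burst[-1][0] <= BURST_GAP:
                burst.append(ev)
                continue
            if len(burst) >= BURST_MIN and in_delay_domains(key[1]):
                storms[key] = storms.get(key, 0) + len(burst)
            else:
                kept.extend(text for _, text in burst)
            burst = [ev]
    return storms, kept

# Constructed sample: six rapid 407s from one client, one isolated 407, one 200.
SAMPLE = [f"{1473766543.0 + i * 0.2:.3f}      0 10.0.0.5 TCP_DENIED/407 4130 CONNECT gs.apple.com:443 - HIER_NONE/- text/html" for i in range(6)] + [
    "1473766550.100      1 10.0.0.9 TCP_DENIED/407 4130 GET http://intranet.example/admin - HIER_NONE/- text/html",
    "1473766551.000     85 10.0.0.9 TCP_MISS/200 1200 GET http://www.example.com/ luke HIER_DIRECT/93.184.216.34 text/html",
]
```
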


