[squid-users] Introducing delay to HTTP 407 responses
Dan Charlesworth
dan at getbusi.com
Wed Sep 14 02:05:35 UTC 2016
I just want to throw my support behind seeking a solution to this problem. Luke’s clearly considered it in way more detail than anyone so far, myself included.
This affects the squids under my purview every day.
Best,
Dan
> On 14 Sep. 2016, at 10:18 am, squid-users at filter.luko.org wrote:
>
> Hi Squid users,
>
> Seeking advice on how to slow down 407 responses to broken Apple & MS
> clients, which seem to retry at very short intervals and quickly fill the
> access.log with garbage. The problem is very similar to this:
>
> http://www.squid-cache.org/mail-archive/squid-users/201404/0326.html
>
> However the config below doesn't seem to slow down the response:
>
> acl delaydomains dstdomain .live.net .apple.com
> acl authresponse http_status 407
> external_acl_type delay ttl=0 negative_ttl=0 cache=0 %SRC /tmp/delay.pl
> acl delay external delay
> http_reply_access deny delaydomains authresponse delay
> http_reply_access allow all
>
> The helper is never asked by Squid to process the request. Just wondering
> if http_status ACLs can be used in http_reply_access?
>
> My other thinking, if this isn't possible, was to mark 407 responses with
> clientside_tos so they could be delayed/throttled with tc or iptables. I.e.,
>
> acl authresponse http_status 407
> clientside_tos 0x20 authresponse
>
> However, auth response packets don't get the desired tos markings. Instead
> the following message appears in cache.log:
>
> 2016/09/13 11:35:43 kid1| WARNING: authresponse ACL is used in context
> without an HTTP response. Assuming mismatch.
>
> After reviewing
> http://lists.squid-cache.org/pipermail/squid-users/2016-May/010630.html it
> seems like this has cropped up before. The suggestion in that thread was to
> exclude 407 responses from the access log. Fortunately this works. But I'm
> wondering if there is a way to introduce delay into the 407 response itself?
> Partly to minimise load associated with serving broken clients, and also to
> maintain logging of actual intrusion attempts. Any suggestions?
>
> Luke
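An added example, not part of either post and not Squid's own tooling: a Python script that groups 407 replies in access.log by client and destination, so retry bursts to the domains named in the thread can be told apart from 407s that should stay logged. It assumes Squid's default native log format; the thresholds, function names and sample lines are constructed for illustration.

```python
# Assumes Squid's default native access.log format; thresholds are assumed.
from collections import defaultdict
from urllib.parse import urlsplit

NOISY_DOMAINS = (".live.net", ".apple.com")  # dstdomain list from the post
BURST_COUNT, BURST_WINDOW = 5, 2.0  # assumed: 5 replies within 2 seconds
# Constructed sample lines, not taken from a real log.
SAMPLE_LOG = """\
1473766543.100      0 10.0.0.5 TCP_DENIED/407 4178 CONNECT gs.apple.com:443 - HIER_NONE/- text/html
1473766543.300      0 10.0.0.5 TCP_DENIED/407 4178 CONNECT gs.apple.com:443 - HIER_NONE/- text/html
1473766543.500      0 10.0.0.5 TCP_DENIED/407 4178 CONNECT gs.apple.com:443 - HIER_NONE/- text/html
1473766543.700      0 10.0.0.5 TCP_DENIED/407 4178 CONNECT gs.apple.com:443 - HIER_NONE/- text/html
1473766543.900      0 10.0.0.5 TCP_DENIED/407 4178 CONNECT gs.apple.com:443 - HIER_NONE/- text/html
1473766544.500    210 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT gs.apple.com:443 alice HIER_DIRECT/192.0.2.10 -
1473766600.000      0 10.0.0.9 TCP_DENIED/407 4100 GET http://intranet.example/admin - HIER_NONE/- text/html
1473766630.000      0 10.0.0.9 TCP_DENIED/407 4100 GET http://intranet.example/admin - HIER_NONE/- text/html
"""

def dest_host(method, url):
    """Host part of a CONNECT target (host:port) or of an absolute URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def is_noisy(host):
    # A leading-dot dstdomain matches the domain itself and its subdomains.
    return any(host == d[1:] or host.endswith(d) for d in NOISY_DOMAINS)

def summarise_407(log_text):
    """Map (client, host) -> count, retry-burst flag, noisy-domain flag."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[3].endswith("/407"):
            times[(f[2], dest_host(f[5], f[6]))].append(float(f[0]))
    report = {}
    for key, ts in times.items():
        ts.sort()
        burst = any(ts[i + BURST_COUNT - 1] - ts[i] <= BURST_WINDOW
                    for i in range(len(ts) - BURST_COUNT + 1))
        report[key] = {"count": len(ts), "burst": burst, "noisy": is_noisy(key[1])}
    return report

def needs_review(report):
    """407 sources outside the noisy domains, worth keeping in the log."""
    return sorted(k for k, v in report.items() if not v["noisy"])

if __name__ == "__main__":
    print(*sorted(summarise_407(SAMPLE_LOG).items()), sep="\n")
```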