[squid-users] Introducing delay to HTTP 407 responses

Eliezer Croitoru eliezer at ngtech.co.il
Wed Sep 14 13:51:20 UTC 2016 

Hey Luke,

Try to use the next line instead:
external_acl_type delay ttl=1 negative_ttl=0 cache=0 %SRC %SRCPORT %URI /tmp/delay.pl

And see what happens.
I do not know why the helper is not delaying but if you have a specific logic I can convert one of my scripts to support concurrency and do this delay.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of squid-users at filter.luko.org
Sent: Wednesday, September 14, 2016 3:18 AM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Introducing delay to HTTP 407 responses

Hi Squid users,

Seeking advice on how to slow down 407 responses to broken Apple & MS
clients, which seem to retry at very short intervals and quickly fill the
access.log with garbage.  The problem is very similar to this:

http://www.squid-cache.org/mail-archive/squid-users/201404/0326.html

However the config below doesn't seem to slow down the response:

acl delaydomains dstdomain .live.net .apple.com
acl authresponse http_status 407
external_acl_type delay ttl=0 negative_ttl=0 cache=0 %SRC /tmp/delay.pl
acl delay external delay
http_reply_access deny delaydomains authresponse delay
http_reply_access allow all

The helper is never asked by Squid to process the request.  Just wondering
if http_status ACLs can be used in http_reply_access?

My other thinking, if this isn't possible, was to mark 407 responses with
clientside_tos so they could be delayed/throttled with tc or iptables.  Ie,

acl authresponse http_status 407
clientside_tos 0x20 authresponse

However, auth response packets don't get the desired tos markings.  Instead
the following message appears in cache.log:

2016/09/13 11:35:43 kid1| WARNING: authresponse ACL is used in context
without an HTTP response. Assuming mismatch.

After reviewing
http://lists.squid-cache.org/pipermail/squid-users/2016-May/010630.html it
seems like this has cropped up before.  The suggestion in that thread was to
exclude 407 responses from the access log.  Fortunately this works.  But I'm
wondering if there is a way to introduce delay into the 407 response itself?
Partly to minimise load associated with serving broken clients, and also to
maintain logging of actual intrusion attempts.  Any suggestions?

Luke


_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list