[squid-users] Introducing delay to HTTP 407 responses
Eliezer Croitoru
eliezer at ngtech.co.il
Wed Sep 14 13:51:20 UTC 2016
Hey Luke,
Try to use the next line instead:
external_acl_type delay ttl=1 negative_ttl=0 cache=0 %SRC %SRCPORT %URI /tmp/delay.pl
And see what happens.
I do not know why the helper is not delaying, but if you have a specific logic I can convert one of my scripts to support concurrency and do this delay.
Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of squid-users at filter.luko.org
Sent: Wednesday, September 14, 2016 3:18 AM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Introducing delay to HTTP 407 responses
Hi Squid users,
Seeking advice on how to slow down 407 responses to broken Apple & MS
clients, which seem to retry at very short intervals and quickly fill the
access.log with garbage. The problem is very similar to this:
http://www.squid-cache.org/mail-archive/squid-users/201404/0326.html
However the config below doesn't seem to slow down the response:
acl delaydomains dstdomain .live.net .apple.com
acl authresponse http_status 407
external_acl_type delay ttl=0 negative_ttl=0 cache=0 %SRC /tmp/delay.pl
acl delay external delay
http_reply_access deny delaydomains authresponse delay
http_reply_access allow all
The helper is never asked by Squid to process the request. Just wondering
if http_status ACLs can be used in http_reply_access?
My other thinking, if this isn't possible, was to mark 407 responses with
clientside_tos so they could be delayed/throttled with tc or iptables. I.e.,
acl authresponse http_status 407
clientside_tos 0x20 authresponse
However, auth response packets don't get the desired tos markings. Instead
the following message appears in cache.log:
2016/09/13 11:35:43 kid1| WARNING: authresponse ACL is used in context
without an HTTP response. Assuming mismatch.
After reviewing
http://lists.squid-cache.org/pipermail/squid-users/2016-May/010630.html it
seems like this has cropped up before. The suggestion in that thread was to
exclude 407 responses from the access log. Fortunately this works. But I'm
wondering if there is a way to introduce delay into the 407 response itself?
Partly to minimise load associated with serving broken clients, and also to
maintain logging of actual intrusion attempts. Any suggestions?
Luke
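
The reply above mentions a helper script that supports concurrency and does the delay. A sketch of such a helper follows as an added example; it is not Eliezer's script and not code from this thread. It assumes a concurrency=N option on the external_acl_type line, so that Squid prefixes each lookup with a channel ID that the reply must echo; DELAY_SECONDS and VERDICT are hypothetical names.

```python
#!/usr/bin/env python3
"""Added example: concurrency-aware delaying helper for Squid external_acl_type.

Assumes the helper is started with concurrency=N, so every request line is
"<channel-id> <format tokens...>" and every reply starts with that channel-id.
DELAY_SECONDS and VERDICT are hypothetical settings, not from the thread.
"""
import sys
import threading
import time

DELAY_SECONDS = 2.0  # assumed pause before answering each lookup
VERDICT = "ERR"      # ERR = ACL does not match, so a "deny ... delay" rule is skipped


def parse_request(line):
    """Split a request line into (channel_id, [tokens]); None if malformed."""
    parts = line.split()
    if not parts or not parts[0].isdigit():
        return None
    return parts[0], parts[1:]


def serve(inp, out, delay=DELAY_SECONDS, verdict=VERDICT):
    """Answer each lookup after `delay` seconds without blocking other channels."""
    lock = threading.Lock()
    workers = []

    def reply(channel, result, wait):
        time.sleep(wait)
        with lock:  # emit one complete line per write
            out.write(f"{channel} {result}\n")
            out.flush()

    for line in inp:
        req = parse_request(line)
        if req is None:
            continue  # no usable channel-id, so no reply can be addressed
        t = threading.Thread(target=reply, args=(req[0], verdict, delay))
        t.start()
        workers.append(t)
    for t in workers:
        t.join()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

The tokens after the channel ID are whatever the external_acl_type format lists, for example %SRC %SRCPORT %URI as in the line suggested above; this sketch ignores them and delays every lookup equally.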