[squid-users] Squid doesn't reload webpage like other clients do

Andrei lagged at gmail.com
Mon Oct 30 20:39:30 UTC 2017


It's regarding active fingerprinting and mitigating attacks, not just its
passive use. (Sorry for the dbl send)

On Oct 30, 2017 21:41, "Alex Rousskov" <rousskov at measurement-factory.com>
wrote:

> On 10/30/2017 12:15 PM, Andrei wrote:
> > You do realize that there's nothing "weird" about p0f, right?
>
> Right. I do not know why you had to ask though: There is nothing related
> to p0f (i.e., a passive traffic analysis tool) in my response. And the
> original question is probably unrelated to p0f as well since active
> connection resets are incompatible with the idea of passive analysis.
>
> Alex.
>
>
>
> > On Mon, Oct 30, 2017 at 11:22 AM, Alex Rousskov wrote:
> >
> >     On 10/30/2017 03:51 AM, Troiano Alessio wrote:
> >
> >     > I've squid 3.5.20 running on RHEL 7.4. I have a problem to access
> >     > some websites, for example www.nato.int <http://www.nato.int>.
> >     > This website applies an Anti-DDoS system that resets the first
> >     > connection after the TCP 3-way handshake (SYN/SYN-ACK/ACK/RST-ACK).
> >     > All subsequent TCP connections are accepted. The website
> >     > administrator says it is by design.
> >
> >     > When I browse the site with squid proxy the browser receives an
> >     > "Empty Response" squid error page (HTTP error code 502 Bad Gateway)
> >     > and doesn't do the automatic retry:
> >
> >     This is by design as well :-).
> >
> >     We can change Squid behavior to retry connection resets, but I am
> >     sure that some folks will not like the new behavior because in
> >     _their_ use cases a retry is wasteful and/or painful. IMHO, the new
> >     behavior should be controlled by a configuration directive, possibly
> >     an ACL-driven one.
> >
> >     Quality patches implementing the above feature should be welcomed
> >     IMO. The tip of the relevant code is probably in ERR_ZERO_SIZE_OBJECT
> >     handling inside FwdState::fail(). There is similar code that handles
> >     persistent connection races there already, but the zero-size reply
> >     code may need a new dedicated FwdState flag to prevent infinite retry
> >     loops when the origin server is broken (a much more typical use case
> >     than the weird attempt at DDoS mitigation that you have described
> >     above).
> >
> >     https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F
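To make the two behaviours discussed in the quoted exchange concrete, here is an added Python simulation (not Squid code and not from anyone in this thread): a constructed localhost origin that completes the handshake and then RSTs the first connection, a forwarding client that either turns a reset or zero-size reply into an error (max_retries=0, the current behaviour) or retries a bounded number of times, and a permanently broken origin showing why the bound is needed. The names start_origin and fetch and the reset_first/max_retries parameters are assumptions for this example.

```python
import socket
import struct
import threading

# Constructed stand-in for the origin described in the thread: it completes
# the TCP handshake, then RSTs the first `reset_first` connections; later
# connections get a normal reply. A huge reset_first models a broken origin.
def start_origin(reset_first):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    state = {"left": reset_first}
    def serve():
        while True:
            conn, _ = srv.accept()
            if state["left"] > 0:
                state["left"] -= 1
                # SO_LINGER with a zero timeout makes close() send RST, not FIN,
                # reproducing the SYN/SYN-ACK/ACK/RST-ACK pattern from the report.
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                struct.pack("ii", 1, 0))
            else:
                conn.recv(4096)
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def fetch(port, max_retries):
    """Forward one request the way a proxy would. max_retries=0 is the
    no-retry behaviour (reset or zero-size reply becomes an error page);
    a small positive value is the bounded retry the thread proposes.
    Returns (outcome, attempts)."""
    attempts = 0
    while True:
        attempts += 1
        sock = socket.create_connection(("127.0.0.1", port), timeout=5)
        try:
            sock.sendall(b"GET / HTTP/1.1\r\nHost: origin.example\r\n\r\n")
            reply = sock.recv(4096)          # b"" is a zero-size reply
        except ConnectionError:              # RST observed on send or recv
            reply = b""
        finally:
            sock.close()
        if reply:
            return ("ok", attempts)
        if attempts > max_retries:           # the bound that stops infinite loops
            return ("empty_response", attempts)
```

Against start_origin(1), fetch(port, 0) returns ('empty_response', 1) and a second call returns ('ok', 1), which is the "reload works" case; with max_retries=1 a single fetch returns ('ok', 2), while against start_origin(10**9) with max_retries=2 the bound stops at ('empty_response', 3).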