[squid-users] Get IP of denied request
Alex Rousskov
rousskov at measurement-factory.com
Thu Oct 26 19:11:01 UTC 2023
On 2023-10-26 08:37, magri at web.de wrote:
> TL;DR: is there a way to get/log the resolved ip of a denied request?
TLDR: Bugs notwithstanding, use %<a.
> We have a rather large ip based malware blacklist (dst acl) and
> sometimes a destination is blocked inadvertently because of a false
> positive entry in this list.
> This happens most often with CDNs where the ips of a destination change
> often and even move between different sites.
>
> Because of this rapid change it's difficult to determine the blocked ip
> in hindsight when analyzing access problems and makes it impossible to
> correct the blacklist.
>
> For normal requests the resolved and accessed ip is logged with %<a,
> but that doesn't happen when the request is denied.
If a request was denied by a dst ACL based on its successfully resolved
destination IP address but %<a was logged as "-", then it is a Squid bug
that should be fixed IMO. Meanwhile, you can annotate every dst match
and log that annotation. Here is an untested sketch:
acl matchDst1 dst 127.0.0.1
acl markDst1 note matched=127.0.0.1
acl all-of dst1 matchDst1 markDst1
http_access deny dst1
acl matchDst2 dst 127.0.0.2
acl markDst2 note matched=127.0.0.2
acl all-of dst2 matchDst2 markDst2
http_access deny dst2
logformat myFormat ... matched_dst=%note{matched}
access_log ...
The same thing with fewer lines (but with fewer ways to group dst1 and
dst2 with other ACLs):
acl matchDst1 dst 127.0.0.1
acl markDst1 note matched=127.0.0.1
http_access deny matchDst1 markDst1
acl matchDst2 dst 127.0.0.2
acl markDst2 note matched=127.0.0.2
http_access deny matchDst2 markDst2
logformat myFormat ... matched_dst=%note{matched}
access_log ...
For long dst lists, the above approach will require scripting the
generation of the corresponding squid.conf portions or include files, of
course.
If a request was denied by a dst ACL because its destination IP address
could not be resolved, then %<a should be logged as "-". I cannot think
of a way to distinguish this case from other cases where %<a is "-". It
feels like address resolution failures should be available via
%err_detail, but I doubt Squid code populates that information in these
cases. Another problem to fix!
HTH,
Alex.
> Is there any way to get the ip logged that was used in the dst-acl aside
> from debug logging? Maybe through some annotation mechanism?
>
> Squid version is 6.2, as 6.4 crashes with assertion errors here, too.
>
> thanks,
> Martin
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
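A worked version of the scripting Alex says a long dst list would need, as an added example that is not part of the original thread or of Squid itself: it turns a blacklist file into the shorter annotate-and-deny form from the reply (one dst ACL, one note ACL and one http_access line per entry), skipping comments and malformed lines that would otherwise break squid.conf parsing, and then tallies the matched_dst field in the resulting access.log so the entries responsible for denials can be reviewed for false positives. The blacklist contents, the log lines, the logformat name and the matched_dst field name are constructed for the example; the generated fragment is assumed to be pulled in with a Squid include directive alongside a logformat that ends in matched_dst=%note{matched}.

```python
#!/usr/bin/env python3
"""Generate squid.conf fragments that annotate every dst-ACL match with the
blocked address, following the sketch in the list reply above.

Added example, not from the original post or from Squid. Assumes:
  - Squid 6.x syntax for 'acl ... dst', 'acl ... note' and 'http_access deny'
  - the generated file is included from squid.conf (path is a placeholder)
  - a logformat exists whose last field is 'matched_dst=%note{matched}'
"""
import ipaddress
import re

# Constructed sample blacklist: plain IPs, a CIDR, a comment and a bad line.
SAMPLE_BLACKLIST = """\
# example malware blacklist (constructed)
127.0.0.1
127.0.0.2
192.0.2.0/24
not-an-ip
"""


def parse_blacklist(text):
    """Return the valid entries as normalized strings, skipping comments and
    malformed lines (a bad line would otherwise break squid.conf parsing)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # skip malformed entries rather than emitting them
        # Single hosts are written without a prefix length, as 'dst' accepts.
        if net.num_addresses == 1:
            entries.append(str(net.network_address))
        else:
            entries.append(str(net))
    return entries


def squid_annotated_deny(entries):
    """Emit one (dst, note, http_access) triple per entry, i.e. the shorter
    form from the reply, so a denied request logs the entry it matched."""
    lines = ["# generated: annotate and deny blacklisted destinations",
             "# include this file from squid.conf (placeholder path)"]
    for i, entry in enumerate(entries, start=1):
        lines.append(f"acl matchDst{i} dst {entry}")
        lines.append(f"acl markDst{i} note matched={entry}")
        lines.append(f"http_access deny matchDst{i} markDst{i}")
    return "\n".join(lines) + "\n"


# Constructed access.log lines, assumed produced by a logformat ending in
# 'matched_dst=%note{matched}' (the field is '-' when no entry matched).
SAMPLE_LOG = """\
1698347000.123 0 10.0.0.5 TCP_DENIED/403 3943 GET http://cdn.example/ - HIER_NONE/- text/html matched_dst=192.0.2.0/24
1698347001.456 87 10.0.0.6 TCP_MISS/200 5120 GET http://ok.example/ - HIER_DIRECT/198.51.100.7 text/html matched_dst=-
1698347002.789 0 10.0.0.7 TCP_DENIED/403 3943 GET http://other.example/ - HIER_NONE/- text/html matched_dst=127.0.0.2
"""

MATCHED_RE = re.compile(r"matched_dst=(\S+)")


def denied_by_entry(log_text):
    """Count TCP_DENIED requests per blacklist entry. Entries that keep
    blocking legitimate-looking hosts (CDN ranges, typically) are the
    candidates for false-positive review."""
    counts = {}
    for line in log_text.splitlines():
        if "TCP_DENIED" not in line:
            continue
        m = MATCHED_RE.search(line)
        if not m or m.group(1) == "-":
            continue
        entry = m.group(1)
        counts[entry] = counts.get(entry, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_blacklist(SAMPLE_BLACKLIST)
    print(squid_annotated_deny(entries))
    print(denied_by_entry(SAMPLE_LOG))
```

Running the script prints the generated fragment for the three valid entries and the per-entry denial counts from the sample log; in practice the blacklist would be read from a file and the tally run over a day's access.log. The note value is the blacklist entry itself rather than the resolved address, which is exactly what makes the false-positive entry easy to locate afterwards.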