Dear Developers,
In our ISP setup we are running squid-2.5.STABLE1 cache in transparent mode
with "http_accel_with_proxy off". Since last few days our cache.log is
growing with
"proxy request denied in accel_only mode for xxx.xxx.xxx.xxx"
I took following steps to stop such an attack my system.
1> Denied direct connection to port 3128 from netfilter/iptables. but
request was comming to squid from transparent redirection only.
2> We taken tcpdump for the "host xxx.xxx.xxx.xxx and port www" and we did
replay those raw packet in our production machine with running squid in full
debug mode. There we figured out that form of request was following
GET http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1
HTTP/1.1
Host: www.Gustavo.com
Looking inside the code we found that flow does not satisfy line number 2622
in client_side.c
/* see if we running in Config2.Accel.on, if so got to convert it to URL */
else if (Config2.Accel.on && *url == '/') {
and flow go to its else part in
} else {
/* URL may be rewritten later, so make extra room */
url_sz = strlen(url) + Config.appendDomainLen + 5;
http->uri = xcalloc(url_sz, 1);
strcpy(http->uri, url);
http->flags.accel = 0;
}
Here is sets flags.accel to 0. And after this point this request is treated
as it was a direct connection request to squid.
My proposal to overcome this situation is can this code be little modified
and netfilter help can be taken for making decision about acceleration.
} else {
/* URL may be rewritten later, so make extra room */
url_sz = strlen(url) + Config.appendDomainLen + 5;
http->uri = xcalloc(url_sz, 1);
strcpy(http->uri, url);
getsockopt(conn->fd, SOL_IP, SO_ORIGINAL_DST, &conn->me, &sock_sz);
http->flags.accel = myaddr(conn->me)) ? 1 : 0;
... ... ...
int myaddr(struct sockaddr_in inet_addr)
{
/* returns true if passed inet_addr is any of __THIS__ host ip address */
}
... ... ...
Does this extra getsockopt and one conditional setting of integer variable
impact your performance? Henrik? From my technical point of view it is
feasible as logs about "proxy access denied ..." is generating false
information too. As this is not proxy request but it is accelerated and
invalid request; Am I right?
Thankx,
-- Sumit
Received on Sat Feb 07 2004 - 09:05:14 MST
This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:04 MST