Re: [squid-users] add DENIED tag by redirector for easy identification in logfile

2012-11-02 Thread Alex Rousskov
On 10/31/2012 05:07 AM, Amm wrote:
> I have a redirector which blocks certain sites. But in squid logs
> there is no way to indicate if redirector blocked it.

On 10/31/2012 06:36 AM, Amm wrote:
> I suppose as of now there is no solution. But thanks again.


Hi Amm,

   There is a solution, but it requires switching from a url_rewriter
script to an eCAP adapter. Adapters can set annotations (name:value
tags) that Squid can log via %adapt::last_h logformat code. Adapters
can even block URIs using native Squid blocking functionality with
configurable error responses and content negotiation (as if http_access
was denied). Adapters have access to more information and add less overhead.

However, eCAP adapters are more difficult to write and have other cons
so it is difficult to say whether you should wait for helper interface
to gain annotations support or switch to eCAP.

For more details, see

  http://wiki.squid-cache.org/Features/eCAP
  http://wiki.squid-cache.org/SquidFaq/ContentAdaptation


HTH,

Alex.



Re: [squid-users] add DENIED tag by redirector for easy identification in logfile

2012-11-02 Thread Amm


- Original Message -

> From: Alex Rousskov rouss...@measurement-factory.com
>
> Hi Amm,
>
>    There is a solution, but it requires switching from a url_rewriter
> script to an eCAP adapter. Adapters can set annotations (name:value
> tags) that Squid can log via %adapt::last_h logformat code.

Thanks for the suggestion. But writing an eCAP adapter is difficult for me.

Currently I figured out a way to identify the blocks by url_redirect_program.

Since redirection is to a static page, size of that page is same.

So squid always logs same size and also mostly picks it up from cache,
hence it also shows REFRESH_UNMODIFIED.

Of course, not exactly a right way to identify.

Regards,

Amm.



[squid-users] add DENIED tag by redirector for easy identification in logfile

2012-10-31 Thread Amm
Hi

I wanted to know if url_rewrite_program can add a TAG for logging.

I have a redirector which blocks certain sites. But in squid logs
there is no way to indicate if redirector blocked it.

As per this, there is already a tag called DENIED when request is
rejected by acl.
http://wiki.squid-cache.org/SquidFaq/SquidLogs#access.log

I would like that redirector should also have ability to add a tag,
say same one, DENIED.

So that it's easy to identify the blocked requests (either by acl
or by redirector)


Similar feature already exists for external_acl_type:
http://www.squid-cache.org/Doc/config/external_acl_type/


which says: tag= Apply a tag to a request (for both ERR and OK results)

So can redirector do the same?

Thanks in advance,

Amm



Re: [squid-users] add DENIED tag by redirector for easy identification in logfile

2012-10-31 Thread Amos Jeffries

On 1/11/2012 12:07 a.m., Amm wrote:

> Hi
>
> I wanted to know if url_rewrite_program can add a TAG for logging.


Not for tags output by the helper program itself. I am currently working
on a project to clean up and combine the Squid helper interfaces such
that, for example, url_rewrite_program and external_acl_type helpers can
return the same set of key=value details and have them do/mean the same
things.
  If you are interested in sponsoring any code development towards that,
please contact me off-list about payment details.




> I have a redirector which blocks certain sites. But in squid logs
> there is no way to indicate if redirector blocked it.


NOTE: redirectors do not block anything. They redirect. Possibly to a 
location which does not exist, or a page containing the word blocked.



> As per this, there is already a tag called DENIED when request is
> rejected by acl.
> http://wiki.squid-cache.org/SquidFaq/SquidLogs#access.log
>
> I would like that redirector should also have ability to add a tag,
> say same one, DENIED.


Um, REDIRECT tag is documented 6 lines above DENIED. Please upgrade to 
Squid-3.2 where this logging is available by default already. Or 
re-build your Squid with the -DLOG_TCP_REDIRECTS compiler flag.


In all Squid whether they use that tag or not Squid will log a 301, 302, 
303, or 307 status code along with NONE/- as the server contacted if 
url_rewrite_program redirected the request.  If there is anything else 
in the upstream server field it means the 3xx status logged was 
generated by that server, not by Squid.


If you are confusing a re-write operation with a redirect, then of course
nothing is logged, because all Squid did was alter the *text* of the URL
before fetching it. No redirect was done.



> So that it's easy to identify the blocked requests (either by acl
> or by redirector)


access controls (ACLs):
 * deny permission to access a requested resource
 * block the request from accessing the resource

redirectors:
 * redirect to an alternative resource.
 * do not block the response


> Similar feature already exists for external_acl_type:
> http://www.squid-cache.org/Doc/config/external_acl_type/
>
> which says: tag= Apply a tag to a request (for both ERR and OK results)
>
> So can redirector do the same?


Not yet. See above about sponsorship to get early access to that ability
and a faster time on the implementation.


Amos
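
The rule in the reply above (a 301, 302, 303 or 307 logged with NONE/- as the server contacted came from url_rewrite_program, while a real server in that field means the upstream generated it) can be applied mechanically to access.log. This is an added example, not code from the thread or from the Squid project; it assumes the native access.log line layout, accepts the hierarchy code spelled either NONE or HIER_NONE (an assumption about how releases print it), and the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Native access.log layout (assumed):
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>-?\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_0-9]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)
REDIRECT_STATUSES = {"301", "302", "303", "307"}

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
1351680001.101      2 192.0.2.10 TCP_REDIRECT/302 310 GET http://blocked.example/ - HIER_NONE/- text/html
1351680002.202     85 192.0.2.10 TCP_MISS/302 420 GET http://shop.example/old - HIER_DIRECT/198.51.100.7 text/html
1351680003.303      0 192.0.2.11 TCP_DENIED/403 3650 GET http://banned.example/ - HIER_NONE/- text/html
1351680004.404     40 192.0.2.12 TCP_REFRESH_UNMODIFIED/200 1512 GET http://news.example/ - HIER_DIRECT/198.51.100.9 text/html
1351680005.505      1 192.0.2.13 TCP_MISS/301 290 GET http://blocked.example/x - NONE/- text/html
"""

def classify(line):
    """Label one access.log line by who produced the response."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return "unparsed"
    # No upstream contacted: hierarchy code NONE (or HIER_NONE) and peer "-".
    no_server = m["hier"] in ("NONE", "HIER_NONE") and m["peer"] == "-"
    if "DENIED" in m["code"]:
        return "acl-denied"
    if m["status"] in REDIRECT_STATUSES:
        return "squid-redirect" if no_server else "upstream-redirect"
    return "other"

def summarize(log_text):
    """Count classifications over a whole log excerpt."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        # Field 6 of the split line is the request URL.
        print(f"{classify(line):18} {line.split()[6]}")
    print(dict(summarize(SAMPLE_LOG)))
```

A request whose URL was rewritten rather than redirected lands in `other`, which matches the reply above: a rewrite leaves no redirect status in the log.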


Re: [squid-users] add DENIED tag by redirector for easy identification in logfile

2012-10-31 Thread Amm


- Original Message -

> From: Amos Jeffries squ...@treenet.co.nz
>
> If you are interested in sponsoring any code development towards that
> please contact me off-list about payment details.

Hi Amos,

First of all thanks for replying immediately. But sorry to say that it's a
very small company. Bosses will not approve.

> NOTE: redirectors do not block anything. They redirect. Possibly to
> a location which does not exist, or a page containing the word
> blocked.

Yes you are right if you consider a literal meaning and what it actually
does. But I suppose most of the people use redirector only for blocking
hence I used word block.

But technically you are right.

> Um, REDIRECT tag is documented 6 lines above DENIED. Please upgrade to
> Squid-3.2 where this logging is available by default already. Or
> re-build your Squid with the -DLOG_TCP_REDIRECTS compiler flag.

I am already using 3.2.

> In all Squid whether they use that tag or not Squid will log a 301, 302,
> 303, or 307 status code along with NONE/- as the server contacted if
> url_rewrite_program redirected the request.  If there is anything else in
> the upstream server field it means the 3xx status logged was generated by
> that server, not by Squid.

I am doing URL rewrite instead of redirect.

The reason I am doing a rewrite instead of redirect is to avoid additional
lookup by client. It also maintains original URL of the page in browser.

Redirect otherwise changes the URL in location bar of the browser. And
people get confused.

And if I recall right then I have also seen some browser complaining
about XSS or something, because URL domains do not match.

I suppose as of now there is no solution. But thanks again.

Regards,

Amm