On Sat, 7 Feb 2004, Sumit Pandya wrote:

> Dear Developers,
>       In our ISP setup we are running a squid-2.5.STABLE1 cache in transparent mode
> with "http_accel_with_proxy off". For the last few days our cache.log has been
> growing with
> "proxy request denied in accel_only mode for xxx.xxx.xxx.xxx"

This is because you have "http_accel_with_proxy off" and someone is 
sending you requests with a full URL.

> 2> We took a tcpdump for "host xxx.xxx.xxx.xxx and port www" and we
> replayed those raw packets against our production machine running squid in full
> debug mode. There we figured out that the form of the request was the following
> 
> GET http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1
> HTTP/1.1
> Host: www.Gustavo.com

This is a Denial of Service worm trying to attack a website. I don't 
remember which worm.

You need to have the offending client cleaned from this worm.

If you enable httpd_accel_with_proxy then you will get rid of the 
warning, but you will also allow this worm to attack the requested web 
site via your proxy which is probably not what you want.


And you SHOULD enable the recommended to_localhost deny rule.

> My proposal to overcome this situation is: could this code be slightly
> modified so that netfilter can be used to help make the decision about
> acceleration?

Such changes have already been done in Squid-3 to clearly separate 
accelerated and proxied (including transparently intercepted) requests.

There are no plans for doing this in Squid-2.5.

> Would this extra getsockopt and one conditional setting of an integer variable
> impact performance? Henrik? From my technical point of view it is
> feasible, as the logs about "proxy access denied ..." are generating false
> information too. This is not a proxy request but an accelerated and
> invalid request; am I right?

The request is technically valid, but strictly speaking not something you
want to have forwarded due to its dubious origin (client station infected
by a worm, trying to destroy the Internet). In this case it is only good that
Squid barfs on the request so you notice there is a problem with this
client.

The "httpd_accel_with_proxy off" directive violates the HTTP 
specifications and does not exist any longer in Squid-3.

Transparently intercepting client requests violates fundamental aspects 
of the IP standard, but in some networks there unfortunately are no good 
alternatives.

Regards
Henrik
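A small defender-side aid for the symptom discussed in this thread, added here as an illustration (it is not code from the thread or from Squid): it scans cache.log for the "proxy request denied in accel_only mode for ..." message and aggregates the denials per client address, so the infected stations Henrik says need cleaning can be located. The cache.log line layout ("YYYY/MM/DD HH:MM:SS| message") and the sample lines are assumptions constructed for the example.

```python
"""Aggregate Squid cache.log accel_only denials per client IP.

Added example. The timestamp prefix format and the sample log lines
below are assumptions/constructed, not taken from the original thread.
"""
import re
from datetime import datetime

# Constructed sample cache.log excerpt (client addresses from RFC 5737 test nets).
SAMPLE_CACHE_LOG = """\
2004/02/07 10:15:01| proxy request denied in accel_only mode for 192.0.2.17
2004/02/07 10:15:01| proxy request denied in accel_only mode for 192.0.2.17
2004/02/07 10:15:02| proxy request denied in accel_only mode for 192.0.2.17
2004/02/07 10:15:02| storeDirWriteCleanLogs: Starting...
2004/02/07 10:15:03| proxy request denied in accel_only mode for 198.51.100.8
2004/02/07 10:15:09| proxy request denied in accel_only mode for 192.0.2.17
"""

# Assumed cache.log layout: "<date> <time>| <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| "
    r"proxy request denied in accel_only mode for (?P<ip>[0-9A-Fa-f.:]+)\s*$"
)


def denials_per_client(log_text):
    """Return {ip: (count, first_seen, last_seen)} for accel_only denials."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated cache.log message, e.g. store maintenance
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        ip = m.group("ip")
        count, first, last = stats.get(ip, (0, ts, ts))
        stats[ip] = (count + 1, min(first, ts), max(last, ts))
    return stats


def suspect_clients(log_text, threshold=3):
    """Clients with at least `threshold` denials, noisiest first."""
    stats = denials_per_client(log_text)
    ranked = sorted(stats.items(), key=lambda kv: -kv[1][0])
    return [(ip, c) for ip, (c, _first, _last) in ranked if c >= threshold]


if __name__ == "__main__":
    for ip, (count, first, last) in denials_per_client(SAMPLE_CACHE_LOG).items():
        print(f"{ip}: {count} denials between {first} and {last}")
    print("suspects:", suspect_clients(SAMPLE_CACHE_LOG))
```

Point the script at a real cache.log and the list of suspects is the set of clients to check for the worm, rather than clients to silence by enabling httpd_accel_with_proxy.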