Re: [squid-users] deny_info TCP_RESET all ?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 27 Aug 2008 01:40:26 +1200

vincent.blondel_at_ing.be wrote:
> vincent.blondel_at_ing.be wrote:
>> just one little question. I am trying to get 'deny_info TCP_RESET all'
>> working but cannot. I get a sunos 5.8 running a squid 2.6.12 and I would
>> like not sending any error page to all clients.
>>
>> Maybe I did not really understand the real meaning of this statement but
>> I understand that a reset plus the right error code are sent to any
>> clients including localhost and/or world to any error including 400 503
>> ..
>>
>> I already tried to put this line everywhere in my config file but when I
>> simply try to telnet the squid server with any statement, let's
>> blablabla, I always get a text/html 503 error page.
>>
>> Can somebody help me troubleshoot this problem .. thks in advance .
>
> What that config statement means is:
>
> When user is blocked by the 'all' ACL, reset their TCP connection
> immediately.
>
> okay .. I see what you mean ...
>
> To use: add 'all' at the end of each *_access line you want clients to
> receive no error page from.
>
> now ... let us take an example ... let's imagine somebody connects to
> this squid and types something completely wrong ...
>
> $ telnet localhost 80
> ..
> Escape character is '^]'.
> hsjhdqksdkqshdkjqshkd
> ..
>
> this is the config ..
>
> acl PROTO proto HTTP
> acl METHOD method GET
> ..
> http_access deny !PROTO
> deny_info TCP_RESET PROTO
> ..
> http_access deny !METHOD
> deny_info TCP_RESET METHOD
>
> below are the lines I received in the cache.log file ( with debug
> activated so I get the internal parsing ). You see squid really complains
> due to an invalid method, so it considers this as a bad request ..
>
> 2008/08/25 16:26:18| parseHttpRequest: Unsupported method
> 'hsjhdqksdkqshdkjqshkd
> 2008/08/25 16:26:18| clientReadRequest: FD 13 (x.x.x.x:50535) Invalid Request
>
> but as you can see I still get a text/html response ..
>
> $ telnet localhost 80
> ..
> Escape character is '^]'.
> hsjhdqksdkqshdkjqshkd
> HTTP/1.0 400 Bad Request
> Server: squid/2.6.STABLE16
> Date: Mon, 25 Aug 2008 14:26:18 GMT
> Content-Type: text/html
> Content-Length: 1200
> Expires: Mon, 25 Aug 2008 14:26:18 GMT
> ..
>
> So I tested some other things with success and I see your explanation is
> completely right ... but what did I do wrong in this case ??
>
> thks for your help.
>
> Amos

(NP: to general readers, only half of the text above attributed to me is
  by me, the rest is by VB.)

In my experience Squid has some weirdness where the deny_info needs to
be created before any http_access lines that are expected to use it.
Moving it up a line or two might show different results.

Amos

-- 
Please use Squid 2.7.STABLE4 or 3.0.STABLE8
Received on Tue Aug 26 2008 - 13:40:26 MDT
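
Added example, not part of the original thread or of Squid itself: a small check for the two points raised above, that an http_access deny line only resets the connection when its last ACL has a deny_info TCP_RESET entry, and that the entry should appear before the http_access line that relies on it. The sample config is constructed from the fragment in the thread; treating `!PROTO` as the ACL named `PROTO` is an assumption taken from how the thread's config pairs the two lines.

```python
# Constructed sample based on the thread's fragment: PROTO's deny_info comes
# after its http_access line, METHOD's comes before, 'all' has none.
SAMPLE_CONF = """\
acl PROTO proto HTTP
acl METHOD method GET
http_access deny !PROTO
deny_info TCP_RESET PROTO
deny_info TCP_RESET METHOD
http_access deny !METHOD
http_access deny all
"""

def check_deny_info_order(conf_text):
    """Return (lineno, acl, problem) for each http_access deny line that
    would not get the TCP_RESET behaviour described in the thread."""
    deny_info = {}   # ACL name -> line number of its first deny_info TCP_RESET
    denies = []      # (line number, last ACL named on an http_access deny line)
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop squid.conf comments
        if len(tokens) < 3:
            continue
        if tokens[0] == "deny_info" and tokens[1] == "TCP_RESET":
            deny_info.setdefault(tokens[2], lineno)
        elif tokens[0] == "http_access" and tokens[1] == "deny":
            # Assumption: a negated ACL (!NAME) is looked up under NAME.
            denies.append((lineno, tokens[-1].lstrip("!")))
    findings = []
    for lineno, acl in denies:
        if acl not in deny_info:
            findings.append((lineno, acl, "no deny_info TCP_RESET for this ACL"))
        elif deny_info[acl] > lineno:
            findings.append((lineno, acl, "deny_info declared after this http_access line"))
    return findings

if __name__ == "__main__":
    for lineno, acl, problem in check_deny_info_order(SAMPLE_CONF):
        print(f"line {lineno}: {acl}: {problem}")
```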
