> You should be able to track the machine by correlate the cache.log
> timestamps with errors in access.log.
For 'Request header is too large' case, will squid still process the
request? will i see TCP_DENIED in access log?
> >From the request it seems it is a shockwave update agent that is
> causing this problem.
Agree, i see a lot of request of x-shockwave-flash and it quite difficult
to figure out the machine that cause the problem.
rgds,
Wei Keong
On Mon, 26 Aug 2002, Henrik Nordstrom wrote:
> You should be able to track the machine by correlate the cache.log
> timestamps with errors in access.log.
>
> Best way to continue the analysis is to make a packet dump of the
> requests from the offending client. Quite likely the client software
> is broken (software bug or virus) and needs to be fixed.
>
> >From the request it seems it is a shockwave update agent that is
> causing this problem.
>
> Regards
> Henrik
>
>
> On Monday 26 August 2002 04.15, Wei Keong wrote:
> > Hi Henrik,
> >
> > I've made the changes as mentioned and I got 24KB of 'y'.
> >
> > 2002/08/26 09:22:27| Request header is too large (24575 bytes)
> > POST http://update.shockwave.com/svc/shockmachine/ HTTP/1.0
> > Accept: , , Advanced Power Management supports, yyyyyyyyyy...
> > 2002/08/26 09:22:27| Config 'request_header_max_size'= 20480 bytes
> >
> > any idea what's is this? dos?
> > should i incease the request header and track the machine that sent
> > the request?
> > what's the sufficient request_header max size?
> >
> > Thanks,
> > Wei Keong
> >
> > On Fri, 23 Aug 2002, Henrik Nordstrom wrote:
> > > In src/client_side.c, try changing
> > >
> > > From:
> > >
> > > debug(33, 1) ("Request header is too large (%d
> > > bytes)\n",
> > > (int) conn->in.offset);
> > >
> > > To:
> > >
> > > debug(33, 1) ("Request header is too large (%d
> > > bytes)\n%s\n",
> > > (int) conn->in.offset, conn->in.buf);
> > >
> > >
> > > Regards
> > > Henrik
> > >
> > > Wei Keong wrote:
> > > > Hi,
> > > >
> > > > Just want to have a better understanding on request header. My
> > > > server seems to have a lot of 'request header too large' and I
> > > > am wondering if there is anyway to confirm whether it's due to
> > > > dos, buffer-overflow or bugs.
> > > >
> > > > Is there anyway to log the request header to investigate? I
> > > > tried using log_mime_hdrs, but I cant tell much from it...
> > > >
> > > > 2002/08/23 10:41:34| Request header is too large (24575 bytes)
> > > > 2002/08/23 10:41:34| Config 'request_header_max_size'= 20480
> > > > bytes.
> > > >
> > > > # TAG: request_header_max_size (KB)
> > > > # This specifies the maximum size for HTTP headers in a
> > > > request. # Request headers are usually relatively small
> > > > (about 512 bytes). # Placing a limit on the request
> > > > header size will catch certain # bugs (for example with
> > > > persistent connections) and possibly # buffer-overflow or
> > > > denial-of-service attacks.
> > > >
> > > > Rgds,
> > > > Wei Keong
>
Received on Mon Aug 26 2002 - 00:46:47 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:50 MST