RE: [squid-users] Odd Logs

From: AJ Lemke <aj.lemke@dont-contact.us>
Date: Tue, 29 Oct 2002 10:58:48 -0600

Thanks for the response Joe.

Since I am running in Acceleration Mode will an ACL like this work?

# Access control List
acl localhost src 127.0.0.1
acl purge method PURGE
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl accelerated_servers dst ***IP LIST GOES HERE***
acl SSL_Ports port 443 563
acl SMTP_Ports port 25
acl CONNECT method CONNECT

# Access Area
http_access deny CONNECT SSL_Ports
http_access deny CONNECT SMTP_Ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow all
http_access allow accelerated_servers

AJ

-----Original Message-----
From: Joe Cooper [mailto:joe@swelltech.com]
Sent: Monday, October 28, 2002 7:16 PM
To: AJ Lemke
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Odd Logs

AJ Lemke wrote:
> Hello all I am going through my squid logs and have noticed a lot of
> weird requests coming in. Here is a snippet:
>
> 138.89.169.242 - - [27/Oct/2002:00:01:01 -0500] "CONNECT
> mx1.mail.yahoo.com:25 HTTP/1.0" 200 271 TCP_MISS:DIRECT [User-Agent:
> Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nCache-Control:
> private,no-cache\r\nPragma: no-cache\r\n] []
> 138.89.169.242 - - [27/Oct/2002:00:01:02 -0500] "CONNECT
> mx2.mail.yahoo.com:25 HTTP/1.0" 200 276 TCP_MISS:DIRECT [User-Agent:
> Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nCache-Control:
> private,no-cache\r\nPragma: no-cache\r\n] []
> 138.89.169.242 - - [27/Oct/2002:00:01:04 -0500] "CONNECT
> mx2.mail.yahoo.com:25 HTTP/1.0" 200 271 TCP_MISS:DIRECT [User-Agent:
> Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nCache-Control:
> private,no-cache\r\nPragma: no-cache\r\n] []
>
> Any ideas why I would have a request from port 25 coming in?

I may be reading the common log format incorrectly, but this doesn't
look like a request coming /from/ port 25 to me. It looks like a
request connecting /to/ port 25 using the CONNECT method to set up a
tunnel. In other words someone is relaying mail through your proxy, and
not getting a TCP_DENIED response. That's a bad thing, and not the
default for Squid.

Fix your SSL_Ports and CONNECT acls to work correctly (i.e. make sure
the deny CONNECT http_access rule comes before your rules that allow
connections from local users.)

-- 
Joe Cooper <joe@swelltech.com>
Web caching appliances and support.
http://www.swelltech.com
Received on Tue Oct 29 2002 - 09:59:01 MST
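The CONNECT-to-port-25 tunnelling Joe describes, and the rule ordering AJ asks about, can be checked offline. The Python script below is an added example, not code from this thread or from the Squid project: it models Squid's first-match http_access evaluation for the acl and http_access lines AJ posted, runs the log pattern from the thread (plus constructed lines) through it, and compares the outcome with a hardened ordering suggested here. Assumptions: 192.0.2.10 stands in for the elided accelerated-server IP list, 198.51.100.7 and 203.0.113.9 are constructed client/destination addresses, and dst ACLs are matched only for IP-literal hosts because this toy evaluator does not resolve names. As posted, AJ's list denies CONNECT to 25, 443 and 563 but lets CONNECT to every other port, and every request from every client, through via "allow all", which also makes the final "allow accelerated_servers" line unreachable. The hardened list follows the stock squid.conf pattern "deny CONNECT !SSL_Ports" and, for an accelerator, ends with "allow accelerated_servers" followed by "deny all".

```python
import re
from ipaddress import ip_address, ip_network

# ACL definitions from AJ's proposed squid.conf. 192.0.2.10 is a constructed
# placeholder for the "***IP LIST GOES HERE***" accelerated-server list.
ACLS = {
    "localhost": ("src", ["127.0.0.1"]),
    "purge": ("method", ["PURGE"]),
    "manager": ("proto", ["cache_object"]),
    "all": ("src", ["0.0.0.0/0.0.0.0"]),
    "accelerated_servers": ("dst", ["192.0.2.10"]),
    "SSL_Ports": ("port", ["443", "563"]),
    "SMTP_Ports": ("port", ["25"]),
    "CONNECT": ("method", ["CONNECT"]),
}

# http_access lines in the order AJ posted them: (action, acl terms), "!" negates.
PROPOSED_RULES = [
    ("deny", ["CONNECT", "SSL_Ports"]),
    ("deny", ["CONNECT", "SMTP_Ports"]),
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("allow", ["all"]),
    ("allow", ["accelerated_servers"]),
]

# Hardened ordering suggested here (not from the thread): tunnel only to the
# SSL ports, serve only the accelerated servers, deny everything else.
HARDENED_RULES = [
    ("deny", ["CONNECT", "!SSL_Ports"]),
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("allow", ["accelerated_servers"]),
    ("deny", ["all"]),
]


def acl_matches(acl, req):
    """Evaluate one acl against a request dict (src, dst, port, method, proto)."""
    kind, values = acl
    if kind in ("src", "dst"):
        addr = req.get(kind)
        if addr is None:  # dst unknown when only a hostname was logged
            return False
        return any(ip_address(addr) in ip_network(v, strict=False) for v in values)
    if kind == "port":
        return req.get("port") in {int(v) for v in values}
    if kind == "method":
        return req["method"] in values
    if kind == "proto":
        return req.get("proto") in values
    raise ValueError(f"unsupported acl type {kind}")


def http_access(acls, rules, req):
    """Squid-style first match: a line matches only if every term matches;
    if no line matches, the opposite of the last line's action applies."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed access.log lines in the format shown in the thread (header dump trimmed).
SAMPLE_LOG = """\
138.89.169.242 - - [27/Oct/2002:00:01:01 -0500] "CONNECT mx1.mail.yahoo.com:25 HTTP/1.0" 200 271 TCP_MISS:DIRECT
138.89.169.242 - - [27/Oct/2002:00:01:05 -0500] "CONNECT 198.51.100.7:587 HTTP/1.0" 200 260 TCP_MISS:DIRECT
203.0.113.9 - - [27/Oct/2002:00:02:10 -0500] "GET http://192.0.2.10/index.html HTTP/1.0" 200 2048 TCP_HIT:NONE
203.0.113.9 - - [27/Oct/2002:00:02:11 -0500] "GET http://www.example.com/ HTTP/1.0" 200 512 TCP_MISS:DIRECT
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_line(line):
    """Turn one log line into a request dict plus logged status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, url, status = m.groups()
    if method == "CONNECT":
        host, _, port = url.rpartition(":")  # CONNECT target is host:port
    else:
        host, _, port = re.sub(r"^[a-z]+://", "", url).split("/")[0].partition(":")
        port = port or "80"
    try:
        ip_address(host)
        dst = host
    except ValueError:
        dst = None  # hostname: Squid would resolve it, this evaluator does not
    return {"src": src, "dst": dst, "port": int(port), "method": method,
            "proto": None, "status": int(status)}


def audit(log_text):
    """For every logged request: was it served, and what would each rule set decide?"""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        findings.append({
            "src": req["src"], "method": req["method"], "port": req["port"],
            "served": 200 <= req["status"] < 300,
            "proposed": http_access(ACLS, PROPOSED_RULES, req),
            "hardened": http_access(ACLS, HARDENED_RULES, req),
        })
    return findings


def relay_attempts(findings):
    """Served CONNECT tunnels to anything other than the SSL ports: Joe's symptom."""
    return [f for f in findings
            if f["method"] == "CONNECT" and f["served"] and f["port"] not in (443, 563)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run with python3; each printed finding shows the logged verdict beside what AJ's ordering and the hardened ordering would do. The relay_attempts filter is the detection half: point it at a real access.log export and any served CONNECT to a non-SSL port is a tunnel the ACLs should have stopped. Note that Squid's real "all" matches every source and a "dst" ACL resolves hostnames, so the toy evaluator is conservative (a hostname never matches accelerated_servers), which is exactly the bias you want when checking whether a rule set is too open.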

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:56 MST