Re: [squid-users] Squid3 reverse proxy & Failed to select source strange errors

From: David B. <haazeloud_at_gmail.com>
Date: Tue, 24 Nov 2009 10:45:37 +0100

Amos Jeffries wrote:
>> This is quite strange, I think I'm misunderstanding something.
>> I'm using squid as a reverse proxy.
>>
>
> I understand.
>
>
>> Clients (internet people surfing on my website) should connect to squid
>> boxes to retrieve static content. Squid sends the right file or connects
>> to a cache_peer to retrieve the file before the resend process.
>>
>
> ... and reject bad requests. As you pointed out
> "http://pagead2.googlesyndication.com"... was not one of your images....
>
>
>> How could someone tell squid to retrieve something from a server
>> not defined as a cache_peer?
>>
>
> Easily. They send an HTTP request like this:
>
> GET http://foo.example.com/somethingbad HTTP/1.1
>
> or this:
>
> GET /somethingbad HTTP/1.1
> host: foo.example.com
>
>
> What you saw in your log was Squid receiving one of those bad requests,
> checking for places where it can find the foo.example.com domain. Started
> searching for places to get a reply from...
> => Finding that it was not part of the local website (can/should not pass
> it to the peer)
> => Finding that it's a reverse proxy (should not go direct to the external
> foo.example.com).
>
> Since it was NOT one of your domains squid finished by sending a 404 "not
> one of mine. go away" or something similar back to the nasty visitor.
>
> This is good. Your website is safe. Squid is acting a little bit like a
> firewall blocking the bad stuff, letting the good requests through.
>
>
>>> You might also want to occasionally scan the access.log to see if any
>>> foreign requests do get through (2xx or 3xx status). If any do you
>>> have a problem, otherwise everything is fine.
>>>
>> Something like this ?
>>
>> 2009/11/23 07:26:07| clientParseRequestMethod: Unsupported method in
>> request 'HTTP/1.0 200 OK
>> Last-Modified: Tue, 06 Jan 2009 14:02:42 GMT
>> Accept-Ranges: bytes
>> Content-Length: 166
>> Content-Type: image/gif
>> Date: Mon, 23 Nov 2009 01:03:56 GMT
>> Server: Apache
>> ETag: "1247de8-a6-45fd0dc60a480"
>> Expires: Tue, 24 Nov 2009 01:03:56 GMT
>> Cache-Control: max-age=86400
>> Age: 19331
>> X-Cache: HIT from static.myhost.com
>> X-Cache-Lookup: HIT from static.myhost.com:80
>> Connection: keep-alive
>>
>> GIF89a^P'
>>
>> ?
>>
> Something is broken with that log. That's a reply. :) One of your static
> images being sent out. A 166-byte *.gif file.
>
>
> If there was any attack problem it would show up in _access.log_ similar
> to this:
>
> time - visitorIP 200 45235 GET http://example.com/bad - DIRECT/example.com
> ...
> or
> time - visitorIP 302 1651 GET http://example.com/bad - ...
> or
> [time] visitorIP - - "GET http://example.com/bad HTTP/1.1" 200 42489 ...
>
>
> Note the codes: "200" is an attack retrieving an object, and "302" an attack
> using a redirect URL.
>
> Amos
>
Hi Amos,

Thank you for your time! All is clear now. :)

Have a great day.

David.
Received on Tue Nov 24 2009 - 09:45:42 MST
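Amos's suggestion above, scanning access.log for requests to hosts the reverse proxy does not serve that nonetheless got a 2xx or 3xx reply, as an added example that is not from this thread or from the Squid project. It assumes Squid's native access.log layout, an allow-list of served hosts (static.myhost.com from the thread plus a placeholder), and constructed sample log lines.

```python
import re
from urllib.parse import urlsplit

# Hosts this reverse proxy is meant to serve (assumed: static.myhost.com is
# the only origin name visible in the thread; www.myhost.com is a placeholder).
SERVED_HOSTS = {"static.myhost.com", "www.myhost.com"}

# Squid native access.log layout:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)

def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # A reverse proxy logs absolute URLs; hostname is lowercased and port-free.
    # A URL without a host (hostname None) is treated as foreign, conservatively.
    rec["host"] = urlsplit(rec["url"]).hostname
    return rec

def is_foreign_success(rec, served=SERVED_HOSTS):
    """True when a request for a host we do not serve got a 2xx/3xx reply,
    i.e. the proxy forwarded it instead of rejecting it (Amos's 200/302 cases)."""
    return rec["host"] not in served and 200 <= rec["status"] < 400

def scan(lines, served=SERVED_HOSTS):
    """Return (client, status, url, hierarchy) for every suspicious entry."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_foreign_success(rec, served):
            hits.append((rec["client"], rec["status"], rec["url"], rec["hier"]))
    return hits

# Constructed sample lines, not taken from the original thread.
SAMPLE_LOG = """\
1258964767.101     12 203.0.113.5 TCP_HIT/200 166 GET http://static.myhost.com/img/a.gif - NONE/- image/gif
1258964768.220     45 198.51.100.9 TCP_MISS/200 45235 GET http://example.com/bad - DIRECT/example.com text/html
1258964769.330      3 198.51.100.9 TCP_MISS/404 1234 GET http://pagead2.googlesyndication.com/x.js - NONE/- text/html
1258964770.440      8 198.51.100.9 TCP_MISS/302 1651 GET http://example.com/bad - FIRSTUP_PARENT/10.0.0.2 text/html
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print("foreign request served:", hit)
```

Only the two example.com entries are reported: the 404 for the googlesyndication host is the rejection Amos describes, and the 200 for static.myhost.com is a legitimate hit.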