Joe P.H. Chiang wrote:
> What i meant is;
>
> This way when ddos attack occurs.. and the attacker is requesting
> something that doesn't exist on my squid servers and backend servers
>
> my server in the backend doesn't have to respond to it, squid will
> blocked the request and give a timeout interval for 30 seconds.
>
> so it goes like this
> Squid is accepting the request for no-existing file
> --> Squid doesn't have such file
> -----> Squid Pass the request to backend servers
> -------> backend server says I don't have it neither
> ---------> Squid say okay next time such request will be timeout for 30 seconds
>
> Possible? are there such config?
>
Not in the way you seems to be asking for.
You can send an Expires: header with the 404 error reply message.
That should make Squid do the not asking again part. During that period
Squid will send back its own stored copy of the 404 to the visitor,
without contacting the web server.
Any well-behaved proxies between you and the attacker will also be
protected and help lift the load on your Squid. Sadly there are a lot of
admin out there who set ignore-expires for things.
Just be aware that any real attacker will disobey the HTTP header
instructions anyway, and some badly configured proxies will as well.
>
>
> On Tue, Feb 9, 2010 at 12:26 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> Joe P.H. Chiang wrote:
>>> Hi All Im New to squid..
>>>
>>> I've scanned through squid 2.6 & 3.0 Manual and Definitive guide, but
>>> i still can't find information about this question..
>>>
>>> Is it possible to have a request_timeout when the request file doesn't
>>> exist on the squid cache and peer server?
>>> e.g if client requestionwww.example.com/dontexist.html and then
>>> receives 404 http
>>> then the client will have to wait until request_timeout 30 seconds to
>>> able to request
>>> www.example.com/dontexist.html again
>>> could this be done? is there such setting/configuration?
>>
>> This is a "wetware" problem. You need to teach all your users to press the
>> refresh button at exactly 30 seconds after any failure.
>>
>>
>> Seriously though, not the way you describe. You can't prevent people being
>> "able" to make requests. You can only change the result if they do one you
>> don't like.
>>
>> What exactly are you trying to accomplish?
Amos
-- Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23 Current Beta Squid 3.1.0.16Received on Tue Feb 09 2010 - 10:40:36 MST
This archive was generated by hypermail 2.2.0 : Tue Feb 09 2010 - 12:00:04 MST