Re: [squid-users] Mark log entries for redirected sites

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 01 Apr 2011 13:52:42 +1300

On 01/04/11 05:08, Thomas Jarosch wrote:
> Hello,
>
> I'm successfully running squid 3.1.11 together
> with squidGuard 1.4 as redirector.
>
> Unwanted sites get blocked just fine. Unfortunately
> they also get logged like a normal request in the
> access.log. It looks like this:
>
> 1301586950.611 1 172.16.0.2 TCP_MEM_HIT/200 1627 GET http://www.facebook.com/ - NONE/- text/html
>
> or a later request:
>
> 1301587147.200 31 172.16.0.2 TCP_IMS_HIT/304 249 GET http://www.facebook.com/ - NONE/- text/html
>
>
> Is there a way to specially mark redirected entries in the log file?

Both of the above are identical content going to the user. The first one
if re-written contains the body with lies in it. The second is saying to
the client that the lie is still to be believed.

Redirection produces a 301/302/307 status in the logs for the original
URL followed by another such as the 200 for the redirected URL. 304 etc
normally show up on the redirected URL, but that's not set in stone; they
can do the two-request from some clients.

It sounds like you have actually implemented a "re-writer". Which lies
to the client about where content came from.

The log says Squid presented N bytes in response to a request for
"http://www.facebook.com/" contacting X server to fetch them. The 200
presents the lie and the 304 repeats that it is still to be believed.

Patches are welcome to implement a log tag for the adapted URL as well
as the client URL. The raw request details are pro

> Or don't log them at all? (though I would prefer to mark them).

You can use ACLs on the log_access and the access log directives (two
separate directives, not to be confused in what they do). To omit all
the URLs which get re-written and lies sent back.

However omitting these will produce lies in any bandwidth reports you
make.

I assume you are wanting this to get a report of the trouble URLs which
are getting past the filter? A log produced by the filter would be the
best place for that kind of information. It gets given the client IP to
work with as well so can do the IP<->URL<->redirected URL mapping much
more easily.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
Received on Fri Apr 01 2011 - 00:52:46 MDT
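
The IP<->URL<->redirected URL mapping suggested in the reply above, as an added example that is not part of the original message or of Squid/squidGuard: it joins a filter-side log against access.log to mark re-written entries. The filter log format (epoch, client IP, original URL, rewritten URL), the `blocked.html` target, the third access.log line and the 5-second window are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed filter log in an assumed format (not squidGuard's own):
# epoch client_ip original_url rewritten_url
FILTER_LOG = """\
1301586950.600 172.16.0.2 http://www.facebook.com/ http://127.0.0.1/blocked.html
1301587147.150 172.16.0.2 http://www.facebook.com/ http://127.0.0.1/blocked.html
"""

# Squid native access.log: first two lines from the post, the last constructed.
ACCESS_LOG = """\
1301586950.611 1 172.16.0.2 TCP_MEM_HIT/200 1627 GET http://www.facebook.com/ - NONE/- text/html
1301587147.200 31 172.16.0.2 TCP_IMS_HIT/304 249 GET http://www.facebook.com/ - NONE/- text/html
1301587200.000 120 172.16.0.3 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
"""

WINDOW = 5.0  # seconds of clock slack allowed between the two logs


def load_rewrites(text):
    """Index filter decisions by (client IP, original URL)."""
    index = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, url, target = parts
        index[(ip, url)].append((float(ts), target))
    return index


def mark(access_text, rewrites, window=WINDOW):
    """Return (line, rewritten_url or None) for every access.log line."""
    marked = []
    for line in access_text.splitlines():
        f = line.split()
        if len(f) < 7:
            marked.append((line, None))
            continue
        # Squid stamps the entry at completion; subtract the elapsed ms to
        # approximate when the filter saw the request.
        start = float(f[0]) - float(f[1]) / 1000.0
        hits = rewrites.get((f[2], f[6]), ())
        target = next((t for ts, t in hits if abs(ts - start) <= window), None)
        marked.append((line, target))
    return marked


if __name__ == "__main__":
    for line, target in mark(ACCESS_LOG, load_rewrites(FILTER_LOG)):
        print(line + (f" REWRITTEN={target}" if target else ""))
```

Because the entries are marked rather than dropped, byte counts in access.log still add up for bandwidth reports.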
