RE: [squid-users] Filtering access.log

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 12 Jan 2012 13:13:09 +1300

On 12.01.2012 12:49, Momen, Mazdak wrote:
> Thanks, looking into it though I think I'm limited by the way I can
> set up ACLs. Here is what I'm trying to filter:
>
> 1326325020.543 0 *.*.*.* NONE/400 3502 GET / - NONE/- text/html
>
> The starred IP is the same for every request (all requests pass
> through a load balancer). I don't want to filter out by that IP but
> maybe by the string of text "GET / - NONE/-". Would this be possible?

Not like that. Depending on your squid version http_status ACL testing
for status 400 may be possible. But that would catch all other status
400 events as well, which you may not want.

The NONE/400 part shows that these are Squid rejecting non-HTTP traffic
arriving at its port. Essentially a slow DoS against Squid. If you can
prevent that happening in the first place it would be better.

Amos
Received on Thu Jan 12 2012 - 00:13:12 MST
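
An added example, not part of either message: a post-processing filter in Python that drops only the exact pattern quoted above (NONE/400, GET /, NONE/-) from a native-format access.log, keeps every other status 400 entry, and counts the dropped lines per minute so the rejected non-HTTP traffic stays visible. The sample lines, the 192.0.2.10 and 198.51.100.7 addresses, and all function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in Squid's native access.log format. 192.0.2.10 stands
# in for the load balancer address that is starred out in the post.
SAMPLE_LOG = """\
1326325020.543      0 192.0.2.10 NONE/400 3502 GET / - NONE/- text/html
1326325021.101    120 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/198.51.100.7 text/html
1326325025.870      0 192.0.2.10 NONE/400 3502 GET / - NONE/- text/html
1326325030.004     45 192.0.2.10 TCP_MISS/400 410 GET http://example.com/bad? - DIRECT/198.51.100.7 text/html
1326325085.310      0 192.0.2.10 NONE/400 3502 GET / - NONE/- text/html
"""

def parse_line(line):
    """Split one native-format line into named fields; None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    result, _, status = parts[3].partition("/")
    return {
        "time": float(parts[0]),
        "result": result,      # e.g. NONE, TCP_MISS
        "status": status,      # HTTP status sent to the client
        "method": parts[5],
        "url": parts[6],
        "hier": parts[8],      # hierarchy code / peer, e.g. NONE/-
    }

def is_rejected_request(entry):
    """True only for the pattern in the post, not for every status 400."""
    return (entry["result"] == "NONE" and entry["status"] == "400"
            and entry["method"] == "GET" and entry["url"] == "/"
            and entry["hier"] == "NONE/-")

def split_log(text):
    """Return (lines to keep, Counter of dropped lines per epoch minute)."""
    kept, per_minute = [], Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_rejected_request(entry):
            per_minute[int(entry["time"] // 60)] += 1
        else:
            kept.append(line)  # malformed lines are kept, never silently lost
    return kept, per_minute

if __name__ == "__main__":
    kept, per_minute = split_log(SAMPLE_LOG)
    print("\n".join(kept))
    for minute, count in sorted(per_minute.items()):
        print(f"minute {minute}: {count} rejected request(s) filtered")
```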
