Re: [squid-users] Tracing squid 3.1 functions

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 27 Dec 2013 15:00:31 +1300

On 26/12/2013 8:22 p.m., m.shahverdi wrote:
>>
>>> Not possible because there is none that "recognize request protocol".
>>>
>>> What happens is admin configure squid.conf ports manually, one per
>>> protocol type to be received. Squid only supports HTTP, HTTPS, ICP,
>>> HTCP, and SNMP incoming traffic.
>>>
>>> The non-HTTP traffic support in Squid is for gatewaying traffic, where
>>> Squid makes the outbound connection in FTP/Gopher/HTTP/HTTPS/Wais/ etc
>>> so there is no detection or recognizing going on.
>>
>> Sorry, I don't understand. Could you please explain the squid scenario for
>> a FTP request for example?

Squid takes the traffic from the client and parses it as HTTP. This will
either succeed or fail.

There is no "recognize" logic to prevent the parsing.
There is no undo functionality to rewind a transaction once it has
started consuming bytes.

When an FTP client connects to Squid there are three things which might
happen:

Scenario 1:
  FTP client connects to Squid and waits for the FTP server greeting.
Squid waits for the client HTTP request. Up to 15mins later the hung
connection is aborted.

Scenario 2:
 FTP client connects to Squid and sends the FTP message:
"
  USER anonymous
"

Squid parses the HTTP method "USER" and the URL "anonymous". Absence of
"HTTP/x.x" field means HTTP/0.9 protocol backward compatibility is
enabled: no mime headers expected, and anything is valid in the body
section.
 At some point in the message handling (probably URL parsing trying to
cope with the string "anonymous") Squid detects a major error in the
message and aborts with an HTTP error message:
  HTTP/1.1 400 Invalid Request
  ...
The FTP client then aborts because that is invalid FTP syntax. The FTP
client software may (or may not) throw up an error about "status 0".

Scenario 3:
  FTP client connects to Squid and sends the HTTP request:
"
  GET ftp://example.com/ HTTP/1.1
  Host: example.com
"

Squid parses and processes the HTTP request. Connecting to the FTP
server example.com and fetching the root directory listing data
(using FTP protocol). Generating an HTTP response from that data for the
client.
 Everything is happy.

>
> Furthermore is it possible to configure squid in order to redirect
> unsupported requests instead of displaying error page to the user?
>

Do you know what "unsupported requests" means?

These are three examples of unsupported requests:

1)
  aaf9w7fkj4h\t/asfwf9\tawd/1\r\nw4vwe:sef34,t2df\n\n

2)
 Secure * Secure-HTTP/1.4
 Host: example.com

3)
 FIND /smash RDP/1.0
 Host: example.com
 Response-Action: FORWARD-ANY

Squid is *incapable* of doing anything proper with unsupported requests
simply by fact of not being able to identify what they are saying.

Amos
Received on Fri Dec 27 2013 - 02:00:39 MST
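
Added example, not part of the message above and not Squid's code: a simplified Python model of "parse whatever arrives as HTTP", run over the scenarios and unsupported requests quoted in the message. The function name `classify`, the outcome labels, and the point at which each input is rejected are assumptions of this sketch; it only models absolute-URL requests sent to a forward proxy.

```python
import re
from urllib.parse import urlsplit

# Schemes the message lists for Squid's outbound (gateway) side.
GATEWAY_SCHEMES = {"http", "https", "ftp", "gopher", "wais"}
HTTP_VERSION = re.compile(r"HTTP/\d\.\d$")


def classify(data: bytes):
    """Simplified model: treat whatever arrives as an HTTP request line.

    Returns (outcome, detail); outcome is 'wait', 'reject' or 'accept'.
    """
    if b"\n" not in data:
        # Scenario 1: nothing parseable yet, the proxy just keeps waiting.
        return "wait", "no complete request line received"
    line = data.split(b"\n", 1)[0].decode("latin-1").strip()
    parts = line.split()
    if len(parts) == 2:
        # No version token: read as an HTTP/0.9-style request.
        method, target, version = parts[0], parts[1], "HTTP/0.9"
    elif len(parts) == 3:
        method, target, version = parts
        if not HTTP_VERSION.match(version):
            return "reject", f"unknown protocol token {version!r}"
    else:
        return "reject", "not a request line"
    url = urlsplit(target)
    if url.scheme.lower() not in GATEWAY_SCHEMES or not url.netloc:
        return "reject", f"{method} {version}: unusable URL {target!r}"
    return "accept", f"{method} {url.scheme}://{url.netloc}{url.path} via {version}"


# Constructed inputs, copied from the scenarios and examples in the message.
SAMPLES = {
    "scenario 1": b"",
    "scenario 2": b"USER anonymous\r\n",
    "scenario 3": b"GET ftp://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "unsupported 1": b"aaf9w7fkj4h\t/asfwf9\tawd/1\r\nw4vwe:sef34,t2df\n\n",
    "unsupported 2": b"Secure * Secure-HTTP/1.4\r\nHost: example.com\r\n\r\n",
    "unsupported 3": b"FIND /smash RDP/1.0\r\nHost: example.com\r\n"
                     b"Response-Action: FORWARD-ANY\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {classify(raw)}")
```

In this model every rejection happens without knowing which protocol the client intended, so there is nothing to base a redirect decision on.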
