> Thanks very much. I think I've got it working now. Below is a snippet from
> my access log. Looks like they're being denied, right?

Yep, they are being blocked now :-)

> Also, these lines
> appear in my cache.log:
>
> 2008/05/27 17:38:17| WARNING: suspicious HTTP request contains double CR
> 2008/05/27 17:38:17| clientProcessRequest: Invalid Request
>
> Is that okay?
>

Sort of. It was a bug fixed in 3.0.STABLE5. A slightly over-enthusiastic security measure.
It's only an issue for you if those were desired requests.
If you find it's causing problems getting any objects on your site you will need a later version of 3.0.

>
>
> access.log snippet
> ==================
> 1211935075.466 0 87.80.92.213 TCP_DENIED/403 379 HEAD http://members.purecfnm.com/ - NONE/- text/html
> 1211935075.473 0 87.80.92.213 TCP_DENIED/403 379 HEAD http://members.purecfnm.com/ - NONE/- text/html
> 1211935075.485 0 219.236.102.44 TCP_DENIED/403 1847 GET http://www.google.cn/ - NONE/- text/html
> 1211935097.147 0 217.20.115.156 NONE/400 2431 GET error:double-CR - NONE/- text/html
> 1211935075.540 0 80.80.3.130 TCP_DENIED/403 2281 GET http://fly.emirates.com/ - NONE/- text/html
> 1211935075.551 0 87.80.92.213 TCP_DENIED/403 379 HEAD http://members.purecfnm.com/ - NONE/- text/html
> 1211935075.608 0 87.80.92.213 TCP_DENIED/403 379 HEAD http://members.purecfnm.com/ - NONE/- text/html
> 1211935075.609 0 78.109.30.208 TCP_DENIED/403 2492 GET http://wap-top.ru/top/count.php? - NONE/- text/html
> 1211935075.613 0 87.80.92.213 TCP_DENIED/403 379 HEAD http://members.purecfnm.com/ - NONE/- text/html
> 1211935075.619 0 123.19.141.173 TCP_DENIED/403 2179 GET http://l01.member.mud.yahoo.com/config/pwtoken_get? - NONE/- text/html
> 1211935075.651 0 80.80.3.130 TCP_DENIED/403 2281 GET http://fly.emirates.com/ - NONE/- text/html
> 1211935075.879 0 221.219.135.93 TCP_DENIED/403 2295 GET http://afe.specificclick.net/? - NONE/- text/html
>
> Chris-
>
> --- On Tue, 5/27/08, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx> wrote:
>
>> From: Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>
>> Subject: Re: Squid Proxy Hijacked By Hackers in China
>> To: badaboom003-asdf@xxxxxxxxx
>> Cc: squid-users@xxxxxxxxxxxxxxx
>> Date: Tuesday, May 27, 2008, 3:11 PM
>> On tis, 2008-05-27 at 14:44 -0700, badaboom003-asdf@xxxxxxxxx wrote:
>> > Hi,
>> >
>> > I upgraded to 3.0. The access log got blown away when I upgraded...
>> > Is the following configuration correct for 3.0? Am I missing
>> > anything necessary for security?
>>
>> For completeness I would also use never_direct allow all. It shouldn't
>> be needed, but also doesn't hurt and gives you additional security just
>> in case.
>>
>> Regards
>> Henrik
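
Added example, not part of the original thread: a small Python check that reads Squid native-format access.log lines like the ones quoted above and reports any request that was not denied or rejected, which is the condition to watch for after closing an open proxy. The sample lines are constructed (documentation-range addresses and example hostnames), and the names `parse_line` and `audit` are hypothetical.

```python
from collections import Counter

# Constructed sample in Squid's native access.log layout, modelled on the
# snippet in the thread; addresses and hostnames are placeholders.
SAMPLE = """\
1211935075.466 0 192.0.2.10 TCP_DENIED/403 379 HEAD http://site-a.example/ - NONE/- text/html
1211935075.485 0 198.51.100.7 TCP_DENIED/403 1847 GET http://site-b.example/ - NONE/- text/html
1211935097.147 0 203.0.113.5 NONE/400 2431 GET error:double-CR - NONE/- text/html
1211935099.002 412 198.51.100.7 TCP_MISS/200 5120 GET http://site-b.example/ - DIRECT/203.0.113.80 text/html
not a log line
"""

def parse_line(line):
    """Split one native-format line into a dict, or return None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    result, _, status = f[3].partition("/")
    try:
        ts, status = float(f[0]), int(status)
    except ValueError:
        return None
    return {"ts": ts, "client": f[2], "result": result, "status": status,
            "method": f[5], "url": f[6], "hierarchy": f[8].split("/")[0]}

def audit(text):
    """Return (counts per result/status, entries Squid actually served)."""
    counts, served = Counter(), []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip blank or truncated lines
        counts[f"{entry['result']}/{entry['status']}"] += 1
        # Assumption: TCP_DENIED (blocked by ACL) and NONE with a 4xx status
        # (rejected while parsing, e.g. error:double-CR) were not served.
        rejected = entry["result"] == "NONE" and entry["status"] >= 400
        if entry["result"] != "TCP_DENIED" and not rejected:
            served.append(entry)
    return counts, served

if __name__ == "__main__":
    counts, served = audit(SAMPLE)
    for code, n in counts.most_common():
        print(f"{n:5d}  {code}")
    for e in served:
        print("SERVED:", e["client"], e["method"], e["url"], e["hierarchy"])
```

An empty "SERVED" list for clients outside your own network is what a correctly locked-down configuration should produce.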