Amos Jeffries wrote:
>> This is quite strange, I think I'm misunderstanding something.
>> I'm using squid as a reverse proxy.
>>
>
> I understand.
>
>
>> Clients (internet people surfing on my website) should connect to squid
>> boxes to retrieve static content. Squid sends the right file or connects
>> to cache_peer to retrieve file before the resend process.
>>
>
> ... and reject bad requests. As you pointed out
> "http://pagead2.googlesyndication.com"... was not one of your images....
>
>
>> How could someone tell squid to retrieve something on a server
>> not defined as a cache_peer?
>>
>
> Easily. They send an HTTP request like this:
>
>   GET http://foo.example.com/somethingbad HTTP/1.1
>
> or this:
>
>   GET /somethingbad HTTP/1.1
>   host: foo.example.com
>
>
> What you saw in your log was Squid receiving one of those bad requests,
> checking for places where it can find the foo.example.com domain. Started
> searching for places to get a reply from...
>  => Finding that it was not part of the local website (can/should not pass
> it to the peer)
>  => Finding that it's a reverse proxy (should not go direct to the external
> foo.example.com).
>
> Since it was NOT one of your domains squid finished by sending a 404 "not
> one of mine. go away" or something similar back to the nasty visitor.
>
> This is good. Your website is safe. Squid is acting a little bit like a
> firewall blocking the bad stuff, letting the good requests through.
>
>
>>> You might also want to occasionally scan the access.log to see if any
>>> foreign requests do get through (2xx or 3xx status). If any do you
>>> have a problem, otherwise everything is fine.
>>>
>> Something like this?
>>
>> 2009/11/23 07:26:07| clientParseRequestMethod: Unsupported method in
>> request 'HTTP/1.0 200 OK
>> Last-Modified: Tue, 06 Jan 2009 14:02:42 GMT
>> Accept-Ranges: bytes
>> Content-Length: 166
>> Content-Type: image/gif
>> Date: Mon, 23 Nov 2009 01:03:56 GMT
>> Server: Apache
>> ETag: "1247de8-a6-45fd0dc60a480"
>> Expires: Tue, 24 Nov 2009 01:03:56 GMT
>> Cache-Control: max-age=86400
>> Age: 19331
>> X-Cache: HIT from static.myhost.com
>> X-Cache-Lookup: HIT from static.myhost.com:80
>> Connection: keep-alive
>>
>> GIF89a^P'
>>
>> ?
>>
> Something broken with that log. That's a reply. :) one of your static
> images being sent out. A 166-byte *.gif file.
>
>
> If there was any attack problem it would show up in _access.log_ similar
> to this:
>
>  time - visitorIP 200 45235 GET http://example.com/bad - DIRECT/example.com
> ...
>  or
>  time - visitorIP 302 1651 GET http://example.com/bad - ...
>  or
>  [time] visitorIP - - "GET http://example.com/bad HTTP/1.1" 200 42489 ...
>
>
> Note the codes "200" attack retrieving an object, and "302" attack using a
> redirect URL.
>
> Amos
>

Hi Amos,

Thank you for your time!
All is clear now. :)

Have a great day.

David.
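
Added example, not part of the original thread: a small Python scan of access.log for the condition Amos describes, a request for a foreign host that was answered with a 2xx or 3xx status. The set of own hostnames (`static.myhost.com`, taken from the X-Cache header above), the function name and the sample log lines are assumptions constructed for illustration; the regexes cover Squid's native log format and the httpd-style format.

```python
import re
from urllib.parse import urlsplit

# Assumption: the hostnames this reverse proxy is supposed to serve.
OWN_HOSTS = {"static.myhost.com"}

# Squid native format: time elapsed client code/status bytes method URL ...
NATIVE = re.compile(r"^\S+\s+\d+\s+(?P<ip>\S+)\s+\S+/(?P<status>\d{3})"
                    r"\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
# httpd-style format: client - - [time] "METHOD URL PROTO" status bytes ...
COMMON = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')

def foreign_hits(lines, own_hosts=OWN_HOSTS):
    """Return (client, status, url) for foreign-host requests answered 2xx/3xx."""
    hits = []
    for line in lines:
        m = NATIVE.match(line) or COMMON.match(line)
        if not m:
            continue  # not an access.log entry in either format
        # Entries without an absolute URL carry no host to compare; skip them.
        host = (urlsplit(m["url"]).hostname or "").lower()
        status = int(m["status"])
        if host and host not in own_hosts and 200 <= status < 400:
            hits.append((m["ip"], status, m["url"]))
    return hits

# Constructed sample entries (documentation IP ranges, not real traffic).
SAMPLE = [
    "1258961167.123     12 198.51.100.4 TCP_HIT/200 166 GET "
    "http://static.myhost.com/img/dot.gif - NONE/- image/gif",
    "1258961170.456      3 203.0.113.7 TCP_MISS/404 1520 GET "
    "http://foo.example.com/somethingbad - NONE/- text/html",
    "1258961175.789    210 203.0.113.7 TCP_MISS/200 45235 GET "
    "http://foo.example.com/somethingbad - DIRECT/192.0.2.10 text/html",
    '203.0.113.9 - - [23/Nov/2009:07:26:07 +0100] '
    '"GET http://foo.example.com/somethingbad HTTP/1.1" 302 1651 TCP_MISS:DIRECT',
]

if __name__ == "__main__":
    for ip, status, url in foreign_hits(SAMPLE):
        print(f"foreign request served: {ip} {status} {url}")
```

The 404 entry is the rejected case from the thread and is not reported; only the 200 and 302 entries for the foreign host are.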