
Re: Re: TCP_DENIED_REPLY/403


 



On 30/07/11 07:32, Andrei wrote:
Ok. I got it fixed after reading the FAQ and changing the values to:
request_header_max_size 15824 KB
request_body_max_size 15824 KB
reply_header_max_size 15824 KB
reply_body_max_size 15824 KB

Is there any way to set these max_sizes to unlimited?


The body limits are unlimited by default. Remove the *_body_max_size lines from your config to be that way.


The header limits are your front line protection against several _groups_ of very nasty security vulnerabilities. And congestion collapse within Squid. Making them unlimited is an extremely unwise idea. The default values are 64KB. And HTTP only uses 1-4KB. So already over an order of magnitude larger than normal HTTP requires. And larger than every known web server and browser permit. The default limits are usually only hit when somebody attempts a DoS.

I see from your config that you set them to 0. That means 0 bytes of length is permitted, 1 byte is too large. Remove the *_header_max_size lines from your config to enable up to 64KB headers through.

Amos


On Fri, Jul 29, 2011 at 12:06 PM, Andrei<funactivities@xxxxxxxxx>  wrote:
I'm getting this error message:
http://yahoo.com/
The requested URL could not be retrieved
The request or reply is too large.
If you are making a POST or PUT request, then the item you are trying
to upload is too large.
If you are making a GET request, then the item you are trying to
download is too large.

Squid access logs show:
1311965841.744      0 176.16.0.161 TCP_DENIED_REPLY/403 3643 NONE error:request-too-large - NONE/- text/html

I assume that reply_header_max_size and request_header_max_size
are set by default to unlimited in v3, but adding manually
reply_header_max_size 40 M and request_header_max_size 40 M still
gives me the same error message.

I'm running:
Squid Cache: Version 3.1.6
Debian stable 6.0.2.1
DualXeon 3GhZ, 250GB SCSI, 4GB RAM

Config file:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 172.16.0.0/21  # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
request_header_max_size 0
request_body_max_size 0
reply_header_max_size 0
reply_body_max_size 0
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access allow all
icp_access allow all
htcp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 1024 MB
cache_dir ufs /var/spool/squid3 40960 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       40%     40320
icp_port 0
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private



--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.10
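
An added example, not part of the original thread and not Squid's own code: a small Python audit of a squid.conf for the size-limit settings discussed above, flagging header limits of 0 (nothing permitted) and header limits raised above the 64 KB default. The unit table, the treatment of a bare number as bytes, and the sample config are assumptions constructed for this example.

```python
import re

# Assumption for this example: sizes are "<number> [unit]"; bare number = bytes.
UNITS = {"": 1, "BYTES": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
DEFAULT_HEADER_LIMIT = 64 * 1024  # default header limit quoted in the reply
DIRECTIVE = re.compile(
    r"^\s*((?:request|reply)_(header|body)_max_size)\s+(\d+)\s*([A-Za-z]*)")

def audit_size_limits(conf_text):
    """Return (line_no, directive, severity, message) for each risky limit."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line.split("#", 1)[0])  # ignore comments
        if not m:
            continue
        name, kind, number, unit = m.groups()
        if kind == "body":
            findings.append((no, name, "info",
                             "body limits are unlimited by default; "
                             "remove this line to get that behaviour"))
            continue
        factor = UNITS.get(unit.upper())
        if factor is None:
            findings.append((no, name, "error",
                             f"unit {unit!r} not recognised by this checker"))
            continue
        size = int(number) * factor
        if size == 0:
            findings.append((no, name, "critical",
                             "0 permits 0 bytes of header: every message "
                             "is rejected as too large"))
        elif size > DEFAULT_HEADER_LIMIT:
            findings.append((no, name, "warning",
                             f"{size} bytes exceeds the 64 KB default that "
                             "guards against oversized-header DoS"))
    return findings

# Constructed sample, using values that appear in the thread.
SAMPLE_CONF = """\
http_port 3128 transparent
request_header_max_size 0
request_body_max_size 0
reply_header_max_size 15824 KB   # value tried later in the thread
# reply_header_max_size 0
request_header_max_size 32 KB
"""

if __name__ == "__main__":
    for finding in audit_size_limits(SAMPLE_CONF):
        print("line %d: %s [%s] %s" % finding)
```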

